[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"
Mike Shaver
mike.shaver at gmail.com
Mon Sep 16 16:59:07 UTC 2024
Thanks for the action on this.
Should this ballot include guidance or instruction for CAs who have been
using Whois DCV previously? Are we content to simply let Whois-validated
certs expire, or should CAs revalidate domain control for relevant certs
using an approved method? If domain control can be validated, then I don’t
think there would be any need to revoke/reissue (unless the CPS calls out
Whois DCV maybe? I don’t know of any such). If it *can’t* be revalidated,
then revoking the certificate is probably appropriate!
Mike
On Mon, Sep 16, 2024 at 12:15 PM Ryan Dickson via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Purpose of Ballot SC-080 V1:
>
> This Ballot proposes updates to the Baseline Requirements for the
> Issuance and Management of Publicly-Trusted TLS Server Certificates
> (i.e., TLS BRs) related to sunsetting the use of WHOIS when identifying
> Domain Contacts.
>
> Background:
>
> In light of recent events where research from WatchTowr Labs demonstrated
> how threat actors could exploit WHOIS to obtain fraudulently issued TLS
> certificates [1] and follow-on discussions in MDSP [2][3], we drafted an
> introductory proposal [4] to sunset the use of WHOIS for identifying Domain
> Contacts.
>
> The proposal sets a prohibition against relying on WHOIS to identify
> Domain Contacts beginning 11/1/2024. At the same time, it also prohibits
> use of DCV reuse where WHOIS was used as the source of truth for a Domain
> Contact.
>
> Proposal Revision History:
>
> - Pre-Ballot Version #1 [4]
>
> Previous Versions of this Ballot:
>
> - N/A
>
> References:
>
> [1] https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
> [2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U
> [3] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA
> [4] https://github.com/cabforum/servercert/pull/548
> [5] https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787
>
> The following motion has been proposed by Ryan Dickson and Chris Clements
> of Google (Chrome Root Program) and endorsed by Arvid Vermote (GlobalSign)
> and Pedro Fuentes (OISTE).
>
> — Motion Begins —
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted TLS Server Certificates” (“Baseline
> Requirements”), based on Version 2.0.7.
>
> MODIFY the Baseline Requirements as specified in the following Redline:
>
> https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9
>
> — Motion Ends —
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (7 days)
> - Start: 2024-09-16 16:00:00 UTC
> - End no earlier than: 2024-09-23 16:00:00 UTC
>
> Vote for approval (7 days)
> - Start: TBD
> - End: TBD
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
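The reuse prohibition in the quoted ballot (no DCV reuse where WHOIS was the source of the Domain Contact, from 11/1/2024) and the revalidation question raised above can be turned into a triage check over a CA's stored validation records. The following is an added example, not code from the CA/Browser Forum or any CA; the `DcvRecord` shape, the `contact_source` labels and the 398-day general reuse window are assumptions, not values taken from the ballot.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Effective date stated in the ballot: WHOIS may no longer be relied on to
# identify Domain Contacts, and WHOIS-sourced DCV may not be reused.
WHOIS_SUNSET = date(2024, 11, 1)
# Assumed general reuse window for domain validation data (not on the page).
REUSE_WINDOW = timedelta(days=398)


@dataclass(frozen=True)
class DcvRecord:
    """One stored domain-control validation (assumed record shape)."""
    domain: str
    method: str                    # e.g. "email-to-domain-contact", "dns-change"
    contact_source: Optional[str]  # "whois", "other", or None if no contact used
    validated_on: date


def reuse_decision(rec: DcvRecord, issuance_date: date) -> Tuple[bool, str]:
    """Decide whether rec may be reused to issue on issuance_date.

    Returns (allowed, reason). A record fails if it is older than the general
    reuse window, or if its Domain Contact came from WHOIS and issuance falls
    on or after the sunset date; such domains need fresh validation by an
    approved method before issuance.
    """
    if issuance_date - rec.validated_on > REUSE_WINDOW:
        return False, "validation older than reuse window; revalidate"
    if rec.contact_source == "whois" and issuance_date >= WHOIS_SUNSET:
        return False, "Domain Contact sourced from WHOIS; not reusable on/after 2024-11-01"
    return True, "ok"


def triage(records: List[DcvRecord], issuance_date: date) -> Dict[str, Tuple[bool, str]]:
    """Map each domain to its reuse decision for a planned issuance date."""
    return {r.domain: reuse_decision(r, issuance_date) for r in records}


# Constructed sample records for illustration.
SAMPLE = [
    DcvRecord("a.example", "email-to-domain-contact", "whois", date(2024, 9, 1)),
    DcvRecord("b.example", "dns-change", None, date(2024, 6, 1)),
    DcvRecord("c.example", "dns-change", None, date(2023, 1, 1)),
]

if __name__ == "__main__":
    for domain, (ok, why) in triage(SAMPLE, date(2024, 11, 15)).items():
        print(f"{domain}: {'reuse' if ok else 'revalidate'} ({why})")
```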