[Servercert-wg] - Sunsetting use of WHOIS to identify Domain Contacts

Ryan Dickson ryandickson at google.com
Mon Sep 16 19:47:36 UTC 2024


Hi Trev,

I interpret the motivation
<https://aws.amazon.com/blogs/security/aws-certificate-manager-will-discontinue-whois-lookup-for-email-validated-certificates/#:~:text=Why%20are%20we,of%20this%20post.>
for the behavior described in the link you shared as a matter of overcoming
the low success rate of WHOIS-based communications (“*Over the past several
years, we’ve observed that the WHOIS lookup success rate has declined to
less than 5 percent. If you rely on the contact addresses listed in the
WHOIS database provided by your domain registrar to validate your domain
ownership, this might create an availability risk.*”)

The motivation for the ballot is focused on managing a separate risk,
closing circumstances that can be actively exploited and result in
fraudulent certificate issuance (and worse, abuse given the existence of
that certificate). Given this perspective, can you help me better
understand what you'd consider an appropriate timeline to close what could
be considered an open vulnerability with this DCV method?

Thanks,
Ryan

On Mon, Sep 16, 2024 at 1:12 PM Ponds-White, Trev via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Thanks for putting this together Ryan. As some might be aware Amazon began
> a process earlier this year to remove use of this method. (
> https://aws.amazon.com/blogs/security/aws-certificate-manager-will-discontinue-whois-lookup-for-email-validated-certificates/
> )
>
>
>
> We got feedback from customers that for some this is a non-trivial
> dependency to remove. It’s not uncommon for companies to have built
> automation on top of email validation. Based on the information we got I
> recommend a date of April 30, 2025.
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Ben
> Wilson via Servercert-wg
> *Sent:* Monday, September 16, 2024 9:16 AM
> *To:* Pedro FUENTES <pfuentes at wisekey.com>; CA/B Forum Server Certificate
> WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* RE: [EXTERNAL] [Servercert-wg] [EXTERNAL]- Sunsetting use of
> WHOIS to identify Domain Contacts
>
>
>
> *CAUTION*: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
>
>
> Mozilla will endorse, too, if needed.
>
> Thanks,
>
> Ben
>
>
>
> On Mon, Sep 16, 2024 at 9:06 AM Pedro FUENTES via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> OISTE would endorse this initiative
>
>
>
> On 16 Sep 2024, at 16:32, Ryan Dickson via Servercert-wg <
> Servercert-wg at cabforum.org> wrote:
>
>
>
> All,
>
>
>
> In light of recent events where research from WatchTowr Labs demonstrated
> how threat actors could exploit WHOIS to obtain fraudulently issued TLS
> certificates [1] and follow-on discussions in MDSP [2][3], we drafted an
> introductory proposal [4] to sunset the use of WHOIS for identifying Domain
> Contacts.
>
>
>
> The proposal sets a prohibition against relying on WHOIS to identify
> Domain Contacts beginning 11/1/2024.
>
>
>
> While publicly-trusted CA Owners are required to disclose and maintain
> in-use DCV methods to the CCADB [5], the collected data lacks specificity,
> hindering our ability to assess the extent of reliance on WHOIS and the
> potential impact of transitioning away from it.
>
>
>
> Feedback on the proposal (preferably using comments or suggestions on the
> Pull Request via GitHub) along with volunteers for endorsers would be
> appreciated.
>
> Thanks,
>
> Ryan
>
>
>
> P.S., I apologize if this effort is redundant to discussions already
> taking place in the Forum, I was traveling last week and am catching up on
> email.
>
>
>
> [1]
> https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__labs.watchtowr.com_we-2Dspent-2D20-2Dto-2Dachieve-2Drce-2Dand-2Daccidentally-2Dbecame-2Dthe-2Dadmins-2Dof-2Dmobi_&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=1CJcldkOKNaH6Tu9kiTliBmTMzTdtFrQ0USL5juRHSkA78re2Z_FuT3Hr1z1Cd6m&s=qZzpnP-57sE4nQ6LxHM50ULVrjSKSIk2Fccl0d8PESE&e=>
>
> [2]
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_a_mozilla.org_g_dev-2Dsecurity-2Dpolicy_c_FuOi-5FuhQB6U&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=1CJcldkOKNaH6Tu9kiTliBmTMzTdtFrQ0USL5juRHSkA78re2Z_FuT3Hr1z1Cd6m&s=31lolz5JP-8ykEL9HDAxaX6AcVj3rFj7LwOwRxwFkZg&e=>
>
> [3]
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_a_mozilla.org_g_dev-2Dsecurity-2Dpolicy_c_mAl9XjieSkA&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=1CJcldkOKNaH6Tu9kiTliBmTMzTdtFrQ0USL5juRHSkA78re2Z_FuT3Hr1z1Cd6m&s=37YIE6Jw_R8c8obIjNP3qo3yo9YW36r4WMZH76HyUGM&e=>
>
> [4] https://github.com/cabforum/servercert/pull/548
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_pull_548&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=1CJcldkOKNaH6Tu9kiTliBmTMzTdtFrQ0USL5juRHSkA78re2Z_FuT3Hr1z1Cd6m&s=vBGh-YJqmgDPKGnq5cAcEuu__uSmeZaCK_EGoFkB-Kc&e=>
>
> [5]
> https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_spreadsheets_d_1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-2Df9SbsMA28_edit-3Fgid-3D268412787-23gid-3D268412787&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=1CJcldkOKNaH6Tu9kiTliBmTMzTdtFrQ0USL5juRHSkA78re2Z_FuT3Hr1z1Cd6m&s=nHPN4vmJhl30c7Nh_y7NmG73eUtxjUstZR6YNcUH0o4&e=>
>
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=1CJcldkOKNaH6Tu9kiTliBmTMzTdtFrQ0USL5juRHSkA78re2Z_FuT3Hr1z1Cd6m&s=hOfLasOApOVBc0Uwo83PbDiIvJ4IjPP7O-hs7suejHw&e=
>
>
>
>
> * WISeKey SA*
>
>
> *Pedro Fuentes *CSO - Trust Services Manager
> Office: + 41 (0) 22 594 30 00 <+41%2022%20594%2030%2000>
> Mobile: + 41 (0) 791 274 790
>
> Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
>
>
> *Stay connected with WISeKey <http://www.wisekey.com> *
>
> *THIS IS A TRUSTED MAIL*: This message is digitally signed with a WISeKey
> identity. If you get a mail from WISeKey please check the signature to
> avoid security risks
>
>
>
> *CONFIDENTIALITY: *This email and any files transmitted with it can be
> confidential and it’s intended solely for the use of the individual or
> entity to which they are addressed. If you are not the named addressee
> you should not disseminate, distribute or copy this e-mail. If you have
> received this email in error please notify the sender
>
>
>
> *DISCLAIMER: *WISeKey does not warrant the accuracy or completeness of
> this message and does not accept any liability for any errors or
> omissions herein as this message has been transmitted over a public
> network. Internet communications cannot be guaranteed to be secure or
> error-free as information may be intercepted, corrupted, or contain
> viruses. Attachments to this e-mail are checked for viruses; however, we do
> not accept any liability for any damage sustained by viruses and therefore
> you are kindly requested to check for viruses upon receipt.
>
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240916/90c90964/attachment-0001.html>


More information about the Servercert-wg mailing list