[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Adriano Santoni adriano.santoni at staff.aruba.it
Wed Sep 18 09:49:37 UTC 2024


Let me put it differently.

Here is the definition of Domain Contact in BRs:

> *Domain Contact*: The Domain Name Registrant, technical contact, or 
> administrative contact
> (or the equivalent under a ccTLD) as listed in the WHOIS record of the 
> Base Domain Name or
> in a DNS SOA record, or as obtained through direct contact with the 
> Domain Name Registrar.
>
Since the changes proposed in the pull request 
https://github.com/cabforum/servercert/pull/549 do not modify the 
definition above, I assume that - while "CAs MUST NOT rely on WHOIS to 
identify Domain Contacts" (quoting the pull request) - nothing prevents 
a CA from relying on other ways to identify Domain Contacts, e.g. 
"through direct contact with the Domain Name Registrar".

If my interpretation is correct, then there is no need to talk about 
this anymore.

If, however, my interpretation is incorrect, and people here actually 
want to deprecate the case "through direct contact with the Domain Name 
Registrar" as well, then I think it is necessary to clarify this, and 
probably the pull request should also include a change to the definition 
mentioned above.

Regards

Adriano


On 18/09/2024 10:59, Amir Omidi wrote:
> I do not agree. What’s the point of keeping this bespoke method 
> available? These options create complexity and complexity creates 
> security vulnerabilities. In what situation would this method be 
> useful where DNS currently can’t solve that need?
>
> On Wed, Sep 18, 2024 at 04:56 Adriano Santoni via Servercert-wg 
> <servercert-wg at cabforum.org> wrote:
>
>     I agree if by "WHOIS-related" methods we mean any method based on
>     the WHOIS protocol, either directly or via protocol gateways (e.g.
>     web-based interfaces to WHOIS records). And I support the WHOIS
>     deprecation initiative in this sense, since it has been shown that
>     it may be unreliable.
>
>     However, where the domain contacts information is obtained, e.g.
>     via the web, from an IANA-accredited domain registrar and is *not*
>     based on WHOIS, then I think it can be used.
>     I assume everyone agrees as long as no one raises a hand to object.
>
>
>     Adriano
>
>     On 17/09/2024 18:04, Pedro FUENTES wrote:
>>     Could it be that we all agree that WHOIS-related methods are so
>>     tricky that they deserve to be ditched, and the only thing that
>>     requires consensus is the deadline to apply?
>>
>>     On my particular side, I personally consider that 1/1/2025 is a
>>     reasonable date.
>>
>>>     On 17 Sept. 2024 at 17:59, Adriano Santoni via Servercert-wg
>>>     <servercert-wg at cabforum.org> wrote:
>>>
>>>     Andrew,
>>>
>>>     I was not referring to any WHOIS server, but rather to the
>>>     information about domain "owners" that a registrar is supposed
>>>     to collect and keep.
>>>
>>>     So you believe that if a CA does the following, the domain
>>>     contact email they can (sometimes) get is /unreliable/?
>>>
>>>     1) Consult the list of accredited domain registrars on the IANA
>>>     website (https://www.icann.org/en/accredited-registrars), thus
>>>     finding confirmation of one particular registrar's website the
>>>     CA was looking for.
>>>     2) Access the website found in point 1 above and query the
>>>     information available on a certain domain.
>>>     3) At this point, sometimes (rarely) obtain, among other
>>>     information, also the email address of a domain contact.
>>>
>>>     Note that here I'm not talking about the WHOIS protocol nor
>>>     WHOIS servers, but about the information that the domain
>>>     registrar has the duty to collect and store (not necessarily
>>>     publish) about the subject who registered a domain.
>>>
>>>     Regards,
>>>
>>>     Adriano
>>>
>>>
>>>     On 17/09/2024 17:13, Andrew Ayer wrote:
>>>>     On Tue, 17 Sep 2024 07:21:28 +0000
>>>>     Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org> wrote:
>>>>
>>>>>     I believe that the *interactive* query of the domain registrar, directly
>>>>>     on its website, can be considered reliable to the extent that the CA is
>>>>>     confident that it is in fact consulting the "right" website.
>>>>     CAs were not consulting the right WHOIS server, despite a database of
>>>>     correct WHOIS servers existing (at least for gTLDs).  How would the problem
>>>>     be better when it comes to finding the "right" website?
>>>>
>>>>     The gTLD registry agreement requires gTLD operators to update the IANA
>>>>     Rootzone Database when their WHOIS server changes; I don't see a
>>>>     similar requirement for keeping a database of website URLs up-to-date.
>>>>
>>>>     Regards,
>>>>     Andrew
>>>     _______________________________________________
>>>     Servercert-wg mailing list
>>>     Servercert-wg at cabforum.org
>>>     https://lists.cabforum.org/mailman/listinfo/servercert-wg
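The BR definition quoted at the top of this message names the DNS SOA record as one non-WHOIS source of a Domain Contact. As an added example (not code from this thread or from PR #549), the Python below turns an SOA RNAME into the contact mailbox, handling the escaped-dot case that a naive split gets wrong; the optional live lookup assumes dnspython is installed.

```python
"""SOA RNAME -> contact mailbox, one of the non-WHOIS Domain Contact
sources in the BR definition. Added example; not from the thread or PR.
"""


def rname_to_email(rname: str) -> str:
    """Decode an SOA RNAME into a mailbox address (RFC 1035, section 3.3.13).

    The first unescaped '.' separates the local part from the domain; a
    backslash-escaped dot inside the local part is a literal dot, so
    'john\\.doe.example.com.' means john.doe@example.com. The trailing
    root dot is dropped. Raises ValueError when no split is possible.
    """
    rname = rname.rstrip(".")
    local_chars = []
    domain = None
    i = 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            local_chars.append(rname[i + 1])  # escaped char is literal
            i += 2
            continue
        if c == ".":
            domain = rname[i + 1:]  # first unescaped dot ends the local part
            break
        local_chars.append(c)
        i += 1
    if not local_chars or not domain:
        raise ValueError(f"RNAME {rname!r} has no local part and domain")
    return "".join(local_chars) + "@" + domain


def soa_contact(domain: str) -> str:
    """Resolve the SOA of `domain` and return its contact mailbox.

    Needs dnspython (assumed installed) and network access; the RDATA
    rname is rendered with dnspython's own escaping, which matches the
    decoder above. Constructed inputs are used in the assertions, not
    a live lookup.
    """
    import dns.resolver  # assumption: dnspython >= 2.0 is available

    answer = dns.resolver.Resolver().resolve(domain, "SOA")
    return rname_to_email(answer[0].rname.to_text())


if __name__ == "__main__":
    # Constructed RNAMEs, as they would appear in zone files.
    for sample in ("hostmaster.example.com.", "john\\.doe.example.com."):
        print(sample, "->", rname_to_email(sample))
```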