[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Mike Shaver mike.shaver at gmail.com
Wed Sep 18 12:43:03 UTC 2024


Here's maybe a helpful way to frame the discussion: if the BRs didn't
permit WHOIS/domain-registry-website DCV right now, and someone proposed
adding it, what would we need to see in the associated ballot to be
comfortable that it didn't represent a weakening of the sans-WHOIS DCV
model? Would we permit it only for gTLD based on IANA requiring that there
at least be a server operated? Would we permit unencrypted RFC-3912 wire
transactions at all, in any case?

The migration timeline will be a source of tension between "improve the
security of the web" and "impose work on people who have been relying on
the ease of WHOIS DCV", but it's not clear to me that this group even has
consensus on what a desirable communicate-with-domain-registrant DCV would
look like after a successful migration period.

Mike


On Wed, Sep 18, 2024 at 8:38 AM Mike Shaver via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hi Andrew,
>
> Thanks for a really thoughtful analysis here!
>
> On Tue, Sep 17, 2024 at 11:13 AM Andrew Ayer via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Delegating DNS records using CNAME (e.g. with [3]) is
>> better, but not as easy because it requires the subscriber to operate
>> public-facing infrastructure.
>>
>
> I had understood that SCWG's BRs and the issuance of web PKI certs was
> indeed intended to only be for internet-accessible infrastructure anyway.
> Is it really a problem that SCWG needs to solve if people are trying to
> piggyback off the web PKI for their internal systems, rather than manage
> their own PKI model? This could be yet another nudge for people to stop
> doing that, which IMO would be a positive side-effect and not a
> counter-argument.
>
> Mike