[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"

Tobias S. Josefowitz tobij at opera.com
Wed Sep 18 14:40:16 UTC 2024


Hi Dimitris,

On Mon, 16 Sep 2024, Dimitris Zacharopoulos (HARICA) via Servercert-wg wrote:

> Is there feedback about the number of TLDs and possible certificate 
> volumes that might be affected by this attack?
>
> The majority of validations performed by CAs using WHOIS is done in 
> gTLDs which have decent rules for monitoring and supervising their 
> operators. The biggest issue is with ccTLDs, which in majority work ok. 
> Unfortunately, most of them do not disclose email contact information, 
> making them unusable for Domain Validation.
>
> Why are we causing such a large disturbance as if the Global Internet is 
> unsafe by this attack when the impact is 1 or 2 vanity TLDs for which 
> mitigations exist (like, use a better library or use the latest updated 
> list from IANA)?

I may have missed something, and if so, I am very open to input on that.

That said, as the issue presents to me, it seems to illustrate that 
multiple CAs must have been querying WHOIS servers whose hostnames and 
domains simply do not exist anymore, for longer than just a brief period. 
The possibility for this to occur without anyone noticing and sounding the 
alarm to the WebPKI community alone seems to disqualify WHOIS based Domain 
Validation as an acceptable method; this seemingly inherent lack of 
monitoring into validations/validation attempts performed via this method 
seems reason enough to retire it. And soon. What else have we missed, if 
we missed this?

If this were the only problem with this validation method, it might be 
merited to find ways to address this very fundamental issue with it, try 
to compensate for it and add safeguards around it. While the BRs may 
not specifically mandate them, what would be required, ignoring the issue 
of outdated but published WHOIS endpoints attackers can get control of 
easily, to securely perform WHOIS based DV to begin with, is a whole host 
of safeguards and compensations.

In light of that, this current, fundamental issue really is our sign to 
get rid of it.

Tobi

PS: While I wrote the above primarily thinking about WHOIS (the protocol), 
I do not think that "scraping WHOIS data from a website" necessarily 
sounds super robust either...
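The monitoring gap discussed above (a CA still sending WHOIS queries to a referral server that IANA no longer lists, or whose hostname no longer resolves) can be caught by a routine audit of the configured server list. The following is an added example, not code from the thread or any CA; it assumes a simple tld-to-server map, IANA records in the whois.iana.org text format (a "whois:" line per TLD), and uses constructed sample data and reserved TLDs.

```python
"""Audit configured WHOIS referral servers against IANA records and DNS."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed snapshot of whois.iana.org responses, keyed by TLD.
IANA_RESPONSES: Dict[str, str] = {
    "example": "domain:       EXAMPLE\nstatus:       ACTIVE\nwhois:        whois.nic.example\n",
    "test": "domain:       TEST\nstatus:       ACTIVE\n",  # IANA publishes no WHOIS server
}

# Constructed: what a validation pipeline might still have configured.
CONFIGURED: Dict[str, str] = {
    "example": "whois.dotexample-registry.example",  # stale referral, no longer IANA's
    "test": "whois.nic.test",
}


def parse_iana_whois_server(text: str) -> Optional[str]:
    """Return the server on the 'whois:' line of an IANA TLD record, or None."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "whois" and value.strip():
            return value.strip().lower()
    return None


def resolves(hostname: str) -> bool:
    """True if the hostname currently has at least one address in DNS."""
    try:
        socket.getaddrinfo(hostname, 43)
        return True
    except socket.gaierror:
        return False


def audit(configured: Dict[str, str], iana_responses: Dict[str, str],
          resolve: Callable[[str], bool] = resolves) -> List[Tuple[str, str, str]]:
    """Return (tld, configured_server, finding) for every mismatch or dead host.

    `resolve` is injectable so the check can run offline against sample data.
    """
    findings: List[Tuple[str, str, str]] = []
    for tld, server in configured.items():
        server = server.lower()
        expected = parse_iana_whois_server(iana_responses.get(tld, ""))
        if expected is None:
            findings.append((tld, server, "iana-publishes-no-whois-server"))
        elif expected != server:
            findings.append((tld, server, f"stale-referral:expected={expected}"))
        if not resolve(server):
            findings.append((tld, server, "unresolvable"))
    return findings
```

Any finding should page the validation team and block WHOIS-based DV for that TLD until the configuration is corrected.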

