[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"
Tobias S. Josefowitz
tobij at opera.com
Wed Sep 18 14:51:43 UTC 2024
Hi Andrew,
On Tue, 17 Sep 2024, Andrew Ayer via Servercert-wg wrote:
> Regrettably, parsing emails sent to a Domain Contact is often the
> easiest way to implement automated validation for a large number of
> domains, since it allows delegation to a single central point, using
> configuration that is often already in place (WHOIS record contact
> information). Delegating DNS records using CNAME (e.g. with [3]) is
The use case you bring up here is however problematic. In this validation
scenario, how would the automation ensure that the certificate request
subject to approval by e.g. the link contained in the email is indeed the
one that was requested?
While it may be possible to securely implement automation based on this
that does so securely, checking the CSR and correlating it to the CSR
automatically handed in... it sounds unlikely that the majority of such
implementations do this properly. It would be reasonably involved to
arrive at an actually secure automated process, and it would so easily
lend itself to an insecure implementation.
It would be my guess that you could arrive at a secure automation for the
use case you describe with much less effort through the use of e.g. ACME.
Accordingly, as I currently see it, this use case is not necessarily one
that seems valuable to keep around in the face of fundamental challenges
with the underlying WHOIS based Domain Validation method, or at all.
Tobi
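One shape the correlation check discussed in this message could take, as an added example that is not from the thread or from any CA's or implementer's code: the automation approves a validation mail only when its request identifier, domain and CSR fingerprint match a request that the same system recorded when it submitted the CSR itself. The mail layout, the field names and the `order-…` identifiers are assumptions constructed for the example.

```python
import hashlib
import re

# Assumed mail layout (constructed for this example; a real CA's mail differs, but
# whatever identifies the request must be matched against state we recorded ourselves).
MAIL_RE = re.compile(
    r"Request ID:\s*(?P<order>\S+)\s+Domain:\s*(?P<domain>\S+)\s+"
    r"CSR SHA-256:\s*(?P<fp>[0-9a-f]{64})"
)

def csr_fingerprint(csr_pem: bytes) -> str:
    """Fingerprint of the CSR bytes exactly as we submitted them to the CA."""
    return hashlib.sha256(csr_pem).hexdigest()

def record_submission(pending: dict, order_id: str, domain: str, csr_pem: bytes) -> None:
    """Ground truth, written only by the component that hands the CSR to the CA."""
    pending[order_id] = {"domain": domain, "csr_sha256": csr_fingerprint(csr_pem)}

def decide(pending: dict, body: str) -> tuple:
    """Approve only a mail that refers to a request this system itself submitted.
    Unknown order, other domain or other CSR -> reject; an approved order is
    removed so a second copy of the same mail cannot be replayed."""
    m = MAIL_RE.search(body)
    if m is None:
        return "reject", "unparseable mail"
    expected = pending.get(m["order"])
    if expected is None:
        return "reject", "no pending request with this id"
    if expected["domain"] != m["domain"]:
        return "reject", "domain does not match pending request"
    if expected["csr_sha256"] != m["fp"]:
        return "reject", "CSR differs from the one we submitted"
    del pending[m["order"]]
    return "approve", "matches pending request"

# Constructed sample CSRs (stand-ins for real PEM).
OUR_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\nconstructed-1\n-----END CERTIFICATE REQUEST-----\n"
OTHER_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\nconstructed-2\n-----END CERTIFICATE REQUEST-----\n"

def mail_for(order: str, domain: str, csr: bytes) -> str:
    """Constructed validation mail in the assumed layout."""
    return f"Request ID: {order}\nDomain: {domain}\nCSR SHA-256: {csr_fingerprint(csr)}\n"

def demo() -> list:
    pending = {}
    record_submission(pending, "order-1001", "example.com", OUR_CSR)
    return [
        decide(pending, mail_for("order-1001", "example.com", OTHER_CSR))[0],  # foreign CSR
        decide(pending, mail_for("order-9999", "example.com", OUR_CSR))[0],    # unknown order
        decide(pending, mail_for("order-1001", "example.com", OUR_CSR))[0],    # ours
        decide(pending, mail_for("order-1001", "example.com", OUR_CSR))[0],    # replay
    ]

if __name__ == "__main__":
    print(demo())  # ['reject', 'reject', 'approve', 'reject']
```

A handler that instead follows any approval link found in the inbox collapses all four cases into "approve", which is the failure mode the message warns about.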