[Servercert-wg] Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"
Amir Omidi
amir at aaomidi.com
Wed Sep 18 16:44:25 UTC 2024
The issue with DNS right now through ACME is that you effectively have to
give the ability for every certificate issuing system to change a single
DNS zone. This is possible in small organizations but very prohibitive in
large organizations.
On Wed, Sep 18, 2024 at 12:38 PM Tobias S. Josefowitz via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Hi Andrew,
>
> On Wed, 18 Sep 2024, Andrew Ayer wrote:
>
> > On Wed, 18 Sep 2024 14:51:52 +0000
> > "Tobias S. Josefowitz via Servercert-wg" <servercert-wg at cabforum.org>
> > wrote:
> >
> >> While it may be possible to securely implement automation based on
> >> this that does so securely, checking the CSR and correlates it to the
> >> CSR automatically handed in... it sounds unlikely that the majority
> >> of such implementations do this properly. It would be reasonably
> >> involved to arrive at an actually secure automated process, and it
> >> would so easily lend itself to an insecure implementation.
> >
> > You can see in Amazon's documentation
> > (https://docs.aws.amazon.com/acm/latest/userguide/email-automation.html)
> > that the email clearly specifies the account ID of the certificate
> > requester and a certificate identifier. It is critical to validate the
> > account ID. I don't think this is as hard as you're suggesting.
>
> Indeed, thank you for sharing this. I can easily see how one could do
> something useful with this. I am not convinced that's where the majority
> of users of this method necessarily arrive, but I certainly do not want to
> criticize anyone who did.
>
> > Unfortunately, I don't think this is universally true. ALPN and
> > HTTP challenges don't work for wildcards or hostnames that are not
> > publicly-accessible on port 80 or 443. Large organizations usually lock
> > down the ability to create DNS records, or are using DNS providers
> > without sensible APIs, making it a significant challenge to manage DNS
> > challenges at scale. Being able to delegate certificate validation for
> > all domains to a central point is extremely useful.
>
> I still maintain that ACME with automated DNS changes is ultimately the
> better option, DNS hosting options enabling that are readily available as
> well. But I would not like to be forced to transition from one that
> doesn't allow it to one that does for an organization, and specifically
> not in a short timeframe. Point taken.
>
> > In the long term this should not be a reason to keep around WHOIS
> > validation, and I support immediately sunsetting WHOIS validation for
> > ccTLDs due to the demonstrated problem there. I just wanted to provide
> > an explanation for why sunsetting WHOIS would be disruptive to
> > currently-deployed automation solutions.
>
> Thank you for that!
>
> Tobi
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240918/364fda9f/attachment.html>
More information about the Servercert-wg
mailing list