[Servercert-wg] [External Sender] Re: Re: Discussion Period Begins - Ballot SC-080 V1: "Sunsetting use of WHOIS to identify Domain Contacts"
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Sep 18 17:41:09 UTC 2024
On 18/9/2024 11:59 AM, Amir Omidi via Servercert-wg wrote:
> I do not agree. What’s the point of keeping this bespoke method
> available? These options create complexity and complexity creates
> security vulnerabilities. In what situation would this method be
> useful where DNS currently can’t solve that need?
This is well explained in point 2 of Andrew's earlier post
<https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004839.html>.
Copying here for convenience:
> Regrettably, parsing emails sent to a Domain Contact is often the
> easiest way to implement automated validation for a large number of
> domains, since it allows delegation to a single central point, using
> configuration that is often already in place (WHOIS record contact
> information). Delegating DNS records using CNAME (e.g. with [3]) is
> better, but not as easy because it requires the subscriber to operate
> public-facing infrastructure. So I think that banning WHOIS,
> particularly on this timeline, would lead to a net reduction in
> automation, and I don't believe this is justified by the available
> evidence when a more targeted fix is available.
Dimitris.
>
> On Wed, Sep 18, 2024 at 04:56 Adriano Santoni via Servercert-wg
> <servercert-wg at cabforum.org> wrote:
>
> I agree if by "WHOIS-related" methods we mean any method based on
> the WHOIS protocol, either directly or via protocol gateways (e.g.
> web-based interfaces to WHOIS records). And I support the WHOIS
> deprecation initiative in this sense, since it has been shown that
> it may be unreliable.
>
> However, where the domain contacts information is obtained, e.g.
> via the web, from an IANA-accredited domain registrar and is *not*
> based on WHOIS, then I think it can be used.
> I assume everyone agrees as long as no one raises a hand to object.
>
>
> Adriano
>
> On 17/09/2024 18:04, Pedro FUENTES wrote:
>> Could it be that we all agree that WHOIS-related methods are so
>> tricky that they deserve to be ditched and the only thing that
>> requires consensus is the deadline to apply?
>>
>> On my particular side, I personally consider that 1/1/2025 is a
>> reasonable date.
>>
>>> On 17 Sept 2024 at 17:59, Adriano Santoni via Servercert-wg
>>> <servercert-wg at cabforum.org> wrote:
>>>
>>> Andrew,
>>>
>>> I was not referring to any WHOIS server, but rather to the
>>> information about domain "owners" that a registrar is supposed
>>> to collect and keep.
>>>
>>> So you believe that if a CA does the following, the domain
>>> contact email they can (sometimes) get is /unreliable/?
>>>
>>> 1) Consult the list of accredited domain registrars on the IANA
>>> website (https://www.icann.org/en/accredited-registrars), thus
>>> finding confirmation of one particular registrar's website the
>>> CA was looking for.
>>> 2) Access the website found in point 1 above and query the
>>> information available on a certain domain.
>>> 3) At this point, sometimes (rarely) obtain, among other
>>> information, also the email address of a domain contact.
>>>
>>> Note that here I'm not talking about the WHOIS protocol nor
>>> WHOIS servers, but about the information that the domain
>>> registrar has the duty to collect and store (not necessarily
>>> publish) about the subject who registered a domain.
>>>
>>> Regards,
>>>
>>> Adriano
>>>
>>>
>>> On 17/09/2024 17:13, Andrew Ayer wrote:
>>>> On Tue, 17 Sep 2024 07:21:28 +0000
>>>> Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org> wrote:
>>>>
>>>>> I believe that the /interactive/ query of the domain registrar,
>>>>> directly on its website, can be
>>>>> considered reliable to the extent that the CA is confident that it is in
>>>>> fact consulting the "right" website.
>>>> CAs were not consulting the right WHOIS server, despite a database of
>>>> correct WHOIS servers existing (at least for gTLDs). How would the problem
>>>> be better when it comes to finding the "right" website?
>>>>
>>>> The gTLD registry agreement requires gTLD operators to update the IANA
>>>> Rootzone Database when their WHOIS server changes; I don't see a
>>>> similar requirement for keeping a database of website URLs up-to-date.
>>>>
>>>> Regards,
>>>> Andrew
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
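Andrew's quoted post contrasts parsing Domain Contact email with delegating the validation DNS label via CNAME to a single central zone. The following added example (not code from the thread or from any CA) shows the resolver-side logic such a delegated check needs: follow the CNAME chain from a constructed validation label to the central zone, guard against loops and dead ends, and only then compare the published token. The `_acme-challenge` label, the zone contents and the token are assumptions constructed for illustration.

```python
# Added example: DNS validation label delegated via CNAME to a central zone.
# All DNS data is constructed inline; no network access is performed.
from typing import Dict, List, Optional, Tuple

# Constructed zone data: (owner name, rrtype) -> list of rdata strings.
ZONES: Dict[Tuple[str, str], List[str]] = {
    # The subscriber delegates the validation label once, via CNAME ...
    ("_acme-challenge.www.example.com", "CNAME"):
        ["www.example.com.validation.central.example"],
    # ... and the central zone is where the per-request token is published.
    ("www.example.com.validation.central.example", "TXT"): ["tok-7f3a"],
    # A misconfigured delegation that loops and never reaches a TXT record.
    ("_acme-challenge.broken.example.com", "CNAME"): ["loop-a.example"],
    ("loop-a.example", "CNAME"): ["loop-b.example"],
    ("loop-b.example", "CNAME"): ["loop-a.example"],
}

MAX_CNAME_DEPTH = 8  # bound the chain so a loop or deep delegation fails closed


def resolve_txt(name: str, zones=ZONES) -> Optional[List[str]]:
    """Follow CNAMEs from `name`; return the TXT rdata at the end, or None."""
    seen = set()
    current = name.lower().rstrip(".")
    for _ in range(MAX_CNAME_DEPTH):
        if current in seen:
            return None  # CNAME loop: treat as unresolvable
        seen.add(current)
        txt = zones.get((current, "TXT"))
        if txt is not None:
            return txt  # end of chain: a TXT RRset
        cname = zones.get((current, "CNAME"))
        if not cname:
            return None  # dead end: neither TXT nor CNAME at this owner
        current = cname[0].lower().rstrip(".")
    return None  # depth limit exceeded


def validate_domain(fqdn: str, expected_token: str, zones=ZONES) -> bool:
    """True only if the (possibly delegated) label carries the expected token."""
    records = resolve_txt(f"_acme-challenge.{fqdn}", zones)
    return records is not None and expected_token in records
```

A real deployment would query authoritative servers from multiple vantage points rather than a static table; the control flow (follow, bound, then compare) is what the delegation pattern requires.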