[cabf_validation] Proposal for Adding RDAP

Tim Hollebeek tim.hollebeek at digicert.com
Tue May 1 06:03:18 MST 2018

I’ll endorse, and I have comments.


First, thanks for doing this, and thanks for the excellent observation that the (IMHO wrong) interpretation that “WHOIS” is strictly limited to the IETF WHOIS protocol would also prohibit getting the information from the registry/registrar’s web interface.  I know that doing that is ridiculously common throughout the industry.


Do we want to define “WHOIS information” instead of “WHOIS”?  That neatly sidesteps the issue of “WHOIS, the protocol” vs “WHOIS, the data”.


On the question of authentication, I love authentication, but there is the question of whether this is a “clarification” ballot or an “improve the rules” ballot.  The initial goal of this ballot was the former, and “WHOIS, the protocol” is unauthenticated, so if we stick to that goal, then no.


However, if there is enough support, I would love to support something along these lines:


CAs MAY continue to use WHOIS.

CAs MAY use HTTPS interfaces and APIs if they validate that the server is operated by the registry  / registrar.

CAs SHOULD prefer RDAP when available.

CAs MUST use authenticated HTTPS and/or RDAP methods when supported by the registry / registrar.


But I think that might not have majority support.  It does have the advantage that it slowly moves the industry towards modern, authenticated methods as registrars and registries start supporting them.  Which should only take a century or two.




From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Wayne Thayer via Validation
Sent: Monday, April 30, 2018 8:10 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Proposal for Adding RDAP


If there are no comments on this, are two members willing to endorse the ballot?


On Fri, Apr 27, 2018 at 8:30 PM, Wayne Thayer <wthayer at mozilla.com <mailto:wthayer at mozilla.com> > wrote:

The BRs as currently written use the term WHOIS in a number of places without defining it. This creates ambiguity over the use of RDAP, the successor protocol to WHOIS. There are a few ways to fix this - I propose we simply add a definition for WHOIS that expressly includes RDAP. Here is the proposed language:



This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based upon Version 1.5.6:

In section 1.6.1, add the following definition:

WHOIS: the protocol defined in RFC 3912, the Registry Data Access Protocol defined in RFC 7482, or an HTTPS website operated by a Domain Name Registrar or registry operator that provides the same information.



Does the inclusion of a 'website operated by a Registry or Registrar' create issues? I believe that it is common practice for CAs to use sites like https://www.networksolutions.com/whois/index.jsp or https://www.nominet.uk/whois/, but I don't recall ever discussing the use of websites that put a UI on top of port 43 queries.


Also, are there features of RDAP such as authentication that we SHOULD or MUST require?






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180501/df4f6495/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20180501/df4f6495/attachment-0001.p7s>

More information about the Validation mailing list