On Thu, Apr 26, 2018 at 6:59 AM, Ryan Hurst via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Thursday, April 26, 2018 at 11:45:15 AM UTC, Tim Hollebeek wrote:
> > > > which is why in the near future we can hopefully use RDAP over TLS (RFC 7481) instead of WHOIS, and of course since the near past, DNSSEC :)
> > >
> > > I agree moving away from WHOIS to RDAP over TLS is a good low-hanging-fruit mitigator once it is viable.
> >
> > My opinion is it is viable now, and the time to transition to optionally authenticated RDAP over TLS is now. It solves pretty much all the problems we are currently having in a straightforward, standards-based way.
> >
> > The only opposition I've seen comes from people who seem to want to promote alternative models that destroy the WHOIS ecosystem, leading to proprietary distribution and monetization of WHOIS data.
> >
> > I can see why that is attractive to some people, but I don’t think it's best for everyone.
> >
> > I also agree that DNSSEC is a lost cause, though I understand why Paul doesn't want to give up 😊 I've wanted to see it succeed for basically my entire career, but it seems to be making about as much progress as fusion energy.
> >

I don't think this opinion is in conflict with the suggestion that we require DNSSEC validation on CAA records when (however rarely) it is deployed. I added this as https://github.com/mozilla/pkipolicy/issues/133

> > -Tim
>
> Moving to RDAP does not solve "all the problems we are currently having" in that it does not do anything for DCV, which is what I think this thread was about (e.g. BGP implications for DCV).
>

I agree that these are two different issues. I added https://github.com/mozilla/pkipolicy/issues/134 to track the proposal to require CAs to perform domain validations from multiple network perspectives. I do suspect this will be difficult to define in a policy.

> That said, if in fact, RDAP is viable today I agree we should deprecate the use of WhoIs and mandate use of RDAP in the associated scenarios.
>

I began work on a CAB Forum ballot that adds explicit BR support for RDAP. I could be wrong, but I doubt that RDAP deployment is far enough along that we can deprecate WHOIS. I will also raise the first two issues with the CAB Forum because I think they are better addressed in the BRs than in Mozilla policy.

> Ryan Hurst
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
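The message above tracks a proposal to require domain validation from multiple network perspectives and notes that it will be hard to pin down in policy. The following is an added illustration, not code from the thread, Mozilla, the CAB Forum, or any CA, of what such a rule looks like once written down as a decision procedure: each vantage point independently reports the validation token it observed, and the validation only passes when a quorum of perspectives spanning distinct autonomous systems agree, with a bounded number of dissenters. The perspective names and AS numbers are constructed for the example (ASNs from the documentation range in RFC 5398), and the thresholds are hypothetical, chosen to show the shape of the policy rather than to recommend specific values.

```python
"""Quorum decision for multi-perspective domain control validation (DCV).

Hypothetical illustration: each network perspective fetches the validation
token for the domain on its own and reports what it saw. The CA accepts the
validation only when enough perspectives, in enough distinct autonomous
systems, saw the expected token, and no more than a small number disagreed.
A lone vantage point that observes a different answer (for instance because
the path from that vantage point was misrouted) is outvoted rather than
trusted by itself.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class PerspectiveResult:
    """What one vantage point observed for a single validation attempt."""
    name: str                   # constructed label for the vantage point
    asn: int                    # autonomous system the vantage point sits in
    token_seen: Optional[str]   # token fetched from the domain; None if the fetch failed


def validation_passes(
    expected_token: str,
    results: Sequence[PerspectiveResult],
    quorum: int = 3,            # hypothetical: perspectives that must see the token
    min_distinct_asns: int = 2, # hypothetical: distinct ASNs among the agreeing set
    max_dissent: int = 1,       # hypothetical: perspectives allowed to disagree or fail
) -> bool:
    """Return True only if the agreeing perspectives meet the quorum and ASN
    diversity requirements and the dissenting perspectives stay within bound."""
    agreeing = [r for r in results if r.token_seen == expected_token]
    dissenting = len(results) - len(agreeing)
    if len(agreeing) < quorum:
        return False
    if dissenting > max_dissent:
        return False
    if len({r.asn for r in agreeing}) < min_distinct_asns:
        return False
    return True


def sample_results(disagreeing: int, same_asn: bool = False) -> list:
    """Build constructed observations from four vantage points. `disagreeing`
    of them report a wrong token; with same_asn=True every vantage point is
    placed in one AS so the diversity rule can be exercised."""
    asns = [64496, 64497, 64498, 64499]      # documentation ASNs (RFC 5398)
    if same_asn:
        asns = [64496] * 4
    names = ["vp-a", "vp-b", "vp-c", "vp-d"]  # constructed names
    out = []
    for i, (name, asn) in enumerate(zip(names, asns)):
        token = "wrong-token" if i < disagreeing else "expected-token"
        out.append(PerspectiveResult(name, asn, token))
    return out


def demo() -> dict:
    """Run the rule over a few constructed scenarios and return the verdicts."""
    return {
        "all_agree": validation_passes("expected-token", sample_results(0)),
        "one_dissent": validation_passes("expected-token", sample_results(1)),
        "two_dissent": validation_passes("expected-token", sample_results(2)),
        "single_asn": validation_passes("expected-token", sample_results(0, same_asn=True)),
        "too_few": validation_passes("expected-token", sample_results(0)[:2]),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {'PASS' if verdict else 'FAIL'}")
```

The three knobs (quorum size, ASN diversity, dissent bound) are exactly the parameters a policy would have to fix, which is where the difficulty the message anticipates lies: too lax and a single misrouted path still wins, too strict and ordinary transient failures at one vantage point block legitimate issuance.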