On 18/9/2024 12:14 PM, Q Misell via Servercert-wg wrote:

Consulting with the IANA registrar falls apart when a reseller is involved. Sometimes the correct contact data is held by a reseller not the registrar of record.

I don't think we should allow validation based on Registration Directory Services knowing how unreliable they can be.

This seems overly subjective. Resellers exist whether we like it or not. They convince Domain Owners to use their services and then act on behalf of them. For certificate lifecycle management, this has been discussed multiple times and I recall that the result was that it is practically impossible for a CA to distinguish beyond reasonable doubt whether it is dealing with an Applicant/Domain Owner or a reseller operating on behalf of that Domain Owner.

In the WHOIS paradigm, resellers already have access to "do bad things" with the Base Domain Name they register and manage, so they could obviously abuse their position and issue a TLS Certificate to Domain Names using ANY validation method under 3.2.2.4.

Dimitris.


On Wed, 18 Sept 2024 at 10:59, Amir Omidi via Servercert-wg <[email protected]> wrote:

    I do not agree. What’s the point of keeping this bespoke method
    available? These options create complexity and complexity creates
    security vulnerabilities. In what situation would this method be
    useful where DNS currently can’t solve that need?

    On Wed, Sep 18, 2024 at 04:56 Adriano Santoni via Servercert-wg
    <[email protected]> wrote:

        I agree if by "WHOIS-related" methods we mean any method based
        on the WHOIS protocol, either directly or via protocol
        gateways (e.g. web-based interfaces to WHOIS records). And I
        support the WHOIS deprecation initiative in this sense, since
        it has been shown that it may be unreliable.

        However, where the domain contacts information is obtained,
        e.g. via the web, from an IANA-accredited domain registrar and
        is *not* based on WHOIS, then I think it can be used.
        I assume everyone agrees as long as no one raises a hand to
        object.


        Adriano

        Il 17/09/2024 18:04, Pedro FUENTES ha scritto:
        Could it be that we all agree that WHOIS-related methods are
        so tricky that they deserve to be ditched and the only thing
        that requires consensus is the deadline to apply?

        On my particular side, I personally consider that 1/1/2025 is
        a reasonable date.

        On 17 Sept 2024 at 17:59, Adriano Santoni via Servercert-wg
        <[email protected]> wrote:

        Andrew,

        I was not referring to any WHOIS server, but rather to the
        information about domain "owners" that a registrar is
        supposed to collect and keep.

        So you believe that if a CA does the following, the domain
        contact email they can (sometimes) get is /unreliable/?

        1) Consult the list of accredited domain registrars on the
        IANA website (https://www.icann.org/en/accredited-registrars),
        thus finding confirmation of one particular registrar's website
        the CA was looking for.
        2) Access the website found in point 1 above and query the
        information available on a certain domain.
        3) At this point, sometimes (rarely) obtain, among other
        information, also the email address of a domain contact.

        Note that here I'm not talking about the WHOIS protocol nor
        WHOIS servers, but about the information that the domain
        registrar has the duty to collect and store (not necessarily
        publish) about the subject who registered a domain.

        Regards,

        Adriano


        On 17/09/2024 17:13, Andrew Ayer wrote:

        On Tue, 17 Sep 2024 07:21:28 +0000
        Adriano Santoni via Servercert-wg <[email protected]> wrote:

        I believe that the /interactive/ query of the domain registrar,
        directly on its website, can be considered reliable to the
        extent that the CA is confident that it is in fact consulting
        the "right" website.

        CAs were not consulting the right WHOIS server, despite a database of
        correct WHOIS servers existing (at least for gTLDs).  How would the
        problem be better when it comes to finding the "right" website?



        The gTLD registry agreement requires gTLD operators to update the IANA
        Rootzone Database when their WHOIS server changes; I don't see a
        similar requirement for keeping a database of website URLs up-to-date.



        Regards,

        Andrew

        _______________________________________________
        Servercert-wg mailing list
        [email protected]
        https://lists.cabforum.org/mailman/listinfo/servercert-wg


