On 18/9/2024 11:59 a.m., Amir Omidi via Servercert-wg wrote:
I do not agree. What’s the point of keeping this bespoke method available? These options create complexity and complexity creates security vulnerabilities. In what situation would this method be useful where DNS currently can’t solve that need?

This is well explained in point 2 of Andrew's earlier post <https://archive.cabforum.org/pipermail/servercert-wg/2024-September/004839.html>. Copying here for convenience:

Regrettably, parsing emails sent to a Domain Contact is often the
easiest way to implement automated validation for a large number of
domains, since it allows delegation to a single central point, using
configuration that is often already in place (WHOIS record contact
information). Delegating DNS records using CNAME (e.g. with [3]) is
better, but not as easy because it requires the subscriber to operate
public-facing infrastructure.  So I think that banning WHOIS,
particularly on this timeline, would lead to a net reduction in
automation, and I don't believe this is justified by the available
evidence when a more targeted fix is available.

Dimitris.

On Wed, Sep 18, 2024 at 04:56 Adriano Santoni via Servercert-wg <[email protected]> wrote:

    I agree if by "WHOIS-related" methods we mean any method based on
    the WHOIS protocol, either directly or via protocol gateways (e.g.
    web-based interfaces to WHOIS records). And I support the WHOIS
    deprecation initiative in this sense, since it has been shown that
    it may be unreliable.

    However, where the domain contacts information is obtained, e.g.
    via the web, from an IANA-accredited domain registrar and is *not*
    based on WHOIS, then I think it can be used.
    I assume everyone agrees as long as no one raises a hand to object.


    Adriano

    On 17/09/2024 18:04, Pedro FUENTES wrote:
    Could it be that we all agree that WHOIS-related methods are so
    tricky that they deserve to be ditched and the only thing that
    requires consensus is the deadline to apply?

    On my particular side, I personally consider that 1/1/2025 is a
    reasonable date.

    On 17 Sep 2024 at 17:59, Adriano Santoni via Servercert-wg
    <[email protected]> wrote:

    Andrew,

    I was not referring to any WHOIS server, but rather to the
    information about domain "owners" that a registrar is supposed
    to collect and keep.

    So you believe that if a CA does the following, the domain
    contact email they can (sometimes) get is /unreliable/?

    1) Consult the list of accredited domain registrars on the IANA
    website (https://www.icann.org/en/accredited-registrars), thus
    finding confirmation of one particular registrar's website the
    CA was looking for.
    2) Access the website found in point 1 above and query the
    information available on a certain domain.
    3) At this point, sometimes (rarely) obtain, among other
    information, also the email address of a domain contact.

    Note that here I'm not talking about the WHOIS protocol nor
    WHOIS servers, but about the information that the domain
    registrar has the duty to collect and store (not necessarily
    publish) about the subject who registered a domain.

    Regards,

    Adriano


    On 17/09/2024 17:13, Andrew Ayer wrote:
    On Tue, 17 Sep 2024 07:21:28 +0000
    Adriano Santoni via Servercert-wg <[email protected]> wrote:

    I believe that the /interactive/ query of the domain registrar,
    directly on its website, can be considered reliable to the extent
    that the CA is confident that it is in fact consulting the "right"
    website.

    CAs were not consulting the right WHOIS server, despite a database of
    correct WHOIS servers existing (at least for gTLDs). How would the problem
    be better when it comes to finding the "right" website?

    The gTLD registry agreement requires gTLD operators to update the IANA
    Rootzone Database when their WHOIS server changes; I don't see a
    similar requirement for keeping a database of website URLs up-to-date.

    Regards,
    Andrew
    _______________________________________________
    Servercert-wg mailing list
    [email protected]
    https://lists.cabforum.org/mailman/listinfo/servercert-wg


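As an added illustration of the CNAME delegation that Andrew's quoted point 2 describes (editor-added example code, not written by any participant in this thread and not taken from the Baseline Requirements or from any tool referenced as "[3]"), the following Python simulates a DNS-based validation check. The subscriber points its validation label via CNAME at a zone run by a central operator, and the check follows that chain and verifies the expected token where the chain ends. The zone data, the `_validation` label, the central zone name `dcv.central.example.net` and the hop limit are all constructed assumptions; nothing here queries real DNS.

```python
# Editor-added example (not from the thread or the Baseline Requirements):
# a simulation of DNS-based domain validation where the subscriber
# delegates its validation label via CNAME to a central validation zone.
# Zone data below is constructed; nothing here performs real DNS lookups.

MAX_CNAME_HOPS = 8  # assumed hop limit; real resolvers also cap chain length

# Constructed records: owner name -> list of (rrtype, rdata), all names absolute.
ZONES = {
    # Subscriber delegates the label to a central operator (assumed zone name).
    "_validation.example.com.": [("CNAME", "example.com.dcv.central.example.net.")],
    # The central operator publishes the per-domain token in its own zone.
    "example.com.dcv.central.example.net.": [("TXT", "token-abc123")],
    # Misconfiguration: a CNAME pointing at itself.
    "_validation.loop.example.": [("CNAME", "_validation.loop.example.")],
    # No delegation: the subscriber publishes the TXT directly.
    "_validation.direct.example.": [("TXT", "token-direct")],
}


def resolve_txt(name, zones=ZONES, max_hops=MAX_CNAME_HOPS):
    """Follow CNAME records from `name` and return (final_name, txt_values, chain).

    Raises ValueError on a CNAME loop or a chain longer than max_hops.
    """
    chain = [name]
    for _ in range(max_hops):
        records = zones.get(name, [])
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if cnames:
            name = cnames[0]
            if name in chain:
                raise ValueError("CNAME loop at %s" % name)
            chain.append(name)
            continue
        txts = [rdata for rtype, rdata in records if rtype == "TXT"]
        return name, txts, chain
    raise ValueError("CNAME chain exceeds %d hops" % max_hops)


def validate_domain(domain, expected_token, zones=ZONES):
    """Check whether the validation label for `domain` carries `expected_token`.

    Returns a dict with the outcome and the CNAME chain that was followed,
    so an auditor can see where the token was actually read from.
    """
    label = "_validation.%s." % domain  # assumed label; real methods define their own
    try:
        final_name, txts, chain = resolve_txt(label, zones)
    except ValueError as err:
        return {"ok": False, "delegated": False, "chain": [label], "reason": str(err)}
    ok = expected_token in txts
    return {
        "ok": ok,
        "delegated": len(chain) > 1,
        "final_name": final_name,
        "chain": chain,
        "reason": "token matched" if ok else "expected token not found in TXT records",
    }


if __name__ == "__main__":
    for domain, token in [("example.com", "token-abc123"), ("example.com", "wrong"),
                          ("loop.example", "x"), ("direct.example", "token-direct")]:
        print(domain, validate_domain(domain, token))
```

The returned chain is the point of the exercise: with delegation, the token is read from the central operator's zone rather than from the subscriber's own zone, so the validation record should be logged together with the full chain, and a loop or an over-long chain is treated as a failed validation rather than retried indefinitely.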