They would need to do so in a historically accurate way too, to make sure that they didn’t validate via Whois during a window where the info was incorrect, even if it’s correct now. Could be pretty awkward!
Mike On Fri, Sep 13, 2024 at 8:01 AM Claves Nostrum <[email protected]> wrote: > I am a bit surprised that we have not seen anything from other CA on this, > Bugzilla's or comments on this discussion, surely others must be affected > to some extent, which would imply they need to audit whois-issuances for > TLD's with ""questionable" or invalid whois servers configured in their > lookup tooling. > > Op donderdag 12 september 2024 om 10:25:03 UTC+2 schreef Hanno Böck: > >> On Thu, 12 Sep 2024 09:21:07 +0200 >> Hanno Böck <[email protected]> wrote: >> >> > But there's a larger question whether there even is a reliable "source >> > of truth" for whois servers. Does IANA make any guarantees that the >> > whois servers they advertise are operational, and under control of the >> > respective TLD authority? >> >> To answer myself: It appears multiple whois servers listed by IANA are >> not operational. >> This is true for the following TLDs: >> cf ci dz ec gn gp hm iq ml na sb tk to uy xn--lgbbat1ad8j xn--mgbtx2b >> xn--ygbi2ammx >> >> It therefore strongly appears to me that there is currently no reliable >> data source for whois servers, and therefore, it is unclear how domain >> validation via whois can be implemented securely. >> >> -- >> Hanno Böck - Independent security researcher >> https://itsec.hboeck.de/ >> https://badkeys.info/ >> > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/f1847027-e1c0-410e-91ab-250cd62cb32an%40mozilla.org > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/f1847027-e1c0-410e-91ab-250cd62cb32an%40mozilla.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqthoPJdoqZ5uZfgCQXitf-S8cWWqZCZjZc2qFz8yTahaA%40mail.gmail.com.
