Perhaps the many CAs who are not using WHOIS would be able to help. If they were impacted, when would they feel a clock should start for reporting these incidents? Both infrastructure-impact, and potential misuse of certificates as an ongoing scope of unaudited TLDs is being elaborated upon.
So far I'm not seeing a reason for relying on the non-authoritative information within WHOIS to provide strong identity verification. Given there are CAs still believing it to be authoritative, could they elaborate on why?

- Wayne

On Friday, September 13, 2024 at 2:04:15 PM UTC+1 Roman Fischer wrote:

> Dear Claves,
>
> Maybe many CAs (like SwissSign) are not using WHOIS anymore and thus don't
> reply to this thread. 😉
>
> Rgds
> Roman
>
> *From:* [email protected] <[email protected]> *On Behalf Of* Claves Nostrum
> *Sent:* Friday, 13 September 2024 14:01
> *To:* [email protected]
> *Cc:* Hanno Böck <[email protected]>
> *Subject:* Re: Sources of Domain Contact Information?
>
> I am a bit surprised that we have not seen anything from other CAs on this,
> Bugzilla's or comments on this discussion, surely others must be affected
> to some extent, which would imply they need to audit whois-issuances for
> TLD's with "questionable" or invalid whois servers configured in their
> lookup tooling.
>
> On Thursday, 12 September 2024 at 10:25:03 UTC+2, Hanno Böck wrote:
>
> On Thu, 12 Sep 2024 09:21:07 +0200
> Hanno Böck <[email protected]> wrote:
>
> > But there's a larger question whether there even is a reliable "source
> > of truth" for whois servers. Does IANA make any guarantees that the
> > whois servers they advertise are operational, and under control of the
> > respective TLD authority?
>
> To answer myself: It appears multiple whois servers listed by IANA are
> not operational.
> This is true for the following TLDs:
> cf ci dz ec gn gp hm iq ml na sb tk to uy xn--lgbbat1ad8j xn--mgbtx2b
> xn--ygbi2ammx
>
> It therefore strongly appears to me that there is currently no reliable
> data source for whois servers, and therefore, it is unclear how domain
> validation via whois can be implemented securely.
>
> --
> Hanno Böck - Independent security researcher
> https://itsec.hboeck.de/
> https://badkeys.info/
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/f1847027-e1c0-410e-91ab-250cd62cb32an%40mozilla.org
