Hi all,

I work in the same department as Lúcia at Serpro. Just to clarify this point: we already use RDAP as the primary protocol (when Lúcia previously answered "*including the CA software automatically validating the proof of control*"). This is exactly the first step the System does to get information for proceeding to the Validation of Domain Authorization or Control, and then next it starts the steps described in section 3.2.2.4 in the Baseline Requirements.

Best regards,
André

On Tuesday, December 13, 2022 at 08:31:25 UTC-3, [email protected] wrote:

> Hi all,
>
> I second Matthias's suggestion of RDAP;
>
> Other benefits of RDAP: the data schemas are IETF standardised (making
> machine reading easier), there is a solid referral mechanism to find the
> authoritative source for a given query, and most RDAP servers offer access
> over TLS.
>
> https://github.com/arineng/nicinfo
> https://github.com/openrdap/rdap
> https://github.com/meeb/whoisit
>
> It would be good to consider RDAP the primary mechanism and only fall back
> to using WHOIS if RDAP isn’t available.
>
> Kind regards,
>
> Job
>
> On Tue, 13 Dec 2022 at 15:22, Matthias Merkel <[email protected]>
> wrote:
>
>> ICANN provides a central lookup service for RDAP (the more modern
>> replacement for Whois) at https://lookup.icann.org/. The lookups are
>> made client side. It supports all gTLDs and some of the more popular ccTLDs.
>>
>> On Tue, Dec 13, 2022 at 6:18 AM 'Kurt Seifried' via public <
>> [email protected]> wrote:
>>
>>> Ok a quick refresher on WHOIS since a lot has changed since
>>> https://www.rfc-editor.org/rfc/rfc3912.html was published in 2004:
>>>
>>> Lots of places still support WHOIS. AFAIK none support SSL/TLS,
>>> hopefully they use DNSSEC for the domain but this still allows BGP
>>> hijacking as mentioned in the Mozilla docs.
>>>
>>> Lots of places don't support WHOIS, it's old, it's a pain, and they have
>>> a website, so you can use their website to search for WHOIS records.
>>>
>>> AFAIK almost everyone modern does private DNS registrations now, in
>>> fact, many DNS registrars make it the default (e.g. Cloudflare).
>>>
>>> Is there a list of official sources for WHOIS for all the domains? I
>>> can't find anything remotely up to date with all the new TLDs.
>>>
>>> Perhaps it is time to consider retiring this method? It seems prone to
>>> error and unreliable, and there are better ways to do this (ACME yo).
>>>
>>> On Mon, Dec 12, 2022 at 2:16 PM Ben Wilson <[email protected]> wrote:
>>>
>>>> All,
>>>>
>>>> Forking this side discussion with its own subject line.
>>>>
>>>> Here is what we say about WHOIS -
>>>>
>>>> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#WHOIS_and_DNS
>>>>
>>>> This was likely written before the detailed provisions of section
>>>> 3.2.2.4 of the Baseline Requirements. Any suggestions to improve this will
>>>> be appreciated.
>>>>
>>>> Thanks,
>>>>
>>>> Ben
>>>>
>>>> On Mon, Dec 12, 2022 at 2:05 PM 'Kurt Seifried' via public <
>>>> [email protected]> wrote:
>>>>
>>>>> To go meta for a moment, @kwilson/bwilson do we have any idea what
>>>>> services other CA's are relying upon to do validation that may have
>>>>> problems similar to this?
>>>>>
>>>>> Ironically this is an area I've been looking into as part of my work
>>>>> at the CloudSecurityAlliance, e.g.
>>>>>
>>>>> https://github.com/kurtseifried/wardley-maps/blob/main/cloud/Creating%20cloud%20services.wm
>>>>>
>>>>> On Mon, Dec 12, 2022 at 1:51 PM Joel Reardon <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> who.is does "not warrant that our services will meet your
>>>>>> requirements, or that the services will be uninterrupted, timely, secure or
>>>>>> error free" nor do they "make any warranty as to the results obtained from
>>>>>> the use of the services or as to the accuracy or reliability of any
>>>>>> information obtained through our services."
>>>>>>
>>>>>> In my view this is not a serious way to do organization validation.
>>>>>>
>>>>>> On Monday, December 12, 2022 at 1:42:26 PM UTC-7 [email protected]
>>>>>> wrote:
>>>>>>
>>>>>>> On Mon, Dec 12, 2022 at 1:00 PM Lucia Castelli <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> This query aims to verify
>>>>>>>> a) which organization is responsible for the domain with
>>>>>>>> Registro.br or non-br;
>>>>>>>> b) which person or which area of the organization is registered as
>>>>>>>> responsible for the domain.
>>>>>>>> We also use option 3.2.2.4.2 for domain validation.
>>>>>>>>
>>>>>>>
>>>>>>> Why are you using https://who.is/ instead of running your own
>>>>>>> whois query server (e.g. a linux box with jwhois)? Do you have a contract
>>>>>>> or some agreement with who.is? I tried finding their contact/legal
>>>>>>> information and all their website lists is [email protected] so
>>>>>>> it's not clear who/what entity is behind this website (e.g. can I pay them
>>>>>>> to change WHOIS info they serve so I can buy a certificate for a website I
>>>>>>> don't in fact control?).
>>>>>>>
>>>>>>>>
>>>>>>>> On Monday, December 12, 2022 at 16:46:13 UTC-3, Andrew Ayer wrote:
>>>>>>>>
>>>>>>>>> On Mon, 12 Dec 2022 11:08:36 -0800 (PST)
>>>>>>>>> Lucia Castelli <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> > For domains other than .br, we use the link https://who.is/ with the
>>>>>>>>> > same criteria mentioned above.
>>>>>>>>>
>>>>>>>>> Could you clarify what you use https://who.is/ for? Is it to determine
>>>>>>>>> the Domain Contact for domain validation method 3.2.2.4.2?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Andrew
>>>>>>>>>
>>>>>>>> --
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "public" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to [email protected].
>>>>>>>> To view this discussion on the web visit
>>>>>>>> https://groups.google.com/a/ccadb.org/d/msgid/public/94bff8df-364d-4a23-899c-069547be3509n%40ccadb.org
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Kurt Seifried (He/Him)
>>>>>>> [email protected]
>>>>>>>
>>>>>
>>>>> --
>>>>> Kurt Seifried (He/Him)
>>>>> [email protected]
>>>>>
>>>
>>> --
>>> Kurt Seifried (He/Him)
>>> [email protected]
>>>
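
The RDAP properties Job lists in the thread above (standardised JSON, a referral mechanism to the authoritative server, access over TLS) can be exercised as follows. This is an added example, not code from any participant or from Serpro: the bootstrap entries, hostnames, contact data and function names are constructed for illustration, following the RFC 9224 bootstrap layout and the RFC 9083 response layout.

```python
import json

# Constructed sample in the RFC 9224 bootstrap layout (IANA publishes the real
# file); the server hostnames below are placeholders, not real RDAP services.
BOOTSTRAP = json.loads("""
{"version": "1.0", "services": [
  [["com", "net"], ["http://rdap.registry-a.example/", "https://rdap.registry-a.example/"]],
  [["br"], ["https://rdap.registry-b.example/"]],
  [["legacy"], ["http://rdap.registry-c.example/"]]
]}""")

# Constructed RFC 9083 domain response, trimmed to the fields used here.
RESPONSE = json.loads("""
{"objectClassName": "domain", "ldhName": "example.com", "entities": [
  {"objectClassName": "entity", "roles": ["registrar"], "vcardArray": ["vcard", [
     ["version", {}, "text", "4.0"], ["fn", {}, "text", "Registrar Inc"]]],
   "entities": [{"objectClassName": "entity", "roles": ["abuse"], "vcardArray": ["vcard", [
     ["email", {}, "text", "abuse@registrar.example"]]]}]},
  {"objectClassName": "entity", "roles": ["registrant", "administrative"], "vcardArray": ["vcard", [
     ["fn", {}, "text", "Example Org"], ["email", {}, "text", "hostmaster@example.com"]]]}
]}""")

def rdap_domain_url(domain, bootstrap):
    """Return the HTTPS RDAP query URL for `domain`, or None if no TLS server is listed."""
    labels = domain.lower().rstrip(".").split(".")
    best = None  # (matched label count, urls): the longest matching suffix wins
    for entries, urls in bootstrap["services"]:
        for entry in entries:
            parts = entry.lower().split(".")
            if labels[-len(parts):] == parts and (best is None or len(parts) > best[0]):
                best = (len(parts), urls)
    if best is None:
        return None  # TLD absent from the bootstrap: no authoritative RDAP source
    https = [u for u in best[1] if u.startswith("https://")]  # never query over plain HTTP
    return f"{https[0].rstrip('/')}/domain/{'.'.join(labels)}" if https else None

def contact_emails(obj, role):
    """Collect vCard email values from entities (nested ones included) holding `role`."""
    found = []
    for ent in obj.get("entities", []):
        if role in ent.get("roles", []):
            props = ent.get("vcardArray", ["vcard", []])[1]
            found += [p[3] for p in props if p[0] == "email"]
        found += contact_emails(ent, role)
    return found
```

A `None` from `rdap_domain_url` marks the case where RDAP is not available for the domain, which is where the thread's suggested fallback to WHOIS would apply.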
