All, In light of recent events where research from WatchTowr Labs demonstrated how threat actors could exploit WHOIS to obtain fraudulently issued TLS certificates [1] and follow-on discussions in MDSP [2][3], we drafted an introductory proposal [4] to sunset the use of WHOIS for identifying Domain Contacts.
The proposal sets a prohibition against relying on WHOIS to identify Domain Contacts beginning 11/1/2024. While publicly-trusted CA Owners are required to disclose and maintain in-use DCV methods to the CCADB [5], the collected data lacks specificity, hindering our ability to assess the extent of reliance on WHOIS and the potential impact of transitioning away from it. Feedback on the proposal (preferably using comments or suggestions on the Pull Request via GitHub) along with volunteers for endorsers would be appreciated. Thanks, Ryan P.S., I apologize if this effort is redundant to discussions already taking place in the Forum, I was traveling last week and am catching up on email. [1] https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/ [2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U [3] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA [4] https://github.com/cabforum/servercert/pull/548 [5] https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787
_______________________________________________ Servercert-wg mailing list [email protected] https://lists.cabforum.org/mailman/listinfo/servercert-wg
