Thanks for the action on this. Should this ballot include guidance or instruction for CAs who have been using Whois DCV previously? Are we content to simply let Whois-validated certs expire, or should CAs revalidate domain control for relevant certs using an approved method? If domain control can be validated, then I don’t think there would be any need to revoke/reissue (unless the CPS calls out Whois DCV maybe? I don’t know of any such). If it *can’t* be revalidated, then revoking the certificate is probably appropriate!
Mike On Mon, Sep 16, 2024 at 12:15 PM Ryan Dickson via Servercert-wg < [email protected]> wrote: > Purpose of Ballot SC-080 V1: > > > > This Ballot proposes updates to the Baseline Requirements for the > Issuance and Management of Publicly-Trusted TLS Server Certificates > (i.e., TLS BRs) related to sunsetting the use of WHOIS when identifying > Domain Contacts. > > > Background: > > > In light of recent events where research from WatchTowr Labs demonstrated > how threat actors could exploit WHOIS to obtain fraudulently issued TLS > certificates [1] and follow-on discussions in MDSP [2][3], we drafted an > introductory proposal [4] to sunset the use of WHOIS for identifying Domain > Contacts. > > > The proposal sets a prohibition against relying on WHOIS to identify > Domain Contacts beginning 11/1/2024. At the same time, it also prohibits > use of DCV reuse where WHOIS was used as the source of truth for a Domain > Contact. > > > > Proposal Revision History: > > > - Pre-Ballot Version #1 [4] > > > > Previous Versions of this Ballot: > > > - N/A > > > References: > > [1] > https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/ > > [2] > https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/FuOi_uhQB6U > > [3] > https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/mAl9XjieSkA > > [4] https://github.com/cabforum/servercert/pull/548 > > [5] > https://docs.google.com/spreadsheets/d/1IXL8Yk12gPQs8GXiosXCPLPgATJilaiVy-f9SbsMA28/edit?gid=268412787#gid=268412787 > > > > The following motion has been proposed by Ryan Dickson and Chris Clements > of Google (Chrome Root Program) and endorsed by Arvid Vermote (GlobalSign) > and Pedro Fuentes (OISTE). > > > — Motion Begins — > > > > This ballot modifies the “Baseline Requirements for the Issuance and > Management of Publicly-Trusted TLS Server Certificates” (“Baseline > Requirements”), based on Version 2.0.7. > > > > MODIFY the Baseline Requirements as specified in the following Redline: > > > https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5..356799f0dcfe11deb0a375a11233403236ab72c9 > > > > — Motion Ends — > > > > This ballot proposes a Final Maintenance Guideline. The procedure for > approval of this ballot is as follows: > > > > Discussion (7 days) > > - Start: 2024-09-16 16:00:00 UTC > > - End no earlier than: 2024-09-23 16:00:00 UTC > > > > Vote for approval (7 days) > > - Start: TBD > > - End: TBD > > _______________________________________________ > Servercert-wg mailing list > [email protected] > https://lists.cabforum.org/mailman/listinfo/servercert-wg >
_______________________________________________ Servercert-wg mailing list [email protected] https://lists.cabforum.org/mailman/listinfo/servercert-wg
