Domain Name Registrars may use the Domain Contact information in their
records, and published using the WHOIS/RDAP/WWW protocols, to contact a
Domain Owner for password resets or modifications to the Domain Name
Servers.
If Domain Name Registrars use that information to make changes to the
Name Servers associated with a Domain Name, which is way more critical
for the security of that actual Domain Name, why shouldn't the WebPKI
rely on it for demonstration of ownership of the Domain Name?
Over the years, most Registrars have implemented additional controls
like stronger authentication using 2FA and others, but the fundamental
issue exists. What happens when a Domain Owner forgets their password?
Each Registrar may have a different approach to handle this particular
situation but I assure you most of them use the Domain Contact
information to perform this reset.
BTW, the same principles guide the IP address blocks
assignment/management, and also still rely heavily on WHOIS.
Dimitris.
On 18/9/2024 3:43 μ.μ., Mike Shaver via Servercert-wg wrote:
Here's maybe a helpful way to frame the discussion: if the BRs didn't
permit WHOIS/domain-registry-website DCV right now, and someone
proposed adding it, what would we need to see in the associated ballot
to be comfortable that it didn't represent a weakening of the
sans-WHOIS DCV model? Would we permit it only for gTLD based on IANA
requiring that there at least be a server operated? Would we permit
unencrypted RFC-3912 wire transactions at all, in any case?
The migration timeline will be a source of tension between "improve
the security of the web" and "impose work on people who have been
relying on the ease of WHOIS DCV", but it's not clear to me that this
group even has consensus on what a desirable
communicate-with-domain-registrant DCV would look like after a
successful migration period.
Mike
On Wed, Sep 18, 2024 at 8:38 AM Mike Shaver via Servercert-wg
<[email protected]> wrote:
Hi Andrew,
Thanks for a really thoughtful analysis here!
On Tue, Sep 17, 2024 at 11:13 AM Andrew Ayer via Servercert-wg
<[email protected]> wrote:
Delegating DNS records using CNAME (e.g. with [3]) is
better, but not as easy because it requires the subscriber to
operate
public-facing infrastructure.
I had understood that SCWG's BRs and the issuance of web PKI certs
was indeed intended to only be for internet-accessible
infrastructure anyway. Is it really a problem that SCWG needs to
solve if people are trying to piggyback off the web PKI for their
internal systems, rather than manage their own PKI model? This
could be yet another nudge for people to stop doing that, which
IMO would be a positive side-effect and not a counter-argument.
Mike
_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg
_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg
_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg
