[gnso-rds-pdp-wg] Use case for WHOIS/RDP

Ayden Férdeline icann at ferdeline.com
Mon Aug 15 22:37:56 UTC 2016 

Hi Alex,


Thanks for your comments. I certainly agree that encryption is a technical foundation for trust on the Internet. However, this is not a use case about the merits of encryption. This is a use case about how certain Certificate Authorities (CA) determine whether or not to lend their credibility to a domain name by issuing a digital certificate.

As you implied, the difference between a $0 Let's Encrypt certificate and a $399 Symantec one is, well, $399 (plus enhanced technical support, perhaps). The encryption key is the same. The difference is more political, because an SSL certificate is, I believe, only as valid as the company from which it is acquired from. Some SSL providers have had their root CA denied (which, in effect, would invalidate all of the SSL certificates they've issued), so it's a game of reputation in theory. In practice, I would suggest that most end-users do not give much credence to who issued an SSL certificate, just so long as they see a green padlock in their browser.

If CAs are asking that the RDS have a mechanism through which they can contact the registrant (i.e. via email or another field), I think it is reasonable for us to question how else they could verify the identify of their customer. After all, it is their credibility which is at stake here. I understand the desire to automate processes and to eliminate the risk of human error - and I really do not have a position either way yet as to whether or not CAs should be able to use the RDS moving forward - I'm just trying to understand how else they could accomplish their tasks if the RDS did not accommodate their needs. I respectfully submit that this is not out-of-scope. Thanks.

Best wishes,


Ayden Férdeline
[linkedin.com/in/ferdeline](http://www.linkedin.com/in/ferdeline)


-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] Use case for WHOIS/RDP
Local Time: August 15, 2016 11:06 PM
UTC Time: August 15, 2016 10:06 PM
From: Alex_Deacon at mpaa.org
To: icann at ferdeline.com
gtheo at xs4all.nl,gnso-rds-pdp-wg at icann.org

Hi Ayden,

Lets not forget that in terms of protecting user privacy the use of encryption is vital, so I believe this is an important use case. All web server certificates, no matter which flavor of CA is used (from self-signed, to free to high-end) will result in data encryption at the transport layer. While the encryption is the same (assuming properly configured servers/clients) the difference between TLS certs is the level of authentication of the entity the server represents.

Its way out of scope to dive deeper into the various CA business models, but search for Domain Validated, Organizational Validated and Extended Validated for more details on some of the various levels of “authentication”.

Alex






On Aug 15, 2016, at 2:41 PM, Ayden Férdeline <icann at ferdeline.com> wrote:


Thanks for this clarification, Theo. What would be the difference between these basic SSL certificates and those offered freely by, say, Let's Encrypt? (I'm just trying to get a sense of what forms of identity validation are used besides automated WHOIS/DNS checks here, and to understand whether or not other identity checks might be economical for the Digital Certificate Authority. Thanks.)

- Ayden



-------- Original Message --------
Subject: Re: [gnso-rds-pdp-wg] Use case for WHOIS/RDP
Local Time: August 15, 2016 9:00 PM
UTC Time: August 15, 2016 8:00 PM
From: gtheo at xs4all.nl
To: icann at ferdeline.com,Geoffrey_Noakes at symantec.com
gnso-rds-pdp-wg at icann.org



Hi Ayden,


These types of SSL certificates are pretty cheap and the verification is pretty simple. Can be through a verification by email or a code in the name servers, as long you can prove control over the domain name.


The Extended Validation SSL certificates require way more verification. These are the ones you usually see for web shops and have this "green" bar in the web browser.


Best regards,


Theo Geurts








On 15-8-2016 20:16, Ayden Férdeline wrote:

If I understand this use case correctly, when an SSL certificate is purchased, your system is sending an automated message to the registrant or the technical contact's email address as listed in WHOIS records. If the recipient of this email clicks a URL, it validates the certificate?

If this is the case, I would like to understand how commonplace this practice is. Are these emails only sent once, when the certificate is initially purchased? I cannot imagine a significant volume of these certificates are purchased on a daily basis, and I struggle to believe that there could be more than, say, 200 such certification bodies globally. If my assumptions are correct, are we talking, here, about a use case applicable to only a handful of businesses worldwide? Businesses selling these certificates for large volumes of money?

The other issue I see is that there is very little verification of information in WHOIS as it stands today. To rely on the email addresses stored in WHOIS to authenticate a certificate strikes me as flawed. Would it not be more appropriate for the Certification Authority to visit the domain name in question, call the phone number listed on their website, and to clarify with the contact that claims to have purchased your service that they have purchased your service? If the website does not list even the number for a switchboard, perhaps that should raise red flags?


- Ayden


-------- Original Message --------
Subject: [gnso-rds-pdp-wg] Use case for WHOIS/RDP
Local Time: August 15, 2016 6:40 PM
UTC Time: August 15, 2016 5:40 PM
From: [ Geoffrey_Noakes at symantec.com](mailto:Geoffrey_Noakes at symantec.com)
To: [ gnso-rds-pdp-wg at icann.org](mailto:gnso-rds-pdp-wg at icann.org)



I’ve attached a use case for WHOIS/RDP.





Thanks…





Geoff













From: Lisa Phifer [mailto:lisa at corecom.com]
Sent: Monday, August 15, 2016 10:37 AM
To: Geoffrey Noakes [ <Geoffrey_Noakes at symantec.com>](mailto:Geoffrey_Noakes at symantec.com)
Subject: RE: Use Case









Hi Geoff, it's <gnso-rds-pdp-wg at icann.org>

For further info, see mailing list archives: [ http://mm.icann.org/pipermail/gnso-rds-pdp-wg/](http://mm.icann.org/pipermail/gnso-rds-pdp-wg/)

As a WG member, you are on that mailing list, so if you're not currently receiving email from that list, please let me or the GNSO secretariat gnso-secs at icann.org know.

Thanks again
Lisa


At 11:19 AM 8/15/2016, Geoffrey Noakes wrote:







Lisa, what is the “WG email list” email address?

From: Lisa Phifer [[ mailto:lisa at corecom.com](mailto:lisa at corecom.com)]
Sent: Monday, August 15, 2016 10:17 AM
To: Geoffrey Noakes <Geoffrey_Noakes at symantec.com>
Subject: RE: Use Case

Thanks Geoff and welcome back. I hope you had an excellent vacation.

I will upload your case to the WG's table of example use cases and see that the case is included on the 23 August call agenda.

In addition, it is best if you would also email this example use case directly to the WG email list so that any comments that may be provided on the mailing list in advance of the call will be sent to your attention.

Best, Lisa


At 11:11 AM 8/15/2016, you wrote:




+Lisa (we had a side conversation about this), plus some Symantec employees who are involved in this





Chuck, I am just back from a week of PTO. I’ve attached a markup of a document originally authored by Scott Hollenbeck of VeriSign, which is essentially the use case for a CA’s use of WHOIS.





I would prefer the August 23 date – I am on jury duty the week of August 29-September 2.





Thanks…





Geoff











From: Gomes, Chuck [ [ mailto:cgomes at verisign.com](mailto:cgomes at verisign.com)]


Sent: Monday, August 15, 2016 9:53 AM


To: Geoffrey Noakes <[ Geoffrey_Noakes at symantec.com](mailto:Geoffrey_Noakes at symantec.com)>


Cc: RDS-Leaders-List ([ gnso-next-gen-rds-lead at icann.org](mailto:gnso-next-gen-rds-lead at icann.org)) <[ gnso-next-gen-rds-lead at icann.org](mailto:gnso-next-gen-rds-lead at icann.org)>


Subject: Use Case





Geoff,





You volunteered to prepare a use case for Certificate Authorities. We hope to discuss that use case in the WG meeting on either August 23 or August 30? Which date would work better for you? In either case, we would need the use case to be submitted to the WG list 24 hours in advance.





Hope you are having a good vacation.





Chuck








_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg at icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg


_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160815/164abc7e/attachment.html>

More information about the gnso-rds-pdp-wg mailing list