[gnso-rds-pdp-wg] Use case for WHOIS/RDP

Greg Shatan gregshatanipc at gmail.com
Mon Aug 15 22:41:55 UTC 2016


Some information on the SSL industry and certificate types can be found
here: https://www.netcraft.com/internet-data-mining/ssl-survey/.

I'm not sure I understand your reference to "basic SSL certificates."  It
appears there are several types of SSL certificates (according to the page
above, at least the following: "*domain-validated* certificates simply
validate control over a domain name; *organisation-validated* certificates
include the identity of the organisation; and *Extended Validation*
certificates increase the level of identity checking"), and that Let's
Encrypt is offering only domain-validated certificates, the most basic type
(but that's not entirely clear).  The distinction between Let's Encrypt and
commercial Certificate Authorities seems to be (a) it's free and (b) its
process is automated.  There doesn't appear to be any difference in the
certificate itself.  Indeed, Let's Encrypt appears to rely on a commercial
CA to cross-sign its certificates, since Let's Encrypt certificates are not
yet trusted by most browsers.

I'm also not sure I understand your thought "I cannot imagine a
significant volume of these certificates are purchased on a daily basis."
I would tend to imagine the opposite.  I see that Let's Encrypt, which is
not by any means a major CA, issued over a million certificates in 16
months.  I assume the major certificate authorities each have numbers that
are a multiple of that, although it appears there are different ways to
count certificates.

As for whether this applies to a "handful of businesses worldwide," I've
seen reference to a 2012 EFF study that said there were over 650
Certificate Authorities.  The study first referenced above does show that a
much smaller number have a significant share of the market, but that still
doesn't jibe with your assumption.

I'm also not sure that any of this really matters.  It's not up to us to
change real-world use cases.  If Certificate Authorities use WHOIS data in
their validation process, that's a fact.  Whether you think they should use
something else doesn't really matter.

I also find it quite odd that you are attempting to minimize this use
case.  This is clearly both an important and widespread use case.

Greg



On Mon, Aug 15, 2016 at 5:41 PM, Ayden Férdeline <icann at ferdeline.com>
wrote:

> Thanks for this clarification, Theo. What would be the difference between
> these basic SSL certificates and those offered freely by, say, Let's
> Encrypt? (I'm just trying to get a sense of what forms of identity
> validation are used besides automated WHOIS/DNS checks here, and to
> understand whether or not other identity checks might be economical for the
> Digital Certificate Authority. Thanks.)
>
> - Ayden
>
> -------- Original Message --------
> Subject: Re: [gnso-rds-pdp-wg] Use case for WHOIS/RDP
> Local Time: August 15, 2016 9:00 PM
> UTC Time: August 15, 2016 8:00 PM
> From: gtheo at xs4all.nl
> To: icann at ferdeline.com, Geoffrey_Noakes at symantec.com,
> gnso-rds-pdp-wg at icann.org
>
>
> Hi Ayden,
>
> These types of SSL certificates are pretty cheap and the verification is
> pretty simple. It can be done through a verification by email or a code in
> the name servers, as long as you can prove control over the domain name.
>
> The Extended Validation SSL certificates require way more verification.
> These are the ones you usually see for web shops and have this "green" bar
> in the web browser.
>
> Best regards,
>
> Theo Geurts
>
>
>
>
> On 15-8-2016 20:16, Ayden Férdeline wrote:
>
> If I understand this use case correctly, when an SSL certificate is
> purchased, your system is sending an automated message to the registrant or
> the technical contact's email address as listed in WHOIS records. If the
> recipient of this email clicks a URL, it validates the certificate?
>
> If this is the case, I would like to understand how commonplace this
> practice is. Are these emails only sent once, when the certificate is
> initially purchased? I cannot imagine a significant volume of these
> certificates are purchased on a daily basis, and I struggle to believe that
> there could be more than, say, 200 such certification bodies globally. If
> my assumptions are correct, are we talking, here, about a use case
> applicable to only a handful of businesses worldwide? Businesses selling
> these certificates for large volumes of money?
>
> The other issue I see is that there is very little verification of
> information in WHOIS as it stands today. To rely on the email addresses
> stored in WHOIS to authenticate a certificate strikes me as flawed. Would
> it not be more appropriate for the Certification Authority to visit the
> domain name in question, call the phone number listed on their website, and
> to clarify with the contact that claims to have purchased your service that
> they have purchased your service? If the website does not list even the
> number for a switchboard, perhaps that should raise red flags?
>
> - Ayden
>
> -------- Original Message --------
> Subject: [gnso-rds-pdp-wg] Use case for WHOIS/RDP
> Local Time: August 15, 2016 6:40 PM
> UTC Time: August 15, 2016 5:40 PM
> From: Geoffrey_Noakes at symantec.com
> To: gnso-rds-pdp-wg at icann.org
>
>
> I’ve attached a use case for WHOIS/RDP.
>
> Thanks…
>
> Geoff
>
> *From:* Lisa Phifer [mailto:lisa at corecom.com]
> *Sent:* Monday, August 15, 2016 10:37 AM
> *To:* Geoffrey Noakes <Geoffrey_Noakes at symantec.com>
> *Subject:* RE: Use Case
>
> Hi Geoff, it's <gnso-rds-pdp-wg at icann.org>
>
> For further info, see mailing list archives:
> http://mm.icann.org/pipermail/gnso-rds-pdp-wg/
>
> As a WG member, you are on that mailing list, so if you're not currently
> receiving email from that list, please let me or the GNSO secretariat
> gnso-secs at icann.org know.
>
> Thanks again
> Lisa
>
>
> At 11:19 AM 8/15/2016, Geoffrey Noakes wrote:
>
> Lisa, what is the “WG email list” email address?
>
> *From:* Lisa Phifer [mailto:lisa at corecom.com]
> *Sent:* Monday, August 15, 2016 10:17 AM
> *To:* Geoffrey Noakes <Geoffrey_Noakes at symantec.com>
> *Subject:* RE: Use Case
>
> Thanks Geoff and welcome back. I hope you had an excellent vacation.
>
> I will upload your case to the WG's table of example use cases and see
> that the case is included on the 23 August call agenda.
>
> In addition, it is best if you would also email this example use case
> directly to the WG email list so that any comments that may be provided on
> the mailing list in advance of the call will be sent to your attention.
>
> Best, Lisa
>
>
> At 11:11 AM 8/15/2016, you wrote:
>
>
> +Lisa (we had a side conversation about this), plus some Symantec
> employees who are involved in this
>
>
> Chuck, I am just back from a week of PTO.  I’ve attached a markup of a
> document originally authored by Scott Hollenbeck of VeriSign, which is
> essentially the use case for a CA’s use of WHOIS.
>
>
> I would prefer the August 23 date – I am on jury duty the week of August
> 29-September 2.
>
>
> Thanks…
>
>
> Geoff
>
> From: Gomes, Chuck [mailto:cgomes at verisign.com]
> Sent: Monday, August 15, 2016 9:53 AM
> To: Geoffrey Noakes <Geoffrey_Noakes at symantec.com>
> Cc: RDS-Leaders-List (gnso-next-gen-rds-lead at icann.org)
> <gnso-next-gen-rds-lead at icann.org>
>
> Subject: Use Case
>
>
> Geoff,
>
>
> You volunteered to prepare a use case for Certificate Authorities.  We
> hope to discuss that use case in the WG meeting on either August 23 or
> August 30?  Which date would work better for you?  In either case, we would
> need the use case to be submitted to the WG list 24 hours in advance.
>
>
> Hope you are having a good vacation.
>
>
> Chuck
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>