Hi, drafting team – I’m Kirk Hall, and I work on policy and compliance issues with Certification Authority Entrust Datacard (plus I’m a recovering lawyer).  Before that I was with the CA GeoTrust (acquired by Symantec) and later started the CA AffirmTrust (acquired by Entrust Datacard).  I’m currently serving as Chair of the CA/Browser Forum.

 

Marika Konings shared the drafting team memo “Domain Name Certification,” and it’s very good.  I would just point out the WhoIs data is widely used by CAs for three different methods of domain confirmation – BR 3.2.2.4.1, .2, and .3 – and CAs and their website owner customers very much want the WhoIs information to continue to be available, as these three methods can be among the “easiest” for website owners, particularly enterprise owners with hundreds of domains.  If these methods become unavailable because WhoIs-type data becomes unavailable, it will be much harder for many website owners to confirm their domains and obtain certificates to encrypt their websites – the other domain confirmation methods require active demonstrations of control of the domain like posting a unique Random Value supplied by the CA at a specific place on each of their websites, or in each of their DNS records for each domain.  This will not be popular!

 

I understand there are policy and legal reasons why Registrars/Registries may not want to display WhoIs data to the public – but would it be possible for each Registrar/Registry to “whitelist” all the commercial CAs so that they may have access to the data?  How would the Registrars/Registries obtain this data?  That part is easy – there are lists of CAs whose issuing “roots” are recognized as trustworthy by the major browsers – they can be found and downloaded here: 

 

http://ccadb.org/resources

http://ccadb-public.secure.force.com/mozilla/AllCertificateRecordsCSVFormat

 

So it would be easy for Registrars/Registries to download this list and make it the “whitelist” that is allowed to access the WhoIs data, even if the data is no longer available to the general public.  That would serve the interests of the domain owners, who need to obtain digital certificates from CAs.

 

Let me know if you have any questions which commercial CAs can answer.  I will be leading a face-to-face meeting of the CA/Browser Forum this Wednesday-Thursday in Washington, so it would be a good time to pull in the CAs and browsers on these issues.

 

Best regards.

 

Kirk Hall

Entrust Datacard

Chair, CA/Browser Forum

 

 

From: Gnso-rds-pdp-3 [mailto:gnso-rds-pdp-3-bounces@icann.org] On Behalf Of Terri Agnew
Sent: Monday, March 5, 2018 3:34 PM
To: gnso-rds-pdp-3@icann.org
Cc: gnso-secs@icann.org
Subject: [EXTERNAL][Gnso-rds-pdp-3] added Kirk Hall/ RDS drafting team 3 / Reconvening Domain Name Certification team

 

Hello RDS Drafting Team 3,

 

This is to inform you Kirk Hall has been added to the drafting team.

 

Welcome Kirk.

 

Thank you.

 

With kind regards,

Terri

            ---

Terri Agnew

Operations Support - GNSO Lead Administrator

Internet Corporation for Assigned Names and Numbers (ICANN)

Email:  terri.agnew@icann.org

Skype ID:  terri.agnew.icann

 
