Welcome Kirk to the drafting team, and the working group. Your expertise is very welcome.
On 6 Mar 2018, at 8:52 am, Kirk Hall <Kirk.Hall@entrustdatacard.com> wrote:
Hi, drafting team – I’m Kirk Hall, and I work on policy and compliance issues with Certification Authority Entrust Datacard (plus I’m a recovering lawyer). Before that I was with the CA GeoTrust (acquired by Symantec) and later started the CA AffirmTrust (acquired by Entrust Datacard). I’m currently serving as Chair of the CA/Browser Forum.
Marika Konings shared the drafting team memo “Domain Name Certification,” and it’s very good. I would just point out the WhoIs data is widely used by CAs for three different methods of domain confirmation – BR 3.2.2.4.1, .2, and .3 – and CAs and their website owner customers very much want the WhoIs information to continue to be available, as these three methods can be among the “easiest” for website owners, particularly enterprise owners with hundreds of domains.
That is close to our understanding, that WHOIS data is one of the methods used to demonstrate domain control. Disputes in the working group have centered around issues of data exactly what constitutes legitimate data collection, and its implications. I think there is general agreement that if the data is collected for some purpose (and while it is possible that some changes may take place, it seems likely that data of at least rough equivalence will be collected), it should be possible for it to be voluntarily used for Domain Certification by those that wish it. Quite how we express that in terms of policy that appropriately translates to the GDPR etc is something we do not quite understand. It sounds as if you agree with the drafting teams point that data for other certification purposes, eg EV certificates, needs to be sourced outside the RDS/ WHOIS system in any case, and so is largely not relevant to working group discussion?
If these methods become unavailable because WhoIs-type data becomes unavailable, it will be much harder for many website owners to confirm their domains and obtain certificates to encrypt their websites – the other domain confirmation methods require active demonstrations of control of the domain like posting a unique Random Value supplied by the CA at a specific place on each of their websites, or in each of their DNS records for each domain. This will not be popular!
The various methods involving web or dns entries are notable in that they provide an alternative, but I think there is a general understanding that many people will prefer to use the BR 3.2.2.4.x methods, and this should remain possible for those that wish it. Quite what that means at each stage of the policy process is not always clear.
I understand there are policy and legal reasons why Registrars/Registries may not want to display WhoIs data to the public – but would it be possible for each Registrar/Registry to “whitelist” all the commercial CAs so that they may have access to the data?
Some system should be possible, but the general question of how we validate/ certify access has not been addressed, and we don’t plan to get into that for a while. Hopefully some fruitful discussions will take place at the face to face meeting - will you be there, Kirk? I personally think the CAs getting the information will be a relatively easy case - clearly the applicants have assented, the list of authorized CAs should be fairly uncontroversial, and if it is only the information required above that is needed, then it is a well defined list. This is much less controversial than some other data access issues we will need to address. But as I said, we aren’t quite at that point yet.
Let me know if you have any questions which commercial CAs can answer. I will be leading a face-to-face meeting of the CA/Browser Forum this Wednesday-Thursday in Washington, so it would be a good time to pull in the CAs and browsers on these issues.
Great. I think our main question at this point is essentially if any uses of WHOIS data outside the voluntary use of data for establishing domain control is needed. David
Best regards.
Kirk Hall Entrust Datacard Chair, CA/Browser Forum
From: Gnso-rds-pdp-3 [mailto:gnso-rds-pdp-3-bounces@icann.org] On Behalf Of Terri Agnew Sent: Monday, March 5, 2018 3:34 PM To: gnso-rds-pdp-3@icann.org Cc: gnso-secs@icann.org Subject: [EXTERNAL][Gnso-rds-pdp-3] added Kirk Hall/ RDS drafting team 3 / Reconvening Domain Name Certification team
Hello RDS Drafting Team 3,
This is to inform you Kirk Hall has been added to the drafting team.
Welcome Kirk.
Thank you.
With kind regards, Terri --- Terri Agnew Operations Support - GNSO Lead Administrator Internet Corporation for Assigned Names and Numbers (ICANN) Email: terri.agnew@icann.org Skype ID: terri.agnew.icann
Find out more about the GNSO by taking our interactive courses and visiting the GNSO Newcomer pages Follow @GNSO on Twitter: https://twitter.com/ICANN_GNSO Follow the GNSO on Facebook: https://www.facebook.com/icanngnso/ http://gnso.icann.org/en/
_______________________________________________ Gnso-rds-pdp-3 mailing list Gnso-rds-pdp-3@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-3