Re: Hybrid Tiered Access Proposal (was Re: [gnso-dow123] Alternative proposal re Whois)

[Thomas Keller <tom@xxxxxxxxxx>]

Now that brings us back to the findings and suggestions of  TF 1 and
the combined TF 1+2 from 04

I personally still believe that these findings are very valuable
and due to the lack of any consensus on the horizon in regard to the two 
other proposals I would suggest that we pursue them a bit longer.

Since last minute proposals seem to be ok in this TF I would like
to throw this concept in the ring. 

Basically it is just an aggregation of Jordyns last two mails.

1. Everybody who likes can sign a extra contract for access to 
   the "hidden" whois information after he identified himself 
   properly (to whom and how needs to be defined)

2. That person get credentials asigned (in the best case a certificate)
   that grands him access to the whois db (maybe using a proxy).

3. The person can retrieve the whois information on a domain by domain
   basis after login into the service and stating a reason for why
   he needs the data.

4. The person who owns the domain name is informed about who requested
   what data unless the requester can provide a subpoena or something
   similar directly to the registrar.

What do you think about this approach?

Best,

tom


Am 01.11.2006 schrieb Jordyn Buchanan:
> On 11/1/06, Metalitz, Steven <met@xxxxxxx> wrote:
> >
> >
> >Our concerns with tiered access (which is your point 2) center on
> >scalability. What may work for .name, a thick registry which holds all the
> >Whois data (data for which there is very little demand, by the way), would
> >be much harder to apply to 800 + registrars (or even 200+ if that is the
> >"real" number).   Similarly, a need for .name Whois data occurs so rarely
> >that it may not be a major problem to stop and "enter into a contract"
> >before accessing it. We have not been able to figure out a way this could
> >possibly work in .com without major delays.
> >
> 
> I think there are solutions here.  The main stumbling block I've perceived
> for tiered access proposals in the past is "who gets access?".  Here I'm
> proposing a fairly low bar for that--everyone who agrees (by contract) to
> play nice gets access.  In previous iterations of the task force, we've
> discussed some possible approaches, and I'll speculate about some other
> options as well:
> 
> 1) Have the contract actually be with a third party "certifier".  This
> entity would actually issue digital certificates to the requester, which the
> requester could use to identify him/herself to the various registrars.
> 
> 2) Same as above, except the central authority would issue a
> username/password.  Registrars could do some backend query to the central
> authority to verify the username/password before displaying the full
> information.
> 
> 3) Probably the least work for registrars and maybe the most convenient for
> the requester:  requesters contract with a third party, which operates a
> Whois proxy that only contracting parties can interact with.  The requester
> would go to one website for all requests, login, and then they would be able
> to perform queries against any registrar's full DNS using the proxy.
> Registrars would identify the third party proxy by IP address, which is a
> common mechanism for distinguishing Whois behavior today.
> 
> 
> >The problem occurs on the other side of the transaction too; there are a
> >limited number of entities interested in bulk access so managing contracts
> >with them is not a problem in principle, but potentially millions of Whois
> >requesters would want access to the higher tier of data, and that could be
> >problematic even if the data, or even just the contractual mechanism, were
> >centralized on the data provider side.
> >
> 
> Presumably there would have to be some funding mechanism to deal with this
> problem, but it seems to be purely one of resources.
> 
> Point 3 is sort of the flip-side of our proposal, and as I read it would
> >lead to a situation in which accurate contact data could not be obtained at
> >all.  Or would there be a Tier #3 of requesters who would be able to access
> >data under these circumstances?
> >
> 
> Your proposal doesn't currently deal with "how to get access to data that's
> not published in the Whois", and this proposal doesn't either.  Some sort of
> mechanism would have to be worked out in both cases--I've proposed my idea
> in a separate e-mail thread.  Ross has suggested another idea for this
> problem space, which I hope to fairly summarize as "work with the registrar
> to get the data".  There may be other ideas as well...
> 
> Jordyn

Gruss,

tom

(__)        
(OO)_____  
(oo)    /|\     A cow is not entirely full of
  | |--/ | *    milk some of it is hamburger!
  w w w  w