Re: [gnso-thickwhoispdp-wg] i've started drawing pictures -- here's the first one

[Rick Wesson <rick@xxxxxxxxxxxxxxxxxxxxxxxx>]

One thing that side tracks groups like this is making up new words
with new meanings. Please don't make up new words "secret data" being
just one example. Authoritative is a word that is well defined in the
context of domains, and DNS and I suggest you use their definitions.

By choosing new words, and ignoring well established definitions you
make this process of understanding take longer.

-rick


On Sun, Feb 3, 2013 at 6:48 AM, Mike O'Connor <mike@xxxxxxxxxx> wrote:
> ah!  i love this.  i draw pictures, go to bed and arise to much hammering.  
> thanks.
>
> a few responses…
>
> - "personal data" is meant in the sense that it's used in privacy policy/law. 
>  i'll let others who are a lot more knowledgeable fill in the details and 
> will update the picture to make that clearer
>
> - "secret data" is my idea -- partly to trigger discussion and partly because 
> i couldn't come up with a better term at the time.  the longer version (which 
> doesn't fit in the picture/bubble very well) is something like "information 
> that registrants and providers view as secret or confidential" and would 
> include all that kinda stuff that Alan describes.  the providers want to keep 
> this secret too, for business reasons.  so a better/clearer term would indeed 
> be helpful.  "non-public" data perhaps?
>
> - i may need to expand the picture to include the differences between proxy 
> and privacy service-providers.  i could use a companion or two down that 
> path.  i'll give my lame understanding here and let the hammering fix it.  a 
> proxy provider acts in my stead as the registrant -- registering the domain 
> in their own name and thus shielding my identity behind theirs.  that might 
> be my lawyer, or my aunt, or a commercial service provider.  a privacy 
> service is generally offered by my registrar -- in that instance the 
> service-provider includes my name (individual or corporate) in the public 
> Whois data, but replaces all my contact information with their own.
>
> - in any event, the information that gets into the (public) Whois database is 
> up to me, depending on choices that i make.  i can submit false information 
> or use a proxy/privacy provider.  the non-public data is much less subject to 
> choice -- i have to give that data to somebody in order to get the name.  
> and, perhaps even more importantly, to control the name.
>
> in my view, the only data that is in-scope for our discussion in this working 
> group is the public data that's already in Whois.  what i'm trying to do with 
> this drawing is highlight that a transition to thick Whois does not touch the 
> non-public secret data.
>
> Alan, i put the "authoritative" term in there to see if anybody was actually 
> reviewing my drawing.  you get an A+.  that's one of the subteam's topics to 
> figure out.  although i'm swayed by the argument that the registrars remain 
> authoritative since they're the ones in contact with the registrant.  but 
> it's too early to call that one yet.  :-)
>
> more hammering por favor.
>
> thanks all,
>
> mikey
>
>
> On Feb 2, 2013, at 11:09 PM, Rick Wesson <rick@xxxxxxxxxxxxxxxxxxxxxxxx> 
> wrote:
>
>> all of the types of data collected by a registrar (or worse a
>> reseller) are not governed by the RAA. Data coverend by thick-whois
>> elements are in-scope for this discussion, all other data are
>> out-of-scope.
>>
>> For instance your mother's maden name if collected would have no
>> bearing on moving from thin to thick whois. Whois is about publishing.
>>
>> The move from thick to thin has no barring on the security of proxy
>> protected registrations.
>>
>>
>> -rick
>>
>>
>> On Sat, Feb 2, 2013 at 8:15 PM, Alan Greenberg <alan.greenberg@xxxxxxxxx> 
>> wrote:
>>> I'll approach this from another angle. If "secret data" means information
>>> about the registrant that is not in Whois, it may well exist, but it is
>>> unclear to me what the relevance of such data is since it is not in Whois.
>>>
>>> It could include:
>>>
>>> - My mother's maiden name or birth date or the name of a first pet, which
>>> the registrar or proxy provider asks for as a means of verifying identity.
>>> The registrar does what it wants with this data. Hides it away, plasters it
>>> on a public sign, whatever. It does not come into the Whois equation in any
>>> way.
>>>
>>> - The registrant's real contact information if provided via a privacy or
>>> proxy service. The P/P service takes this data and substitutes its own for
>>> the purposes of the registration. It is this information that appears in the
>>> registrar's whois database if they maintain one, and in the registry's whois
>>> database for a thick registry. How safe or private the registrants
>>> information is depends on the P/P provider (which may be an arm of the
>>> registrar, or a separate entity altogether. Nothing in any current ICANN
>>> rule talks about what happens to this information and certainly nothing
>>> forces it to move anywhere. That is governed by the terms and conditions of
>>> the P/P server to its customers  which presumably also reflect the legal
>>> regime under which it operates. Information *may* be revealed in a UDRP or
>>> other dispute *if* a proxy provider does not want to take full
>>> responsibility for how the domain is being used - but nothing to do with
>>> thick or thin whois models.
>>>
>>> - The registrant's real name. Identical treatment as the contact information
>>> above.
>>>
>>> I have been told, but have never tried to verify the accuracy, that there
>>> are also current cases where a registrar may accept money for a (say) ten
>>> year registry but only present one year to the registry, resulting in
>>> different expiration dates. But that situation would be identical in both
>>> thin and thick as the expiration date is one of the items that is supposedly
>>> echoed in both Whois's regardless of model.
>>>
>>> Regarding "authoritative", it is not clear to me who is authoritative in a
>>> thick model. I am not even sure exactly what the term means. If it means who
>>> holds the version to be trusted and is correct if the two version differ,
>>> there seem to be various takes on this. The UDRP tells dispute providers to
>>> go to the registrar to find out registrant information. I suspect (but do
>>> not know for sure) that this is an outcome of the only whois model that
>>> existed at the time the UDRP was created was thin.  I have heard that it is
>>> not uncommon for a registry to make a chance in a thick model (such as a
>>> transfer ordered by a court) that for whatever reason does not get reflected
>>> in the registrar's data.
>>>
>>> Alan
>>>
>>>
>>>
>>> At 02/02/2013 07:14 PM, Rick Wesson wrote:
>>>
>>>> Largely incorrect. There are not any definitions of personal data,
>>>> only registrant data. A proxy is often a subshell of the registrar
>>>> that preforms proxy functions for the 4 delivery mechanisms which are
>>>> postal, email, telephone and fax to reach one of the 4 potential
>>>> contact linked to a domain registration. Within the registrar they
>>>> function the same regardless of thick or thin whois style.
>>>>
>>>> The escrow contains all the same data in the whois record, it is
>>>> encrypted and help in an archive for backup and business failure.
>>>>
>>>> If there is business data that isn't in the whois document then
>>>> whatever business data you are referring to is also not escrowed or
>>>> specified as being required for publishing.
>>>>
>>>> Could you please, rather than draw a picture, simply enumerate this
>>>> data elements of which you speak that "never finds its way into the
>>>> whois." Please, if you could also include a link to a contractual
>>>> document specifying said data should be published and escrowed.
>>>>
>>>> thanks,
>>>> -rick
>>>>
>>>>
>>>>
>>>> On Sat, Feb 2, 2013 at 3:46 PM, Mike O'Connor <mike@xxxxxxxxxx> wrote:
>>>>> i'm a big fan of pictures, especially in policy papers, because they
>>>>> give me
>>>>> a chance to think about things in a different way as i draw them.
>>>>>
>>>>> i've been rereading the comments-summary document that Marika, Berry and
>>>>> Lars prepared and realized that i think a lot of the issues that are
>>>>> being
>>>>> raised are about the handling of data that never finds its way into
>>>>> Whois.
>>>>> so here's a thick-Whois based drawing to illustrate that.  as with
>>>>> everything else i do, it's likely to be wrong until the rest of you
>>>>> hammer
>>>>> on it a little bit.
>>>>>
>>>>> hammer away.
>>>>>
>>>>> mikey
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> PHONE: 651-647-6109, FAX: 866-280-2356, WEB: www.haven2.com, HANDLE:
>>>>> OConnorStP (ID for Twitter, Facebook, LinkedIn, etc.)
>>>>>
>>>>>
>>>
>>>
>
>
> PHONE: 651-647-6109, FAX: 866-280-2356, WEB: www.haven2.com, HANDLE: 
> OConnorStP (ID for Twitter, Facebook, LinkedIn, etc.)
>