Re: [gnso-thickwhoispdp-wg] i've started drawing pictures -- here's the first one

[Alan Greenberg <alan.greenberg@xxxxxxxxx>]

A few comments. Alan

At 03/02/2013 09:48 AM, Mike O'Connor wrote:
> ah!  i love this.  i draw pictures, go to bed 
> and arise to much hammering.  thanks.
> a few responses…
>
> - "personal data" is meant in the sense that 
> it's used in privacy policy/law.  i'll let 
> others who are a lot more knowledgeable fill in 
> the details and will update the picture to make that clearer
> - "secret data" is my idea -- partly to trigger 
> discussion and partly because i couldn't come up 
> with a better term at the time.  the longer 
> version (which doesn't fit in the picture/bubble 
> very well) is something like "information that 
> registrants and providers view as secret or 
> confidential" and would include all that kinda 
> stuff that Alan describes.  the providers want 
> to keep this secret too, for business 
> reasons.  so a better/clearer term would indeed 
> be helpful.  "non-public" data perhaps?
> - i may need to expand the picture to include 
> the differences between proxy and privacy 
> service-providers.  i could use a companion or 
> two down that path.  i'll give my lame 
> understanding here and let the hammering fix 
> it.  a proxy provider acts in my stead as the 
> registrant -- registering the domain in their 
> own name and thus shielding my identity behind 
> theirs.  that might be my lawyer, or my aunt, or 
> a commercial service provider.  a privacy 
> service is generally offered by my registrar -- 
> in that instance the service-provider includes 
> my name (individual or corporate) in the public 
> Whois data, but replaces all my contact information with their own.
My understanding about what is "hidden" from 
Whois (and perhaps from the registrar) is the 
same as my understanding. Your attribution of who 
provides the service is not necessarily correct, 
but it also is not relevant to this discussion.

> - in any event, the information that gets into 
> the (public) Whois database is up to me, 
> depending on choices that i make.  i can submit 
> false information or use a proxy/privacy provider.
Or both! But it is moot to us. We are talking 
about what is in the Whois record, for better or worse.
>  the non-public data is much less subject to 
> choice -- i have to give that data to somebody 
> in order to get the name.  and, perhaps even 
> more importantly, to control the name.
> in my view, the only data that is in-scope for 
> our discussion in this working group is the 
> public data that's already in Whois.  what i'm 
> trying to do with this drawing is highlight that 
> a transition to thick Whois does not touch the non-public secret data.
That is corre3ct. But whether it is "secret" or 
not is out of scope. The fact that it is not in 
the Whois record is what makes it out of scope.

> Alan, i put the "authoritative" term in there to 
> see if anybody was actually reviewing my 
> drawing.  you get an A+.  that's one of the 
> subteam's topics to figure out.  although i'm 
> swayed by the argument that the registrars 
> remain authoritative since they're the ones in 
> contact with the registrant.  but it's too early to call that one yet.  :-)
The "authoritative" issues is one of those that I 
believe is not relevant to the PDP. There are a 
large number of thick Whois TLDs. However they 
work, so will any ones where we may recommend a 
transition from thin to thick. Why do we need to 
worry about it? There is (supposedly) a global 
review of Whois coming - which it is for, how it 
should work. If there is an issues regarding 
authoritativeness if the dichotomy between Rr 
Whois and Ry Whois remains, let them solve it.
I suspect that if and when the two versions of 
Whois disagree (and it can happen in both thick 
and thin), the problem is not solved by a ruling 
based on the book definition of who is 
authoritative, but on an investigation of the 
specifics to understand how the discrepancy crept in.
Why make work for ourselves?


> more hammering por favor.
Glad to be of service.


> thanks all,
>
> mikey
>
>
> On Feb 2, 2013, at 11:09 PM, Rick Wesson 
> <rick@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > all of the types of data collected by a registrar (or worse a
> > reseller) are not governed by the RAA. Data coverend by thick-whois
> > elements are in-scope for this discussion, all other data are
> > out-of-scope.
> >
> > For instance your mother's maden name if collected would have no
> > bearing on moving from thin to thick whois. Whois is about publishing.
> >
> > The move from thick to thin has no barring on the security of proxy
> > protected registrations.
> >
> >
> > -rick
> >
> >
> > On Sat, Feb 2, 2013 at 8:15 PM, Alan 
> Greenberg <alan.greenberg@xxxxxxxxx> wrote:
> >> I'll approach this from another angle. If "secret data" means information
> >> about the registrant that is not in Whois, it may well exist, but it is
> >> unclear to me what the relevance of such data is since it is not in Whois.
> >>
> >> It could include:
> >>
> >> - My mother's maiden name or birth date or the name of a first pet, which
> >> the registrar or proxy provider asks for as a means of verifying identity.
> >> The registrar does what it wants with this 
> data. Hides it away, plasters it
> >> on a public sign, whatever. It does not come 
> into the Whois equation in any
> >> way.
> >>
> >> - The registrant's real contact information if provided via a privacy or
> >> proxy service. The P/P service takes this data and substitutes its own for
> >> the purposes of the registration. It is this 
> information that appears in the
> >> registrar's whois database if they maintain 
> one, and in the registry's whois
> >> database for a thick registry. How safe or private the registrants
> >> information is depends on the P/P provider (which may be an arm of the
> >> registrar, or a separate entity altogether. Nothing in any current ICANN
> >> rule talks about what happens to this information and certainly nothing
> >> forces it to move anywhere. That is governed 
> by the terms and conditions of
> >> the P/P server to its customers  which presumably also reflect the legal
> >> regime under which it operates. Information *may* be revealed in a UDRP or
> >> other dispute *if* a proxy provider does not want to take full
> >> responsibility for how the domain is being used - but nothing to do with
> >> thick or thin whois models.
> >>
> >> - The registrant's real name. Identical 
> treatment as the contact information
> >> above.
> >>
> >> I have been told, but have never tried to verify the accuracy, that there
> >> are also current cases where a registrar may accept money for a (say) ten
> >> year registry but only present one year to the registry, resulting in
> >> different expiration dates. But that situation would be identical in both
> >> thin and thick as the expiration date is one 
> of the items that is supposedly
> >> echoed in both Whois's regardless of model.
> >>
> >> Regarding "authoritative", it is not clear to me who is authoritative in a
> >> thick model. I am not even sure exactly what 
> the term means. If it means who
> >> holds the version to be trusted and is correct if the two version differ,
> >> there seem to be various takes on this. The 
> UDRP tells dispute providers to
> >> go to the registrar to find out registrant information. I suspect (but do
> >> not know for sure) that this is an outcome of the only whois model that
> >> existed at the time the UDRP was created was 
> thin.  I have heard that it is
> >> not uncommon for a registry to make a chance in a thick model (such as a
> >> transfer ordered by a court) that for 
> whatever reason does not get reflected
> >> in the registrar's data.
> >>
> >> Alan
> >>
> >>
> >>
> >> At 02/02/2013 07:14 PM, Rick Wesson wrote:
> >>
> >>> Largely incorrect. There are not any definitions of personal data,
> >>> only registrant data. A proxy is often a subshell of the registrar
> >>> that preforms proxy functions for the 4 delivery mechanisms which are
> >>> postal, email, telephone and fax to reach one of the 4 potential
> >>> contact linked to a domain registration. Within the registrar they
> >>> function the same regardless of thick or thin whois style.
> >>>
> >>> The escrow contains all the same data in the whois record, it is
> >>> encrypted and help in an archive for backup and business failure.
> >>>
> >>> If there is business data that isn't in the whois document then
> >>> whatever business data you are referring to is also not escrowed or
> >>> specified as being required for publishing.
> >>>
> >>> Could you please, rather than draw a picture, simply enumerate this
> >>> data elements of which you speak that "never finds its way into the
> >>> whois." Please, if you could also include a link to a contractual
> >>> document specifying said data should be published and escrowed.
> >>>
> >>> thanks,
> >>> -rick
> >>>
> >>>
> >>>
> >>> On Sat, Feb 2, 2013 at 3:46 PM, Mike O'Connor <mike@xxxxxxxxxx> wrote:
> >>>> i'm a big fan of pictures, especially in policy papers, because they
> >>>> give me
> >>>> a chance to think about things in a different way as i draw them.
> >>>>
> >>>> i've been rereading the comments-summary document that Marika, Berry and
> >>>> Lars prepared and realized that i think a lot of the issues that are
> >>>> being
> >>>> raised are about the handling of data that never finds its way into
> >>>> Whois.
> >>>> so here's a thick-Whois based drawing to illustrate that.  as with
> >>>> everything else i do, it's likely to be wrong until the rest of you
> >>>> hammer
> >>>> on it a little bit.
> >>>>
> >>>> hammer away.
> >>>>
> >>>> mikey
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> PHONE: 651-647-6109, FAX: 866-280-2356, WEB: www.haven2.com, HANDLE:
> >>>> OConnorStP (ID for Twitter, Facebook, LinkedIn, etc.)
> >>>>
> >>>>
> >>
> >>
>
>
> PHONE: 651-647-6109, FAX: 866-280-2356, WEB: 
> www.haven2.com, HANDLE: OConnorStP (ID for Twitter, Facebook, LinkedIn, etc.)