[gnso-whois-study] FW: Response to Request regarding WHOIS and IRIS
- To: "gnso-whois-study@xxxxxxxxx" <gnso-whois-study@xxxxxxxxx>
- Subject: [gnso-whois-study] FW: Response to Request regarding WHOIS and IRIS
- From: Liz Gasster <liz.gasster@xxxxxxxxx>
- Date: Mon, 19 May 2008 19:12:55 -0700
All, here is information as requested from Steve Crocker on behalf of the SSAC
on WHOIS and IRIS (and our apologies for delay).
Thanks, Liz
From: Steve Crocker
Sent: Monday, May 19, 2008 4:26 PM
To: Gasster Liz; Liz Gasster
Cc: Steve Crocker; Denise Michel
Subject: Response to Request regarding WHOIS and IRIS
Liz,
Apologies and thanks for the nudge. We drafted a response a while ago and
there's been some very active discussion in the background. We didn't complete
the internal discussions we had in mind, but the direction is clear so I am
sending you this on my own and with a pretty good sense that it represents our sense
of the right approach. This is a bit lengthy because I am including some
background and commentary. The short, bulletized version is
o The WHOIS system is broken
o A complete revision is needed
o The revision must lay out the desired policies
o The technical foundation should fit the desired policies, if feasible. As a
reasonably informed guess, IRIS, developed by the IETF, is likely to fit the
need.
o A substantial technical examination is needed. This is beyond SSAC's
capabilities. We recommend GNSO ask staff to initiate an effort similar to the
way RSTEP studies are carried out.
Here's the full response.
You originally asked:
From: Liz Gasster
Sent: Thursday, April 17, 2008 12:45 PM
To: Crocker Steve
Cc: Denise Michel
Subject: Request regarding WHOIS and IRIS
Hello Steve,
The GNSO Council has a "WHOIS study group" underway, to consider what if any
studies, surveys or other fact-finding research or analysis should be conducted
that would be constructive in further informing the policy debate on WHOIS. We
have already solicited study suggestions from the public and we are in the
process of discussing different views about what studies might be useful, if
any. The group would like to get some more information about what it would
take to implement IRIS from both a technical and policy perspective. I'm not
sure if this would be of interest, but would you have a thought about whether
this is something that someone from the SSAC might like to participate in, for
example, to give a short overview and answer questions? This might be too
short notice, but our next call is Tuesday the 22nd at 11 EST, and we will
probably meet several more times at the same interval weekly.
The participants in the group, in addition to ICANN staff, are as follows:
Jordi Iparraguirre - gTLD Registry C
Ken Stubbs - gTLD Registry C
David Maher - gTLD Registry C
Steve Metalitz - IPC
Lee Eulgen - IPC
Steve DelBianco - CBUC
Tony Harris - ISP
Tim Ruiz - Registrar
Paul Stahura - Registrar
James Bladel - Registrar
Krista Papac - Registrar
Stéphane Van Gelder - Registrar
Eric Brunner-Williams - Registrar
Danny Younger
Beau Brendler
Wendy Seltzer - ALAC Liaison on the ICANN Board
Thanks so much for considering,
Liz
Our bottom line conclusion is that the current whois system is broken and needs
to be replaced completely. The underlying technical structure should be
replaced with an appropriate database-oriented approach, and the policies about
what information is included, what level of accuracy is required and what
access should be provided to whom should be approached with a clean slate. The
technical foundations are probably in the best shape with the work on
CRISP/IRIS in the IETF.
A different but also relevant wrinkle is the consequences of IDNs. So far as
we have been able to see, despite an enormous effort to bring IDNs into the
domain name system, essentially no thought has been given to internationalizing
the whois database.
The magnitude of the change we're advocating requires substantial time and
effort. It obviously cannot happen overnight, so there is plenty of room to
argue about what to do in the interim. However, those discussions will take on
a very different tenor if it's clear where things are going in the medium to long
term future.
As you know, we formally commented to the GNSO in
[SAC027]: SSAC Comment to GNSO regarding WHOIS studies (7 February 2008)
http://www.icann.org/committees/security/sac027.pdf
The full text is relevant to this discussion, so I am including it in its
entirety below.
7 February 2008
SAC027: SSAC Comment to GNSO regarding WHOIS studies
The Security and Stability Advisory Committee thanks the GNSO for the
opportunity to comment on future studies related to WHOIS. SSAC has conducted
studies on WHOIS in the past (SAC 014, Information Gathering Using Domain Name
Registration Records 28 September 2006, and SAC 023, Is the WHOIS Service a
Source for email Addresses for Spammers? 23 October 2007) and believes
additional studies may prove valuable.
SSAC members have and will continue to work with the GNSO to provide a viable
and scalable solution to the administration and access of domain name
registration information. To do so, we believe it is useful to consider the
following matters:
* To date, little progress has been made towards the development of a formal
directory service for the Internet. While the development of technical standards
for the Internet is not an ICANN activity, the ICANN community would benefit
from the use of a formal directory service.
* In the absence of a formal directory service, the Internet community has
attempted to "make do" with available protocols/services. The adaptation of the
WHOIS protocol by the domain name registration community is a noteworthy
example.
* Considerable technical shortcomings prevent WHOIS services from satisfying the
needs of the domain name community in areas of authentication, data accuracy,
data confidentiality, and data integrity. SSAC observes that it is unlikely
that this rudimentary protocol could be improved to overcome these shortcomings.
* The limitations of the WHOIS protocol and variability among WHOIS
implementations and services contribute to the poor quality of domain name
registration data currently available.
* The domain name registration community has focused its attention on
compensating for (3) through policy definition and enforcement. However, policy
alone will not provide the Internet community with a secure and reliable
directory service capability that is able to satisfy the needs of diverse
Internet constituencies. SSAC believes that this objective can only be achieved
through a combination of policy development and implementation of a standard,
uniform directory service that provides authentication, data confidentiality,
data accuracy and data integrity services.
On these bases, SSAC recommends the following:
1. The GNSO should continue current and proposed work to resolve legal and
privacy issues within the existing WHOIS framework. SSAC believes that studies
that catalog legitimate uses as well as abuses of domain registration
information, continued studies regarding privacy, and studies that consider
finer-grained access and role-based access control models for WHOIS can help
the community establish requirements for the administration of domain
registration information.
2. ICANN should take aggressive measures with respect to improving registration
data accuracy and integrity. Future agreements should include data accuracy and
integrity (e.g., archival and restoration) guidelines and should include
provisions for sanctions or other penalties for those who do not comply with
these guidelines.
3. The ICANN community should adopt an Internet standard directory service as an
initial step toward deprecating the use of the WHOIS protocol in favor of a more
complete directory service. SSAC encourages the ICANN community to study the
standards developed by the IETF's Cross Registry Information Service Protocol
(CRISP) Working Group. In particular, SSAC urges the GNSO to consider the
requirements for CRISP identified in RFC 3707 and the set of RFCs associated
with the Internet Registry Information Service (IRIS) (RFCs 3981 - 3983) which
appear to provide sufficient features and services to meet the needs of the
domain registration community.
4. ICANN should work with all TLD registry operators to develop a timeline and
transition plan for migrating from the current WHOIS service to a successor
Internet "domain" directory service.
SSAC looks forward to participating in these activities.
With all of the above as background, here is our suggestion for the GNSO at
this point.
In response to SSAC's Comment to GNSO regarding WHOIS studies (7 February 2008,
at http://www.icann.org/committees/security/sac023.pdf), a GNSO Council WHOIS
study group has asked SSAC to provide more information about what it would take
to implement IRIS from both a technical and policy perspective.
We are pleased that the GNSO intends to pursue this study topic and have the
following additional comments to offer.
In SAC023, we recommended that the ICANN community adopt an Internet standard
directory service. We also suggested that the community review the Internet
Registry Information Service (IRIS) standards developed by the IETF's Cross
Registry Information Service Protocol (CRISP) Working Group. We further
suggested that the community should study at least three important features
provided by many directory services, assess the utility of these features in
the context of domain name administration, and include provisions for these
features in policy development.
Auditing: SSAC believes that most constituencies would benefit from having a
detailed auditing capability with respect to access to registration records.
SSAC has consistently regarded a domain name as an asset. Thus, the registrant
should be able to know who's checked his record. LEAs, IP attorneys, brand
defenders, business constituents, and general public may all have a legitimate
reason in some context to know who's checked a record. This implies identity
verification but it doesn't have to be linked to tiered access. SSAC believes
this is a desirable feature and the community should consider how to
incorporate it into a policy.
Access control: Having an access control model should not be controversial and
SSAC believes this should also be incorporated into policy. The finer points of
how access controls are applied, to whom they are applied, and for what purpose
(e.g., privacy) merit further discussion. But a consensus policy should at
least reflect the community's awareness that "access controls are needed, and
in principle, there are legitimate purposes for LEAs, IP attorneys, brand
defenders, business constituents, and general public to access registration
records". Most importantly, the access model should accommodate these purposes
to the extent they are permitted by applicable laws. A benefit of a
well-defined access control model is that you could, in principle, apply
privacy controls to individuals according to whatever the prevailing privacy laws
demand.
Data integrity (accuracy): We believe it is imperative that a directory service
study should consider data accuracy and abuse prevention. The substitution of a
directory service for WHOIS does not assure improved accuracy, but SSAC
believes that a re-examination of the ways current registration practices are
exploited, including consideration of methods to corroborate contact and
billing information registrants submit prior to including a domain name in a
TLD zone file, are necessary irrespective of whether WHOIS persists or a
successor directory service is adopted.
Careful deliberation of these features alone requires the focused attention of
individuals who have extensive directory service expertise and are also very
familiar with domain name registration processes, and this list is but a sample
of the issues that should be factors in policy development. The level of
effort required for such work exceeds the resources SSAC can bring to bear.
Instead, we recommend there should be a focused technical effort similar to the
way the RSTEP process is run for examination of proposed registry service
changes. We recommend GNSO ask the ICANN staff to create such an effort on
behalf of the GNSO WHOIS process.