Upon the security of a WHOIS request and IRIS
It has been reported by many, through anecdotal reports, that WHOIS lookups are the direct cause by which certain "domain tasters" acquire a domain for five days or more. Since it is a concern for domain name researchers, it would be a move in the right direction to begin testing secure methods of WHOIS lookups. This is only intended to be a brief comment, however I would envision that a more detailed proposed stop-gap measure should be described to solve this issue. New proposed requirement on WHOIS: 1. First off, the RFC 3912 (published in 2004 by Verisign) already disclaims the port 43 WHOIS lookup from being secure or robust. "For historic reasons, WHOIS lacks many of the protocol design attributes, for example internationalisation and strong security, that would be expected from any recently-designed IETF protocol. This document does not attempt to rectify any of those shortcomings." 2. The IETF working group, CRISP, has concluded, and has offered to implement an approved cure. See http://www.ietf.org/html.charters/crisp-charter.html "IRIS provides no authentication or privacy facilities of its own. It relies on the application-transport layer for all of these abilities. Implementers need to fully understand the application-transports employed by IRIS." From http://tools.ietf.org/html/draft-ietf-crisp-iris-core-05#section-10 From RFC 3981: http://www.ietf.org/rfc/rfc3981.txt "The IRIS XML layer provides no authentication or privacy facilities of its own. It relies on the application-transport layer for all of these abilities. Application-transports should explicitly define their security mechanisms (see Section 8.2)." And from: RFC 4698: http://tools.ietf.org/html/rfc4698 "This registry type uses the default server authentication method as described in IRIS-BEEP" which is RFC 3983, http://www.ietf.org/rfc/rfc3983.txt also know as IRIS over BEEP: "Proposed Name: IRIS over BEEP" 3. In other words, by using IRIS over BEEP, the transport layer of the communication between the requester and the server can be made secure using TLS, an encryption standard. It is transport layer security in which I believe most people are concerned about when it comes to "domain tasters" discovering what domains are being queried using the old WHOIS. 4. It would appear that RFC 4698 and RFC 3983 are on the standards track, but not approved. However, I believe that if ICANN took a step to requiring registrars to begin implementing IRIS and areg, then we may be closer to realizing a secure transport layer. 5. ICANN can and should study a requirement that would coerce all registrars to allow secure WHOIS or areg lookups of their database. And there should be a requirement to force all inter-registrar lookups to be done using a secure means. Furthermore, it would be necessary that Verisign also support a secure lookup of registry data. 6. The goal is to implement an end-to-end data encrypted transport of domain lookups, from the requester, to the registrar, to the registry, and back. A man-in-the-middle attack would be rendered futile. The only successful "man" in the middle attack would have to be the registrar (of which some are domain tasters, as we all know) or Verisign. Calling a registrar into accountability, or Verisign, for that matter, might be difficult. However, domain searches could easily bypass the registrar and be made only to Verisign. 7. WHOIS dates from 1982 or perhaps earlier. Requiring any additional type of data request would be difficult to implement rapidly just due to the fact that replacing an old protocol is not normally immediate. The best practice would be to suggest and then require the new IRIS areg, and later to drop the WHOIS requirement. That entire process could take ten years, but considering technology's rapid advancement, secure transport of data will be easy and widespread by then. The computational difficulties will have nearly vanished in that time frame. Thanks for your consideration. Billy Newsom |