[gnso-rds-pdp-wg] Mp3, Attendance & AC Chat for Next-Gen RDS PDP WG

Michelle DeSmyter michelle.desmyter at icann.org
Tue Aug 9 19:01:54 UTC 2016


Dear All,



Please find the attendance of the call attached to this email and the MP3 recording below for the Next-Gen RDS PDP Working group call held on Tuesday, 09 August 2016 at 16:00 UTC.

 Mp3: http://audio.icann.org/gnso/gnso-nextgen-rds-09aug16-en.mp3

The recordings and transcriptions of the calls are posted on the GNSO Master Calendar page:

http://gnso.icann.org/en/group-activities/calendar



** Please let me know if your name has been left off the list **



Mailing list archives: http://mm.icann.org/pipermail/gnso-rds-pdp-wg/



Wiki page: https://community.icann.org/x/DAOsAw



Thank you.

Kind regards,

Michelle



-------------------------------

Adobe Connect chat transcript for Tuesday 09 August 2016

 Michelle DeSmyter:Dear All, Welcome to the Next-Gen RDS PDP Working Group call on Tuesday, 09 August 2016 at 16:00 UTC.
  Michelle DeSmyter:If you wish to speak during the call, please either dial into the audio bridge and give the operator the password RDS, OR click on the telephone icon at the top of the AC room to activate your AC mics.  Please remember to mute your phone and mics when not speaking.
  Michelle DeSmyter:Agenda: https://community.icann.org/x/DAOsAw
  Michelle DeSmyter:Member page: https://community.icann.org/x/I4xlAw
  Maxim Alzoba (FAITID):Hello All
  Michelle DeSmyter:Hello, Welcome Maxim!
  Maxim Alzoba (FAITID):I called in via phone (poor ip connectivity)
  Chuck Gomes:Hi all.
  Richard Padilla:Hi all
  Susan Kawaguchi:Hello All
  Ayden Férdeline:Hi all
  Fabricio Vayra:we hear you
  marksv:resetting audio
  Alex Deacon:...and thanks to Mark for getting to the place we are today problem statement-wise!
  Maxim Alzoba (FAITID):last thing was about review of triage
  Marina Lewis:hi everyone
  Kal Feher:I'm not aware of any obligation on an Escrow Agent to check RDS. they simply need to ensure the deposit is valid. They do not cross reference data as part of their current contract AFAIK
  Fabricio Vayra:+1 to Steve M.  The UDRP and URS rules rely on complainant needing access to RDS data and thus they are stakeholders too.
  Daniel K. Nanghaka:Sorry am late
  Daniel K. Nanghaka:Have been in another meeting
  Andrew Sullivan:Escrow operators do in fact get data encrypted.  They can validate it, though, because it's encrypted to their key
  Kal Feher:escrow data is encrypted on receipt by the agent. but they decrypt it.
  Maxim Alzoba (FAITID):Escrow Operators have keys with the data :)
  Maxim Alzoba (FAITID):encryption is for sending file only
  Marika Konings:If I am not mistaken, P/P provider has 2 business days to 'reveal' following request of confirmation of registrant. After that, it is up to the panel whether to accept a reveal or not.
  Maxim Alzoba (FAITID):this use case could be split into two or three
  Alan Greenberg:@Marika. as I recall, the P/P provider may not reveal, but in that case, they take responsibility for whatever the domain is being used for. Something the normal providers will not do.
  Marika Konings:@Alan - yes that is correct. If they still decide to reveal at a later stage, it is up to the discretion of the UDRP Panel to accept updating the complaint with the information of the underlying P/P customer or not.
  Lisa Phifer:@Maxim thank you
  Marika Konings:If I recall well from the discussions in the PDP, in some cases the UDRP Panel would name both or refuse to update the complaint and maintain the P/P provider as the defendant.
  Fabricio Vayra:RAA 3.7.7.3 A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party providing the Registered Name Holder reasonable evidence of actionable harm.
  Fabricio Vayra:which is why P/P unmask when a UDRP etc. is upon them.
  Lisa Phifer:@Maxim, I think identifying the data required by each of these actors more specifically and if it comes from WHOIS today would be helpful
  Maxim Alzoba (FAITID):we might need to ask Michelle when he is back - about Registrar caused service use cases
  Kal Feher:@maxim. escrow agents do not need to cross reference with RDS. they simply validate the contents is correctly formatted
  Maxim Alzoba (FAITID):@Kal , it is not clear from the text of the contract
  Maxim Alzoba (FAITID):I refer to Registry-Escrow Operator contract
  Kal Feher:yes. they validate the contents to ensure that it meets the RA requirements
  Kal Feher:they are not obligated to confirm that any of the records which appear in the deposit actually exist or that they match what is in the SRS
  Susan Kawaguchi:What about statuses of the domain name registration
  Fabricio Vayra:Ayden - Under this model, how do disputes get resolved, where, against whom, on what basis?
  Andrew Sullivan:The authInfo should most definitely _not_ appear in the RDDS, though as Chuck is saying we shouldn't discuss that
  Susan Kawaguchi:+1 Andreww
  Susan Kawaguchi:Andrew
  Lisa Phifer:WHOIS misuse study link http://whois.icann.org/sites/default/files/files/misuse-study-final-13mar14-en.pdf
  Maxim Alzoba (FAITID):@Susan , do you refer to URS case? ( during the URS process, URS operator issue orders to Registry to set Server statuses)
  Maxim Alzoba (FAITID):and then they check it (I assume)
  Lisa Phifer:The above link refers to a study that attempted to examine various kinds of WHOIS data misuse and to determine which data elements were misused most often or most impactful on the registrant
  Alex Deacon:@andrew +1
  Fabricio Vayra:+1 Mark
  Richard Padilla:Sorry not hearing the speaker
  Benny Samuelsen / Nordreg AB:So we need to kill off services like domainstools and everyone else which run whois history snaps
  Benny Samuelsen / Nordreg AB:domaintools.com
  Maxim Alzoba (FAITID):@Benny, it is virtually impossible, only publicly available tools are visible
  Andrew Sullivan:"misuse of whois data" != "misuse of RDDS data", though, so as long as we keep that in mind I'm ok
  Andrew Sullivan:That is, everyone who has the slightest technical clue about this knows that whois is a terrible protocol and you can't build a reasonable service on top of it
  Benny Samuelsen / Nordreg AB:@Maxim exactly, we are discussing how to prevent this by RDS but it's not worth anything if those services are still open for everyone
  Fabricio Vayra:+1 Alan
  Andrew Sullivan:so we need to distinguish "getting data out easily/freely/without authentication" and "whether the data is in there".
  Stephanie Perrin:+1 Andrew.
  Maxim Alzoba (FAITID):info leaks only once ... then it is replicated .
  Fabricio Vayra:+1 Andrew
  Susan Prosser:+1 Alan
  Andrew Sullivan:Since I've made this point repeatedly, in the future I will abbreviate it "ObDistinctionDataAndAccess" :-)
  Alan Greenberg:@Andrew. Definitely. The identifying data does not need to be in the DNS, but does need to be available in the RDS.
  Maxim Alzoba (FAITID):@Alan, it creates superregistry ... like TMCH, but worse :)
  Fabricio Vayra:+1 Alan
  Kal Feher:it's only useful to filter data in the nextgen RDS if it is the only source of data for whois aggregation. do we imagine that the nextgen RDS will become the only channel for registry data? or will we try to apply the same permissions model to all registry services?
  Maxim Alzoba (FAITID):we should not forget about ccTLDs , who, most probably will stick to WHOIS for some time
  Fabricio Vayra:I would add to the data elements needs in TM use case
  Alan Greenberg:What ccTLDs do is both out of our control and out of scope for the PDP.
  Fabricio Vayra:Who, where and for how long is relevant/necessary to consider TM infringement.
  Andrew Sullivan:If the content on the site is a problem, there are two positions that people take
  Maxim Alzoba (FAITID):@Alan, agree
  Andrew Sullivan:(1) you should be able to find the address of the person operating the site and therefore RDS is good for this
  Andrew Sullivan:(2) you should find out the address of the person operating the server, in which case domain name registration is not what you want: contact the server operator or ISP
  Lisa Phifer:@Mark, are those data elements of the registrant, admin contact, tech contact, or all of those?
  steve metalitz:Not clear whether the ultimate "success rate" in variant 2 is relevant -- the requirement to identify/contact the registrant is the same -- isn't it?
  Fabricio Vayra:+1 Steve
  marksv:hard to hear
  Lisa Phifer:@Mark, my question was getting at identifying the party who needs to be identified for legal action - may not be a tech contact but the registrant itself
  Alan Greenberg:@Steve, success rate is relevant if the rate is zero though.
  Benny Samuelsen / Nordreg AB:I still have trouble seeing how we can control use of data and who gets access
  Benny Samuelsen / Nordreg AB:there is no way we can control leaks
  Fabricio Vayra:@Benny - See EWG recommendation re: gating
  Benny Samuelsen / Nordreg AB:as far as I can see
  Kal Feher:I think it is important to note that there will be lots of organisations with similar motivations or desires, but they will have different competencies and different data protection obligations. so goal will be the same, safety of the data will not
  Richard Padilla:Sorry guys got to go another meeting to attend
  Andrew Sullivan:I believe that this is an incredibly rare use of the RDS, and I believe that this is what EV certificates are for
  Ayden Férdeline:+1 Andrew. I very much doubt a sizeable volume of consumers are using WHOIS for this purpose.
  Andrew Sullivan:(But I'm prepared for a counterargument)
  Andrew Sullivan:I think it's a legit use case, but in prioritisation if we lose this one it's not the end of the world
  steve metalitz:@Andrew, I have done this as well and know others.  Those are anecdotes but I recall that ICANN developed some data on this use case in the past.
  Andrew Sullivan:I am fully prepared to believe that anyone who knows what an ICANN is might do this ;-)
  Holly Raiche:This brings up the debate in the P/P Services WG and whether we should have distinguished between commercial entities and non-commercial entities
  marksv:+1, seems like a "nice to have", but not top priority use case
  Marina Lewis:@Andrew and Ayden...glad you guys are prepared for the counter-argument.  ;-)  I use the WHOIS to verify the identity of websites and email addresses ALL THE TIME.  It's no different than looking up the agent for process of service for a company with which one wants to do business.  You want to know who you're giving your money and info to.
  marksv:hmmm
  Susan Prosser:+1 Steve, I hear this use case often
  Ayden Férdeline:@Steve and Marina - Given, I am told, that WHOIS data is often unreliable, I would hope not many consumers are turning to WHOIS to source this information… ;-)
  steve metalitz:Another similar (not identical) use case is parents looking into who is responsible for a web site their child is visiting (or wishes to visit).
  Lisa Phifer:@Andrew re: certs, Geoff Noakes is preparing an example use case to describe what cert issuers need  - that would be a prerequisite for relying on EV certs instead?
  Andrew Sullivan:@Marina: why do you believe the whois in that case instead of your EV cert?
  Benny Samuelsen / Nordreg AB:Sorry but RDS can't cure stupidity...
  Susan Prosser:@Fab - wouldn't the brand (manufacturer) also be a stakeholder?
  Marina Lewis:Hey Ayden...actually it does help because if the WHOIS is totally random, I'll likely stay away from that site.
  Elaine Pruis:apologies I have to drop off now
  Fabricio Vayra:@Susan - I suppose, if they are different from the registrant
  Ayden Férdeline:I have been told that the Whois Review Team did an independent study which found that consumers have no idea that Whois even exists…
  Lisa Phifer:@Susan, that's the entity associated with the domain name
  Ayden Férdeline:@Marina point taken there ;-)
  karnika seth:the voice is not clear can't hear
  Lisa Phifer:@Ayden, that was not the WHOIS RT but there is a separate study on consumer confidence and trust that conducted some studies
  Benny Samuelsen / Nordreg AB:most people don't even know what whois is and how to use it...
  Alan Greenberg:Just to be clear, I also am one of the people who do this regularly.
  Marika Konings:@Alan - I think those types of web-sites already exist that indicate whether a certain site is 'legit' or not. Presumably they use the WHOIS data as part of their assessment (e.g. when was the domain created)
  Marika Konings:and I have to admit, I have done the same thing :-)
  Alan Greenberg:The legit sites exist, but the ones I have used do not seem to be contingent on whois but rather website comments.
  Benny Samuelsen / Nordreg AB:there are plugins for firefox doing this already showing the basic info but most people don't understand these data
  Alan Greenberg:Oops - contents
  Alex Deacon:@andrew - not all web sites use EV certs. In a world of free web server certs based on "domain validation" the in the cert (or which the issuance of the cert was based on) is only good as the rds/dns data.
  Benny Samuelsen / Nordreg AB:@alex +1
  Marina Lewis:Alex +1
  Lisa Phifer:@Ayden, see https://www.icann.org/news/announcement-2-2016-06-23-en
  Kal Feher:it's common to have agents register domains for you as well.
  Holly Raiche:Tks Andrew
  Ayden Férdeline:Thanks @Lisa
  steve metalitz:@Andrew, does your disapproval of this use affect whether we should consider it as a use case?
  Andrew Sullivan:@Steve: During the call, I convinced myself that I think the particular use case is dangerous, yeah.
  Andrew Sullivan:so we shouldn't accommodate it.  _However_
  Alex Deacon:It's clearly a valid use case, and one I suspect will underlie and drive much future conversation/debate.
  karnika seth:I think we should consider this use case
  Marina Lewis:How can looking up WHOIS be dangerous?  If you're savvy enough to know what it is, you probably know its vulnerabilities.
  Andrew Sullivan:it is possible that a modification to it, which increased the value of the RDS for reputation services
  karnika seth:I think we should consider this use case
  Andrew Sullivan:@Marina: right now, not a problem.  But right now, it's also such a tiny use case that it's hardly interesting
  Alan Greenberg:@Stephanie, it is correct that I may pass over some legit small vendor because of their lack of definitive whois information, but as you point out, consumers are on their own and there are a lot of nasty people out there, so I used whatever I can.
  karnika seth:i think we should consider it
  Andrew Sullivan:I think that what Rod is saying is more interesting, but I think that a "URL bar marker" of "who owns this domain" opens a whole new kind of consumer fraud that doesn't exist now
  Susan Prosser:+1 Rod, very valid use case
  Marina Lewis:I believe we should absolutely consider this use case.  To me, this is the most fundamental way in which one can use RDS:  I am an Internet user.  I want to visit a website.  I wanna know whose website that is before I send them credit card info.  What is unreasonable about this?
  karnika seth:there is no voice ??
  karnika seth:no audio??
  Alex Deacon:audio is fine for me
  Lisa Phifer:audio is fine for me too
  Andrew Sullivan:@Marina: I would like evidence that any human who is not involved in ICANN or the IETF has ever used the whois this way
  Stephanie Perrin:@Alan, governments ought to regulate e-commerce. Sacrilege to talk about regulation here at ICANN, but commerce is regulated in the bricks and mortar world, there is no reason not to insist on vendor data of some kind (not necessarily the home address of Steph's homemade quilts), to be prominently displayed online. Savvy home entrepreneurs selling goods would be in good standing with their local small business association. This is not an area where ICANN needs to play.
  Andrew Sullivan:Well, ok, ever used it that way since, say, 1999
  Ayden Férdeline:The study that Lisa linked to, commissioned by ICANN and conducted by Nielsen, found that no consumers even knew what WHOIS was. Around 5% of the most experienced Internet users did.
  Fabricio Vayra:Ayden - No knowledge may = missed opportunity
  Fabricio Vayra:& 5% of all internet users = a lot
  Stephanie Perrin:As I said a minute ago, let me repeat it....massive public education job, Fab. Who is going to take that job on? Please don't suggest using the auction funds.....
  Fabricio Vayra:@Stephanie - you said it for me :)
  Maxim Alzoba (FAITID):public companies data is available
  Marina Lewis:@Andrew - not sure what kind of evidence you're looking for, but I talk to clients all the time whose marketing and promotions people (granted, who work with websites) know what WHOIS data is.
  Kal Feher:this seems like a user story for whois validation
  Maxim Alzoba (FAITID):so it could be taken from other sources
  karnika seth:we have seen mails requesting to verify WHOIS data, there are many inaccuracies, some deliberate, some not!
  Stephanie Perrin:I guess we worked together too long Fab....:-)
  Holly Raiche:@Stephanie - Isn't this part of the discussion conducted in the P/PWG?
  Ayden Férdeline:@Fabricio – That 5% claim to know what WHOIS is does not mean they actually use the service. I would not be surprised, if we looked at the margin of error, to find that some people will say they’ve heard of anything…
  Stephanie Perrin:Indeed yes Holly, we did get into it quite a bit.
  Stephanie Perrin:and welcome back!
  Marina Lewis:I'm guessing from all these comments about the "5%" that maybe we should pay more attention to educational outreach.  :-)
  Stephanie Perrin:Not within the ICANN mandate marina, in my view....
  karnika seth:we have seen mails asking registrants to verify registrant data, some information is inaccurate (deliberate and maybe not)!
  Ayden Férdeline:@Marina - Careful what you wish for. Consumers may be very concerned if they realise that it’s not only information of other website owners in there – but their personal data, too!!
  karnika seth:my chat window doesn't seem to work fine!
  Fabricio Vayra:@Marina - And possibly, going forward, if instance of occurrence falls below a certain margin then it's not valid and we do not consider use cases across the board
  Alan Greenberg:Probably less than 5% of users follow good practices in setting and changing their many passwords. That does not make it something that we should not advocate.
  Fabricio Vayra:stated differently, if someone can't show mass occurrence it's not relevant, I guess?
  Marina Lewis:@Stephanie - I disagree.  Maintaining the safety and security of the DNS is absolutely within ICANN's scope.  That includes consumer safety.
  Fabricio Vayra:+1 Alan
  Stephanie Perrin:It remains to be proven that putting consumer data and the data of small entrepreneurs in an open registry is useful to the safety and security of the DNS.
  Alan Greenberg:Loud typing!
  Marina Lewis:To me, it seems we all care about the same thing:  not letting bad people do bad things to good people.  We seem to diverge on our opinions of where that threat comes from.
  karnika seth:are you able to hear anything??
  Ayden Férdeline:+1 Stephanie
  Ayden Férdeline:@Fabricio – We need to differentiate between use and misuse cases here. Whether it is frequent or not, even one instance of the RDS being misused is too many in my mind.
  Fabricio Vayra:@Stephanie - Under that logic, we could say "it remains to be seen whether removing data from public access via RDS helps with privacy"
  Maxim Alzoba (FAITID):could we name bad use cases - negative use case?
  Marina Lewis:@Stephanie - domain name registrants are not "consumers" in my opinion.  The people who visit their websites (or receive their emails or purchase their domain name registrations) are.
  Andrew Sullivan:@Marina: you seem not to be attending to the difference between "who registered this domain name?" and "who is operating this site?"  What you're trying to identify is the latter
  Fabricio Vayra:@Ayden - From the same token, just one saved consumer is worth it
  Andrew Sullivan:and the RDDS will give you the former
  Ayden Férdeline:@Maxim: I prefer "misuse cases". I would not want to have any use cases referred to as "positive" ones before we enter into our deliberations.
  Andrew Sullivan:the gap there is an invitation to consumer fraud
  Andrew Sullivan:that's the reason there's a problem.  I agree with Rod that you might be able to use the data as part of a reputation service
  Lisa Phifer:Michele's domain name control cases would be helpful
  steve metalitz:Could you specify the topics of Michele's and Rod's use cases?
  Maxim Alzoba (FAITID):@Ayden , it might be better
  Marina Lewis:@Andrew - they are two different things, and I am aware of that.  However, when trying to determine the identity of the bad actor behind the website, the DN registration info is the best place to start.
  Rod Rasmussen:Just to be clear - lots of people already ARE using whois data as part of a reputation service. :-)
  steve metalitz:@Lisa thanks for reminder....
  Marina Lewis:Frankly, I think if we had a more robust and accessible WHOIS system, many more people would use it.
  Stephanie Perrin:On the issue of the use of the term "consumer" perhaps we should distinguish between end users of the DNS (registrants etc) and end users of the Internet. In my view, how end users of the Internet (web surfers) are protected
  Kal Feher:yay for alt time!
  Stephanie Perrin:Is not within the remit of ICANN, sorry for the break in the sentence
  Fabricio Vayra:Thanks all!
  marksv:great meeting, thanks - bye till next time
  Maxim Alzoba (FAITID):bye all
  Ayden Férdeline:thanks all
  Nathalie Coupet:bye! thanks chuck
  Marina Lewis:Thanks all!  Have a good week.
  Alex Deacon:bye all
  Andrew Sullivan:bye all
  Patrick Lenihan:Very informative presentations and chats.....!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Attendance Next-Gen RDS PDP 09 August 2016 Sheet1.pdf
Type: application/pdf
Size: 32657 bytes
Desc: Attendance Next-Gen RDS PDP 09 August 2016 Sheet1.pdf
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160809/fbfb7198/AttendanceNext-GenRDSPDP09August2016Sheet1.pdf>