[gnso-rds-pdp-wg] Question for Stephanie

Andrew Sullivan ajs at anvilwalrusden.com
Thu Dec 8 17:44:07 UTC 2016


On Thu, Dec 08, 2016 at 12:29:50PM -0500, Stephanie Perrin wrote:

> Furthermore, even the datestamp and registrar-generated data may reveal
> association of domains that leads you to the registrant.  Let's say I
> register ten names one day, with the same registrar,  one of which is
> Stephanieperrin.com, another is canadianconvertstoterrorism.com, is it not
> possible to find that cluster of registrations, and associate all domains
> with me?

If this were the only trail you left on the Internet while doing that
(and it isn't), I'd say it'd depend on your registrar.  If you
registered all those on the same day through GoDaddy, then no, I think
it'd be a ridiculous association (because GoDaddy is a large and busy
registrar and com is a very large zone).  If you registered them
through Andrew's Registrar and Bait Shop, then I think your terrorist
trainers did rather a bad job.  And of course, if you're doing this
sort of thing and value any sort of privacy, then you'd not use the
same registrar anyway.

> The data commissioners pointed out many years ago (2003 I think, I
> can check) that they had a problem with the reverse directory capability of
> the WHOIS, because it was not at all necessary for the functioning of the
> domain system, or at least ICANN had never made the argument.

Please don't leap to "the WHOIS", since it isn't plain what that
means.  We need to stick to specific fields here, please.  In particular,

> They did not
> think WHOIS should offer the capability of searching by registrant name.  I
> would argue further, these days, that publication of other data should not
> make registrant identity reasonably retrievable.

the registrant case is not relevant to the data we're talking about.
We'll never make any progress if we keep obliterating the distinctions
people are trying to draw.

> There is a question that I have in return.  I presume that much of the
> current configuration and policy of WHOIS and its data elements is based on
> simply building on a flimsy foundation.

Yes.  We took a phone book protocol that was perfectly good for a
network of 4000 people all under contract to the US DoD, and have used
it for more than 20 years on a large Internet involving all kinds of
people with all manner of contractual relationships.  This is why the
question of whether we can ditch whois makes me livid: it should have
been replaced approximately forever ago.

> concept of tiered access extensively in the EWG, but at least one member of
> that group (me) never understood whether the tiered access we were speccing
> is something that is technically possible but financially, legally and
> operationally infeasible.

RDAP is explicitly designed _on purpose_ to make this cheap and easy.
It was one of the goals that those of us who got the working group
going had.


-- 
Andrew Sullivan
ajs at anvilwalrusden.com


