[gnso-rds-pdp-wg] One Way Gated Access to Data Might Work

Hollenbeck, Scott shollenbeck at verisign.com
Fri Dec 9 12:25:04 UTC 2016


I like to explore how systems might work by putting thoughts into action with running code. I have a working implementation of RDAP with client authentication that might be useful in helping people see how some of our data element and data access ideas might actually work in practice. The implementation currently includes three levels of client/end user access:

1. Unauthenticated: a client that does not provide any authentication information to the server will receive responses that include very little information beyond what is currently available from the DNS.

2. Authenticated Basic: a client that authenticates using an easily acquired, open credential (like a Gmail or Hotmail email account) will receive additional information (like registration dates and domain status values), but no personally identifiable contact information.

3. Authenticated Advanced: a client who authenticates using a specialized identity provider (we currently support providers implemented by Verisign Labs, CZNIC and an interoperability test provider) will receive full access to all available data. The purpose of the query can be identified and shared with the server operator, who can use the client-supplied identity information to make fine-grained access control decisions.

A web-based front-end to the service can be found here:

https://rdap.verisignlabs.com/

We currently support entity (contact), name server, and domain lookup and search queries for the .cc and .tv ccTLDs. You can use the nic.tv domain for basic exploration. Try it out with your Gmail address using the "Authenticate" button to see the difference between authenticated and unauthenticated behaviors.

A word of warning: RDAP responses are JSON-encoded and *very* character-dense. It may help to have a JSON pretty printer plugin installed in your browser.

Anyone who wants a test account from Verisign Labs for advanced authenticated access can have one for the asking. Please reply directly to me and I'll make sure you get set up.

A logical conclusion, should we decide to pursue this line of thinking, is that there will be a need for identity providers who are able to issue user credentials to people who belong to specific communities of interest. Policies will need to be developed to determine which communities of interest get access to which data elements.

Scott
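
[Added example, not part of the original message and not Verisign Labs' code: a sketch of how a server could map a client's identity provider to one of the three access levels described above and release RDAP response members accordingly. The issuer URLs, the per-tier member lists, and the rule that an unknown issuer is treated as unauthenticated are assumptions; the claims are assumed to come from a token the server has already validated.]

```python
import copy

UNAUTH, BASIC, ADVANCED = 0, 1, 2
# Constructed issuer identifiers (placeholders, not real provider URLs).
OPEN_ISSUERS = {"https://open-idp.example"}
SPECIALIZED_ISSUERS = {"https://community-idp.example"}
# RDAP member names released at each tier (assumed policy); higher tiers inherit lower ones.
TIER_FIELDS = {
    UNAUTH: {"objectClassName", "rdapConformance", "ldhName", "nameservers", "notices"},
    BASIC: {"handle", "status", "events"},
    ADVANCED: {"entities", "secureDNS", "links"},
}

def tier_for(claims):
    """Map already-verified identity claims (or None) to a tier, failing closed."""
    if not claims:
        return UNAUTH
    issuer = claims.get("iss")
    if issuer in SPECIALIZED_ISSUERS:
        return ADVANCED
    if issuer in OPEN_ISSUERS:
        return BASIC
    return UNAUTH  # unknown issuer: no more than an anonymous client gets

def filter_response(obj, tier):
    """Copy an RDAP object, keeping only members on the allow-list for this tier."""
    keep = set().union(*(TIER_FIELDS[t] for t in range(tier + 1)))
    out = {}
    for key, value in obj.items():
        if key not in keep:
            continue
        if key == "nameservers":
            # Recurse so contacts nested under name servers are withheld too.
            out[key] = [filter_response(ns, tier) for ns in value]
        else:
            out[key] = copy.deepcopy(value)
    return out

# Constructed sample domain response (not real registry data).
SAMPLE = {
    "objectClassName": "domain",
    "ldhName": "example.tv",
    "handle": "D-0001",
    "status": ["active"],
    "events": [{"eventAction": "registration", "eventDate": "2010-01-01T00:00:00Z"}],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example.tv",
                     "entities": [{"objectClassName": "entity", "handle": "C-9"}]}],
    "entities": [{"objectClassName": "entity", "handle": "C-1", "roles": ["registrant"]}],
}
```

Because the filter is an allow-list, a member the policy has not classified is withheld at every tier until someone assigns it to one.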


