[gnso-rds-pdp-wg] Some reasoning about non-contact-data (was Re: key concepts: say "contact data" when that is what we mean)
Rob Golding
rob.golding at astutium.com
Sat Dec 10 04:00:11 UTC 2016
> Expiration dates allow registrants to see when their names are
> expiring; a domain management task.
Domain management is done by Registrants at their Registrar, who will
know the dates (and indeed should be the authoritative source for those
dates) - the domain can't be "managed" anywhere else or (in most
circumstances) by anyone else
Dates are not necessarily "correct" on a whois (so for 1/12th of the
year tend to confuse more than they help) due to registrar auto renewal
and so on
And in my experience very few registrants understand whois, and the
majority of those that do at least "get it" incorrectly use 3rd party
sites, cached database copies, random google links, clickbaits etc and
not the registry/registrar version anyway
- so the potential for mistakes and misunderstandings grows
exponentially
Let's remember most of the WG are not "ordinary internet users" or even
"common registrants" - we all "get it" but we're an infinitesimally small
minority.
> Expiration dates make the domain name secondary market possible.
Yes, I agree.
Unfortunately we're into playing the "risk vs reward" game
I'd rather not see the WG go with the UK Gov't view - that the potential
to maybe catch 1 criminal is worth taking away the civil liberties of 65
million law abiding individuals :(
> Create dates are important for assigning reputation to domain names
> and protecting consumers and Internet users.
I must have missed the RFC for the Internet Nanny protocol, thus am not
sure how reputation of domains works ;)
Presumably these are 3rd party "services" which are making money out of
the registries', registrars' and registrants' data they are harvesting
for free from whois ?
> Domains are often hijacked when the attacker gains control of the
> registrant account.
Yes, and that would be massively more difficult if the Registrar data
wasn't public, but I do agree that is a small enough %age to warrant the
inclusion of registrar details if we have any RDS output, benefits
outweighing risks, but they're specific and targetted attacks
> So the status does not even matter.
It certainly does. Is a car more likely to get stolen because it's left
unlocked, or because it exactly matches a specific item on a "shopping
list" ?
It's functionally equivalent to the difference between broadcasting the
state of your front door lock at all times, and having a locked door
kicked-in during your absence
If there was a global+accurate list of which homes were "open", who do
you think benefits from that ?
People that break into homes, people that market security systems,
people who want to illegally squat, a family member who has forgotten
their keys - the list is practically endless - and again it's the risk
vs reward
The only time items have ever been stolen from my garage was the one
time I got distracted to sign for a parcel delivery as I was wheeling
out my bike, and rode off without putting the padlock back on
Simply put, more data = better targeting (for good or ill)
> Domain names enable lots of crime.
Do they ? Really ? Of course I agree that *some* crimes may involve
domain names in some way.
Everything can be, will be and is used in a crime at some point.
Lots of crimes involve a vehicle, but the ownership details, dealership
details, manufacturer details and so on of every vehicle in existence
isn't "public" for people to do what they like with - I'd suggest that
if it were it would increase crime not reduce it.
Can "those that *need* to know" get some of that data - yes, probably
rightly, although the amount of data and the list of accessors is
severely limited
> Is the response to that problem to make domain
> names very difficult and expensive to register? Or is making
> registration information available one proportional and reasonable
> response to the problem?
If they are the only 2 answers available to choose from, I clearly
haven't understood the question.
What we need is sadly not do-able.
All data about my-domain.ext should be locked away in an impenetrable
opaque bubble, and legitimate requests for select information can be
allowed temporary view-only access, all external copies of it blow up at
a specific time, it can't be further shared, the view is logged, the
data can be remote detonated, further / repeat access recalled at any
point etc
In fact what we need is that for all data about anything with
appropriate interconnectors for it all
Sadly 40 million years ago a caveman realised that you could paint on a
wall and permanent data records, sharing, public viewing etc have
existed ever since :(
Rob