[gnso-rds-pdp-wg] key concepts: say "contact data" when that is what we mean

Rob Golding rob.golding at astutium.com
Sat Dec 10 05:28:59 UTC 2016


> Regarding Rob's reasons against publishing thin data:
> * "it's unnecessary to the functioning of the domain/internet."  This
> is not the razor to be used here.

Yes, it might be "nice" or "convenient" or for various-use-cases 
"helpful" - which may be considered reasons to publish the data, but 
this does not make publishing in any way *necessary*

>  A domain name can function if
> there's no RDS at all.

Agreed :)

>  This WG would look foolish in the eyes of the
> world if it decided to abolish WHOIS and any successor RDSes.

I doubt that will be the final outcome, but it would be a very valid 
"solution" to the "whois problem" that has caused 15 years of working 
groups. Various people-with-an-agenda think whois is not fit for *their 
purpose* so one solution would be to put it out of its misery and scrap 
it!

> * "the EWG said not to make it all freely available".   No, not
> correct.  The EWG said the thin data should be freely available,

That wasn't my understanding/reading (or what was quoted in the email I 
replied to), there was mention of
>> _While basic data would remain publicly available,

And I said ...
> So ideally we just need to identify "basic data" which I'd suggest is
> * domain name
> * domain registrar

That's all.


> * "it costs time/effort/money to collect, store, display etc."
> Storing, transmitting, and publishing data is the core job of a
> registry;

In a convoluted manner, sort of.

The primary task of a registry is to maintain the master list of domain 
names in that tld and provide nameservers for those domains to allow the 
referral of ns lookups.

Plenty of them publish basically nothing for whois, so many do not see 
it as a "core" feature - a contractual requirement to answer to a 
protocol maybe, but not a core aspect of their function

> it is literally their reason for being.  (And registrars
> too, until .COM and .NET go thick.)

If you asked every registrar and registry, I seriously doubt you'll get 
any who would say operating a WHOIS service was their "reason for being"

It's a given that:
More data = more cost
More publishing = more cost
More access = more cost

> They build the cost of doing it
> into the prices they charge.

To an extent, we're already incorrectly charging the registrant, who 
doesn't want whois anyway.

RDS kind-of implies centralising, and that will be more/additional/new 
costs - so at the least provides an opportunity to switch to a PPV 
model.

> * "it's a security risk."  Some argue that it is a security risk to
> publish certain kinds of personal data.  Is an RDS itself a security
> risk?   A bank is a security risk, but that does not mean we should
> not have banks.  We have good reasons to have banks, and they outweigh
> the risks.

The question was about publishing data - if you don't have that data 
there is no risk and if you don't publish that data there is less risk.

Why do you think banks don't publish all the numbers and names of their 
account holders - because doing so would be considered a massive 
security risk (to themselves and their account holders).

Do they have that data - yes, so there is some risk. And the risks are 
magnified if it's centralised - imagine if there was 1 bank that had 
every possible account holder's details - and then the regulator said 
"publish it"!

As I said ...
> Perhaps anon/open data access should be to the minimum elements
> necessary, with anything else being subject to knowing
> * who they are
> * what data they're authorised to see
> * what exactly that data is going to be used for
> * agreement to be slapped if they misuse or redistribute the data

Which I think is entirely in-line with what the EWG report says.

TL;DR

# I doubt we'll get consensus on just turning whois off and suggesting 
no RDS, but I promise to buy the 1st round of Champagne for us all to 
celebrate if it is the WG final decision

# what is "stored" needs to be only what is absolutely necessary and 
can't be obtained elsewhere or by another method, defaulting to 
'nothing'

# what is "published" from what is stored needs to be as close to 
nothing as possible by default, and then for each thing stored, only 
what is absolutely necessary for that accesser and that access reason 
(with appropriate controls and audits applicable to handling that)

Rob


