[gnso-rds-pdp-wg] One Way Gated Access to Data Might Work

Volker Greimann vgreimann at key-systems.net
Mon Dec 12 14:12:41 UTC 2016


Interesting, but I am not sure this is ultimately what we should be 
looking for, for one simple reason. This proposed implementation 
apparently does not provide for any differentiation between access 
levels except for the three authentication levels.

So once one obtains an advanced authentication, one can access all 
data in the database, which I would consider insufficient 
differentiation. Access should be further specialized on a "need to 
know" and "right to know" basis. For example, should a certified and 
authenticated law enforcement agency have access to all registrant 
data or only to registrant data that applies to their jurisdiction (plus 
maybe an identifier that details which jurisdiction applies to a data 
set that agency cannot access)?

Similarly, would an IP rights holder have access to all data or only to 
just enough data needed to achieve their goal, which would likely be to 
contact the registrant?

In other words, the access level scheme should differentiate between 
levels of access much more and restrict that access to those with a 
right to access or a legitimate need to access without overstepping 
legal or jurisdictional boundaries.

This proposed implementation is too simplistic.

Best,

volker


On 10.12.2016 at 06:35, Carlton Samuels wrote:
> Way to go Scott!
>
> -Carlton
>
>
> ==============================
> /Carlton A Samuels/
> /Mobile: 876-818-1799
> Strategy, Planning, Governance, Assessment & Turnaround/
> =============================
>
> On Fri, Dec 9, 2016 at 7:25 AM, Hollenbeck, Scott 
> <shollenbeck at verisign.com> wrote:
>
>     I like to explore how systems might work by putting thoughts into
>     action with running code. I have a working implementation of RDAP
>     with client authentication that might be useful in helping people
>     see how some of our data element and data access ideas might
>     actually work in practice. The implementation currently includes
>     three levels of client/end user access:
>
>     1. Unauthenticated: a client that does not provide any
>     authentication information to the server will receive responses
>     that include very little information beyond what is currently
>     available from the DNS.
>
>     2. Authenticated Basic: a client that authenticates using an
>     easily acquired, open credential (like a Gmail or Hotmail email
>     account) will receive additional information (like registration
>     dates and domain status values), but no personally identifiable
>     contact information.
>
>     3. Authenticated Advanced: a client who authenticates using a
>     specialized identity provider (we currently support providers
>     implemented by Verisign Labs, CZNIC and an interoperability test
>     provider) will receive full access to all available data. The
>     purpose of the query can be identified and shared with the server
>     operator, who can use the client-supplied identity information to
>     make fine-grained access control decisions.
>
>     A web-based front-end to the service can be found here:
>
>     https://rdap.verisignlabs.com/
>
>     We currently support entity (contact), name server, and domain
>     lookup and search queries for the .cc and .tv ccTLDs. You can use
>     the nic.tv domain for basic exploration. Try it
>     out with your Gmail address using the "Authenticate" button to see
>     the difference between authenticated and unauthenticated behaviors.
>
>     A word of warning: RDAP responses are JSON-encoded and *very*
>     character-dense. It may help to have a JSON pretty printer plugin
>     installed in your browser.
>
>     Anyone who wants a test account from Verisign Labs for advanced
>     authenticated access can have one for the asking. Please reply
>     directly to me and I'll make sure you get set up.
>
>     A logical conclusion should we decide to pursue this line of
>     thinking is that there will be a need for identity providers who
>     are able to issue user credentials to people who belong to
>     specific communities of interest. Policies will need to be
>     developed to determine which communities of interest get access to
>     which data elements.
>
>     Scott

-- 
Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net

Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
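
An added example, not part of the original messages and not the Verisign Labs implementation: a response filter that applies the three authentication tiers described in the quoted post and then narrows registrant data by purpose and jurisdiction, as the reply asks for. The field names, purpose labels and policy tables are assumptions, and the sample record is constructed.

```python
import copy

# Constructed sample record, loosely shaped like an RDAP domain response.
SAMPLE = {
    "ldhName": "example.tv",
    "nameservers": ["ns1.example.net"],
    "status": ["active"],
    "events": [{"eventAction": "registration",
                "eventDate": "2010-01-01T00:00:00Z"}],
    "registrant": {"name": "A. Person", "email": "a@example.net",
                   "address": "1 Main St", "country": "DE"},
}

# Data elements per authentication tier (tier names follow the thread;
# the element lists are assumptions).
TIER_FIELDS = {
    "unauthenticated": {"ldhName", "nameservers"},
    "basic": {"ldhName", "nameservers", "status", "events"},
    "advanced": {"ldhName", "nameservers", "status", "events", "registrant"},
}

# Hypothetical "need to know" policy: registrant elements per stated purpose.
PURPOSE_CONTACT_FIELDS = {
    "law_enforcement": {"name", "email", "address", "country"},
    "ip_rights": {"email"},  # just enough to contact the registrant
}

def filter_response(record, tier, purpose=None, jurisdictions=()):
    """Return only the data elements this client may see."""
    # Unknown tiers fail closed to the unauthenticated view.
    allowed = TIER_FIELDS.get(tier, TIER_FIELDS["unauthenticated"])
    out = {k: copy.deepcopy(v) for k, v in record.items() if k in allowed}
    reg = out.pop("registrant", None)
    if reg is None:
        return out
    fields = PURPOSE_CONTACT_FIELDS.get(purpose)
    if fields is None:
        return out  # advanced tier without a recognised purpose: no contact data
    if purpose == "law_enforcement" and reg["country"] not in jurisdictions:
        # Outside the agency's jurisdiction: disclose only which one applies.
        out["registrant"] = {"country": reg["country"]}
        return out
    out["registrant"] = {k: v for k, v in reg.items() if k in fields}
    return out
```
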


