[gnso-rds-pdp-wg] We should not build atop whois (was Re: Domain Name Certification )

Andrew Sullivan ajs at anvilwalrusden.com
Tue Jan 9 23:29:40 UTC 2018


On Tue, Jan 09, 2018 at 10:40:19PM +0000, benny at nordreg.se wrote:

> My point is that the purpose for collecting data to RDS should not be built upon the needs for other systems built on top of the present Whois

If that's what you think, then I believe we disagree very strongly.
Many of the problems with respect to the registration databases and
with respect to registration data directory services can be traced
directly to the problems with whois.  It seems to me that this litany
has been recited before (more than once by me), so those who remember
it can stop reading; but to remind people what I'm talking about with
respect to these data and policy problems, here are a few:

    1.  WHOIS was designed in an era when the entire names registry
    was completely centralised, in the NIC.  So, it did not need to
    become a distributed system, and it wasn't designed for
    distributed operation.  (To be clear: the NICNAME specification is
    in RFC 812, which is dated March 1982.  The first DNS
    specification is in RFC 882, from November of 1983.  NICNAME
    didn't have to deal with a distributed database _at all_: it was
    about the HOSTS.TXT file and the related metadata.  Obviously,
    people knew DNS was coming, but it wasn't a thing yet.)

    2.  Adding references to whois in order to make a distributed
    protocol -- rwhois, whois++, and some other flavours -- never
    really worked.  This meant that it was unreliable which
    (registrar) database you'd get some whois information from, which
    meant you often got stale data from the wrong registrar.  This,
    more than anything else, was the incentive behind "thick"
    registries, which is why registries ended up having information
    about registrants, with whom they do not strictly speaking have a
    direct contractual relationship.  (I observe that now we seem to
    be treating an awful lot of data that is collected by registrars
    and transmitted to registries as just "data that is collected",
    which was why I was trying to figure out the delimitation of the
    RDS some months ago.)

    3.  WHOIS was designed as a simple-minded human-consumable
    call-and-response protocol when internationalisation didn't work
    reliably on a single computer, never mind on the network.  So it
    knows nothing about different types of data and therefore cannot
    handle the data in different ways according to context.
    Therefore, the ICANN whois policies have all kinds of extraneous
    rules about formatting, how "fields" need to be handled, and so
    on.  None of this belongs in a policy, but it's there because the
    protocol was wrong.

    4.  WHOIS was designed and deployed for a network in which
    practically all the users were also developers of the network, and
    where the scope of the users of the network was controlled because
    of contractual arrangements permitting connection in the first
    place.  Therefore, it has no notion of "context" and cannot do
    anything to determine who is asking a query or to determine
    authorization.  Many of the debates about privacy turn out to be
    debates about access, not whether the data should be collected in
    the first place.  We keep tripping over this now, even though
    we're supposed to be alert to it.

    5.  The fact of unfettered access has meant that people who want a
    domain name -- but who, quite reasonably, do not want to pay extra
    to prevent their cell phone number and home address from being
    published to 2 billion of their closest friends -- simply lie
    about their information in an effort to obscure it.  Others who
    are lying, of course, are hiding because they're doing something
    untoward.  There is today literally no way to distinguish these
    cases because the first class of people are sympathetic victims of
    WHOIS, a protocol created two years before the founder of Facebook
    was born.

We have got to get over the idea that the existing whois is _any_ kind
of model for what we ought to be trying to do.  Anyone with the
faintest technical background can look at the early specification of
WHOIS/NICNAME and recognise a protocol that was designed to be exactly
good enough for the purpose at hand.  Indeed, RFC 3912 (which
obsoleted the previous WHOIS protocol specifications in 2004) is quite
explicit that whois has some fundamental inadequacies that need to be
fixed.  Please stop claiming that "whois" -- either the protocol or
all the collections of policies that have been built on top of that
miserable hangover of a protocol -- is any guide for what we should
do.  It is not.

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
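The following is an added illustration, not code from Andrew Sullivan's message or from any registry, registrar or ICANN system. It implements the RFC 3912 exchange the message refers to (connect to TCP port 43, send the query terminated by CRLF, read the reply until the server closes the connection) against an in-process stub server, so it runs offline. The stub server, the sample record it returns, the `EXAMPLE.TEST` name and the `parse_whois_fields` heuristic are all constructed for this example. Two of the points above are visible in the code: the server never learns anything about the requester beyond the query bytes (point 4), and the reply is untyped free text, so any "field" structure has to be guessed by the client, which is exactly where formatting rules leak into policy (point 3).

```python
import socket
import threading

# Constructed sample reply in the loose "Key: Value" layout many servers use
# by convention. RFC 3912 defines no such structure: the wire format is
# just text, and the trailing notice looks like a field but is prose.
SAMPLE_RECORD = (
    "Domain Name: EXAMPLE.TEST\r\n"
    "Registrar: Example Registrar, Inc.\r\n"
    "Updated Date: 2017-12-01T00:00:00Z\r\n"
    "Registrant Name: REDACTED FOR PRIVACY\r\n"
    "Registrant Phone: +1.5555555555\r\n"
    ">>> Last update of WHOIS database: 2018-01-09T23:00:00Z <<<\r\n"
    "\r\n"
    "NOTICE: The expiration date displayed in this record is the date the\r\n"
    "registrar's sponsorship of the domain name registration expires.\r\n"
)


def serve_once(conn):
    """Handle one RFC 3912 session: read query up to CRLF, reply, close.

    Note what the server has to work with: only the query text. There is
    no requester identity, no credential and no purpose in the protocol,
    so there is nothing on which to base an authorization decision.
    """
    conn.settimeout(5.0)
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    query = buf.rstrip(b"\r\n").decode("ascii", "replace")
    if query.upper() == "EXAMPLE.TEST":
        conn.sendall(SAMPLE_RECORD.encode("ascii"))
    else:
        conn.sendall(b'No match for "' + query.encode("ascii", "replace") + b'".\r\n')
    conn.close()  # end of reply is signalled only by closing the connection


def start_stub_server():
    """Start a stub whois server on 127.0.0.1 on a random port (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by the caller
                return
            serve_once(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv


def whois_query(host, port, name, timeout=5.0):
    """Client side of RFC 3912: send NAME CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii", "replace")


def parse_whois_fields(text):
    """Best-effort 'Key: Value' extraction; first occurrence of a key wins.

    This is a heuristic, not a protocol feature: it cannot tell a real
    field from a prose line such as 'NOTICE: ...', and a different server
    may use a different layout entirely.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and key not in fields:
            fields[key] = value
    return fields


if __name__ == "__main__":
    server = start_stub_server()
    port = server.getsockname()[1]
    reply = whois_query("127.0.0.1", port, "example.test")
    print(reply)
    print(parse_whois_fields(reply))
    server.close()
```

Running it prints the raw reply followed by the guessed fields; the `NOTICE` line is swallowed as if it were a field, which is the kind of ambiguity a typed protocol with a defined data model would not leave to each client.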

