[gnso-rds-pdp-wg] We should not build atop whois (was Re: Domain Name Certification )
Andrew Sullivan
ajs at anvilwalrusden.com
Tue Jan 9 23:29:40 UTC 2018
On Tue, Jan 09, 2018 at 10:40:19PM +0000, benny at nordreg.se wrote:
> My point is that the purpose for collecting data to RDS should not be built upon the needs for other systems built on top of the present Whois
If that's what you think, then I believe we disagree very strongly.
Many of the problems with respect to the registration databases and
with respect to registration data directory services can be traced
directly to the problems with whois. It seems to me that this litany
has been recited before (more than once by me), so those who remember
it can stop reading; but to remind people what I'm talking about with
respect to these data and policy problems, here are a few:
1. WHOIS was designed in an era when the entire names registry
was completely centralised, in the NIC. So, it did not need to
become a distributed system, and it wasn't designed for
distributed operation. (To be clear: the NICNAME specification is
in RFC 812, which is dated March 1982. The first DNS
specification is in RFC 882, from November of 1983. NICNAME
didn't have to deal with a distributed database _at all_: it was
about the HOSTS.TXT file and the related metadata. Obviously,
people knew DNS was coming, but it wasn't a thing yet.)
2. Adding references to whois in order to make a distributed
protocol -- rwhois, whois++, and some other flavours -- never
really worked. This meant that it was unreliable which
(registrar) database you'd get some whois information from, which
meant you often got stale data from the wrong registrar. This,
more than anything else, was the incentive behind "thick"
registries, which is why registries ended up having information
about registrants, with whom they do not strictly speaking have a
direct contractual relationship. (I observe that now we seem to
be treating an awful lot of data that is collected by registrars
and transmitted to registries as just "data that is collected",
which was why I was trying to figure out the delimitation of the
RDS some months ago.)
3. WHOIS was designed as a simple-minded human-consumable
call-and-response protocol when internationalisation didn't work
reliably on a single computer, never mind on the network. So it
knows nothing about different types of data and therefore cannot
handle the data in different ways according to context.
Therefore, the ICANN whois policies have all kinds of extraneous
rules about formatting, how "fields" need to be handled, and so
on. None of this belongs in a policy, but it's there because the
protocol was wrong.
4. WHOIS was designed and deployed for a network in which
practically all the users were also developers of the network, and
where the scope of the users of the network was controlled because
of contractual arrangements permitting connection in the first
place. Therefore, it has no notion of "context" and cannot do
anything to determine who is asking a query or to determine
authorization. Many of the debates about privacy turn out to be
debates about access, not whether the data should be collected in
the first place. We keep tripping over this now, even though
we're supposed to be alert to it.
5. The fact of unfettered access has meant that people who want a
domain name -- but who, quite reasonably, do not want to pay extra
to prevent their cell phone number and home address from being
published to 2 billion of their closest friends -- simply lie
about their information in an effort to obscure it. Others who
are lying, of course, are hiding because they're doing something
untoward. There is today literally no way to distinguish these
cases because the first class of people are sympathetic victims of
WHOIS, a protocol created two years before the founder of Facebook
was born.
We have got to get over the idea that the existing whois is _any_ kind
of model for what we ought to be trying to do. Anyone with the
faintest technical background can look at the early specification of
WHOIS/NICNAME and recognise a protocol that was designed to be exactly
good enough for the purpose at hand. Indeed, RFC 3912 (which
obsoleted the previous WHOIS protocol specifications in 2004) is quite
explicit that whois has some fundamental inadequacies that need to be
fixed. Please stop claiming that "whois" -- either the protocol or
all the collections of policies that have been built on top of that
miserable hangover of a protocol -- is any guide for what we should
do. It is not.
Best regards,
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
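
Added example (not part of the original message, and not code from its author): a complete RFC 3912 exchange, showing that the request is only the query text plus CRLF and the response is untyped text, which is what points 3 and 4 above describe. A local `socket.socketpair()` stands in for the TCP connection to port 43, and the record, domain name and function names are constructed for illustration.

```python
import socket
import threading

# Constructed sample record; the layout is arbitrary because RFC 3912
# defines no field names, types or character encoding for responses.
RECORD = (
    "Domain Name: EXAMPLE.TEST\r\n"
    "Registrant: Example Holder\r\n"
    "Phone: +1.5555550100\r\n"
)

def serve_one(conn):
    """Server side of one exchange: read a line, send text, close."""
    with conn:
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        query = buf.strip().decode("ascii", "replace")
        # Everything the request carries is `query`: there is no
        # credential, purpose or requester field to consult, so the
        # same full record goes back to any client that asks.
        body = RECORD if query.lower() == "example.test" else "No match\r\n"
        conn.sendall(body.encode("ascii"))

def whois_exchange(query):
    """Client side: send '<query>CRLF', read until the server closes."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server,))
    worker.start()
    request = query.encode("ascii") + b"\r\n"
    with client:
        client.sendall(request)
        chunks = []
        while True:
            chunk = client.recv(1024)
            if not chunk:  # server closed: that is the end-of-response marker
                break
            chunks.append(chunk)
    worker.join()
    return request, b"".join(chunks).decode("ascii")

if __name__ == "__main__":
    req, resp = whois_exchange("example.test")
    print("request bytes:", req)
    print(resp)
```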