<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">What system are you referring to Allison? Are you saying that RDAP is not workable?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Chuck<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org]
<b>On Behalf Of </b>allison nixon<br>
<b>Sent:</b> Thursday, March 23, 2017 4:01 AM<br>
<b>To:</b> Andrew Sullivan <ajs@anvilwalrusden.com><br>
<b>Cc:</b> RDS PDP WG <gnso-rds-pdp-wg@icann.org><br>
<b>Subject:</b> [EXTERNAL] Re: [gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">This suggested system is not workable because the daily use of whois does not conceptually fit within that framework. Several of us who work with whois on a daily basis have already described use cases that are made impossible by that system,
so there's no need to go into the same details all over again. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Mar 22, 2017 at 1:24 PM, Andrew Sullivan <<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">Hi,<br>
<br>
On Wed, Mar 22, 2017 at 09:33:22AM -0700, John Horton wrote:<br>
<br>
> My biggest fear<br>
> is that in the monitoring that companies like mine do for banks, payment<br>
> providers, e-commerce companies, etc. that helps determine whether a<br>
> merchant is who they say they are, and whether they are engaged in other<br>
> bad activity (i.e., laundering money) will be unable to obtain access to<br>
> the Whois records we need in order to preserve the integrity of the<br>
> payments system, protect payment providers from risk, and derivatively<br>
> protect consumers.<br>
<br>
Modulo the inclusion of "Whois" in the above, that all seems<br>
reasonable. What you are saying is that you need a mechanism by which<br>
you can create risk analyses with respect to some domain name. But,<br>
<br>
> In other words, my fear is that we'll lose access to<br>
> Whois records, which we need for that purpose.<br>
<br>
this does not follow.<br>
<br>
Consider, for instance, that RDAP works via http(s), and that we have<br>
several kinds of authentication and authorization mechanisms related<br>
to https, and such things can be federated. It is a short hop from<br>
that knowledge to understanding that someone(s) could operate a<br>
service that authenticates service providers like you, using tokens<br>
provided by the to-be-evaluated domain names. A payment provider or<br>
whatever, when offering service to a customer, could obtain from that<br>
customer a token of consent allowing it to obtain the relevant data<br>
from the registries and registrars in question. That token could then<br>
be provided to the authorization service, which would then<br>
authenticate your request to the RDAP servers and they could provide<br>
you the data you request. This is by no means an impossible task --<br>
every time you apply for insurance online or log into a payment<br>
provider via Google or Facebook or Amazon, you're doing this. This is<br>
a technique that is already deployed all over the Internet where real<br>
money is involved, so I fail to see how it could not be used in our<br>
case. (In addition, you may not actually need the particulars of an<br>
individual -- it might be enough for you to be able to tell whether<br>
the domain and people behind it are related in some important ways to<br>
some other domain. But we're getting ahead of ourselves in the use<br>
case description here.)<br>
<br>
This is also why separating the collection of data from questions<br>
about display and so on is necessary: we need to understand as a group<br>
the compelling use cases that the RDS data can support. I agree that<br>
reputation-of-vendor systems are among those uses, and that we ought<br>
therefore to include support of such things in what we think we want<br>
the system to be able to support.<br>
<br>
Of course, all of this does represent some cost to you -- your<br>
existing service would need to change to reflect the new business<br>
logic and access rules and mechanisms and so on. But I don't think<br>
this WG has so far accepted, "But that's how we do it now," as a<br>
legitimate purpose.<br>
<br>
Best regards,<br>
<br>
A<br>
<span style="color:#888888"><br>
<br>
<span class="hoenzb">--</span><br>
<span class="hoenzb">Andrew Sullivan</span><br>
<span class="hoenzb"><a href="mailto:ajs@anvilwalrusden.com">ajs@anvilwalrusden.com</a></span><br>
<span class="hoenzb">_______________________________________________</span><br>
<span class="hoenzb">gnso-rds-pdp-wg mailing list</span><br>
<span class="hoenzb"><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a></span><br>
<span class="hoenzb"><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span></span><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal">_________________________________<br>
Note to self: Pillage BEFORE burning.<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>