<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.hoenzb
{mso-style-name:hoenzb;}
span.m-5067576293808784571m4764780603200855943hoenzb
{mso-style-name:m_-5067576293808784571m_4764780603200855943hoenzb;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Allison, you can find the Final EWG Report here:
<a href="https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf">
https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf</a>. As a reminder, all relevant background documents have been collected here:
<a href="https://community.icann.org/x/QIxlAw">https://community.icann.org/x/QIxlAw</a>.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Marika<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black"><gnso-rds-pdp-wg-bounces@icann.org> on behalf of allison nixon <elsakoo@gmail.com><br>
<b>Date: </b>Thursday, March 23, 2017 at 07:08<br>
<b>To: </b>"Hollenbeck, Scott" <shollenbeck@verisign.com><br>
<b>Cc: </b>"gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org><br>
<b>Subject: </b>Re: [gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The problems have nothing to do with your code, unless your code somehow simulates the cost of bureaucratic overhead of a bunch of already-overworked FBI agents "certifying" tens of thousands of people across the country who just want to
get back to work.<br>
<br>
Also how will the need for historical whois be fulfilled? The registrars do not maintain that and massive automated querying and redistribution of query results must happen.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don't know where this EWG report is, and it's not in my email so please let me know where it is. I will read it.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Also, this gated access reminds me of how we treat personal data in the United States. We sign over our personal data to companies that promise to keep it private*<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">*but they will share with "authorized third parties". The end result is that every interested party has a copy of my personal data anyways! it's worse than if I was just told it was public. I would have at least been more careful.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So we are supposed to consider this whois data as private, but under any workable gated access scheme, tens of thousands of people and scripts are going to access this allegedly "private" data, where they will often use it in activities
some of which result in publishing or sharing whois data. Potential victims of spam and harassment are going to over-disclose if they are told they can trust this system's "privacy" when the reality is the opposite. Informed consent is impossible and abusers
do work at banks and security companies.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">And I am no expert in european privacy law but i think it would frown on such a system that assures people of the privacy of data it's collecting and then releases it to thousands of people abroad, to use in insecure scripts, with $? funding
to vet the people or detect abuse.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Maybe barbed wire is safer than padded corners.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Mar 23, 2017 at 7:21 AM, Hollenbeck, Scott <<a href="mailto:shollenbeck@verisign.com" target="_blank">shollenbeck@verisign.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Allison, who do you think the gatekeepers are? In the system I am designing, client identity and query purpose can be assigned and confirmed by entities within specific communities of interest. As one example, an entity like the FBI would
be responsible for managing the identity credentials for people who claim to be affiliated with the FBI. Keepers of data would then make access control decisions based on whatever policies this group decides are appropriate for people affiliated with the FBI.
I have code running in a lab environment right now that demonstrates that this approach really does work.<span style="color:#888888"><br>
<br>
<span class="hoenzb">Scott</span></span><o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On Mar 23, 2017, at 4:49 AM, allison nixon <<a href="mailto:elsakoo@gmail.com" target="_blank">elsakoo@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p>No, im referring to this token idea. And really any gated system, i am quite suspicious of, if the gatekeepers will demonstrate a fundamental lack of understanding of how whois is useful here and now.
<o:p></o:p></p>
<p>Considering the prevalent attitudes I've seen on this list, the gatekeepers will likely be people who think keeping falsified whois data private is more important than anything else. It shows either a lack of care or some measure of ignorance as to larger
realities relating to losses and even privacy itself.<o:p></o:p></p>
<p>I think very few people who work with whois for investigations know what the actual prevalent attitudes are within this group. If they lose a sane way to make whois based decisions, they are not going to tolerate it.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mar 23, 2017 4:20 AM, "Gomes, Chuck" <<a href="mailto:cgomes@verisign.com" target="_blank">cgomes@verisign.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri">What system are you referring to Allison? Are you saying that RDAP is not workable?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:Calibri">Chuck</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a name="m_-5067576293808784571_m_476478060320085"><span style="font-size:11.0pt;font-family:Calibri"> </span></a><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:11.0pt;font-family:Calibri">From:</span></b><span style="font-size:11.0pt;font-family:Calibri">
<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounces@icann.org</a> [mailto:<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank">gnso-rds-pdp-wg-bounces@icann.org</a>]
<b>On Behalf Of </b>allison nixon<br>
<b>Sent:</b> Thursday, March 23, 2017 4:01 AM<br>
<b>To:</b> Andrew Sullivan <<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>><br>
<b>Cc:</b> RDS PDP WG <<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This suggested system is not workable because the daily use of whois does not conceptually fit within that framework. Several of us who work with whois on a daily basis have already
described use cases that are made impossible by that system, so there's no need to go into the same details all over again. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Wed, Mar 22, 2017 at 1:24 PM, Andrew Sullivan <<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi,<br>
<br>
On Wed, Mar 22, 2017 at 09:33:22AM -0700, John Horton wrote:<br>
<br>
> My biggest fear<br>
> is that in the monitoring that companies like mine do for banks, payment<br>
> providers, e-commerce companies, etc. that helps determine whether a<br>
> merchant is who they say they are, and whether they are engaged in other<br>
> bad activity (i.e., laundering money) will be unable to obtain access to<br>
> the Whois records we need in order to preserve the integrity of the<br>
> payments system, protect payment providers from risk, and derivatively<br>
> protect consumers.<br>
<br>
Modulo the inclusion of "Whois" in the above, that all seems<br>
reasonable. What you are saying is that you need a mechanism by which<br>
you can create risk analyses with respect to some domain name. But,<br>
<br>
> In other words, my fear is that we'll lose access to<br>
> Whois records, which we need for that purpose.<br>
<br>
this does not follow.<br>
<br>
Consider, for instance, that RDAP works via http(s), and that we have<br>
several kinds of authentication and authorization mechanisms related<br>
to https, and such things can be federated. It is a short hop from<br>
that knowledge to understanding that someone(s) could operate a<br>
service that authenticates service providers like you, using tokens<br>
provided by the to-be-evaluated domain names. A payment provider or<br>
whatever, when offering service to a customer, could obtain from that<br>
customer a token of consent allowing it to obtain the relevant data<br>
from the registries and registrars in question. That token could then<br>
be provided to the authorization service, which would then<br>
authenticate your request to the RDAP servers and they could provide<br>
you the data you request. This is by no means an impossible task --<br>
every time you apply for insurance online or log into a payment<br>
provider via Google or Facebook or Amazon, you're doing this. This is<br>
a technique that is already deployed all over the Internet where real<br>
money is involved, so I fail to see how it could not be used in our<br>
case. (In addition, you may not actually need the particulars of an<br>
individual -- it might be enough for you to be able to tell whether<br>
the domain and people behind it are related in some important ways to<br>
some other domain. But we're getting ahead of ourselves in the use<br>
case description here.)<br>
<br>
This is also why separating the collection of data from questions<br>
about display and so on is necessary: we need to understand as a group<br>
the compelling use cases that the RDS data can support. I agree that<br>
reputation-of-vendor systems are among those uses, and that we ought<br>
therefore to include support of such things in what we think we want<br>
the system to be able to support.<br>
<br>
Of course, all of this does represent some cost to you -- your<br>
existing service would need to change to reflect the new business<br>
logic and access rules and mechanisms and so on. But I don't think<br>
this WG has so far accepted, "But that's how we do it now," as a<br>
legitimate purpose.<br>
<br>
Best regards,<br>
<br>
A<br>
<span style="color:#888888"><br>
<br>
<span class="m-5067576293808784571m4764780603200855943hoenzb">--</span><br>
<span class="m-5067576293808784571m4764780603200855943hoenzb">Andrew Sullivan</span><br>
<span class="m-5067576293808784571m4764780603200855943hoenzb"><a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a></span><br>
<span class="m-5067576293808784571m4764780603200855943hoenzb">_______________________________________________</span><br>
<span class="m-5067576293808784571m4764780603200855943hoenzb">gnso-rds-pdp-wg mailing list</span><br>
<span class="m-5067576293808784571m4764780603200855943hoenzb"><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a></span><br>
<span class="m-5067576293808784571m4764780603200855943hoenzb"><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span></span><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">--
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">_________________________________<br>
Note to self: Pillage BEFORE burning.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></p>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal">_________________________________<br>
Note to self: Pillage BEFORE burning.<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>