<div dir="ltr">It also appears that the registrant identifier does not carry the same meanings across all registrars. Some registrars supply only blank data for the field, despite always providing the fields. Most, if they supply it at all, appear to do so on a "unique-per-domain" basis which is useless for investigative purposes. The registrant identifier of "C270-LRMS" does yield more than one domain in a search but it's unclear if this means they are all on the same one paying account at the registrar, or if that happens to be a hash of some identifier coincidentally used by multiple different people.<div><br></div><div>Regardless, it doesn't matter, because "rgret8eyhugregre" is a perfectly valid street address for WHOIS and hashing a randomized result combined with valid identifiers will result in nothing useful for anyone attempting to enumerate domains associated with the same campaign.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 24, 2017 at 9:31 AM, Paul Keating <span dir="ltr"><<a href="mailto:Paul@law.es" target="_blank">Paul@law.es</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I would like to understand this further and forgive my ignorance. Could<br>
you please explain what you mean by the following:<br>
<span class=""><br>
We already have "anonymized unique identifiers" in the form of contact<br>
identifiers, sometimes also known as "handles" (but not to be confused<br>
with handle system (RFC 3650) identifiers). For example, a WHOIS query for<br>
a particular domain to one particular thick RDDS registry service will<br>
return a registrant identifier of "C270-LRMS" in addition to the more<br>
identifiable information that we're all familiar with. RDAP also supports<br>
these identifiers, so they are available for purposes as we see fit to<br>
recommend.<br>
<br>
<br>
<br>
</span>Also, although WHOIS information itself is not always helpful, WHOIS<br>
combined with other data (including DNS and historical data) can be<br>
extremely helpful. So, I am not at all certain as to what is intended by<br>
the message or what the solution proposed is or how it works.<br>
<br>
Thank you,<br>
<br>
Paul Keating<br>
<br>
On 4/24/17, 2:47 PM, "Hollenbeck, Scott via gnso-rds-pdp-wg"<br>
<<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@<wbr>icann.org</a> on behalf of <a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>><br>
wrote:<br>
<div class="HOEnZb"><div class="h5"><br>
>I must have missed this note when it was original sent back in March.<br>
>Chuck asked me to address one of the questions posed below.<br>
><br>
>Scott<br>
><br>
>> -----Original Message-----<br>
>> From: Gomes, Chuck<br>
>> Sent: Monday, April 24, 2017 7:48 AM<br>
>> To: Hollenbeck, Scott <<a href="mailto:shollenbeck@verisign.com">shollenbeck@verisign.com</a>><br>
>> Subject: FW: [EXTERNAL] Re: [gnso-rds-pdp-wg] international law<br>
>> enforcement association resolution regarding domain registration data<br>
>><br>
>> FYI Scott.<br>
>><br>
>> Chuck<br>
>><br>
>> -----Original Message-----<br>
>> From: theo geurts [mailto:<a href="mailto:gtheo@xs4all.nl">gtheo@xs4all.nl</a>]<br>
>> Sent: Thursday, March 02, 2017 4:21 PM<br>
>> To: Gomes, Chuck <<a href="mailto:cgomes@verisign.com">cgomes@verisign.com</a>>; Greg Aaron <<a href="mailto:gca@icginc.com">gca@icginc.com</a>><br>
>> Cc: <a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
>> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] international law enforcement<br>
>> association resolution regarding domain registration data<br>
>><br>
>><br>
>> Thanks, Chuck.<br>
>><br>
>> I think it is important that we as a WG understand that gated access<br>
>>could<br>
>> be a recommendation. But it does not single out any other<br>
>> solutions/recommendations, but to get to that point, we should keep<br>
>> exploring.<br>
>><br>
>> To give this some more color. In 2016 we assisted <a href="http://paloaltonetworks.com" rel="noreferrer" target="_blank">paloaltonetworks.com</a><br>
>>and<br>
>> shadow server taking down the Prince of Persia malware that went<br>
>> undetected and roamed the internet for ten years (that's a long time<br>
>> folks) <a href="http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-" rel="noreferrer" target="_blank">http://researchcenter.<wbr>paloaltonetworks.com/2016/06/<wbr>unit42-prince-</a><br>
>> of-persia-game-over/<br>
>><br>
>> So the actual WHOIS data was useless in a sense we were dealing with<br>
>> stolen identities.<br>
>> But we were able to map out the botnet controller network through the<br>
>> WHOIS and coordinated with more Registrars to sinkhole the entire lot.<br>
>><br>
>> Again the WHOIS data was useless in this case as it was fake, could have<br>
>> passed every syntax or WHOIS cross-validation check.<br>
>><br>
>> So instead of gated access, why not aim for an RDS that used anonymized<br>
>> unique identifiers that are available for everyone?<br>
><br>
>We already have "anonymized unique identifiers" in the form of contact<br>
>identifiers, sometimes also known as "handles" (but not to be confused<br>
>with handle system (RFC 3650) identifiers). For example, a WHOIS query<br>
>for a particular domain to one particular thick RDDS registry service<br>
>will return a registrant identifier of "C270-LRMS" in addition to the<br>
>more identifiable information that we're all familiar with. RDAP also<br>
>supports these identifiers, so they are available for purposes as we see<br>
>fit to recommend.<br>
><br>
>Scott<br>
>_____________________________<wbr>__________________<br>
>gnso-rds-pdp-wg mailing list<br>
><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a><br>
<br>
<br>
______________________________<wbr>_________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/<wbr>listinfo/gnso-rds-pdp-wg</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">_________________________________<br>Note to self: Pillage BEFORE burning.</div>
</div>