<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>You miss my point. As a mere *end-user* I should be able to
validate this information and any system that has to accredit
however many billion internet users is a system that doesn't need
accreditation. It isn't a question of what *I* need, there doesn't
exist any system you can devise that will ultimately keep me from
that... it is a question of what end network operators need. And
that includes home users, small offices, etc. That being said,
based on the conduct of members on this list, the conclusion by me
and other security professionals is that you will *never* accredit
us to use such a system or get that data unless the issue is
forced upon the system somehow.</p>
<p>You say we need "accreditation" to get fine-grained stuff. On
paper, I'll concede that may be true. But at this point, the trust
is completely broken. In my mind, such a system will be designed
in practice to prevent us from getting the information directly.
But like I said, it isn't about me. I have resources, I'll get the
information. It's about the billions of other people who need it
to make THEIR networking decisions because contrary to popular
belief, I don't control every network on the planet.</p>
<p>I think if you explain to an end-user that WHOIS is a phone book
so people can contact them if they list their information, they'll
understand it. To say it is a maze is to grossly complicate the
matter considering these same end-users are using Facebook,
Twitter, Instagram, etc. Publish it on the internet for the world
to see means the world can see it. It just isn't a hard concept.<br>
</p>
<br>
<div class="moz-cite-prefix">On 12/07/2017 09:35 PM, Stephanie
Perrin wrote:<br>
</div>
<blockquote
cite="mid:ab952626-90ad-5c40-4880-1b280e75c249@mail.utoronto.ca"
type="cite">
<p><font size="+1"><font face="Lucida Grande">John, you just have
to be accredited, and authenticated to get tiered access.
No problem. DPAs agree. Then you get all the fine-grained
stuff you need, and since it is not public there are fewer
Mickey and Minnie Mouse entries...</font></font></p>
<p><font size="+1"><font face="Lucida Grande">End users can
understand that they don't want their own phone number in
the book. What they cannot understand is how to read the
WHOIS and figure out who is behind a website or an email,
and whether that person/entity is even who they should
expect to see there. WHOIS is not a phone book, where it
concerns the actors one needs to be concerned about, or the
large corporations one wants to trust but verify. It is a
maze.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">SP</font></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 2017-12-07 21:54, John Bambenek
via gnso-rds-pdp-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5c44ed8f-7ab1-e72d-c897-dc73db1f2a57@bambenekconsulting.com">
<p>This is the most important point you have made of which I am
in violent agreement:</p>
<p><font size="+1"><font face="Lucida Grande">"The noncommercial
users constituency has been trying to make this point
since it was formed. Life is too complex to dump all this
on the end user. "<br>
</font></font></p>
The reason open WHOIS is necessary (and end users can surely
understand how open directories work much like phone books do),
is because the service providers see no need to police usage of
their system and dump that on end-users. Because they can't do
it, people like me and anti-abuse organizations exist (many
doing work for little to no money). If domain registries,
hosting providers and ISPs ACTUALLY enforced their AUPs, or
better yet, kicked criminals off their systems, there would
literally be no need for people like me. I wouldn't need WHOIS
in that scenario, because I quite literally would not be
working.<br>
<br>
Take phishing for example, it took us how many YEARS to get
ICANN and the registrars to even begin to deal with overt brand
impersonation? And even then, identification of domains used in
brand impersonation is still outsourced to me and the brands
involved to notify the registries that their own service is
being misused.<br>
<br>
The attempt again to disabuse the notion that WHOIS isn't
necessary... let's go back to the French presidential elections.
We discovered Russian attempts to phish En Marche! that
ultimately led to 7 e-mail accounts being linked PURELY by whois
data. We saw domains registered with that "brand", we correlated
registrant information, and enumerated all that in time for En
Marche! to take mitigating steps. Without whois, it would have
played out like this, the attempts at Russian election influence
would have been discovered once the emails got leaked (and
probably more than 7 accounts), at which point, the damage was
done. We are in a world where foreign powers are messing with
others' democratic processes. Surely we can agree that having
tools to stop such activities would be a good thing?<br>
<br>
When those who are in business relationships with criminals and
other miscreants say "security is not our job", that outsources
it to me and others like me. And usually, we only have coarse
tools to work with.<br>
<br>
You could take WHOIS away from me (and let's all be honest here,
you're going to). That will just leave me blocking strategies
that are more prone to collateral damage. For instance, I could
block every domain for X registry because they ignore
complaints, I have no ability to contact the end domain owner,
and I'm left with no other option. Yes, that will adversely
impact some measure of otherwise innocent people. But you've
taken away my ability to be precise, so it's either no
protection, or protection with collateral damage. The good news
is, when we do provider-based bans, we let people know why so
they can choose better providers.<br>
<br>
It also means that instead of working with domain owners or
other less costly ways of dealing with abuse, now, for 100% of
domain based abuse reports, I'm just going to go to court and
drag the registry in. Sure, there are some subset that have
proxy registration you have to deal with. Now you're going to
deal with 100% of all domains and you're going to have to deal
with it in a court of law. It won't cost me much, it will cost
the registries. This will literally create orders of magnitude
more work and legal costs for the registries.<br>
<br>
But I reject the notion that the common person doesn't
understand the notion of what happens when their phone number is
put on the internet because they all have Facebook and Twitter
accounts.<br>
<br>
If you want our blocking and enforcement to be precise, we need
precise information. If you don't give us precise information,
we're still going to protect our constituencies, there just will
be collateral damage. You can blame us for that, of course, but
the reality, we aren't the ones creating this problem.<br>
<br>
<br>
<div class="moz-cite-prefix">On 12/07/2017 08:08 PM, Stephanie
Perrin wrote:<br>
</div>
<blockquote
cite="mid:d402a82c-aeec-5690-3b30-6bd56336fff4@mail.utoronto.ca"
type="cite"><font size="+1"><font face="Lucida Grande">The
noncommercial users constituency has been trying to make
this point since it was formed. Life is too complex to
dump all this on the end user. </font></font></blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
</blockquote>
<br>
</body>
</html>