Input to Expert Working Group on gTLD Directory Services Input / Questions Regarding the Next Generation gTLD Directory Services Model
Jessica_Crewse at symantec.com
Wed Aug 7 03:13:04 UTC 2013
Thank you for sharing your report on the Next Generation gTLD Directory Services Model and offering an opportunity to provide feedback. The next generation gTLD Directory Services Model could solve a number of concerns with the existing WHOIS model, but there are definitely some questions which it prompts.
As background, I'm a product manager for Symantec, within the SSL / Certificate Authority business unit, and we heavily rely upon WHOIS data to perform our business operations. We met with a number of cross-functional teams and came up with the questions/concerns below. Your consideration, thought, and eventual responses around these would be most appreciated.
1. What type of credential system is EWG envisioning? Within our company, we have over 200 persons who would need access to ARDS. It's not best practice to share the same credential - would you envision ARDS to provide hundreds of credentials across multiple organizations? The system would need the capability to register and unregister hundreds of people, even within one organization. How quickly would credential access be provided? How would the authentication be performed?
2. It seems ARDS will provide access to cached data, and the document mentions "frequent periodic updates." How often will the ARDS cache be updated?
i. During the certificate authentication process, we, as a certificate authority (CA), often ask customers to update their domain registration information. How easy will it be for domain owners to update this information (Registrant organization information, address information, domain contact email addresses, etc.), and how quickly would the changes be reflected in ARDS? Delays in propagation would slow certificate issuance.
- We'd like to better understand the plan for access to live, real-time data as this would be necessary in the aforementioned cases.
ii. Will cached data eventually be removed from the system?
3. Our business would require us to make thousands of calls to ARDS per day. Will there be any cap on the number of authenticated requests from a given organization per day?
4. We are required to authenticate domain ownership or control before we issue a certificate. We currently do this by using WHOIS. The document states that ARDS would be a non-authoritative source; do you believe ARDS would be any less authoritative than WHOIS?
5. Will there be additional considerations/checks for domain names confusable with high-profile domain names (e.g., paypals.com, e-bay.net, etc.)? Is there any plan to prevent registrars from allowing the registration of confusable domain names?
6. The document refers to "Registrant", but WHOIS supplies information about multiple contacts. Would ARDS provide multiple contacts (e.g., registrant contact, administrative contact, technical contact, etc.)? The CA/Browser Forum has written policy concerning the use of these contacts.
7. Would the domain name information from different domain registrars be in a common format? It would help to see examples of expected standardized output format.
8. Will there be an SLA and response time guarantee for authenticated requests?
9. Has any thought been given to digitally signing ARDS responses so that the information can be archived for audit purposes?
10. All of the participants would need to understand the transition process from WHOIS to ARDS.
11. Would ARDS include information on ccTLDs or gTLDs only? We would expect and prefer that it would include information for both.
12. When domains are re-sold/auctioned, there is no requirement for domain registration information to be updated in a timely fashion. Would ARDS enforce timely updates in these cases?
13. Some Certificate Authorities (CAs) are also domain registrars. Would an entity with these multiple roles be able to gain insider knowledge that others without both roles would not be privy to?
14. Could ARDS be extended to provide additional information about domain names? E.g., whether any domain name label is an IDN and its native representation is made up of multiple scripts or includes bidirectional characters, or a list of which scripts are used within a label.
15. Is the intent to provide free access to ARDS, just as WHOIS is free?
Thank you very much for your consideration.
Product Manager, Symantec Corporation