[tech-whois] A follow up session in San Francisco?
Smith, Bill
bill.smith at paypal-inc.com
Tue Mar 8 21:02:04 UTC 2011
Exactly what problem are we trying to solve by requiring authentication for access to WHOIS data?
On Mar 8, 2011, at 11:51 AM, Michael Young wrote:
> Absolutely, a user ID accessing a whois system does not have to be tied to
> known identity if the overall policy supports anonymity. The elements of
> usage enforcement can be applied against the user ID just the same. Of
> course you would want some control heuristics preventing the automated
> creation of those anonymous user IDs in any sort of scale, but that's a
> well understood problem with many existing tools that can help with that.
>
> Best Regards,
>
> Michael Young
> M:+1-647-289-1220
>
>
>
> -----Original Message-----
> From: Dave Piscitello [mailto:dave.piscitello at icann.org]
> Sent: March-08-11 2:49 PM
> To: Michael Young; 'Smith, Bill'
> Cc: tech-whois at icann.org
> Subject: Re: [tech-whois] A follow up session in San Francisco?
>
> Michael you raise an excellent point re: IPv6.
>
> I also think you touch on important benefits of "knowing the source":
> accountability and auditing. Anonymity is very different from accountability
> but the Internet fails to make this distinction and thus abuse flourishes.
>
> There are several forms of authentication that can provide auditing or a
> basis for rate limiting that do not require disclosure of personal
> information or creation of an identity, e.g., guest accounts that can be
> bound to sessions, connections, validated origin IP addresses. There's a lot
> of room between "unknown origin, unknown querying party" and "non-repudiable
> originator of a request".
>
>
> On 3/8/11 2:20 PM, "Michael Young" <michael at mwyoung.ca> wrote:
>
>> "- access control, which most WHOIS providers have implemented at the
>> TCP/IP level
>>
>> Without source address validation, IP level access control is not
>> sufficient. Even with IP level access control, the granularity of
>> access control is arguably less than one might want in a future
>> incarnation of a Whois service. For example, an IP level access
>> control does not accommodate a future policy that might block a user
>> of group X from accessing a subset of registration data elements
>> {b} while allowing a user of group Y access to those elements. A
>> robust directory service protocol ought to accommodate this."
>>
>> First of all I agree with this point but let me reinforce/add that the
>> current rate limiting methodologies based on traffic from source IPs
>> become much trickier with IPv6. I don't see any practical reason why
>> every user of a whois service shouldn't have to authenticate to get a
>> response. Just because it's a free public service doesn't mean someone
>> seeking the data can't sign up for a user ID. Sign up systems can be
>> automated and protected from machine based registration, subsequent
>> whois lookups would always be tied to User ID and usage policy
>> enforcement can be made against individuals instead of IP addresses.
>> You can also create classes of users with different traffic policy
>> expectations (provided you were still in compliance with any contractual
>> obligations).
>>
>> I know this is a fundamental change from today, but the more I think
>> about it, the more I see the practicality and operational sensibility
>> in going that route.
>>
>> Best Regards,
>>
>> Michael Young
>> M:+1-647-289-1220
>>
>>
>>
>> -----Original Message-----
>> From: tech-whois-bounces at icann.org
>> [mailto:tech-whois-bounces at icann.org] On Behalf Of Smith, Bill
>> Sent: March-08-11 1:22 PM
>> To: Dave Piscitello
>> Cc: tech-whois at icann.org
>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>>
>>
>> On Mar 7, 2011, at 12:13 PM, Dave Piscitello wrote:
>>
>>
>> On 3/7/11 2:45 PM, "Jay Daley" <jay at nzrs.net.nz> wrote:
>> [snipped]
>>
>> The only two that cannot be addressed this way are:
>>
>> - authentication, which is the feature where I think we are talking
>> about a very different protocol from WHOIS
>>
>> Agree.
>>
>> Why would we consider requiring authentication when accurate WHOIS
>> information is available to the public?
>>
>>
>> - access control, which most WHOIS providers have implemented at the
>> TCP/IP level
>>
>> Without source address validation, IP level access control is not
>> sufficient. Even with IP level access control, the granularity of
>> access control is arguably less than one might want in a future
>> incarnation of a Whois service. For example, an IP level access
>> control does not accommodate a future policy that might block a user
>> of group X from accessing a subset of registration data elements
>> {b} while allowing a user of group Y access to those elements. A
>> robust directory service protocol ought to accommodate this.
>>
>>
>>
>> With respect, I trust we aren't talking about a directory service for
>> the Internet public.
>>
>>
>> _______________________________________________
>> tech-whois mailing list
>> tech-whois at icann.org
>> https://mm.icann.org/mailman/listinfo/tech-whois
>>
>
>
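
An added illustration, not part of any message in this thread: a sketch of the design the thread debates, with rate limits keyed by an anonymous user ID rather than by source IP, per-class traffic policy, and per-class visibility of registration data elements. The class names, field names, user IDs and limits are assumptions made up for the example; the addresses come from the IPv6 documentation prefix.

```python
import ipaddress

# Hypothetical user classes: burst size, refill rate (queries/second), visible fields.
CLASSES = {
    "guest":    {"burst": 2, "rate": 0.1, "fields": {"domain", "registrar", "status"}},
    "verified": {"burst": 5, "rate": 1.0,
                 "fields": {"domain", "registrar", "status", "registrant_email"}},
}

class Bucket:
    """Token bucket; the caller supplies the clock so the run is deterministic."""
    def __init__(self, burst, rate, now):
        self.burst, self.rate, self.tokens, self.last = burst, rate, float(burst), now

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class WhoisGate:
    def __init__(self, users):
        self.users = users      # user ID -> class name; no real-world identity needed
        self.buckets = {}       # keyed by user ID, not by source address

    def query(self, user_id, record, now):
        cls = CLASSES[self.users[user_id]]
        bucket = self.buckets.setdefault(user_id, Bucket(cls["burst"], cls["rate"], now))
        if not bucket.take(now):
            return None         # over this user's limit, whatever address was used
        return {k: v for k, v in record.items() if k in cls["fields"]}

def per_ip_keys(addresses, prefix=128):
    """Distinct rate-limit keys a per-source-IP limiter would track."""
    return {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses}

# Constructed sample data.
RECORD = {"domain": "example.org", "registrar": "Example Registrar",
          "status": "ok", "registrant_email": "admin@example.org"}
SOURCES = [f"2001:db8:0:1::{i:x}" for i in range(1, 6)]  # one client, five addresses

def demo():
    gate = WhoisGate({"anon-7f3a": "guest", "u-1001": "verified"})
    guest = [gate.query("anon-7f3a", RECORD, now=0.0) for _ in SOURCES]
    verified = gate.query("u-1001", RECORD, now=0.0)
    return guest, verified, len(per_ip_keys(SOURCES)), len(per_ip_keys(SOURCES, 64))
```

The five queries from one guest ID exhaust its burst after two answers even though a per-address limiter would have seen five separate keys; aggregating to a /64 collapses those to one key, at the cost of also grouping every other client in that prefix.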