[tech-whois] A follow up session in San Francisco?

Smith, Bill bill.smith at paypal-inc.com
Tue Mar 8 21:02:04 UTC 2011


Exactly what problem are we trying to solve by requiring authentication for access to WHOIS data?

On Mar 8, 2011, at 11:51 AM, Michael Young wrote:

> Absolutely, a user ID accessing a whois system does not have to be tied to
> known identity if the overall policy supports anonymity.  The elements of
> usage enforcement can be applied against the user ID just the same.  Of
> course you would want some control heuristics preventing the automated
> creation of those anonymous user IDs in any sort of scale, but that's a
> well understood problem with many existing tools that can help with that.
> 
> Best Regards,
> 
> Michael Young
> M:+1-647-289-1220
> 
> 
> 
> -----Original Message-----
> From: Dave Piscitello [mailto:dave.piscitello at icann.org] 
> Sent: March-08-11 2:49 PM
> To: Michael Young; 'Smith, Bill'
> Cc: tech-whois at icann.org
> Subject: Re: [tech-whois] A follow up session in San Francisco?
> 
> Michael you raise an excellent point re: IPv6.
> 
> I also think you touch on important benefits of "knowing the source":
> accountability and auditing. Anonymity is very different from accountability
> but the Internet fails to make this distinction and thus abuse flourishes.
> 
> There are several forms of authentication that can provide auditing or a
> basis for rate limiting that do not require disclosure of personal
> information or creation of an identity, e.g., guest accounts that can be
> bound to sessions, connections, validated origin IP addresses. There's a lot
> of room between "unknown origin, unknown querying party" to "non-repudiable
> originator of a request".
> 
> 
> On 3/8/11 2:20 PM, "Michael Young" <michael at mwyoung.ca> wrote:
> 
>> "- access control, which most WHOIS providers have implemented at the 
>> TCP/IP level
>> 
>> Without source address validation, IP level access control is not 
>> sufficient. Even with IP level access control, the granularity of 
>> access control is arguably less than one might want in a future 
>> incarnation of a Whois service. For example, an IP level access 
>> control does not accommodate a future policy that might block a user 
>> of group X from accessing a subset of registration data elements 
>> {b} while allowing a user of group Y access to those elements. A 
>> robust directory service protocol ought to accommodate this."
>> 
>> First of all I agree with this point but let me reinforce/add that the 
>> current rate limiting methodologies based on traffic from source IPs 
>> becomes much trickier with IPv6.  I don't see any practical reason why 
>> every user of a whois service shouldn't have to authenticate to get a 
>> response. Just because it's a free public service doesn't mean someone 
>> seeking the data can't sign up for a user ID.  Sign up systems can be 
>> automated and protected from machine based registration, subsequent 
>> whois lookups would always be tied to User ID and usage policy 
>> enforcement can be made against individuals instead of IP addresses. 
>> You can also create classes of users with different traffic policy 
>> expectations (provided you were still in compliance with any contractual
>> obligations).
>> 
>> I know this is a fundamental change from today, but the more I think 
>> about it, the more I see the practicality and operational sensibility 
>> in going that route.
>> 
>> Best Regards,
>> 
>> Michael Young
>> M:+1-647-289-1220
>> 
>> 
>> 
>> -----Original Message-----
>> From: tech-whois-bounces at icann.org 
>> [mailto:tech-whois-bounces at icann.org] On Behalf Of Smith, Bill
>> Sent: March-08-11 1:22 PM
>> To: Dave Piscitello
>> Cc: tech-whois at icann.org
>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>> 
>> 
>> On Mar 7, 2011, at 12:13 PM, Dave Piscitello wrote:
>> 
>> 
>> On 3/7/11 2:45 PM, "Jay Daley" <jay at nzrs.net.nz> wrote:
>> [snipped]
>> 
>> The only two that cannot be addressed this way are:
>> 
>> - authentication, which is the feature where I think we are talking 
>> about a very different protocol from WHOIS
>> 
>> Agree.
>> 
>> Why would we consider requiring authentication when accurate WHOIS 
>> information is available to the public?
>> 
>> 
>> - access control, which most WHOIS providers have implemented at the 
>> TCP/IP level
>> 
>> Without source address validation, IP level access control is not 
>> sufficient. Even with IP level access control, the granularity of 
>> access control is arguably less than one might want in a future 
>> incarnation of a Whois service. For example, an IP level access 
>> control does not accommodate a future policy that might block a user 
>> of group X from accessing a subset of registration data elements 
>> {b} while allowing a user of group Y access to those elements. A 
>> robust directory service protocol ought to accommodate this.
>> 
>> 
>> 
>> With respect, I trust we aren't talking about a directory service for 
>> the Internet public.
>> 
>> 
>> _______________________________________________
>> tech-whois mailing list
>> tech-whois at icann.org<mailto:tech-whois at icann.org>
>> https://mm.icann.org/mailman/listinfo/tech-whois
>> 
>> 
> 
> 
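
An added illustration of the two technical points debated in this thread, not code from any list participant or WHOIS operator: how a query quota behaves when it is keyed on source address, on the IPv6 /64 prefix, or on a user ID, and how record elements can be filtered per user class. The limit, class names, field names, guest ID and traffic are constructed assumptions.

```python
import ipaddress
from collections import Counter

LIMIT = 5  # queries allowed per key per window (constructed value)

# Hypothetical policy: which record elements each user class may read.
VISIBLE = {
    "guest": {"domain", "registrar", "nameservers"},
    "group_y": {"domain", "registrar", "nameservers", "registrant_email"},
}

def key_by_address(addr, user_id):
    return str(ipaddress.ip_address(addr))

def key_by_prefix(addr, user_id):
    # Aggregate IPv6 sources to their /64; IPv4 stays per address.
    ip = ipaddress.ip_address(addr)
    bits = 64 if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def key_by_user(addr, user_id):
    return user_id

def answered(requests, key_fn, limit=LIMIT):
    """Count requests answered in one window when the quota is tracked per key_fn."""
    seen, ok = Counter(), 0
    for addr, user_id in requests:
        key = key_fn(addr, user_id)
        seen[key] += 1
        ok += seen[key] <= limit
    return ok

def redact(record, group):
    """Return only the elements the caller's class is allowed to read."""
    return {k: v for k, v in record.items() if k in VISIBLE[group]}

# Constructed traffic: one guest account whose host appears from 200 different
# addresses inside a single /64, as IPv6 temporary addressing permits.
BASE = int(ipaddress.ip_address("2001:db8:0:1::"))
REQUESTS = [(str(ipaddress.ip_address(BASE + i + 1)), "guest-7f3a") for i in range(200)]

RECORD = {"domain": "example.org", "registrar": "Example Registrar",
          "nameservers": ["ns1.example.org"], "registrant_email": "owner@example.org"}

if __name__ == "__main__":
    for fn in (key_by_address, key_by_prefix, key_by_user):
        print(fn.__name__, answered(REQUESTS, fn))
    print(redact(RECORD, "guest"))
```
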
