[tech-whois] A follow up session in San Francisco?

Dave Piscitello dave.piscitello at icann.org
Tue Mar 8 22:14:40 UTC 2011 

Too often people think of authentication as a means of preventing or
blocking user access. Authentication is also an enabler of other security
and network services. For example,

1) If the Whois service provider knows and trusts the user, it could rate
limit access  - or - it could grant a trusted user a higher rate/volume of
queries, it could process queries involving pattern matching, or it could
accommodate "search" capabilities. The trust could be based on the
reputation or it could be a trust assertion based on reputation, user,
group, origin (ASN/netblock), etc.

2) Whois service providers could support data and access classification; for
example, a Whois service provider could support policy* that would
discriminate among classes of Whois users; for example, the policy might
accommodate granular access controls so that some registration data elements
are accessed based on a user or group "privilege" (mentioned this before),
or the policy might allow Whois service providers to restrict access to
registrations held by natural persons to certain classes of users (law
enforcement, for example).

These are the kinds of features one finds in a directory (DS) application.
I'm not sure we would continue to call this Whois (to Jay's delight:-). I'm
extrapolating here based on enterprise DS applications.

* for domain registration Whois, such policies would be the product of a
bottom-up, multistakeholder consensus policy process:-)

On 3/8/11 4:02 PM, "Smith, Bill" <bill.smith at paypal-inc.com> wrote:

> Exactly what problem are we trying to solve by requiring authentication for
> access to WHOIS data?
> 
> On Mar 8, 2011, at 11:51 AM, Michael Young wrote:
> 
>> Absolutely, a user ID accessing a whois system does not have to be tied to
>> known identity if the overall policy supports anonymity.  The elements of
>> usage enforcement can be applied against the user ID just the same.  Of
>> course you would want some control heuristics preventing the automated
>> creation of those anonymous user ID's in any sort of scale, but that's a
>> well understood problem with many existing tools that can help with that.
>> 
>> Best Regards,
>> 
>> Michael Young
>> M:+1-647-289-1220
>> 
>> 
>> 
>> -----Original Message-----
>> From: Dave Piscitello [mailto:dave.piscitello at icann.org]
>> Sent: March-08-11 2:49 PM
>> To: Michael Young; 'Smith, Bill'
>> Cc: tech-whois at icann.org
>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>> 
>> Michael you raise an excellent point re: IPv6.
>> 
>> I also think you touch on important benefits of "knowing the source":
>> accountability and auditing. Anonymity is very different from accountability
>> but the Internet fails to make this distinction and thus abuse flourishes.
>> 
>> There are several forms of authentication that can provide auditing or a
>> basis for rate limiting that do not require disclosure of personal
>> information or creation of an identity, e.g., guest accounts that can be
>> bound to sessions, connections, validated origin IP addresses. There's a lot
>> of room between "unknown origin, unknown querying party" to "non-reputiable
>> originator of a request".
>> 
>> 
>> On 3/8/11 2:20 PM, "Michael Young" <michael at mwyoung.ca> wrote:
>> 
>>> "- access control, which most WHOIS providers have implemented at the
>>> TCP/IP level
>>> 
>>> Without source address validation, IP level access control is not
>>> sufficient. Even with IP level access control, the granularity of
>>> access control is arguably less than one might want in a future
>>> incarnation of a Whois service. For example, an IP level access
>>> control does not accommodate a future policy that might block a user
>>> of group X from accessing to a subset of registration data elements
>>> {b} while allowing a user of group Y access to those elements. A
>>> robust directory service protocol ought to accommodate this."
>>> 
>>> First of all I agree with this point but let me reinforce/add that the
>>> current rate limiting methodologies based on traffic from source IPs
>>> becomes much trickier with IPv6.  I don't see any practical reason why
>>> every user of a whois service shouldn't have to authenticate to get a
>>> response. Just because its a free public service doesn't mean someone
>>> seeking the data can't sign up for a user ID.  Sign up systems can be
>>> automated and protected from machine based registration, subsequent
>>> whois lookups would always be tied to User ID and usage policy
>>> enforcement can be made against individuals instead of IP addresses.
>>> You can also create classes of users with different traffic policy
>>> expectations (provided you were still in compliance with any contractual
>> obligations).
>>> 
>>> I know this is a fundamental change from today, but the more I think
>>> about it, the more I see the practicality and operational sensibility
>>> in going that route.
>>> 
>>> Best Regards,
>>> 
>>> Michael Young
>>> M:+1-647-289-1220
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: tech-whois-bounces at icann.org
>>> [mailto:tech-whois-bounces at icann.org] On Behalf Of Smith, Bill
>>> Sent: March-08-11 1:22 PM
>>> To: Dave Piscitello
>>> Cc: tech-whois at icann.org
>>> Subject: Re: [tech-whois] A follow up session in San Francisco?
>>> 
>>> 
>>> On Mar 7, 2011, at 12:13 PM, Dave Piscitello wrote:
>>> 
>>> 
>>> On 3/7/11 2:45 PM, "Jay Daley"
>>> <jay at nzrs.net.nz<mailto:jay at nzrs.net.nz>>
>>> wrote:
>>> [snipped]
>>> 
>>> The only two that cannot be addressed this way are:
>>> 
>>> - authentication, which is the feature where I think we are talking
>>> about a very different protocol from WHOIS
>>> 
>>> Agree.
>>> 
>>> Why would we consider requiring authentication when accurate WHOIS
>>> information is available to the public?
>>> 
>>> 
>>> - access control, which most WHOIS providers have implemented at the
>>> TCP/IP level
>>> 
>>> Without source address validation, IP level access control is not
>>> sufficient. Even with IP level access control, the granularity of
>>> access control is arguably less than one might want in a future
>>> incarnation of a Whois service. For example, an IP level access
>>> control does not accommodate a future policy that might block a user
>>> of group X from accessing to a subset of registration data elements
>>> {b} while allowing a user of group Y access to those elements. A
>>> robust directory service protocol ought to accommodate this.
>>> 
>>> 
>>> 
>>> With respect, I trust we aren't talking about a directory service for
>>> the Internet public.
>>> 
>>> 
>>> _______________________________________________
>>> tech-whois mailing list
>>> tech-whois at icann.org<mailto:tech-whois at icann.org>
>>> https://mm.icann.org/mailman/listinfo/tech-whois
>>> 
>>> 
>>> _______________________________________________
>>> tech-whois mailing list
>>> tech-whois at icann.org
>>> https://mm.icann.org/mailman/listinfo/tech-whois
>>> 
>> 
>> 
>

More information about the tech-whois mailing list