[Accred-Model] Token-based approach to WHOIS access

Hollenbeck, Scott shollenbeck at verisign.com
Fri Apr 13 19:15:34 UTC 2018


> -----Original Message-----
> From: Accred-Model [mailto:accred-model-bounces at icann.org] On Behalf Of
> Rubens Kuhl
> Sent: Friday, April 13, 2018 2:57 PM
> To: accred-model at icann.org
> Subject: [EXTERNAL] [Accred-Model] Token-based approach to WHOIS access
>
>
> Hi all.
>
> After reading the Article 29 WP letter to ICANN
> (https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr18-en.pdf),
> I started envisioning what process and system could achieve GDPR
> compliance. What I came to is a token-based system, which would work
> like this:
> - Every request is analyzed by a human at an "RDS Clearinghouse". Each
> request can be for a single data element (like "owner of domain X") or for
> multiple data elements (like "domains owned by the same owner of domain
> X"), but requests for multiple data elements are only foreseen to be
> processed by contracted parties with "Search WHOIS" contract requirements.
> - Clearinghouse issues a token with query parameters, data elements
> authorized for response, identity of authorized party, reason for
> authorization, validity (probably in the order of days), also informing
> which endpoint to go to.
> - Authorized party uses that token to access that endpoint, managed by the
> party with most data about that element (usually a registrar).
>
> Note that this is not a replacement for credentialing; credentials would
> still be necessary to get tokens. This is also orthogonal to discussions
> like which use cases are legitimate or not, GDPR-compliant or not etc.;
> it's just a more granular approach to authorization that looks more in
> line with privacy-oriented guidelines including but not limited to GDPR.

Rubens, at a high level you just described how OpenID and OAuth work, except for the "Every request is analyzed by a human" part.

Scott
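
The token flow outlined in the quoted proposal (a clearinghouse issues a scoped, expiring token and the endpoint honours only what it authorizes) can be sketched as follows; this is an added example, not code from either participant or from any ICANN system. The token layout, the HMAC shared key, the field names and the sample record are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Assumption: one shared demo key. A real clearinghouse would sign with a
# private key so endpoints can verify tokens but not mint them.
KEY = b"constructed-demo-key"

def _mac(body: str) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue_token(party, query, elements, reason, endpoint, now, days=3):
    """Clearinghouse: bind one approved request into a signed, expiring token."""
    claims = {"sub": party, "query": query, "elements": sorted(elements),
              "reason": reason, "aud": endpoint, "exp": now + days * 86400}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + _mac(body).decode()

def answer_query(token, endpoint, query, record, now):
    """Endpoint (e.g. a registrar): verify, then release only authorized elements."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _mac(body)):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != endpoint:
        raise PermissionError("token issued for another endpoint")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if claims["query"] != query:
        raise PermissionError("query not covered by token")
    return {k: record[k] for k in claims["elements"] if k in record}

# Constructed sample data (not from the thread).
RECORD = {"registrant_name": "Example Registrant",
          "registrant_email": "owner@example.test",
          "registrant_phone": "+1.5550100"}
QUERY = {"type": "owner", "domain": "example.test"}

if __name__ == "__main__":
    tok = issue_token("requester-17", QUERY, ["registrant_name"],
                      "constructed reason", "registrar-a.example", now=1_000_000)
    print(answer_query(tok, "registrar-a.example", QUERY, RECORD, now=1_000_500))
    for bad in ({"type": "owner", "domain": "other.test"},):
        try:
            answer_query(tok, "registrar-a.example", bad, RECORD, now=1_000_500)
        except PermissionError as e:
            print("refused:", e)
```
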


