[gnso-rds-pdp-wg] a suggestion for "purpose in detail"

John Bambenek jcb at bambenekconsulting.com
Wed Mar 22 02:16:45 UTC 2017 

In line. 

Sent from my iPhone

> On Mar 21, 2017, at 20:45, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
> 
>> On Tue, Mar 21, 2017 at 03:01:50PM -0500, John Bambenek via gnso-rds-pdp-wg wrote:
>> Except that is not the only approach to the problem nor the ones exclusively used by DP authorities (i.e. Twitter). That is why I asked the question I did and why I will be lobbying them directly for whois privacy for free. 
>> 
> 
> But I thought the point of what we were doing was to make some
> proposals for what to mask and how -- basically, that's what
> differential access does.  And I also thought we were at the beginning
> of that effort (much as it frustrates me the rate at which we move).

I guess I am speaking of masking in a broad sense. What do we allow the consumer to mask and on what terms. 

> 
>> The question of whether fields are optional or can be "masked" is inherently part of this discussion. 
>> 
> 
> That's just conflating two different things.  The first thing is to
> ask whether something should be collected _at all_.  Then one can ask,
> if something is collected, who may obtain it and under what
> circumstances.  This latter is the "masking" of which you speak.  And
> it's all implemented as it currently is because whois is brain-dead.
> So let us not be restricted to the functionality we can get from a
> primitive protocol that had already been extended well beyond its
> design constraints more than 20 years ago.

I would disagree on they being separate issues. No matter what technology is created, some things will have to be fully public and some things are subject to debate here. For instance, if we don't make authoritative nameservers fully public without gates, we break the internet. I don't mean that as hyperbole, I mean no internet except for the savants who can us IP addresses for everything. 

> 
>> To enable third-parties to communicate directly to resolve and troubleshoot problems. 
> 
> I suggest that's already there.

Not in what I saw in the poll. 
> 
>> To enable third-parties to report abuse or security incidents so they may be resolved. 
> 
> This too.
> 
>> To enable users and entities to have information to adjudicate an entity is who they say they are (for instance phishing, scams, fake news). 
>> 
> 
> I find it impossible to imagine using the whois for this purpose, so
> I'd like a use description for this.  Since it's not authenticated or
> authenticatable information anyway, as there are no signatures and so
> on, it seems a pretty poor way to do it.  This is partly included in
> the purposes however when we discuss X.509 certificates.

It actually happens to me quite frequently. I get an email from X at say y.com. Says they want to contract my services, speak at a conference, investigate an incident. Are they actually a legitimate entity?  We've already covered that whois data is unauthenticated and a registrar on this list all but admitted they knowingly ignore fake whois data. But I am not a fair target. I work in investigations and intelligence. So you can send me an email from say citibankcreditcards.com and I'll check the address in whois to compare to a corp registry, or known good domains. I imagine the brand protection investigators could chime in here on their thoughts too. 

I also develop machine learning tools that proactively find junk data in domains and scores them to protect my customers. Is X person a spammer? Whois privacy protection is a good indicator. Is Y domain used in hacking the DNC registered by Russian intelligence? We can make that assessment because we know how they lie. Z domain was registered 12 hours ago, can email and web traffic from that domain be trusted (no)?

X.509 certs are more maliciously pointless. At least registrars don't sell a service to authenticate domain owners. The entire X.509 and CA regime exists for one purpose, to validate the person asking for a cert is who they say they are. That's the service you pay for. And the entire thing is a complete failure whole and entire that instills a false sense of security where there is none. And if you like I can give you validated SSL certs for every domain on this lost to prove it. 

But again, I do investigations and intelligence for a living and how people lie is very useful to me. 

> 
>> ICANN isn't just a business to confer domain names. Its a quasi-regulatory body over a "commons" and a natural monopoly. The purposes must be viewed beyond the prism of the mere registrar-consumer relationship as many interests are relevant and just as important. 
>> 
> 
> While I strongly agree that the purposes need to be rather wider than
> the domain name industry, I'm uncomfortable with both of the claims of
> quasi-regulatory authority, the notion of the Internet as a commons.
> The root zone is indeed a natural monopoly, though.

I'd be interested in why you say that? How isn't the domain registration regime a commons? Does ICANN not contractually require certain behaviors of various parties?

> 
> Best regards,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

More information about the gnso-rds-pdp-wg mailing list