[gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")

Wed Mar 22 17:24:05 UTC 2017

Hi,

On Wed, Mar 22, 2017 at 09:33:22AM -0700, John Horton wrote:

> My biggest fear
> is that in the monitoring that companies like mine do for banks, payment
> providers, e-commerce companies, etc. that helps determine whether a
> merchant is who they say they are, and whether they are engaged in other
> bad activity (i.e., laundering money) will be unable to obtain access to
> the Whois records we need in order to preserve the integrity of the
> payments system, protect payment providers from risk, and derivatively
> protect consumers.

Modulo the inclusion of "Whois" in the above, that all seems
reasonable.  What you are saying is that you need a mechanism by which
you can create risk analyses with respect to some domain name.  But,

> In other words, my fear is that we'll lose access to
> Whois records, which we need for that purpose.

this does not follow.

Consider, for instance, that RDAP works via http(s), and that we have
several kinds of authentication and authorization mechanisms related
to https, and such things can be federated.  It is a short hop from
that knowledge to understanding that someone(s) could operate a
service that authenticates service providers like you, using tokens
provided by the to-be-evaluated domain names.  A payment provider or
whatever, when offering service to a customer, could obtain from that
customer a token of consent allowing it to obtain the relevant data
from the registries and registrars in question.  That token could then
be provided to the authorization service, which would then
authenticate your request to the RDAP servers and they could provide
you the data you request.  This is by no means an impossible task --
every time you apply for insurance online or log into a payment
provider via Google or Facebook or Amazon, you're doing this.  This is
a technique that is already deployed all over the Internet where real
money is involved, so I fail to see how it could not be used in our
case.  (In addition, you may not actually need the particulars of an
individual -- it might be enough for you to be able to tell whether
the domain and people behind it are related in some important ways to
some other domain.  But we're getting ahead of ourselves in the use
case description here.)

This is also why separating the collection of data from questions
about display and so on is necessary: we need to understand as a group
the compelling use cases that the RDS data can support.  I agree that
reputation-of-vendor systems are among those uses, and that we ought
therefore to include support of such things in what we think we want
the system to be able to support.

Of course, all of this does represent some cost to you -- your
existing service would need to change to reflect the new business
logic and access rules and mechanisms and so on.  But I don't think
this WG has so far accepted, "But that's how we do it now," as a
legitimate purpose.

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com