[gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")

Gomes, Chuck cgomes at verisign.com
Thu Mar 23 08:59:26 UTC 2017 

Allison,



Have you reviewed the EWG Report? If not, I encourage you to do so.  A large number of experts believe it can work.



If we decide to recommend gated access for some data elements and for some parties, it will be up to us to develop policy and implementation procedures and Phases 2 & 3 regarding gate keepers so it is way too early to assume who the gate keepers will be.



Chuck



From: allison nixon [mailto:elsakoo at gmail.com]
Sent: Thursday, March 23, 2017 4:50 AM
To: Gomes, Chuck <cgomes at verisign.com>
Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>; Andrew Sullivan <ajs at anvilwalrusden.com>
Subject: [EXTERNAL] RE: [gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")



No, im referring to this token idea. And really any gated system, i am quite suspicious of, if the gatekeepers will demonstrate a fundamental lack of understanding of how whois is useful here and now.

Considering the prevalent attitudes I've seen on this list, the gatekeepers will likely be people who think keeping falsified whois data private is more important than anything else. It shows either a lack of care or some measure of ignorance as to larger realities relating to losses and even privacy itself.

I think very few people who work with whois for investigations know what the actual prevalent attitudes are within this group. If they lose a sane way to make whois based decisions, they are not going to tolerate it.



On Mar 23, 2017 4:20 AM, "Gomes, Chuck" <cgomes at verisign.com<mailto:cgomes at verisign.com>> wrote:

   What system are you referring to Allison? Are you saying that RDAP is not workable?



   Chuck



   From: gnso-rds-pdp-wg-bounces at icann.org<mailto:gnso-rds-pdp-wg-bounces at icann.org> [mailto:gnso-rds-pdp-wg-bounces at icann.org<mailto:gnso-rds-pdp-wg-bounces at icann.org>] On Behalf Of allison nixon
   Sent: Thursday, March 23, 2017 4:01 AM
   To: Andrew Sullivan <ajs at anvilwalrusden.com<mailto:ajs at anvilwalrusden.com>>
   Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>>
   Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] "access to whois" vs supporting a service (was Re: a suggestion for "purpose in detail")



   This suggested system is not workable because the daily use of whois does not conceptually fit within that framework. Several of us who work with whois on a daily basis have already described use cases that are made impossible by that system, so there's no need to go into the same details all over again.



   On Wed, Mar 22, 2017 at 1:24 PM, Andrew Sullivan <ajs at anvilwalrusden.com<mailto:ajs at anvilwalrusden.com>> wrote:

      Hi,

      On Wed, Mar 22, 2017 at 09:33:22AM -0700, John Horton wrote:

      > My biggest fear
      > is that in the monitoring that companies like mine do for banks, payment
      > providers, e-commerce companies, etc. that helps determine whether a
      > merchant is who they say they are, and whether they are engaged in other
      > bad activity (i.e., laundering money) will be unable to obtain access to
      > the Whois records we need in order to preserve the integrity of the
      > payments system, protect payment providers from risk, and derivatively
      > protect consumers.

      Modulo the inclusion of "Whois" in the above, that all seems
      reasonable.  What you are saying is that you need a mechanism by which
      you can create risk analyses with respect to some domain name.  But,

      > In other words, my fear is that we'll lose access to
      > Whois records, which we need for that purpose.

      this does not follow.

      Consider, for instance, that RDAP works via http(s), and that we have
      several kinds of authentication and authorization mechanisms related
      to https, and such things can be federated.  It is a short hop from
      that knowledge to understanding that someone(s) could operate a
      service that authenticates service providers like you, using tokens
      provided by the to-be-evaluated domain names.  A payment provider or
      whatever, when offering service to a customer, could obtain from that
      customer a token of consent allowing it to obtain the relevant data
      from the registries and registrars in question.  That token could then
      be provided to the authorization service, which would then
      authenticate your request to the RDAP servers and they could provide
      you the data you request.  This is by no means an impossible task --
      every time you apply for insurance online or log into a payment
      provider via Google or Facebook or Amazon, you're doing this.  This is
      a technique that is already deployed all over the Internet where real
      money is involved, so I fail to see how it could not be used in our
      case.  (In addition, you may not actually need the particulars of an
      individual -- it might be enough for you to be able to tell whether
      the domain and people behind it are related in some important ways to
      some other domain.  But we're getting ahead of ourselves in the use
      case description here.)

      This is also why separating the collection of data from questions
      about display and so on is necessary: we need to understand as a group
      the compelling use cases that the RDS data can support.  I agree that
      reputation-of-vendor systems are among those uses, and that we ought
      therefore to include support of such things in what we think we want
      the system to be able to support.

      Of course, all of this does represent some cost to you -- your
      existing service would need to change to reflect the new business
      logic and access rules and mechanisms and so on.  But I don't think
      this WG has so far accepted, "But that's how we do it now," as a
      legitimate purpose.

      Best regards,

      A


      --
      Andrew Sullivan
      ajs at anvilwalrusden.com<mailto:ajs at anvilwalrusden.com>
      _______________________________________________
      gnso-rds-pdp-wg mailing list
      gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
      https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg







   --

   _________________________________
   Note to self: Pillage BEFORE burning.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170323/a32df101/attachment-0001.html>

More information about the gnso-rds-pdp-wg mailing list