[gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Rubens Kuhl rubensk at nic.br
Fri Feb 16 17:32:12 UTC 2018


Nathalie,

If accuracy and/or completeness is an indicator, one possibility would be to display whether information was supplied to the registrar. Something like this:
Field: Supplied to registrar, failed syntax check
Field: Supplied to registrar, passed syntax check
Field: Supplied to registrar, no syntax check performed
Field: Not provided

This would allow the same decision making without having the information either presented or sent for processing by the registry (unless the registry requires it).

Rubens

> On Feb 16, 2018, at 13:56:000, nathalie coupet via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
> 
> Inaccurate and/or incomplete data could be an indicator of an untrustworthy website.
> 
> Sent from my iPhone
> 
> On Feb 16, 2018, at 10:33 AM, Steve Crocker <steve at shinkuro.com> wrote:
> 
>> Thanks for the quick response.  See brief comments inline below.
>> 
>> Steve
>> 
>> 
>> On Fri, Feb 16, 2018 at 10:22 AM, nathalie coupet <nathaliecoupet at yahoo.com> wrote:
>> Good morning Steve,
>> 
>> According to the Webster's definition of 'trustworthy':
>> 
>> Definition of trustworthy
>> 
>> : worthy of confidence : dependable <https://www.merriam-webster.com/dictionary/dependable> a trustworthy guide trustworthy information
>> : Legal Definition of trustworthy
>> 
>> : worthy of confidence; specifically : being or deriving from a source worthy of belief or consideration for evidentiary purposes
>> 
>> An end-user would be interested in knowing through a whois look-up whether
>> 1) the website she is about to connect with comes from a source she approves of
>> 
>> What do you have in mind for determining whether a website is one she approves of?  I assume you have in mind the person accessing the website will be making the determination as to whether she approves of it.  What information do you have in mind to put in front of her to help her make that determination?
>> 
>> I don't see how to make this work in an operational way.
>> 
>> 
>> 2) the identity of its owner/content provider (if it's the same person) is the same as the one indicated in the WHOIS field; in order to be the victim of a hijacked website
>> 
>> If I understand what you have in mind, you want to know if the person who has control of the website is the same as the one indicated in the registrant field of the whois record.  This is much closer to being well defined and turned into an operationally feasible process, but even so there are some hurdles.  The person who has control of the domain name, i.e. the account holder, may or may not be the same as the person responsible for the content of a website hosted under that domain name.  But I assume you will feel at least somewhat better served if the registrant info does indeed match the account holder.
>> 
>> 3) the website is dependable: doesn't look suspicious, will not inject malicious codes or perform other nefarious activities, such as phishing and spam.
>> 
>> These are broad and subjective terms.  I suspect reputation services will be more useful than depending on whois information.
>> 
>> 
>> Steve
>> 
>> There are other uses that I have not mentioned, but that's another topic
>> 1) a victim of defamation, revenge porn, cyberbullying would be able to identify the perpetrator
>> 2) the possible identification of the perpetrator would lead to more accountability online, etc...
>> 
>> 
>> 
>> Nathalie
>> 
>> 
>> On Friday, February 16, 2018 10:02 AM, Steve Crocker <steve at shinkuro.com> wrote:
>> 
>> 
>> Nathalie,
>> 
>> Can you be more specific about "trustworthiness of a website?"  Trust has many facets.  Do you have a more precise definition in mind?
>> 
>> Thanks,
>> 
>> Steve
>> 
>> 
>> On Fri, Feb 16, 2018 at 12:19 AM, nathalie coupet via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
>> To technical people on this list:
>> In a tiered-system with authenticated access, how could the general public satisfy authentication requirements and what would those be, in order to have access to information about the trustworthiness of a website (what would this data be)?
>> Would it be possible to mandate someone who is duly authorized within the registrar to look up the data on her behest? Is there a way to automatize this process?
>> 
>> Personal thought: I keep on thinking we will find a silver bullet in the principles set by the law of the sea, the mechanisms of the EEZ or natural law. Still looking.
>> 
>> Thanks,
>> 
>> Nathalie
>> 