[gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

Hollenbeck, Scott shollenbeck at verisign.com
Wed Feb 21 14:59:37 UTC 2018


From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of John Bambenek via gnso-rds-pdp-wg
Sent: Wednesday, February 21, 2018 9:22 AM
To: Volker Greimann <vgreimann at key-systems.net>
Cc: gnso-rds-pdp-wg at icann.org
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP



Often when we send in abuse reports to registries, those abuse reports are forwarded to criminals whole and entire with our names and contact information. That has led to immediate attacks on the complainant. For instance, some have been swatted (spoofed calls to police to generate an armed response where they kick in doors guns drawn). This has become so commonplace, many people either have stopped abuse complaints altogether or use aliases to talk to registries.



In a gated RDS, you will need to know exactly who we are and inherently know what we are looking at. Considering the history of the exact class of people who will have access to that information, what will YOU do to protect OUR privacy and security? Or can we expect now even our RDS queries will be forwarded to criminals also?



I have one approach documented in an Internet-Draft that describes how RDAP can work with federated authentication. It describes a “do not track” identity claim that tells the RDS operator that the end user is authorized for just the kind of protection that you’re describing. It’s technically possible if supported by operational policy.



Scott
