[gtld-tech] [weirds] Search Engines Indexing RDAP Server Content

Hollenbeck, Scott shollenbeck at verisign.com
Wed Feb 3 12:05:19 UTC 2016


> -----Original Message-----
> From: gtld-tech-bounces at icann.org [mailto:gtld-tech-bounces at icann.org]
> On Behalf Of Francisco Arias
> Sent: Tuesday, February 02, 2016 7:24 PM
> To: gtld-tech at icann.org
> Subject: Re: [gtld-tech] [weirds] Search Engines Indexing RDAP Server
> Content
> 
> I talked with Andrew about the email below and I think we clarified
> things. I thought I’d share with the list the assessment that Gustavo
> and I did on the issue. Andrew, please feel free to correct me.
> 
> Gustavo and I double checked the draft RDAP profile and do not see any
> element in there that is leading to expose more data than what the
> current Whois is, e.g., a domain name links to a few entities (e.g.,
> registrant, registrar, admin, and tech contacts), a registrar, and zero
> or more name servers.
> 
> The search page
> (https://www.google.co.uk/search?q=site:rdg.afilias.info) appears to be
> the result of crawling links from the first link that appears there
> (http://rdg.afilias.info/rdap/help). The help page contains links to
> search and lookup examples that return several objects with their
> directly-related objects, which are in turn shown in the search
> results. This could have happened in web-Whois if someone were to
> publish a page containing example queries.
> 
> In other words, the alluded behavior is not something enabled by RDAP
> or the profile.
> 
> Please let me know if we are missing something.

It's not about exposing more data. It's about making it even easier for that data to be extracted, indexed, archived, and accessed. Unauthenticated RDAP and the current profile proposal continue the WHOIS practice of making PII easily accessible to anyone who asks (including search engines). The fact that the issue isn't new doesn't make it any less of an issue.

Scott

