[gtld-tech] [weirds] Search Engines Indexing RDAP Server Content
francisco.arias at icann.org
Fri Jan 29 22:39:29 UTC 2016
On 1/29/16, 9:25 AM, "gtld-tech-bounces at icann.org on behalf of Andrew Sullivan" <gtld-tech-bounces at icann.org on behalf of asullivan at dyn.com> wrote:
>(Sticking to this list 'cause I happen to be subscribed here.)
>On Fri, Jan 29, 2016 at 04:54:49PM +0000, Francisco Arias wrote:
>> In all the cross-posting, it seems you may have left out the list where people currently have in scope doing something about this: https://community.icann.org/display/gTLDRDS/Next-Generation+gTLD+Registration+Directory+Services+to+Replace+Whois
>While that's a fair point to make, I think part of Scott's observation
>is that we're learning there's a technical mistake in treating all
>registry data services as though they're interchangeable. Because
>Whois doesn't provide links, it doesn't encourage crawlers to build an
>independent database of linked data the way RDAP does. So, without
>privacy protections, deploying RDAP as though it's just
>Whois-on-the-web actually introduces new vulnerabilities.
>That seems important to take into consideration in the new profile,
>regardless of what the policy documents say. Surely the policy
>documents do not require the introduction of new data vulnerabilities
>just because the policy implies that?
In the gTLD world we have a set of services called Registration Data Directory Services (RDDS) comprised of WHOIS (port-43) and web-Whois (i.e., an HTML web page). RDAP is intended to join the group and eventually, WHOIS would go away.
The behavior described as a vulnerability has the same potential to appear in the so-called web-Whois that has been there for years, and it is not being proposed to disappear in either gTLD registries or registrars. As John said, perhaps the issue is how the alluded RDAP service was implemented.
“Beauty is in the eye of the beholder”. What you call a vulnerability others may call a feature. Please don’t get me wrong, this is not about what I think. The fact of the matter is that gTLD contracts state that all information must be shown in RDDS services, period. If we don’t like it, there is the RDS policy development process that is tasked, among other things, to revisit differentiated access. With the exception of Scott, I don’t see any of the people that have complained about the lack of differentiated access in RDDS in the RDS list at https://community.icann.org/pages/viewpage.action?pageId=56986659. If you care about this issue, please participate in RDS.