[gtld-tech] [weirds] Search Engines Indexing RDAP Server Content

Andrew Sullivan asullivan at dyn.com
Sat Jan 30 02:49:10 UTC 2016

On Fri, Jan 29, 2016 at 10:39:29PM +0000, Francisco Arias wrote:
> The behavior described as vulnerability has the same potential to
> appear in the so-called web-Whois that has been there for years and
> it is not being proposed to disappear in neither gTLD registries nor
> registrars.

Poppycock.  The RDAP provides, on purpose, links among the objects in
its responses.  Web whois basically provides a terminal-scrape of what
people would get if they still knew how to type whois at a command
line.  Since crawlers respond automatically to the very
machine-readable markup that RDAP was precisely designed to emit, this
means that crawlers that were never intending to catalogue the entire
whois will now do so as a matter of course.

> "Beauty is in the eye of the beholder”. What you call a
> vulnerability others may call it a feature. 

Yes.  And when my customers are giving me their information and I am
forced by contractual terms with ICANN to deploy that in a way that
causes a whole new class of people to suck all that up into
widely-searchable machine-readable archives, that seems to me to be a
new [feature|vulnerability] that I was never in a position to warn
people about and to which they didn't agree.  

> The fact of the matter is that gTLD contracts state that all
> information must be shown in RDDS services, period. If we don’t like
> it, there is the RDS policy development process that is tasked,
> among other things, to revisit differentiated access. 

With respect, what you are claiming is that the procedure is being
followed and therefore this is ok.  I am claiming that Scott has
uncovered a new consequence of the policy that seems to have
consequences for the implementation, and that needs to be taken into
consideration.  I'm reasonably willing to believe that, if it turned
out using RDAP caused you accidentally to forego your first-born
child, we'd be having a different discussion about the
implementation.  So where, exactly, does the line fall here?

> With the exception of Scott, I don’t see any of the people that have
> complained about the lack of differentiated access in RDDS in the
> RDS list at
> https://community.icann.org/pages/viewpage.action?pageId=56986659. If
> you care about this issue, please participate in RDS.

I have submitted my name, but I have to admit that part of the
difficulty in getting permission to spend yet more time on this is the
absurd way that ICANN develops policies around things affecting the
Internet: anyone who wants to be a "participant" has to promise to
join inconveniently-timed phone calls (well, ok, Internet-carried
phone calls), fly to far away places for face to face meetings, and so
on.  If one could actually participate in Internet policy discussions
using, you know, the Internet, it might be somewhat easier to justify

Best regards,


Andrew Sullivan
asullivan at dyn.com

More information about the gtld-tech mailing list