[TSG-Access-RD] [Ext] Re: ICANN as a proxy

Francisco Arias francisco.arias at icann.org
Mon Dec 17 19:06:58 UTC 2018


1. Correct, the requirement is for ICANN to be the only authorizing body for "each" request for non-public data. Even more, the requestor is expected to have to provide some sort of justification with each query. This justification would be considered in order to provide or not the authorization for each query.

2. Please see #1 re: authorization. Now, regarding accreditation and authentication, there is no requirement given to us. We should support a model in which there is one or more accreditation bodies. We should also support a model in which there is one or more authentication bodies. (I'm calling accreditation the process of having a user verified as complying with TBD requirements for potential access to data and being given an initial set of access credentials. I'm assuming the accreditation and the authentication bodies could be separated, but if we think this is too complicated, then we can suggest they are the same).

3. I was referring to queries for non-public data; they would follow the existing mechanisms. There would not be any authentication/authorization involved in the process to respond to these.

4. ICANN could act as a bootstrap server if that is needed for the solution we develop to work. Another option could be for all the responses from contracted parties to end-users (i.e., responses that only include public data) to include a notice or remark explaining how to request access to non-public data, which could also include relevant link(s). ICANN could have its own RDAP base URL where queries for non-public data could be sent. This wouldn't change the bootstrapping.

-- 
Francisco

On 12/17/18, 10:27 AM, "Andrew Newton" <andy at hxr.us> wrote:

    On Mon, Dec 17, 2018 at 1:13 PM Francisco Arias
    <francisco.arias at icann.org> wrote:
    >
    > To be clear, the requirement given to us is that ICANN would be the only authorizing body for each request for non-public data. Requests for public data should not be changed (i.e., the client, following the bootstrapping algorithm, queries the authoritative server for the data). So, not all the RDAP queries.
    >
    >
    
    Francisco,
    
    Thanks for the clarification. But I do have a few further questions:
    
    1. You said ICANN is the only authorizing body for "each" request.
    Does this mean a client cannot be issued an authorization token that
    cannot be used repeatedly in a given time period (e.g. token is good
    for 5 minutes or 5 days)?
    2. Does this mean ICANN cannot delegate authorization to other
    parties, such as national law enforcement or third party agencies?
    3. When you say the client follows the standard bootstrapping process,
    I assume that this comes after obtaining authorization from ICANN. Is
    that correct?
    4. Would ICANN act as a bootstrap server?
    
    -andy
    


