[TSG-Access-RD] [Ext] Re: Bulk Data, Bulk Query, WhoWas and Charter scope

Jody Kolker jkolker at godaddy.com
Mon Jan 7 21:09:41 UTC 2019 

<<
1. How do RDAP clients learn the URL of ICANN's RDAP service?

	- an entry in the "links" object with an appropriate relation value (which may need to
	be registered with IANA since I don't see one that's applicable) seems like it would
	work.
>>

Why would ICANN's RDAP service need to be published publicly anywhere?  My understanding was that ICANN's service would only be used to access private data.  Anyone approved to access private data would need to be approved by ICANN.  When the client is approved to receive private data, the RDAP address could be included in the approval communication.

Thanks,
Jody Kolker


-----Original Message-----
From: TSG-Access-RD <tsg-access-rd-bounces at icann.org> On Behalf Of Gavin Brown
Sent: Monday, January 7, 2019 6:31 AM
To: Hollenbeck, Scott <shollenbeck at verisign.com>; andy at hxr.us
Cc: tsg-access-rd at icann.org
Subject: Re: [TSG-Access-RD] [Ext] Re: Bulk Data, Bulk Query, WhoWas and Charter scope

As I understand it, Francisco is proposing that:

1. Registries and registrars would provide RDAP services which provide
redacted* responses to all clients - except ICANN.

2. ICANN would provide an RDAP service, only available to authenticated and authorised parties, which would act as a proxy: queries sent to that RDAP service would be forwarded to the registry/registrar, which would return an unredacted response to ICANN, which would then return that response to the client.

We want an in-band solution that allows an RDAP client to perform a normal RDAP query, receive a redacted response from the registry/registrar, and, when non-public data is required, re-query the ICANN service for that data.

If the above is correct, then the we need to address the following
questions:

1. How do RDAP clients learn the URL of ICANN's RDAP service?

	- an entry in the "links" object with an appropriate relation value (which may need to
	be registered with IANA since I don't see one that's applicable) seems like it would
	work.

2. How do registries/registrars authenticate ICANN as a client which is allowed to receive unredacted records?

	- there are a number of solutions here, from simple IP-based
	access control to HTTP and TLS-based authentication solutions.

3. When forwarding an RDAP request, how does ICANN provide (in-band) the
registry/registrar:

	i. which (if not all) non-public data that's been requested
	ii. the purpose for which the data has been requested
	iii. the identity of the requesting client

	- IIRC the RDAP RFCs would allow the use of HTTP request parameters for this.
	Otherwise HTTP header fields could be used.

5. How do RDAP clients authenticate with ICANN?

	- again there are a number of solutions. ICANN can directly identify and authenticate
	clients, but could also use OAuth2/OpenID Connect to allow third-party
	authentication.

	I assume that the authorisation process (determining whether the client is permitted
	to receive the data they are requesting) would all be handled internally to ICANN
	and would therefore not require any sort of interoperable protocol.

G.

* unless the subject has opted in to having their information included in responses

On 04/01/2019 19:55, Hollenbeck, Scott via TSG-Access-RD wrote:
>> -----Original Message-----
>> From: Andrew Newton <andy at hxr.us>
>> Sent: Friday, January 4, 2019 1:04 PM
>> To: Hollenbeck, Scott <shollenbeck at verisign.com>
>> Cc: francisco.arias at icann.org; tsg-access-rd at icann.org
>> Subject: [EXTERNAL] Re: Re: Re: [TSG-Access-RD] [Ext] Re: Bulk Data, 
>> Bulk Query, WhoWas and Charter scope
>>
>> On Fri, Jan 4, 2019 at 12:56 PM Hollenbeck, Scott 
>> <shollenbeck at verisign.com> wrote:
>>>
>>
>>>> But I disagree. :)
>>>> I client seeking non-public data would use the non-public data 
>>>> query mechanism and the answer from that should contain both 
>>>> non-public data and public data. Why would it not?
>>>
>>> I believe Francisco mentioned that ICANN does not want/intend to 
>>> provide
>> a public-facing interface for queries that will return public data.
>>
>> Why would they filter out the public data from an authenticated query?
>> I'm not sure what Francisco said, but perhaps the intent was that 
>> they do not intend to be a service for unauthenticated queries.
> 
> Hence the need for clarity.
> 
> Scott
> 

--
Gavin Brown
Chief Technology Officer
CentralNic Group plc (LSE:CNIC)
Innovative, Reliable and Flexible Registry Services for ccTLD, gTLD and private domain name registries https://www.centralnic.com/
+44.7548243029

CentralNic Group plc is a company registered in England and Wales with
company number 8576358. Registered Offices: 35-39 Moorgate, London,
EC2R 6AR.

More information about the TSG-Access-RD mailing list