|
Now that we’re into the New Year and deadline for public comment on the proposed new .CA whois policy nears and now that my term as a CIRA Director enters its home stretch, I wanted to take some time to elaborate further on my Unsanctioned Whois Concepts post from long ago and revise it somewhat.
Last summer when the Whois Policy revision came into scope I spent some time trying to ponder the dilemma that is “whois”.
I realized that the core issue of our problems is that we only have “one-way authentication”, especially in the .CA ccTLD. Under .CA every single registration is actually “vetted” by the registry and in the gTLDs there is a growing sentiment toward this given the “post 9/11” mentality and it shows up in initiatives like FOISA.
What happens in this situation is we spend a lot of effort validating what goes into the database but near zero effort controlling what gets retrieved out. This is where the problems of machine harvesting and all its attendant consequences come from.
In the real world a lot of this is mitigated by controlling who queries the data: Every time somebody accesses my credit rating a line item shows up to that effect. Every once in awhile I run my own credit check just to see who’s been running credit checks on me.
On the other hand, if I want to drive a car, I have to have a license plate and that plate is visible for all to see and it makes me accountable for pretty well anything that car does.
We have the technology to build similar real world controls and balances into the Whois database now. Last summer I wrote a paper called Balancing Privacy & Accountability within .CA Whois Reform [PDF] and in it I posited the concept of what I called “Whois/Who”.
It basically described a system where we closed the loop on both sides of the transaction, by matching the validation we already do with .CA registrants on input with validating and authenticating “Querying Parties” (QP’s) . By providing accountability in both directions you could provide digests to registrants describing who looked up their records and why. You could also trace any given email sent via a whois record lookup to the party who queried the record by using one-time email addresses and a forwarder at the Registry (the .CA registry is already thick and carries out comparable functions today).
The idea went nowhere. Maybe it’s a bad one. It seems the will of the Board at this present juncture is to fulfill the privacy requirements under PIPEDA and is happy to stop there. As a Registrar and the guy who mans the Abuse desk around easyDNS, I’m not thrilled with the proposed new system which essentially allows for anonymous registrations for “individuals”. As a domain registrant who hates getting spam and DRoC “invoices” I will probably take advantage of it for my personal .CA names.
Shortly before the holidays I came across a thread on Slashdot about i-names and it brought to mind an earlier exposure I had to sxip, both of which are Extensible Identity Protocols and both implement the framework within which all of the ideas I described under Whois/Who could be implemented. Sxip goes one further in allowing identity data to be stored anywhere, users could run their own homesites and store their own data and create their own dissemination policies.
I believe these types of protocols are where the future of Whois will (hopefully) end up. Unfortunately CIRA isn’t availing itself of the opportunity to get really ambitious with Whois Reform while it has it on the agenda this time, but in CIRA’s defense, the exigencies of bringing the entire data collection and dissemination issues of the Whois database under PIPEDA compliance was the main concern.
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byRadix
Sponsored byVerisign
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byDNIB.com
Mark, these are good ideas, just that they are ahead of their time as far as the industry will accept them as common practice.
In the 6 years I have had the opportunity to work with you in some professional capacity, I have yet to hear a bad idea come from you.
I agree with you that the mixture of accountability and privacy concerns do not always seem to meet in the middle with regard to whois data.
This continues to be an area that many are in agreement that evolution is needed, yet the best road seems to be untravelled.
Registrars seem to be presented with the burden of registrant detail validation, and are becoming more motivated to do so as policies become more clear on what their responsibilities are with regard to registrant data.
Many of the registrars operate as a side business to a hosting company or other enterprise. Most of the others that have domain registration as a core focus appear to operate at narrow margins in the price competitive market that Domain Registrations have become.
The by-product of this added accountability, validation, and other requirements upon registrars, is that it creates additional technical and administrative overhead, translating into more operational cost.
To offset this, many of the registrars that build out systems for better whois management also appear to use that development time to create private registration or proxy registration systems.
While this helps to offset development costs, and help create sytems that aid the registrar in supporting the whois requirements, another thing that happens is that proxy or private registration happens as well.
My preference as an individual registrant, using a domain name for personal use, would be to not have my personal information exposed. I would like to know when someoone looks up my information, and for what purpose it was requested, and who they were. I believe that this would create a framework of accountability reduce SPAM and other adverse contact harvesting derivitives.
For a domain that is aquired for the purpose of electronic commerce, however, I feel that I would want people to be able to see the registration information on my domain name as a way to validate that I am a real business entity so that they can transact with me, and be confident and comfortable to do so. The tradeoff as a registrant is that this exposes the email addresses and other contact information to contact harvesting.
Neither scenario is utopian, and I think that these are just two types of registrants and registration situations, and there are certainly many more scenarios and use cases that should be addressed as this evolves.
But, whatever direction things go toward, I am grateful that there are intelligent people who continue reminding the world that there are better solutions ahead.