[council] WHOIS study group report attached

[Liz Gasster <liz.gasster@xxxxxxxxx>]

Council members:

Attached please find the final report of the WHOIS study group, which was 
convened by the Council on 27 March to examine the study recommendations 
suggested by the public (and later augmented with study suggestions recommended 
by the Government Advisory Committee), and to make a recommendation to the 
Council.

Also, in the course of discussions on further studies of WHOIS, study 
participants asked for more information on IRIS and specifically more 
information about what it would take to implement IRIS from both a technical 
and policy perspective.  Steve Crocker has provided an email response (also 
attached), and has also offered to participate in a Q & A or broader 
discussion, at which SSAC experts could have a dialogue with the GNSO Council 
and constituency representatives.  Staff would be happy to coordinate such a 
conversation at the Council's request.

The WHOIS study group would be glad to answer questions about the report and 
our deliberation process.

Thanks, Liz Gasster

Study group participants:


Jordi Iparraguirre

Ken Stubbs

David Maher

Steve Metalitz

Lee Eulgen

Steve DelBianco

Tony Harris

Tim Ruiz

Paul Stahura

James Bladel

Stéphane Van Gelder

Norbert Klein

Robin Gross

Danny Younger

Beau Brendler
Wendy Seltzer
Liz Gasster - staff

Attachment: GNSO WHOIS Study Group report to the Council final 22 May.pdf
Description: GNSO WHOIS Study Group report to the Council final 22 May.pdf

--- Begin Message ---

• To: Liz Gasster <liz.gasster@xxxxxxxxx>
• Subject: Re: Response to Request regarding WHOIS and IRIS -- resend with editing error corrected
• From: Steve Crocker <steve@xxxxxxxxxxxx>
• Date: Tue, 20 May 2008 11:57:57 -0700
• Cc: Steve Crocker <steve@xxxxxxxxxxxx>, Denise Michel <denise.michel@xxxxxxxxx>, "David M. Piscitello" <dave@xxxxxxxxxxx>, James Galvin <galvin@xxxxxxxxxx>
• In-reply-to: <05B243F724B2284986522B6ACD0504D7079680A614@EXVPMBX100-1.exc.icann.org>
• References: <10621FF8-9AC9-4ECB-A7F7-C1595AC79839@shinkuro.com> <DD101162-465E-4916-89A4-84325AC5E3ED@shinkuro.com> <05B243F724B2284986522B6ACD0504D7079680A614@EXVPMBX100-1.exc.icann.org>
• Thread-index: Aci6q3sKgPhcZmSFQV2Jjp/scONs3w==
• Thread-topic: Response to Request regarding WHOIS and IRIS -- resend with editing error corrected

We'd be delighted to discuss, and we're open to any format that best serves the 
purpose.  We can arrange face to face meeting in Paris if desired, a phone call 
before then, or a sequence of exchanges.  I sense from your note there will be 
a desire to delve into details.  It would be helpful to have a few questions in 
advance to so we bring the right people or have references ready at hand.  The 
questions can be a grab bag quickly gathered.  There's no need to go through a 
careful process to organize them.

Give us some idea of how many people will be involved on your side and what 
questions you want to explore and we'll rise to the occasion.

I've cc'd Dave and Jim to facilitate scheduling and organization on our side.

Cheers,

Steve




On May 20, 2008, at 11:36 PM, Liz Gasster wrote:

Hi Steve, thanks again for persevering on providing input.  The group really 
appreciated your additional information.  They would like to discuss this 
further, where they could ask questions and have a give-and-take, either on a 
call that we set up for this purpose, or if this is easier for you, perhaps in 
a meeting in Paris (I would also need to check with Avri and Chuck on this).  
There is something about examining the WHOIS of the future that is less charged 
than discussing the WHOIS of today (hope springs eternal).

Thoughts?  Thanks so much, Liz

From: Steve Crocker [mailto:steve@xxxxxxxxxxxx]
Sent: Monday, May 19, 2008 4:26 PM
To: Gasster Liz; Liz Gasster
Cc: Steve Crocker; Denise Michel
Subject: Response to Request regarding WHOIS and IRIS -- resend with editing 
error corrected

[Resending with editing error fixed.  Sigh.  Will respond to your note 
separately.

From: Steve Crocker <steve@xxxxxxxxxxxx<mailto:steve@xxxxxxxxxxxx>>
Date: May 20, 2008 1:02:51 AM GMT+08:00
To: Liz Gasster <liz.gasster@xxxxxxxxx<mailto:liz.gasster@xxxxxxxxx>>
Cc: Steve Crocker <steve@xxxxxxxxxxxx<mailto:steve@xxxxxxxxxxxx>>, Denise 
Michel <denise.michel@xxxxxxxxx<mailto:denise.michel@xxxxxxxxx>>
Subject: Re: Request regarding WHOIS and IRIS

On May 19, 2008, at 11:57 PM, Liz Gasster wrote:
Hi Steve, sorry to be a pest.  The last call is tomorrow (Tuesday) at 11:00 
eastern.  Should I assume there will be no additional information provided?  I 
just want to be able to tell the group something definitive.

Thanks, Liz


Liz,

Apologies and thanks for the nudge.  We drafted a response a while ago and 
there's been some very active discussion in the background.  We didn't complete 
the internal discussions we had in mind, but the direction is clear so I am 
sending you this on my own and a pretty good sense that it represents our sense 
of the right approach.  This is a bit lengthy because I am including some 
background and commentary.  The short, bulletized version is

o The WHOIS system is broken

o A complete revision is needed

o The revision must lay out the desired policies

o The technical foundation should fit the desired policies, if feasible.  As a 
reasonably informed guess, IRIS, developed by the IETF, is likely to fit the 
need.

o A substantial technical examination is needed.  This is beyond SSAC's 
capabilities.  We recommend GNSO ask staff to initiate an effort similar to the 
way RSTEP studies are carried out.

Here's the full response.

You originally asked:


From: Liz Gasster
Sent: Thursday, April 17, 2008 12:45 PM
To: Crocker Steve
Cc: Denise Michel
Subject: Request regarding WHOIS and IRIS

Hello Steve,

The GNSO Council has a “WHOIS study group” underway, to consider what if any 
studies, surveys or other fact-finding research or analysis should be conducted 
that would be constructive in further informing the policy debate on WHOIS.  We 
have already solicited study suggestions from the public and we are in the 
process of discussing different views about what studies might be useful, if 
any.  The group would like to get some more information about what it would 
take to implement IRIS from both a technical and policy perspective.  I’m not 
sure if this would be of interest, but would you have a thought about whether 
this is something that someone from the SSAC might like to participate in, for 
example, to give a short overview and answer questions?  This might be too 
short notice, but our next call is Tuesday the 22nd at 11 EST, and we will 
probably meet several more times at the same interval weekly.

The participants in the group, in addition to ICANN staff, are as follows:

Jordi Iparraguirre - gTLD Registry C
Ken Stubbs - gTLD Registry C
David Maher - gTLD Registry C
Steve Metalitz  - IPC
Lee Eulgen -IPC
Steve DelBianco - CBUC
Tony Harris - ISP
Tim Ruiz - Registrar
Paul Stahura - Registrar
James Bladel - Registrar
Krista Papac - Registrar
Stéphane Van Gelder - Registrar
Eric Brunner-Williams -Registrar
Danny Younger
Beau Brendler
Wendy Seltzer - ALAC Liaison on the ICANN Board

Thanks so much for considering,

Liz


Our bottom line conclusion is that the current whois system is broken and needs 
to be replaced completely.  The underlying technical structure should be 
replaced with an appropriate database-oriented approach, and the policies about 
what information is included, what level of accuracy is required and what 
access should be provided to whom should be approached with a clean slate.  The 
technical foundations are probably in the best shape with the work on 
CRISP/IRIS in the IETF.

A different but also relevant wrinkle is the consequences of IDNs.  So far as 
we have been able to see, despite an enormous effort to bring IDNs into the 
domain name system, essentially no thought has been given to internationalizing 
the whois database.

The magnitude of the change we're advocating requires substantial time and 
effort.  It obviously cannot happen overnight, so there is plenty of room to 
argue about what to do in the interim.  However, those discussions will take on 
very different tenor if it's clear where things are going in the medium to long 
term future.

As you know, we formally commented to the GNSO in

[SAC027]:  SSAC Comment to GNSO regarding WHOIS studies (7 February 2008)
http://www.icann.org/committees/security/sac027.pdf

The full text is relevant to this discussion, so I am including it in its 
entirety below.




7 February 2008

SAC027: SSAC Comment to GNSO regarding WHOIS studies

The Security and Stability Advisory Committee thanks the GNSO for the 
opportunity to
comment on future studies related to WHOIS. SSAC has conducted studies on WHOIS 
in
the past (SAC 014, Information Gathering Using Domain Name Registration Records 
28
September 2006, and SAC 023, Is the WHOIS Service a Source for email Addresses 
for
Spammers? 23 October 2007) and believes additional studies may prove valuable.

SSAC members have and will continue to work with the GNSO to provide a viable 
and
scalable solution to the administration and access of domain name registration
information. To do so, we believe it is useful to consider the following 
matters:

• To date, little progress has been made towards the development of a formal
directory service for the Internet. While the development of technical standards
for the Internet is not an ICANN activity, the ICANN community would benefit
from the use of a formal directory service.

• In the absence of a formal directory service, the Internet community has
attempted to "make do" with available protocols/services. The adaptation of the
WHOIS protocol by the domain name registration community is a noteworthy
example.

• Considerable technical shortcomings prevent WHOIS services from satisfying the
needs of the domain name community in areas of authentication, data accuracy,
data confidentiality, and data integrity. SSAC observes that it is unlikely 
that this
rudimentary protocol could be improved to overcome these shortcomings.

• The limitations of the WHOIS protocol and variability among WHOIS
implementations and services contribute to the poor quality of domain name
registration data currently available.

• The domain name registration community has focused its attention on
compensating for (3) through policy definition and enforcement. However, policy
alone will not provide the Internet community with a secure and reliable 
directory
service capability that is able to satisfy the needs of diverse Internet
constituencies. SSAC believes that this objective can only be achieved through a
combination of policy development and implementation of a standard, uniform
directory service that provides authentication, data confidentiality, data 
accuracy
and data integrity services.

On these bases, SSAC recommends the following:

1. The GNSO should continue current and proposed work to resolve legal and
privacy issues within the existing WHOIS framework. SSAC believes that studies
that catalog legitimate uses as well as abuses of domain registration 
information,
continued studies regarding privacy, and studies that consider finer-grained 
access
and role-based access control models for WHOIS can help the community
establish requirements for the administration of domain registration 
information.

2. ICANN should take aggressive measures with respect to improving registration
data accuracy and integrity. Future agreements should include data accuracy and
integrity (e.g., archival and restoration) guidelines and should include 
provisions
for sanctions or other penalties for those who do not comply with these
guidelines.

3. The ICANN community should adopt an Internet standard directory service as an
initial step toward deprecating the use of the WHOIS protocol in favor of a more
complete directory service. SSAC encourages the ICANN community to study the
standards developed by the IETF's Cross Registry Information Service Protocol
(CRISP) Working Group. In particular, SSAC urges the GNSO to consider the
requirements for CRISP identified in RFC 3707 and the set of RFCs associated
with the Internet Registry Information Service (IRIS) (RFCs 3981 - 3983) which
appear to provide sufficient features and services to meet the needs of the 
domain
registration community.

4. ICANN should work with all TLD registry operators to develop a timeline and
transition plan for migrating from the current WHOIS service to a successor
Internet “domain” directory service.

SSAC looks forward to participating in these activities.


With all of the above as background, here is our suggestion for the GNSO at 
this point.

In response to SSAC's Comment to GNSO regarding WHOIS studies (7 February 2008, 
at http://www.icann.org/committees/security/sac023.pdf), a GNSO Council WHOIS 
study group has asked SSAC to provide more information about what it would take 
to implement IRIS from both a technical and policy perspective.

We are pleased that the GNSO intends to pursue this study topic and have the 
following additional comments to offer.

In SAC023, we recommended that the ICANN community adopt an Internet standard 
directory service. We also suggested that the community review the Internet 
Registry Information Service (IRIS) standards developed by the IETF's Cross 
Registry Information Service Protocol (CRISP) Working Group.  We further 
suggested that the community should study at least three important features 
provided by many directory services, assess the utility of these features in 
the context of domain name administration, and include provisions for these 
features in policy development.

Auditing: SSAC believes that most constituencies would benefit from having a 
detailed auditing capability with respect to access to registration records. 
SSAC has consistently regarded a domain name as an asset. Thus, the registrant 
should be able to know who’s checked his record. LEAs, IP attorneys, brand 
defenders, business constituents, and general public may all have a legitimate 
reason in some context to know who’s checked a record. This implies identity 
verification but it doesn’t have to be linked to tiered access. SSAC believes 
this is a desirable feature and the community should consider how to 
incorporate it into a policy.

Access control: Having an access control model should not be controversial and 
SSAC believes this should also be incorporated into policy. The finer points of 
how access controls are applied, to whom they are applied, and for what purpose 
(e.g., privacy) merit further discussion. But a consensus policy should at 
least reflect the community's awareness that “access controls are needed, and 
in principle, there are legitimate purposes for LEAs, IP attorneys, brand 
defenders, business constituents, and general public to access registration 
records”. Most importantly, the access model should accommodate these purposes 
to the extent they are permitted by applicable laws. A benefit of a 
well-defined access control model is that you could, in principle, apply 
privacy controls to individuals according whatever the prevailing privacy laws 
demand.

Data integrity (accuracy): We believe it is imperative that a directory service 
study should consider data accuracy and abuse prevention. The substitution of a 
directory service for WHOIS does not assure improved accuracy, but SSAC 
believes that a re-examination of the ways current registration practices are 
exploited, including consideration of methods to corroborate contact and 
billing information registrants submit prior to including a domain name in a 
TLD zone file, are necessary irrespective of whether WHOIS persists or a 
successor directory service is adopted.

Careful deliberation of these features alone requires the focused attention of 
individuals who have extensive directory service expertise and are also very 
familiar with domain name registration processes, and this list is but a sample 
of the issues that should be factors in policy development.  The level of 
effort required for such work exceeds the resources SSAC can bring to bear.  
Instead, we recommend there should be a focused technical effort similar to the 
way the RSTEP process is run for examination of proposed registry service 
changes.  We recommend GNSO ask the ICANN staff to create such an effort on 
behalf of the GNSO WHOIS process.

--- End Message ---