[registrars] Public display of data versus controlled access
- To: <registrars@xxxxxxxx>
- Subject: [registrars] Public display of data versus controlled access
- From: "Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 7 Oct 2005 09:02:46 +1000
- Sender: owner-registrars@xxxxxxxxxxxxxx
- Thread-index: AcXKyhDLjaire20/Q0iuFkP41gniDA==
- Thread-topic: Public display of data versus controlled access
Hello All,

I still think the public display of important information such as create
and expiry dates is a poor system design.

I haven't seen any hosting, ISP, telcos that display this information
about the terms of their services.

See http://whois.ausregistry.com.au for what I think is a reasonable
amount of information about domains for public display.

Our registrants have not expressed any problems with this solution. It
was a change from the previous model of full disclosure of information,
and users of the service did need to change their processes. We heard
all the same arguments that are appearing on this list. But the change
has been successfully managed in Australia to the net benefit of the
registrant. Australia has much the same structure as the rest of the
world with ISPs, hosting companies, law enforcement, friends etc.

However I can understand that many organisations have begun to rely on
the WHOIS service for their information.

This is really the core problem with changing WHOIS. Each group,
whether it is ISPs, intellectual property, law enforcement, secondary
market players, corporate brand registrars, have complained that they
have come to rely on the current WHOIS model for their business
processes. The real issue is that no-one wants to change their
existing software and services. In essence most people don't like
change.

Essentially I am proposing a redesign of the system to better protect
registrants for the long term.

I accept that ISPs, friends etc may want to be able to help a registrant
with their domain names.

There are solutions to all those problems that don't require the public
display of the information.

For example the EPP protocol and most registrars support the concepts of
multiple contacts. Any official contact for a domain name should be
able to retrieve additional information. Most ISPs/web hosts will be
listed as the technical contact for the domain name.

A third party should also be able to request full information on the
provision of an access code. For example with the .au registry, the
<info> command returns only basic information without authentication.
If you provide the access-code you get the full record.

So my approach is:

(1) Define the purpose of the PUBLIC display of information correctly

(2) Review which fields should be made PUBLIC

(3) Define appropriate access control mechanisms that allow third
parties to retrieve non-public information, which could be tiered:
- public access (e.g. to registrar of record, tech contact info)
- ISP access (e.g. to create/expiry dates)
- law enforcement access (e.g. to full contact records)
Etc

The new protocols such as IRIS etc can help standardise a model for the
industry.
Thus an ISP could use a single tool to retrieve expiry dates from any
registrar with the appropriate credentials. It is time to retire
port-43 WHOIS as the standard tool.

(4) Develop a transition plan from current system to new design
- e.g. for existing domains continue to allow legacy system access
- for new second level domains and new tlds operate under new system
- allow a 6 month transition period

Again - let's concentrate on (1) and (2) initially. Then work on (3) and
(4).

(3) is an interesting area - and I am confident that the major use cases
that members of the registrars constituency have identified can be
handled.

When I think domain name information, I think credit card information -
and look at systems that exist to protect this information. I do have
a bias towards stronger security. It seems to me that everything else
online has some level of higher security than domain names. Even free
email addresses have higher security - I have no way of looking up
information on a hotmail email address for example.

The other approach is to think of domain name information like
whitepages phone books (without opt-out). I.e. the model of say 20 years
ago. Lots of organisations use telephone whitepages to find out all
sorts of information about people. Yellowpages however are quite
different - as businesses want to be found and provide relevant business
addresses and phone numbers. Phonebook=WHOIS, and Yellowpages=WWW.

Regards,
Bruce Tonkin
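
The tiered disclosure in point (3) and the access-code behaviour described for <info>, sketched as an added example that is not part of the original message and not any registry's code. The field names, the field-to-tier mapping and the sample record are assumptions made for illustration.

```python
import hmac
from enum import IntEnum

class Tier(IntEnum):
    PUBLIC = 0            # anyone, no credentials
    ISP = 1               # credentialed service provider
    LAW_ENFORCEMENT = 2   # full contact records

# Minimum tier required per field (assumed mapping, following the
# examples given for each tier in the message).
FIELD_TIER = {
    "domain": Tier.PUBLIC,
    "registrar": Tier.PUBLIC,
    "tech_contact": Tier.PUBLIC,
    "created": Tier.ISP,
    "expires": Tier.ISP,
    "registrant_contact": Tier.LAW_ENFORCEMENT,
}

# Constructed sample record; all values are placeholders.
RECORD = {
    "domain": "example.com.au",
    "registrar": "Example Registrar",
    "tech_contact": "hostmaster@isp.example",
    "created": "2001-10-07",
    "expires": "2006-10-07",
    "registrant_contact": "J. Citizen, 1 Example St",
    "access_code": "c0nstructed-code",
}

def info(record, tier=Tier.PUBLIC, access_code=None):
    """Return only the fields the caller may see.

    A correct access code yields the full record; a wrong or missing
    one falls back to the caller's tier, not an error that leaks state.
    """
    if access_code is not None and hmac.compare_digest(
        access_code.encode(), record["access_code"].encode()
    ):
        tier = max(Tier)
    # Default deny: a field absent from FIELD_TIER (including the
    # access code itself) is never returned at any tier.
    return {
        name: value
        for name, value in record.items()
        if name in FIELD_TIER and FIELD_TIER[name] <= tier
    }
```

The default-deny lookup means a field added to the record later stays private until someone assigns it a tier.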