Thanks for this contribution -- it's useful. A couple nits:

On Mon, Mar 27, 2017 at 02:07:26PM -0500, John Bambenek via gnso-rds-pdp-wg wrote:

> Even if I had a wiretap on the right whois server, whois is over UDP so it can be spoofed. So I can have little confidence in what I get.

Whois is not UDP-based, it's TCP-based. See RFC 3912. None of that helps, though, because in the current era getting hold of random TCP connections all over the Internet is a trivial matter anyway, so there'd be little consequence in knowing what IP address in the world asked for the data.

> Now I can run an intelligence op, and for the price of one national security letter, not only do I know if the adversary looked at my stuff, I know exactly WHO did the looking and what IP they came from.

It's slightly better, because you can in fact tell not only what IP they came from but also whether that IP appears to be widely correlated with the credentials used to make the request. Of course, it all _also_ means that LEOs and so on who do these lookups end up leaving some trail of their activity. To me, that's a good thing, but YMMV.

Best regards.

A

--
Andrew Sullivan
ajs@anvilwalrusden.com