Proposed Definition/Background for Authoritative
Hello All,

While I will work with the smaller group on a more concise definition of "Authoritative," I wanted to provide these broad brush strokes on my perspective of this concept to the entire group.

Authoritative Data used in the context of the RDS WG is intended to define the concept of which data shall be deemed to be controlling (authoritative) when confronted with data elements that are NOT identical (i.e. are inconsistent).

Currently there are multiple parties in the domain name ecosystem that possess (disseminate/make available) Whois data records associated with a domain name, some under ICANN contract (registries and registrars) and those that are not (i.e. third party proxy agents, historical whois aggregators, etc.).

The "authoritativeness" of all Whois data elements is NOT necessarily treated equally. The Registry is absolutely Authoritative in connection with the name servers published in the zone file. However, inconsistencies in other data elements can and do happen, i.e. Registrars that update domain name Whois locally without timely updating the information at the Registry, historical thin/thick registries; Registrants that provide false and inaccurate information; Registrant data that unintentionally became outdated/inaccurate, etc.

Standard Registry Agreements have legal provisions in their RRA which dictate which data will control (i.e. be authoritative). See for example the following provision from VeriSign's RRA:

"2.11. Time. Registrar agrees that in the event of any dispute concerning the time of the entry of a domain name registration into the registry database, the time shown in the Verisign records shall control."

In making a legal determination as to the "authoritativeness" of Whois data elements there are some rebuttable presumptions. Per the standard RRA, there should be a presumption of authoritativeness of the data in the Registry database. This presumption of authoritativeness can be challenged using data residing in the Registrar database in certain circumstances. Regarding third party aggregated historical Whois data elements, there is a widely accepted presumption within the industry that this data is historically accurate in the absence of any conflicting Registry/Registrar authoritative data.

So for those members looking for a nice neat definition of "authoritative" sorry for this rambling soliloquy.

I would also encourage WG members to read this currently pending ICANN reconsideration request dealing with the "authoritativeness" of whois data elements, see https://www.icann.org/resources/pages/reconsideration-17-1-smith-request-2017-03-16-en

Best regards,
Michael
Thanks, Mike. A few notes to contribute as people consider "authoritative":

Registries exist to be authoritative repositories of data; that's what they are designed to do. (So, for example, two different people can't register the same domain name, or so a domain won't resolve to the wrong nameservers.) Domain registries are generally considered authoritative for at least the thin data. (Domain, sponsoring registrar, dates, statuses, nameservers.) The registry creates or is the original recorder of record for most of those fields (domain, sponsoring registrar, dates). And the registry is authoritative for status and nameserver data, using them to enable and control resolution, or to prevent certain actions from taking place in the registry (such as deletions, and registrar-to-registrar transfers).

The Thick WHOIS PDP decided that all gTLD registries should be thick. One reason was to ensure that there won't be any more disagreements (discrepancies) between what the registrar says the data is and what the registry says it is (and as seen via WHOIS or a successor system). Another reason was to hold contact data in one place reliably, so it could be served from one (authoritative) place; as a consequence registrar port 43 service will eventually go away. In other words, all registries should become authoritative for all the data we see in WHOIS, if they are not already. That was the desired policy and operational outcome.

So the current situation seems to be pretty simple, and is on the path to getting even simpler:
1. If the registry is thick, the registry is authoritative for all data we see in WHOIS today.
2. If the registry is thin, the registry is authoritative for the thin data, and the contact data held by the registrar is authoritative.

The remaining thin registries will go thick in a couple of years, which makes things simpler. However, the RDP WG could create complications.
For example, in order to protect the personal data of natural persons, the WG could approve a model in which registrars hold back contact data from registries. That would effectively nullify the Thick WHOIS PDP...

All best,
--Greg

(P.S.: the UDRP Rules say that the contact data in the "Registrar's WHOIS" must be relied upon for proceedings (i.e. the registrar is authoritative for contact data). That was written in 1999, back before thick gTLD registries even existed. I believe that language should eventually be changed to meet evolving reality.)

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Michael D. Palage
Sent: Tuesday, April 4, 2017 1:24 PM
To: 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org>
Subject: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron Sent: Tuesday, April 04, 2017 5:18 PM To: Michael D. Palage <michael@palage.com>; 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative Thanks, Mike. A few notes to contribute as people consider "authoritative": Registries exist to be authoritative repositories of data; that's what they are designed to do. (So, for example, two different people can't register the same domain name, or so a domain won't resolve to the wrong nameservers.) Domain registries are generally considered authoritative for at least the thin data. (Domain, sponsoring registrar, dates, statuses, nameservers.) The registry creates or is the original recorder of record for most of those fields (domain, sponsoring registrar, dates). And the registry is authoritative for status and nameserver data, using them to enable and control resolution, or to prevent certain actions from taking place in the registry (such as deletions, and registrar-to-registrar transfers). The Thick WHOIS PDP decided that all gTLD registries should be thick. One reason was to ensure that there won't be any more disagreements (discrepancies) between what the registrar says the data is and what the registry says it is (and as seen via WHOIS or a successor system). Another reason was to hold contact data in one place reliably, so it could be served from one (authoritative) place; as a consequence registrar port 43 service will eventually go away. In other words, all registries should become authoritative for all the data we see in WHOIS, if they are not already. That was the desired policy and operational outcome. So the current situation seems to be pretty simple, and is on the path to getting even simpler: 1. If the registry is thick, the registry is authoritative for all data we see in WHOIS today. 
I can't agree with the conclusion that thick registries are authoritative for all the data they possess. Being the last holder in a chain of custody makes them a *convenient* source of access to certain data elements, but they are not the original, authoritative* (able to be trusted as being accurate or true; reliable) source. An example:

A registrar creates an agreement with a registrant. That agreement has an expiration date. The registrar pushes this expiration date to the registry for publication in an RDDS. The registry has no direct contact or relationship with the registrant or the agreement between the registrant and the registrar.

In this and similar indirect data collection situations, the registry is just the last holder in the chain of custody. The registrar is the original source of the data, and is thus a more accurate and reliable source of information.

Scott

* I think it's very important for us to agree on a definition of "authoritative", and that doesn't mean that we get to make one up. I've included mine (taken from the Oxford English dictionary) here.
+1

It is not every day that I quote the EWG conclusions, as there are quite a few with which I disagree. In this case though, it does seem to me we discussed this exhaustively, and reached the conclusion that the registrars were the authoritative source. From a data protection perspective, this is consistent. I believe it would be the common view that the entity closest to the individual on the data map would be the authority on the data, not the entity further down the chain of control, and not the data controller (in this case ICANN). I realize I am mixing technical perspectives with legal perspectives here but I believe it is useful to flesh out how the matter is analyzed from each point of view.

cheers
Stephanie P

On 2017-04-05 07:10, Hollenbeck, Scott via gnso-rds-pdp-wg wrote:
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
There are two different definitions of "authoritative" being used here. One is "where does the data come from," i.e. what is the original source. Stephanie and Scott are using this first definition. The second definition is "what is the data of record, which should be relied upon." I am using that second definition.

I think the first concept is important to understand, but it cannot be used as the standard for a variety of legal, technical, and practical reasons. The history at ICANN, and recent policy-making, has been toward relying on thick registry data as the data of record, to be relied upon. My view was used by both the EWG and the Thick WHOIS PDP.

Stephanie, I think you're wrong about what the EWG said. It did not use your definition, it used mine. The EWG said: "Requestors must be able to obtain authoritative data from the RDS in real-time when needed." And the EWG said: "the RDS is the authoritative data source and provides authoritative access." The EWG did not recommend that people be able to obtain certain kinds of data directly from registrars via RDS. Instead, the EWG said that RDS was to provide data from (thick) registries. The data in the registries is authoritative, and the RDS is the authoritative way to get that data held in the registries.

The Thick WHOIS PDP WG recently looked at the issue of authoritativeness, and our WG should consider it carefully. That PDP WG used my definition, not Scott's. That PDP WG said that a thick registry is the authoritative repository of all data currently displayed in WHOIS. Quote below, with my notes in square brackets:

"Here is the working definition used by the WG while analysing this issue: 'Authoritative, with respect to provision of Whois services, shall be interpreted as to signify the single database within a hierarchical database structure holding the data that is assumed to be the final authority regarding the question of which record shall be considered accurate and reliable in case of conflicting records; administered by a single administrative (agent) and consisting of data provided by the registrants of record through their registrars.' A proposed shorter version is 'the data set to be relied upon in case of doubt'. [In other words, the REGISTRY is the ultimate authority, not registrars.]

Authoritativeness in a Thin Whois Environment

Since the registrar alone holds most Whois data, its data is necessarily authoritative as to those data elements (e.g., name of registrant). For that data held by both registrar and registry (e.g., name of registrar), it appears that registry data is generally treated as authoritative, but the WG is not aware of any official ICANN policy statement on this. The WG observes that in the case of the Uniform Dispute Resolution Policy (UDRP), UDRP Providers treat the registrar Whois information as authoritative, which may be the result of the UDRP having been adopted prior to the emergence of thick gTLD registries.

Authoritativeness in a Thick Whois Environment

Most comments that addressed this question stated that registry data is considered authoritative in the thick environment. Only one stated that the registrar data was authoritative. Again, the WG is not aware of any official ICANN policy statement on this question. The WG notes that the registrar remains responsible for the accuracy of the data under either the thick or thin model, as the relationship with the registrant remains with the registrar.
..the WG assumes that any data collected by the registrar becomes authoritative only after it is incorporated in the registry database." [emphasis added]

If anyone wants the registrars to remain the source of record for any data available through an RDS, then:
1. That will sink the entire purpose of the thick registry effort,
2. It will make solving domain disputes harder than they are now, and
3. Registrars should be contractually required to serve RDS indefinitely. That's contrary to the thick policy, a goal of which was to get registrars out of the business of serving their own WHOIS (or RDAP, or whatever).
All of which would be completely unnecessary and wasteful.

All best,
--Greg

P.S.: Scott is using a corner case to support his argument. In 99.999% of cases, registrars do not "push expiration dates to registries". Registrars send in EPP Create commands and indicate a registration term in years. The registry time-stamps the create and expiration date based on the time the Create command is received. The registrar does not hold those dates authoritatively - the registry does. The only exception I know of is Verisign's obscure "ConsoliDate" product, which is available in .COM and .NET and is used infrequently by a small number of corporate clients to add days to expiration dates. In any case, the Create date in a registry may not correspond to the date/time the registrant entered into the contract with the registrar. What really matters is the date recorded in the registry.

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Stephanie Perrin
Sent: Wednesday, April 5, 2017 10:05 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative
Greg,

I was a member of the EWG. It's important to recall the context of the recommendations that you refer to below. The EWG recommended development of a single, centralized RDDS, *not* multiple thick registries. In that environment, there is only one source for public access, and it is, by definition, the only possible source. It's described as authoritative because there are no other options. Note that this recommendation was largely rejected by the community.

The one example I provided was just that - one example, and it's not the one you expanded on in your "PS" below. I wasn't referring to the expiration date derived from the specified registration period. As the author of EPP, I know how that works very well. I was referring to the "Registrar Registration Expiration Date" as described in the CL&D policy:

https://www.icann.org/resources/pages/rdds-labeling-policy-2017-02-01-en

This is a data element produced by the registrar and pushed to the registry solely for inclusion in a registry's RDDS. There are multiple mainstream examples where the registrar is the original creator or collector and the registry is just the last link in the chain of custody:

Registrant contact information
Admin contact information
Billing contact information
Technical contact information
Registrar reseller information

Is my view of "authoritative" counter to the direction of the thick WHOIS policy? Yes, it is. It recognizes that the data privacy landscape is changing and thick registries might not be viable in the future due to evolving data protection laws.

Scott

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron
Sent: Wednesday, April 05, 2017 11:41 AM
To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg@icann.org
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative
Dear Scott:

My point was: where was the EWG's RDDS going to get data? From the registries, not directly from registrars.

The "Registrar Registration Expiration Date" field you mention is relevant to just the three thin gTLD registries (.COM, .NET, .JOBS) -- the thin model that's going away (and has been for years). In the other 1,200+ gTLD registries, the expiration date is not provisioned by registrars, it's generated by the registries (as you know).

So anyway, you're advocating that in the future, contact data should remain at registrars and never go to registries, and that ICANN should send all gTLDs to the thin model? After the community decided to go to an all-thick model in 2013, and Verisign just recently agreed to the thick implementation plan for .COM and .NET?

To better understand, I would like your views on these questions:
1. How the thin registry model is required under privacy law.
2. An issue is personal data crossing from (being collected from) one jurisdiction to another. Under the evolving privacy laws you are concerned about, won't a registrar sometimes be barred from accepting domain registrations from registrants outside its jurisdiction? For example, how could GoDaddy, a U.S. registrar, accept registrations (and the accompanying contact data) from registrants in Europe? Could GoDaddy serve that contact data via an RDS under any circumstances?
3. What has changed in privacy law recently that overrides the considerations of privacy law that the EWG and the Thick PDP WG made?

All best,
--Greg

From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com]
Sent: Wednesday, April 5, 2017 12:37 PM
To: Greg Aaron <gca@icginc.com>; 'stephanie.perrin@mail.utoronto.ca' <stephanie.perrin@mail.utoronto.ca>; 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org>
Subject: RE: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative

Greg,

I was a member of the EWG. It's important to recall the context of the recommendations that you refer to below. The EWG recommended development of a single, centralized RDDS, *not* multiple thick registries. In that environment, there is only one source for public access, and it is, by definition, the only possible source. It's described as authoritative because there are no other options. Note that this recommendation was largely rejected by the community.

The one example I provided was just that - one example, and it's not the one you expanded on in your "PS" below. I wasn't referring to the expiration date derived from the specified registration period. As the author of EPP, I know how that works very well. I was referring to the "Registrar Registration Expiration Date" as described in the CL&D policy:

https://www.icann.org/resources/pages/rdds-labeling-policy-2017-02-01-en

This is a data element produced by the registrar and pushed to the registry solely for inclusion in a registry's RDDS.

There are multiple mainstream examples where the registrar is the original creator or collector and the registry is just the last link in the chain of custody:
Registrant contact information
Admin contact information
Billing contact information
Technical contact information
Registrar reseller information

Is my view of "authoritative" counter to the direction of the thick WHOIS policy? Yes, it is. It recognizes that the data privacy landscape is changing and thick registries might not be viable in the future due to evolving data protection laws.

Scott

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron
Sent: Wednesday, April 05, 2017 11:41 AM
To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg@icann.org
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative

There are two different definitions of "authoritative" being used here. One is "where does the data come from," i.e. what is the original source. Stephanie and Scott are using this first definition. The second definition is "what is the data of record, which should be relied upon." I am using that second definition. I think the first concept is important to understand, but it cannot be used as the standard for a variety of legal, technical, and practical reasons. The history at ICANN, and recent policy-making, has been toward relying on thick registry data as the data of record, to be relied upon.

My view was used by both the EWG and the Thick WHOIS PDP. Stephanie, I think you're wrong about what the EWG said. It did not use your definition, it used mine. The EWG said: "Requestors must be able to obtain authoritative data from the RDS in real-time when needed." And the EWG said: "the RDS is the authoritative data source and provides authoritative access." The EWG did not recommend that people be able to obtain certain kinds of data directly from registrars via RDS. Instead, the EWG said that RDS was to provide data from (thick) registries. The data in the registries is authoritative, and the RDS is the authoritative way to get that data held in the registries.

The Thick WHOIS PDP WG recently looked at the issue of authoritativeness, and our WG should consider it carefully. That PDP WG used my definition, not Scott's. That PDP WG said that a thick registry is the authoritative repository of all data currently displayed in WHOIS. Quote below, with my notes in square brackets:

"Here is the working definition used by the WG while analysing this issue: 'Authoritative, with respect to provision of Whois services, shall be interpreted as to signify the single database within a hierarchical database structure holding the data that is assumed to be the final authority regarding the question of which record shall be considered accurate and reliable in case of conflicting records; administered by a single administrative (agent) and consisting of data provided by the registrants of record through their registrars.' A proposed shorter version is 'the data set to be relied upon in case of doubt'. [In other words, the REGISTRY is the ultimate authority, not registrars.]

Authoritativeness in a Thin Whois Environment

Since the registrar alone holds most Whois data, its data is necessarily authoritative as to those data elements (e.g., name of registrant). For that data held by both registrar and registry (e.g., name of registrar), it appears that registry data is generally treated as authoritative, but the WG is not aware of any official ICANN policy statement on this. The WG observes that in the case of the Uniform Dispute Resolution Policy (UDRP), UDRP Providers treat the registrar Whois information as authoritative, which may be the result of the UDRP having been adopted prior to the emergence of thick gTLD registries.

Authoritativeness in a Thick Whois Environment

Most comments that addressed this question stated that registry data is considered authoritative in the thick environment. Only one stated that the registrar data was authoritative. Again, the WG is not aware of any official ICANN policy statement on this question. The WG notes that the registrar remains responsible for the accuracy of the data under either the thick or thin model, as the relationship with the registrant remains with the registrar.
..the WG assumes that any data collected by the registrar becomes authoritative only after it is incorporated in the registry database." [emphasis added]

If anyone wants the registrars to remain the source of record for any data available through an RDS, then:
1. That will sink the entire purpose of the thick registry effort,
2. It will make solving domain disputes harder than they are now, and
3. Registrars should be contractually required to serve RDS indefinitely. That's contrary to the thick policy, a goal of which was to get registrars out of the business of serving their own WHOIS (or RDAP, or whatever).

All of which would be completely unnecessary and wasteful.

All best,
--Greg

P.S.: Scott is using a corner case to support his argument. In 99.999% of cases, registrars do not "push expiration dates to registries". Registrars send in EPP Create commands and indicate a registration term in years. The registry time-stamps the create and expiration date based on the time the Create command is received. The registrar does not hold those dates authoritatively - the registry does. The only exception I know of is Verisign's obscure "ConsoliDate" product, which is available in .COM and .NET and is used infrequently by a small number of corporate clients to add days to expiration dates. In any case, the Create date in a registry may not correspond to the date/time the registrant entered into the contract with the registrar. What really matters is the date recorded in the registry.

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Stephanie Perrin
Sent: Wednesday, April 5, 2017 10:05 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative

+1 It is not every day that I quote the EWG conclusions, as there are quite a few with which I disagree. In this case though, it does seem to me we discussed this exhaustively, and reached the conclusion that the registrars were the authoritative source. From a data protection perspective, this is consistent. I believe it would be the common view that the entity closest to the individual on the data map would be the authority on the data, not the entity further down the chain of control, and not the data controller (in this case ICANN). I realize I am mixing technical perspectives with legal perspectives here but I believe it is useful to flesh out how the matter is analyzed from each point of view.

cheers
Stephanie P

On 2017-04-05 07:10, Hollenbeck, Scott via gnso-rds-pdp-wg wrote:

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Greg Aaron
Sent: Tuesday, April 04, 2017 5:18 PM
To: Michael D. Palage <michael@palage.com>; 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org>
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative

Thanks, Mike. A few notes to contribute as people consider "authoritative":

Registries exist to be authoritative repositories of data; that's what they are designed to do. (So, for example, two different people can't register the same domain name, or so a domain won't resolve to the wrong nameservers.)

Domain registries are generally considered authoritative for at least the thin data. (Domain, sponsoring registrar, dates, statuses, nameservers.) The registry creates or is the original recorder of record for most of those fields (domain, sponsoring registrar, dates). And the registry is authoritative for status and nameserver data, using them to enable and control resolution, or to prevent certain actions from taking place in the registry (such as deletions, and registrar-to-registrar transfers).

The Thick WHOIS PDP decided that all gTLD registries should be thick. One reason was to ensure that there won't be any more disagreements (discrepancies) between what the registrar says the data is and what the registry says it is (and as seen via WHOIS or a successor system). Another reason was to hold contact data in one place reliably, so it could be served from one (authoritative) place; as a consequence registrar port 43 service will eventually go away. In other words, all registries should become authoritative for all the data we see in WHOIS, if they are not already. That was the desired policy and operational outcome.

So the current situation seems to be pretty simple, and is on the path to getting even simpler:
1. If the registry is thick, the registry is authoritative for all data we see in WHOIS today.

I can't agree with the conclusion that thick registries are authoritative for all the data they possess. Being the last holder in a chain of custody makes them a *convenient* source of access to certain data elements, but they are not the original, authoritative* (able to be trusted as being accurate or true; reliable) source. An example: A registrar creates an agreement with a registrant. That agreement has an expiration date. The registrar pushes this expiration date to the registry for publication in an RDDS. The registry has no direct contact or relationship with the registrant or the agreement between the registrant and the registrar. In this and similar indirect data collection situations, the registry is just the last holder in the chain of custody. The registrar is the original source of the data, and is thus a more accurate and reliable source of information.

Scott

* I think it's very important for us to agree on a definition of "authoritative", and that doesn't mean that we get to make one up. I've included mine (taken from the Oxford English dictionary) here.
Points below as appropriate (from my perspective).

Scott

From: Greg Aaron [mailto:gca@icginc.com]
Sent: Wednesday, April 05, 2017 2:26 PM
To: Hollenbeck, Scott <shollenbeck@verisign.com>; 'stephanie.perrin@mail.utoronto.ca' <stephanie.perrin@mail.utoronto.ca>; 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org>
Subject: [EXTERNAL] RE: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative

Dear Scott:

My point was: where was the EWG's RDDS going to get data? From the registries, not directly from registrars.

[SAH] ...and validators (see page 112 of the final report for a figure of the model), but yes, you're correct about registrar data flowing through the registry. However, see page 115 where it's noted that "To maintain redundant systems and eliminate the single point of failure, the data must reside at multiple locations (i.e., Validator, Registrar, Registry, Escrow Provider, and RDS Provider)". Anyway...

The "Registrar Registration Expiration Date" field you mention is relevant to just the three thin gTLD registries (.COM, .NET, .JOBS) -- the thin model that's going away (and has been for years). In the other 1,200+ gTLD registries, the expiration date is not provisioned by registrars, it's generated by the registries (as you know).

[SAH] Not quite. The "Registrar Registration Expiration Date" is also published by thick registries. You can see an example (that happens to be blank) by doing a WHOIS query for a thick registry .info domain like "pir.info". This is not the same thing as the registry-produced expiration date!

So anyway, you're advocating that in the future, contact data should remain at registrars and never go to registries, and that ICANN should send all gTLDs to the thin model? After the community decided to go to an all-thick model in 2013, and Verisign just recently agreed to the thick implementation plan for .COM and .NET?

[SAH] No, that's not what I'm suggesting. I'm suggesting that there will be situations in which some registrars will push data to registries in much the same way the thick model works today, and other registrars will not be able to do so completely due to a need to comply with local laws or regulations. We may ultimately need to consider how an RDDS works when some data must remain with the registrar.

To better understand, I would like your views on these questions:

1. How the thin registry model is required under privacy law.

[SAH] It's not.

2. An issue is personal data crossing from (being collected from) one jurisdiction to another. Under the evolving privacy laws you are concerned about, won't a registrar sometimes be barred from accepting domain registrations from registrants outside its jurisdiction? For example, how could GoDaddy, a U.S. registrar, accept registrations (and the accompanying contact data) from registrants in Europe? Could GoDaddy serve that contact data via an RDS under any circumstances?

[SAH] Being barred may well be the case unless the registrar sets up shop in Europe and is willing to comply with the requirements for doing so.

3. What has changed in privacy law recently that overrides the considerations of privacy law that the EWG and the Thick PDP WG made?

[SAH] One example:

http://europa.eu/rapid/press-release_MEMO-17-15_en.htm

There's also an existing ICANN process for dealing with conflicts that acknowledges that exceptions may be made:

https://whois.icann.org/en/icann-procedure-handling-whois-conflicts-privacy-...

All best,
--Greg

[SAH] Likewise!
Thanks, Scott. So a system where all registries allow thick records, but some domain records are thin and some are thick, basically depending upon where the registrar is? Or where the registrant is? Or both?

All best,
--Greg

Domain Name: PIR.ORG
Registry Domain ID: D96207-LROR
Registrar WHOIS Server: [field is blank, because the registry is the authoritative source of data, and the registrar does not serve WHOIS data itself for domains in this thick TLD]
Registrar URL: http://www.godaddy.com
Updated Date: 2017-02-20T01:51:21Z
Creation Date: 1996-02-18T05:00:00Z
Registry Expiry Date: 2018-02-19T05:00:00Z
Registrar Registration Expiration Date: [field is blank, as it is irrelevant and the Registry Expiry Date is to be relied upon]
Registrar Registration Expiration Date: [field is blank, as it is irrelevant and the Registry Expiry Date is to be relied upon]
We've strayed from the original discussion of "authoritative", but I do want to respond to the comment enclosed in brackets above. In this specific case the "Registrar Registration Expiration Date" field is blank because it doesn't have a value assigned by the registrar, not because it's irrelevant. Here's one concrete example where a registrar might want to provide a value for this field:

There is a registrar today who offers a 100 year domain registration service*. If someone signs up for this service, the registrar can register and renew a domain with the registry for no more than 10 years at a time. If the registrar is so inclined to push the information to the registry, and if the registry supports it (the operator of .org apparently does), it is possible to display both the 100 year expiration date and the registry's 10-years-or-less expiration date in the registry's WHOIS service.

I'm not a fan of seeing this type of information in a registry's RDDS. It's confusing to data consumers (witness this email thread), and it's a prime example of the type of information that is better published by the registrar entity that is responsible for producing and managing it.

Scott

* https://www.networksolutions.com/domain-name-registration/popup-100-yr-term....
Good Morning,

Sorry to continue this "straying", but to add another point of clarity to the relevance of the Registrar Expiration Date. Please note the, sometimes annual, difference in Registry/Registrar expiration dates for auto-renew registries. If a domain was purchased on 2016MAR31 for one year (both Ry/Rr expiration dates are the same); on 2017MAR31 without an explicit delete request, the registry will auto-renew the domain for another year; now the Ry and Rr dates are one year different and will remain so until the registrant decides to renew, decides to delete or the auto-renew grace period ends.

Thanks
Roger

From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Hollenbeck, Scott via gnso-rds-pdp-wg
Sent: Thursday, April 06, 2017 6:07 AM
To: 'gca@icginc.com' <gca@icginc.com>; 'stephanie.perrin@mail.utoronto.ca' <stephanie.perrin@mail.utoronto.ca>; 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative
Registrar Registration Expiration Date: [field is blank, as it is irrelevant and the Registry Expiry Date is to be relied upon]
We've strayed from the original discussion of "authoritative", but I do want to respond to the comment enclosed in brackets above. In this specific case the "Registrar Registration Expiration Date" field is blank because it doesn't have a value assigned by the registrar, not because it's irrelevant. Here's one concrete example where a registrar might want to provide a value for this field: There is a registrar today who offers a 100 year domain registration service*. If someone signs up for this service, the registrar can register and renew a domain with the registry for no more than 10 years at a time. If the registrar is so inclined to push the information to the registry, and if the registry supports it (the operator of .org apparently does), it is possible to display both the 100 year expiration date and the registry's 10-years-or-less expiration date in the registry's WHOIS service. I'm not a fan of seeing this type of information in a registry's RDDS. It's confusing to data consumers (witness this email thread), and it's a prime example of the type of information that is better published by the registrar entity that is responsible for producing and managing it. Scott * https://www.networksolutions.com/domain-name-registration/popup-100-yr-term.... From: Greg Aaron [mailto:gca@icginc.com] Sent: Wednesday, April 05, 2017 4:08 PM To: Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>>; 'stephanie.perrin@mail.utoronto.ca' <stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>>; 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org>> Subject: [EXTERNAL] RE: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative Thanks, Scott. So a system where all registries allow thick records, but some domain records are thin and some are thick, basically depending upon where the registrar is? Or where the registrant is? Or both? 
All best,
--Greg

Domain Name: PIR.ORG
Registry Domain ID: D96207-LROR
Registrar WHOIS Server: [field is blank, because the registry is the authoritative source of data, and the registrar does not serve WHOIS data itself for domains in this thick TLD]
Registrar URL: http://www.godaddy.com
Updated Date: 2017-02-20T01:51:21Z
Creation Date: 1996-02-18T05:00:00Z
Registry Expiry Date: 2018-02-19T05:00:00Z
Registrar Registration Expiration Date: [field is blank, as it is irrelevant and the Registry Expiry Date is to be relied upon]

From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com]
Sent: Wednesday, April 5, 2017 2:55 PM
To: Greg Aaron <gca@icginc.com>; 'stephanie.perrin@mail.utoronto.ca' <stephanie.perrin@mail.utoronto.ca>; 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org>
Subject: RE: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative

Points below as appropriate (from my perspective).

Scott

From: Greg Aaron [mailto:gca@icginc.com]
Sent: Wednesday, April 05, 2017 2:26 PM
To: Hollenbeck, Scott <shollenbeck@verisign.com>; 'stephanie.perrin@mail.utoronto.ca' <stephanie.perrin@mail.utoronto.ca>; 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org>
Subject: [EXTERNAL] RE: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative

Dear Scott:

My point was: where was the EWG's RDDS going to get data? From the registries, not directly from registrars.

[SAH] ...and validators (see page 112 of the final report for a figure of the model), but yes, you're correct about registrar data flowing through the registry.
However, see page 115 where it's noted that "To maintain redundant systems and eliminate the single point of failure, the data must reside at multiple locations (i.e., Validator, Registrar, Registry, Escrow Provider, and RDS Provider)".

Anyway... The "Registrar Registration Expiration Date" field you mention is relevant to just the three thin gTLD registries (.COM, .NET, .JOBS) -- the thin model that's going away (and has been for years). In the other 1,200+ gTLD registries, the expiration date is not provisioned by registrars, it's generated by the registries (as you know).

[SAH] Not quite. The "Registrar Registration Expiration Date" is also published by thick registries. You can see an example (that happens to be blank) by doing a WHOIS query for a thick registry .info domain like "pir.info". This is not the same thing as the registry-produced expiration date!

So anyway, you're advocating that in the future, contact data should remain at registrars and never go to registries, and that ICANN should send all gTLDs to the thin model? After the community decided to go to an all-thick model in 2013, and Verisign just recently agreed to the thick implementation plan for .COM and .NET?

[SAH] No, that's not what I'm suggesting. I'm suggesting that there will be situations in which some registrars will push data to registries in much the same way the thick model works today, and other registrars will not be able to do so completely due to a need to comply with local laws or regulations. We may ultimately need to consider how an RDDS works when some data must remain with the registrar.

To better understand, I would like your views on these questions:

1. How the thin registry model is required under privacy law.

[SAH] It's not.

2. An issue is personal data crossing from (being collected from) one jurisdiction to another.
Under the evolving privacy laws you are concerned about, won't a registrar sometimes be barred from accepting domain registrations from registrants outside its jurisdiction? For example, how could GoDaddy, a U.S. registrar, accept registrations (and the accompanying contact data) from registrants in Europe? Could GoDaddy serve that contact data via an RDS under any circumstances?

[SAH] Being barred may well be the case unless the registrar sets up shop in Europe and is willing to comply with the requirements for doing so.

3. What has changed in privacy law recently that overrides the considerations of privacy law that the EWG and the Thick PDP WG made?

[SAH] One example: http://europa.eu/rapid/press-release_MEMO-17-15_en.htm

There's also an existing ICANN process for dealing with conflicts that acknowledges that exceptions may be made: https://whois.icann.org/en/icann-procedure-handling-whois-conflicts-privacy-...

All best,
--Greg

[SAH] Likewise!
Actually, it's a little bit more involved. The thinking here was more so about location than not. If memory serves, the term 'authoritative' in context of the EWG's RDS really means the one and only place from whence reliable domain name data may be *accessed*. There is a presumption that there would be multiple sources for the data in that RDDS repository. FWIW, it is accepted that the upstream collection/collector maintains fealty to process; know your customer, data accuracy etc. etc. all rolled in. But the repository itself - the storage place - imprints 'authoritative' on the data resident there.

-Carlton

==============================
*Carlton A Samuels*
*Mobile: 876-818-1799*
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================

On Wed, Apr 5, 2017 at 10:41 AM, Greg Aaron <gca@icginc.com> wrote:
There are two different definitions of “authoritative” being used here. One is “where does the data come from,” i.e. what is the original source. Stephanie and Scott are using this first definition. The second definition is “what is the data of record, which should be relied upon.” I am using that second definition. I think the first concept is important to understand, but it cannot be used as the standard for a variety of legal, technical, and practical reasons. The history at ICANN, and recent policy-making, has been toward relying on thick registry data as the data of record, to be relied upon. My view was used by both the EWG and the Thick WHOIS PDP.
Stephanie, I think you’re wrong about what the EWG said. It did not use your definition, it used mine. The EWG said: “Requestors must be able to obtain authoritative data from the RDS in real-time when needed.” And the EWG said: “the RDS is the authoritative data source and provides authoritative access.” The EWG did not recommend that people be able to obtain certain kinds of data directly from registrars via RDS. Instead, the EWG said that RDS was to provide data from (thick) registries. The data in the registries is authoritative, and the RDS is the authoritative way to get that data held in the registries.
The Thick WHOIS PDP WG recently looked at the issue of authoritativeness, and our WG should consider it carefully. That PDP WG used my definition, not Scott’s. That PDP WG said that a thick registry is the authoritative repository of all data currently displayed in WHOIS. Quote below, with my notes in square brackets:
“Here is the working definition used by the WG while analysing this issue: ‘Authoritative, with respect to provision of Whois services, shall be interpreted as to signify the single database within a hierarchical database structure holding the data that is assumed to be the final authority regarding the question of which record shall be considered accurate and reliable in case of conflicting records; administered by a single administrative (agent) and consisting of data provided by the registrants of record through their registrars.’ A proposed shorter version is ‘the data set to be relied upon in case of doubt’. [In other words, the REGISTRY is the ultimate authority, not registrars.]
Authoritativeness in a Thin Whois Environment
Since the registrar alone holds most Whois data, its data is necessarily authoritative as to those data elements (e.g., name of registrant). For that data held by both registrar and registry (e.g., name of registrar), it appears that registry data is generally treated as authoritative, but the WG is not aware of any official ICANN policy statement on this. The WG observes that in the case of the Uniform Dispute Resolution Policy (UDRP), UDRP Providers treat the registrar Whois information as authoritative, which may be the result of the UDRP having been adopted prior to the emergence of thick gTLD registries.
Authoritativeness in a Thick Whois Environment
Most comments that addressed this question stated that registry data is considered authoritative in the thick environment. Only one stated that the registrar data was authoritative. Again, the WG is not aware of any official ICANN policy statement on this question. The WG notes that the registrar remains responsible for the accuracy of the data under either the thick or thin model, as the relationship with the registrant remains with the registrar. ..*the WG assumes that any data collected by the registrar becomes authoritative only after it is incorporated in the registry database*.” [emphasis added]
If anyone wants the registrars to remain the source of record for any data available through an RDS, then:
1. That will sink the entire purpose of the thick registry effort,
2. It will make solving domain disputes harder than they are now, and
3. Registrars should be contractually required to serve RDS indefinitely. That’s contrary to the thick policy, a goal of which was to get registrars out of the business of serving their own WHOIS (or RDAP, or whatever).
All of which would be completely unnecessary and wasteful.
All best,
--Greg
P.S.: Scott is using a corner case to support his argument. In 99.999% of cases, registrars do not “push expiration dates to registries”. Registrars send in EPP Create commands and indicate a registration term in years. The registry time-stamps the create and expiration date based on the time the Create command is received. The registrar does not hold those dates authoritatively – the registry does. The only exception I know of is Verisign’s obscure “ConsoliDate” product, which is available in .COM and .NET and is used infrequently by a small number of corporate clients to add days to expiration dates. In any case, the Create date in a registry may not correspond to the date/time the registrant entered into the contract with the registrar. What really matters is the date recorded in the registry.
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Stephanie Perrin
*Sent:* Wednesday, April 5, 2017 10:05 AM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative
+1
It is not every day that I quote the EWG conclusions, as there are quite a few with which I disagree. In this case though, it does seem to me we discussed this exhaustively, and reached the conclusion that the registrars were the authoritative source. From a data protection perspective, this is consistent. I believe it would be the common view that the entity closest to the individual on the data map would be the authority on the data, not the entity further down the chain of control, and not the data controller (in this case ICANN). I realize I am mixing technical perspectives with legal perspectives here but I believe it is useful to flesh out how the matter is analyzed from each point of view.
cheers Stephanie P
On 2017-04-05 07:10, Hollenbeck, Scott via gnso-rds-pdp-wg wrote:
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Greg Aaron
*Sent:* Tuesday, April 04, 2017 5:18 PM
*To:* Michael D. Palage <michael@palage.com>; 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org>
*Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative
Thanks, Mike. A few notes to contribute as people consider “authoritative”:
Registries exist to be authoritative repositories of data; that’s what they are designed to do. (So, for example, two different people can’t register the same domain name, or so a domain won’t resolve to the wrong nameservers.) Domain registries are generally considered authoritative for at least the thin data. (Domain, sponsoring registrar, dates, statuses, nameservers.) The registry creates or is the original recorder of record for most of those fields (domain, sponsoring registrar, dates). And the registry is authoritative for status and nameserver data, using them to enable and control resolution, or to prevent certain actions from taking place in the registry (such as deletions, and registrar-to-registrar transfers).
The Thick WHOIS PDP decided that all gTLD registries should be thick. One reason was to ensure that there won’t be any more disagreements (discrepancies) between what the registrar says the data is and what the registry says it is (and as seen via WHOIS or a successor system). Another reason was to hold contact data in one place reliably, so it could be served from one (authoritative) place; as a consequence registrar port 43 service will eventually go away. In other words, all registries should become authoritative for all the data we see in WHOIS, if they are not already. That was the desired policy and operational outcome.
So the current situation seems to be pretty simple, and is on the path to getting even simpler:
1. If the registry is thick, the registry is authoritative for all data we see in WHOIS today.
I can’t agree with the conclusion that thick registries are authoritative for all the data they possess. Being the last holder in a chain of custody makes them a **convenient** source of access to certain data elements, but they are not the original, authoritative* (able to be trusted as being accurate or true; reliable) source. An example:
A registrar creates an agreement with a registrant. That agreement has an expiration date. The registrar pushes this expiration date to the registry for publication in an RDDS. The registry has no direct contact or relationship with the registrant or the agreement between the registrant and the registrar.
In this and similar indirect data collection situations, the registry is just the last holder in the chain of custody. The registrar is the original source of the data, and is thus a more accurate and reliable source of information.
Scott
* I think it’s very important for us to agree on a definition of “authoritative”, and that doesn’t mean that we get to make one up. I’ve included mine (taken from the Oxford English dictionary) here.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Isn't the question of WHAT is authoritative the question here? WHO is authoritative is another discussion.

My view is that authoritative means what is either what is entered by the domain owner (or given via proxy for whois privacy, which should be free to all entities) or an identical copy of it kept in sync with any changes made by the owner as they are made. In so far as "accurate" data is required, it should be after verification of the data by the consumer for whatever fields have to go through verification.

On 4/5/2017 9:05 AM, Stephanie Perrin wrote:
+1
It is not every day that I quote the EWG conclusions, as there are quite a few with which I disagree. In this case though, it does seem to me we discussed this exhaustively, and reached the conclusion that the registrars were the authoritative source. From a data protection perspective, this is consistent. I believe it would be the common view that the entity closest to the individual on the data map would be the authority on the data, not the entity further down the chain of control, and not the data controller (in this case ICANN). I realize I am mixing technical perspectives with legal perspectives here but I believe it is useful to flesh out how the matter is analyzed from each point of view.
cheers Stephanie P
On 2017-04-05 07:10, Hollenbeck, Scott via gnso-rds-pdp-wg wrote:
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Greg Aaron *Sent:* Tuesday, April 04, 2017 5:18 PM *To:* Michael D. Palage <michael@palage.com>; 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative
Thanks, Mike. A few notes to contribute as people consider “authoritative”:
Registries exist to be authoritative repositories of data; that’s what they are designed to do. (So, for example, two different people can’t register the same domain name, or so a domain won’t resolve to the wrong nameservers.) Domain registries are generally considered authoritative for at least the thin data. (Domain, sponsoring registrar, dates, statuses, nameservers.) The registry creates or is the original recorder of record for most of those fields (domain, sponsoring registrar, dates). And the registry is authoritative for status and nameserver data, using them to enable and control resolution, or to prevent certain actions from taking place in the registry (such as deletions, and registrar-to-registrar transfers).
The Thick WHOIS PDP decided that all gTLD registries should be thick. One reason was to ensure that there won’t be any more disagreements (discrepancies) between what the registrar says the data is and what the registry says it is (and as seen via WHOIS or a successor system). Another reason was to hold contact data in one place reliably, so it could be served from one (authoritative) place; as a consequence registrar port 43 service will eventually go away. In other words, all registries should become authoritative for all the data we see in WHOIS, if they are not already. That was the desired policy and operational outcome.
So the current situation seems to be pretty simple, and is on the path to getting even simpler:
1. If the registry is thick, the registry is authoritative for all data we see in WHOIS today.
I can’t agree with the conclusion that thick registries are authoritative for all the data they possess. Being the last holder in a chain of custody makes them a **convenient** source of access to certain data elements, but they are not the original, authoritative* (able to be trusted as being accurate or true; reliable) source. An example:
A registrar creates an agreement with a registrant. That agreement has an expiration date. The registrar pushes this expiration date to the registry for publication in an RDDS. The registry has no direct contact or relationship with the registrant or the agreement between the registrant and the registrar.
In this and similar indirect data collection situations, the registry is just the last holder in the chain of custody. The registrar is the original source of the data, and is thus a more accurate and reliable source of information.
Scott
* I think it’s very important for us to agree on a definition of “authoritative”, and that doesn’t mean that we get to make one up. I’ve included mine (taken from the Oxford English dictionary) here.
I agree with the position that the core question is: WHAT/WHICH fields need to be authoritative? The WHO, /and especially the HOW for verification/, are other discussions, mostly involving a discussion between ICANN, Registries, and Registrars.

Sam L.

On 4/5/2017 1:30 PM, John Bambenek via gnso-rds-pdp-wg wrote:
Isn't the question of WHAT is authoritative the question here? WHO is authoritative is another discussion.
My view is that authoritative means what is either what is entered by the domain owner (or given via proxy for whois privacy, which should be free to all entities) or an identical copy of it kept in sync with any changes made by the owner as they are made. In so far as "accurate" data is required, it should be after verification of the data by the consumer for whatever fields have to go through verification.
< rest deleted>
The phrase "Registries exist to be authoritative repositories of data" needs to be carved in stone over the entrance to these rds discussions.

* Being simple minded, the tasks here are: "what data" and "access under what terms". The complexities around those two tasks are the core work of this rds-wg.
* Issues of accuracy are (operationally) a Registrar-Registry issue. They have to be addressed at that level. Registries depend on Registrars for the primary data from domain name registrants.
  o ICANN and this wg may have views on how issues of accuracy are addressed but that is a supplementary issue, and not the core issue here.

....my two cents here....as a registrant

Sam L.

------------------------------------------------------------------------
On 4/5/2017 7:10 AM, Hollenbeck, Scott via gnso-rds-pdp-wg wrote:
*From:* gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Greg Aaron *Sent:* Tuesday, April 04, 2017 5:18 PM *To:* Michael D. Palage <michael@palage.com>; 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] Proposed Definition/Background for Authoritative
Thanks, Mike. A few notes to contribute as people consider “authoritative”:
Registries exist to be authoritative repositories of data; that’s what they are designed to do. (So, for example, two different people can’t register the same domain name, or so a domain won’t resolve to the wrong nameservers.) Domain registries are generally considered authoritative for at least the thin data. (Domain, sponsoring registrar, dates, statuses, nameservers.) The registry creates or is the original recorder of record for most of those fields (domain, sponsoring registrar, dates). And the registry is authoritative for status and nameserver data, using them to enable and control resolution, or to prevent certain actions from taking place in the registry (such as deletions, and registrar-to-registrar transfers).
The Thick WHOIS PDP decided that all gTLD registries should be thick. One reason was to ensure that there won’t be any more disagreements (discrepancies) between what the registrar says the data is and what the registry says it is (and as seen via WHOIS or a successor system). Another reason was to hold contact data in one place reliably, so it could be served from one (authoritative) place; as a consequence registrar port 43 service will eventually go away. In other words, all registries should become authoritative for all the data we see in WHOIS, if they are not already. That was the desired policy and operational outcome.
So the current situation seems to be pretty simple, and is on the path to getting even simpler:
1. If the registry is thick, the registry is authoritative for all data we see in WHOIS today.
I can’t agree with the conclusion that thick registries are authoritative for all the data they possess. Being the last holder in a chain of custody makes them a **convenient** source of access to certain data elements, but they are not the original, authoritative* (able to be trusted as being accurate or true; reliable) source. An example:
A registrar creates an agreement with a registrant. That agreement has an expiration date. The registrar pushes this expiration date to the registry for publication in an RDDS. The registry has no direct contact or relationship with the registrant or the agreement between the registrant and the registrar.
In this and similar indirect data collection situations, the registry is just the last holder in the chain of custody. The registrar is the original source of the data, and is thus a more accurate and reliable source of information.
Scott
* I think it’s very important for us to agree on a definition of “authoritative”, and that doesn’t mean that we get to make one up. I’ve included mine (taken from the Oxford English dictionary) here.
--
------------------------------------------------
"It is a disgrace to be rich and honoured in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
------------------------------------------------
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: Lanfran@Yorku.ca
Skype: slanfranco
blog: https://samlanfranco.blogspot.com
Phone: +1 613-476-0429
cell: +1 416-816-2852
participants (8)
- Carlton Samuels
- Greg Aaron
- Hollenbeck, Scott
- John Bambenek
- Michael D. Palage
- Roger D Carney
- Sam Lanfranco
- Stephanie Perrin