Using the GDPR as a basis for RDS Policy
I apologize for injecting this message way too late in the thread and for not responding to Alan Greenberg's suggestion yesterday, but I was unavoidably offline for the last 18+ hours.

As of now, let's change the title of this thread to 'Using the GDPR as a basis for RDS Policy'. For any future responses to earlier messages about this topic, please change the subject.

Note that I changed the subject in my reply. Feel free to respond to this message with additional discussion about messages below. I hope this works; if anyone has a different suggestion regarding how to do this, please feel free to communicate it.

Chuck

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Paul Keating
Sent: Wednesday, February 14, 2018 4:38 AM
To: Dotzero <dotzero@gmail.com>; Volker Greimann <vgreimann@key-systems.net>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

Correct, but they are the ones collecting the data, so unless they are convinced of the need and legal ability they simply will not collect it. Processing only comes after collection.

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
Date: Tuesday, February 13, 2018 at 5:23 PM
To: Volker Greimann <vgreimann@key-systems.net>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

Volker,

Registrars are not the only constituency with a stake in this.

Michael Hammer

On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

Hi Mike,

no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate other jurisdictions, but as more and more countries are adopting similar regimes....

Sure, it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU Commission hinted at. Not the only model, but a working one.

Volker

On 13.02.2018 at 17:04, Dotzero wrote:

Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective, but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach quite simply does not do that.

Michael Hammer

On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:

I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.

On 13.02.2018 at 15:41, Chuck wrote:

Volker,

Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?

Chuck

From: Volker Greimann [mailto:vgreimann@key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.

GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.

Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.

Best,
Volker

On 13.02.2018 at 00:04, Chuck wrote:

Volker,

The WG could recommend policies that are 'universally applicable to all registrations' but I seriously doubt that will happen in today's world. That would be much simpler than policies that vary by region and users, but is it realistic?

Chuck

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

Michael is right. ICANN is based on the thought of "One World; one Internet". This also means that the policies it creates should be universally applicable to all registrations, if possible. IF we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.

While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.

Volker

On 12 Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:

Greg/John,

I will respectfully push back on your legal oversimplification of the GDPR.

The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.

Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.

As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing privacy legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.

Best regards,
Michael

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg
Sent: Monday, February 12, 2018 1:22 PM
To: Greg Aaron <gca@icginc.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.

John Horton
President and CEO, LegitScript

On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:

I don't know if we arrive at the same place.

GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there's some flexibility and room for interpretation. It's like saying what's inside a box.

U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It's like saying what's outside the box. The U.S. doesn't have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don't surprise people, don't do certain dishonest things.

Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.

The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.

For example, there's nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.

See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg
Sent: Friday, February 9, 2018 2:54 PM
To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don't we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy's example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?

There are important distinctions between the meaning of "legal basis", which implies that a law requires something to be affirmatively present, versus "lawful", which means that something is not prohibited by law. Ultimately though, isn't "lawfulness" the same end point, regardless?

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Friday, February 09, 2018 11:27 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.

On 09.02.2018 at 16:45, Victoria Sheckler wrote:

Kathy's analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy's analysis overlooks that point.

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Thursday, February 8, 2018 7:07 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.

Specifically, GDPR Article 5(1)(b and c) states:

Personal data shall be: (b) "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND (c) "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]

Thus, our first criterion of "consistent with ICANN's mission" is only the first step and we need to go further than even the 3 criteria we are discussing.

Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.

"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.

The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.

Best regards,
Kathy

On 2/7/2018 10:53 AM, Sam Lanfranco wrote:

Thanks Tapani, I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.

On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:

The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.

<......>

So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.

--
Volker A. Greimann - legal department - Key-Systems GmbH
Im Oberen Werk 1, 66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net / www.domaindiscount24.com / www.BrandShelter.com
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu

_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
GDPR is one of the issues that calls for compliance. We should not neglect the other global issues. What we need is a benchmark, and then after that follow the global compliance standards. GDPR is not the only one. At the beginning of this WG, there was a review of the different policies and laws which we cannot just throw away. GDPR should not make us lose our direction, but we review the GDPR and discuss how it affects RDS.

On Wednesday, February 14, 2018, Chuck <consult@cgomes.com> wrote:
I apologize for injecting this message way to late in the thread and for not responding to Alan Greenberg’s suggestion yesterday, but I was unavoidably offline for the last 18+ hours.
As of now, let’s change the title of this thread to ‘Using the GDPR as a basis for RDS Policy’. For any future responses to earlier messages about this topic, please change the subject.
Note that I changed the subject in my reply. Feel free to respond to this message with additional discussion about messages below. I hope this works; if anyone has a different suggestion regarding how to do this, please feel free to communicate it.
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Paul Keating *Sent:* Wednesday, February 14, 2018 4:38 AM *To:* Dotzero <dotzero@gmail.com>; Volker Greimann < vgreimann@key-systems.net> *Cc:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Correct but they are the ones collecting the data so unless they are convinced of the need and legal ability they simply will not collect it. Processing only comes after collection.
*From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> *Date: *Tuesday, February 13, 2018 at 5:23 PM *To: *Volker Greimann <vgreimann@key-systems.net> *Cc: *RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volcker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many of registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accomodate for other jurisdictions, but as more as more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
Am 13.02.2018 um 17:04 schrieb Dotzero:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accomodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net <vgreimann@key-systems.net>] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com> <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN iOS based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. IF we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal over simplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have note previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
*Follow* *Legit**Script*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | *Blog <http://blog.legitscript.com/>* | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDRP only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; g nso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Thursday, February 8, 2018 7:07 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be: 2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criterion, "consistent with ICANN's mission," is only the first step, and we need to go further than even the 3 criteria we are discussing.
Second, "lawful" and "legal" enter us into a debate over words. I have to agree with Sam and Tapani's analysis, and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term "lawful" is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Best case: Everyone agrees on a common adoption of an implementation for an RDS that is fully compliant with all applicable data protection laws and still provides for an ability to get access to that data if a legitimate interest in accessing a particular data set exists. Data retention will be reduced to the maximum allowable limit under the jurisdiction the registrar operates in (nothing new here, just re-stating what should already be the case), and collection will be limited to those data sets for which valid justifications exist at the time the service is requested. Legitimate accessors could be: LEAs of appropriate jurisdiction (either registrar or data subject), accredited/certified accessors, entities acting on behalf of the data subject, etc.
Heretic thought of the day: We will probably be looking at a thin/distributed model again, or at least a model where data does not leave certain jurisdictions without legitimate reasons/justification.
For a possible example of how a GDPR-compliant RDS might look, please have a look at: http://webwhois.nic.amsterdam/ and search for dejong.amsterdam for an example of a domain with data provided by a private individual, or neuken.amsterdam for an example of a domain with data provided by an organization. Also note that certain requesters can be provided with access to full data whois under: http://nic.amsterdam/whois-privacy
This would be one possible implementation of the tiered access model suggested by the EWG. I am not saying this is the perfect model, but it is _a_ possible model that has already been given a nod by the Dutch data privacy official. It does provide full access to certain parties with legitimate interest.
Heretic thought of the day #2: It may be the case that we have looked at this entire issue from the wrong end. I know we agreed on the existing work plan, but instead of debating endlessly about purposes and legal vs. legitimate, we might have been better served by first building a tight model and then looking at what can and should be collected into this model and who would be given access to what and how.
VG
On 14.02.2018 at 16:41, DANIEL NANGHAKA wrote:
GDPR is one of the issues that calls for compliance. We should not neglect the other global issues. What we need is a benchmark, and then to follow the global compliance standards. GDPR is not the only one. At the beginning of this WG, there was a review of the different policies and laws which we cannot just throw away. GDPR should not make us lose our direction; rather, we should review the GDPR and discuss how it affects RDS.
On Wednesday, February 14, 2018, Chuck <consult@cgomes.com> wrote:
I apologize for injecting this message way too late in the thread and for not responding to Alan Greenberg’s suggestion yesterday, but I was unavoidably offline for the last 18+ hours.
As of now, let’s change the title of this thread to ‘Using the GDPR as a basis for RDS Policy’. For any future responses to earlier messages about this topic, please change the subject.
Note that I changed the subject in my reply. Feel free to respond to this message with additional discussion about messages below. I hope this works; if anyone has a different suggestion regarding how to do this, please feel free to communicate it.
Chuck
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12 Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal over simplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight, as an Irish legal entity, to protect all of its customers' data (EU/non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one, and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing privacy legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg
Sent: Monday, February 12, 2018 1:22 PM
To: Greg Aaron <gca@icginc.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
This makes a lot of good sense to me.
Holly
On 15 Feb 2018, at 3:14 am, Volker Greimann <vgreimann@key-systems.net> wrote:
Best case: Everyone agrees on a common adoption of an implementation for an RDS that is fully compliant with all applicable data protection laws and still provides for an ability to get access to that data if a legitimate interest in accessing a particular data set exists. Data retention will be reduced to the maximum allowable limit under the jurisdiction the registrar operates in (nothin new here, just re-stating what should already be the case), and collection will be limited to those data sets for which valid justifications exist at the time the service is requested. Legitimate accessors could be: LEAs of appropriate jurisdiction (either registrar or data subject), accredited/certified accessors, entities acting on behalf of data subject, etc. Heretic thought of the day: We will probably be looking at a thin/distributed model again, or at least a model where data does not leave certain jurisdictions without legitimate reasons/justification.
For a possible example of how a GDPR compliant RDS might look, please have a look at:
http://webwhois.nic.amsterdam/ and search for: dejong.amsterdam for an example of a domain with data provided by a private individual, or
neuken.amsterdam for an example of a domain with data provided by an organization. Also note that certain requesters can be provided with access to full data whois under:
http://nic.amsterdam/whois-privacy This would be one possible implementation of the tiered access model suggested by the EWG.
I am not saying this is the perfect model, but it is _a_ possible model that has already been given a nod by the Dutch data privacy official. It does provide full access to certain parties with legitimate interest.
Heretic thought of the day #2: It may be the case that we have looked at this entire issue from the wrong end. I know we agreed on the existing work plan, but instead of debating endlessly about purposes and legal vs. legitimate, we might have been better served by first building a tight model and then looking at what can and should be collected into this model and who would be given access to what and how.
VG
Am 14.02.2018 um 16:41 schrieb DANIEL NANGHAKA:
GDPR is one of the issues that calls for compliance. We should not neglect the other global issues. What we need is a benchmark, then after that follow the global compliance standards. GDPR is not the only one. At the beginning of this WG, there was a review of the different policies and laws which we cannot just throw away. GDPR should not make us lose our direction, but we review the GDPR and discuss how it affects RDS.
On Wednesday, February 14, 2018, Chuck <consult@cgomes.com> wrote: I apologize for injecting this message way too late in the thread and for not responding to Alan Greenberg’s suggestion yesterday, but I was unavoidably offline for the last 18+ hours.
As of now, let’s change the title of this thread to ‘Using the GDPR as a basis for RDS Policy’. For any future responses to earlier messages about this topic, please change the subject.
Note that I changed the subject in my reply. Feel free to respond to this message with additional discussion about messages below. I hope this works; if anyone has a different suggestion regarding how to do this, please feel free to communicate it.
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Paul Keating Sent: Wednesday, February 14, 2018 4:38 AM To: Dotzero <dotzero@gmail.com>; Volker Greimann <vgreimann@key-systems.net> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Correct but they are the ones collecting the data so unless they are convinced of the need and legal ability they simply will not collect it. Processing only comes after collection.
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> Date: Tuesday, February 13, 2018 at 5:23 PM To: Volker Greimann <vgreimann@key-systems.net> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate other jurisdictions, but as more and more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
Am 13.02.2018 um 17:04 schrieb Dotzero:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective, but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply, does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal over simplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing privacy legislation; in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
Follow LegitScript: LinkedIn | Facebook | Twitter | Blog | Newsletter
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criterion of "consistent with ICANN's mission" is only the first step, and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term "lawful" is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
--
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
On Wed, Feb 14, 2018 at 05:14:28PM +0100, Volker Greimann wrote:
Heretic thought of the day: We will probably be looking at a thin/distributed model again, or at least a model where data does not leave certain jurisdictions without legitimate reasons/justification.
As I have argued repeatedly, the only justifications for centralisation and "thick" registries in the first place were (1) deficiencies in the whois protocol that made distributed operation hard and (2) bad-actor registrars who wouldn't keep their data in good shape.
(1) is, of course, solved by ditching whois for a better protocol, which protocol we already have built and waiting for use. One could even put a whois "gloss" on such a protocol (which would in that case, of course, only hand out the minimal data), so that people's tools don't all break overnight. This is all well understood by anyone remotely familiar with network operations (cf. Scott H's excellent testbed).
(2) is, of course, not solved at all by centralisation, since the (competent) bad actors just lie when they upload the data. There never was an advantage there, as anyone familiar with network fraud told people even at the time.
So I don't think the idea is heretical at all. I think it's a good idea.
Best regards,
A
--
Andrew Sullivan
ajs@anvilwalrusden.com
Dear Andrew:
Well... no. We can certainly agree that a move to RDAP is sorely needed. But deficiencies in the WHOIS protocol were not the problem. Rather it was failure by many registrars to implement properly and uniformly -- not just "bad actors" but the many more that were inattentive or not competent.
The Thick WHOIS PDP laid out the reasons for going thick. They included:
"Historically, the centralized databases of thick Whois registries are operated under a single administrator that sets conventions and standards for submission and display, archival/restoration and security have proven easier to manage. By contrast, registrars set their own conventions and standards for submission and display, archival/restoration and security of registrant information under a thin Whois model.... The thin model is thus criticized for introducing variability among Whois services, which can be problematic for legitimate forms of automation. It is this problem that prompted the IRTP B Working Group to recommend requiring thick Whois across incumbent registries - in order to improve security, stability and reliability of the domain transfer process... A thick Whois model also offers attractive archival and restoration properties.... A thick Whois model also reduces the degree of variability in display formats. Furthermore, a thick registry is better positioned to take measures to analyze and improve data quality since it has all the data at hand."
In other words: security, stability, and usability reasons. The accuracy of the data is a completely separate matter.
A distributed system relies on the competence, robustness, and good faith of all the parties involved. Centralizing some aspects can mitigate failures, incompetence, and bad faith.
All best,
--Greg
Greg,
There was no contractual obligation for uniformity in the whois output until the introduction of the 2013 contract. The lack of uniformity etc. was not a matter of "failure" by registrars to do anything - there was nothing agreed for them to do or adhere to nor any contractual obligation to do it.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/ http://blacknight.blog/
Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
Michele:
Not talking about that so much (although the PDP did address it). The bigger problem, as you know, was that some registrars serve different data for a domain than the registry does -- such as expiration dates that do not match, and differing nameserver records. That kind of thing is still happening with .com and .net records.
--Greg
Greg

That's not entirely the registrar's fault. In order to offer 30 days grace the registrar has to renew the domain with the registry and then delete it if they don't get paid, so registry shows +1 year in some cases.

Nameserver records - those should be in sync - again I'm not sure if that's entirely a registrar issue or a joint one.

And tbh I really don't think that this conversation is helping anyone - the RrSG has been working with the RySG on addressing operational issues together. If you're still affiliated with a registry please join.

Regards
Michele

On 15/02/2018, 14:31, "Greg Aaron" <gca@icginc.com> wrote:

Michele: Not talking about that so much (although the PDP did address it). The bigger problem, as you know, was that some registrars serve different data for a domain than the registry is -- such as expiration dates that do not match, and differing nameserver records. That kind of thing is still happening with .com and .net records.
No, I'm not talking about the "registrar expiration date" and renewal date stuff. I'm talking more serious variances. Such as variances in a domain's delegated nameservers that are not attributable to race conditions, and failures to update contact data up to the registry. Recently I even saw a registrar who gave multiple different IANA ID numbers for itself in its WHOIS output, depending on various factors. That kind of thing is ridiculous and it happens.

Flipping this to a private venue isn't the answer. It's a public issue that one PDP already addressed, and has come up here again.

The point is that thick registries provide advantages by acting as authoritative repositories of data and by serving authoritative RDS.

-----Original Message-----
From: Michele Neylon - Blacknight [mailto:michele@blacknight.com]
Sent: Thursday, February 15, 2018 9:34 AM
To: Greg Aaron <gca@icginc.com>; Andrew Sullivan <ajs@anvilwalrusden.com>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy

Greg

That's not entirely the registrar's fault. In order to offer 30 days grace the registrar has to renew the domain with the registry and then delete it if they don't get paid, so registry shows +1 year in some cases.

Nameserver records - those should be in sync - again I'm not sure if that's entirely a registrar issue or a joint one.

And tbh I really don't think that this conversation is helping anyone - the RrSG has been working with the RySG on addressing operational issues together. If you're still affiliated with a registry please join.

Regards
Michele
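The two messages above describe concrete registrar/registry variances that anyone monitoring RDS data quality would want to detect: nameserver sets that differ, an expiry date that differs by exactly one year because the registrar renewed at the registry while waiting out its own payment grace period (explainable), an expiry that differs for no such reason (not explainable), and a registrar reporting the wrong IANA ID for itself. The following reconciliation check is an added example written for this page, not code from any list participant, ICANN or a registry; the record layout, the `RdsRecord` type, the 30-day grace window and the sample records are all constructed assumptions for illustration.

```python
"""Reconcile a registrar's RDS record for a domain against the registry's record.

Added example for this thread; record layout and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RdsRecord:
    """Minimal subset of an RDS/WHOIS record needed for the checks below (assumed layout)."""
    domain: str
    nameservers: tuple        # host names exactly as served
    expiry: date              # expiration date exactly as served
    registrar_iana_id: int    # sponsoring registrar's IANA ID as served


def norm_host(host: str) -> str:
    """Canonical form for comparing host names: case-insensitive, no trailing dot."""
    return host.strip().rstrip(".").lower()


def add_years(d: date, years: int) -> date:
    """Same month/day in a later year; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def reconcile(registry: RdsRecord, registrar: RdsRecord, today: date,
              grace_days: int = 30) -> list:
    """Return (severity, message) findings for one registry/registrar record pair.

    - nameserver sets must match (case and trailing-dot differences are not variances);
    - a registry expiry exactly one year later than the registrar's is treated as
      explainable only while the registrar's date is within grace_days of today
      (registrar has renewed at the registry and is waiting for payment), otherwise
      it is reported as an unexplained variance;
    - the registrar's self-reported IANA ID must equal the registry's sponsoring ID.
    """
    if norm_host(registry.domain) != norm_host(registrar.domain):
        return [("error", "records are for different domains")]

    findings = []
    ry_ns = {norm_host(h) for h in registry.nameservers}
    rr_ns = {norm_host(h) for h in registrar.nameservers}
    if ry_ns != rr_ns:
        findings.append(("high", "nameserver mismatch: registry=%s registrar=%s"
                         % (sorted(ry_ns), sorted(rr_ns))))

    if registry.expiry != registrar.expiry:
        grace = timedelta(days=grace_days)
        in_grace = registrar.expiry - grace <= today <= registrar.expiry + grace
        if registry.expiry == add_years(registrar.expiry, 1) and in_grace:
            findings.append(("info", "expiry differs by one year inside the renewal "
                                     "grace window (explainable auto-renew)"))
        else:
            findings.append(("high", "unexplained expiry variance: registry=%s registrar=%s"
                             % (registry.expiry, registrar.expiry)))

    if registry.registrar_iana_id != registrar.registrar_iana_id:
        findings.append(("high", "IANA ID mismatch: registry=%d registrar=%d"
                         % (registry.registrar_iana_id, registrar.registrar_iana_id)))
    return findings


def self_reported_iana_ids(registrar_records) -> set:
    """IANA IDs one registrar reports for itself across several of its own records.
    More than one distinct value is the inconsistency described in the thread."""
    return {r.registrar_iana_id for r in registrar_records}


# Constructed sample records (not real domains, registrars or IDs).
TODAY = date(2018, 2, 15)
REGISTRY = RdsRecord("example-shop.test",
                     ("NS1.EXAMPLE-DNS.TEST.", "ns2.example-dns.test"),
                     date(2019, 2, 1), 1234)
# Registrar still shows last year's date two weeks after it passed: grace case.
REGISTRAR_OK = RdsRecord("example-shop.test",
                         ("ns1.example-dns.test", "ns2.example-dns.test"),
                         date(2018, 2, 1), 1234)
# Registrar serves a different nameserver, an unexplained date and the wrong ID.
REGISTRAR_BAD = RdsRecord("example-shop.test",
                          ("ns1.example-dns.test", "ns9.other-dns.test"),
                          date(2020, 2, 1), 9999)

if __name__ == "__main__":
    for label, rec in (("ok", REGISTRAR_OK), ("bad", REGISTRAR_BAD)):
        for severity, msg in reconcile(REGISTRY, rec, TODAY):
            print("%s: [%s] %s" % (label, severity, msg))
    print("ids:", self_reported_iana_ids([REGISTRAR_OK, REGISTRAR_BAD]))
```

Run against a feed of registry and registrar records for the same domains, the `high` findings are the ones worth raising (with compliance, per the thread), while the `info` finding is the ordinary grace-period situation and should be suppressed from alerting rather than counted as a variance.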
Greg

Your previous email said expiry date. Now you're saying that's not the issue.

Anyway if registrars are outputting junk in whois then that's a matter you can raise with contractual compliance.

Regards
Michele

On 15/02/2018, 15:35, "Greg Aaron" <gca@icginc.com> wrote:

No, I'm not talking about the "registrar expiration date" and renewal date stuff. I'm talking more serious variances. Such as variances in a domain's delegated nameservers that are not attributable to race conditions, and failures to update contact data up to the registry. Recently I even saw a registrar who gave multiple different IANA ID numbers for itself in its WHOIS output, depending on various factors. That kind of thing is ridiculous and it happens.

Flipping this to a private venue isn't the answer. It's a public issue that one PDP already addressed, and has come up here again.

The point is that thick registries provide advantages by acting as authoritative repositories of data and by serving authoritative RDS.
Michele, you and Volker pointed to the well-known issue of registrar expiration dates varying from the one provided by the registry due to autorenewal and other well-known situations. I know all about those and why they are reasonable. I'm pointing to date variances that are not due to those, and are more due to complete incompetence or registrars who are playing games. Dates aside, there are many other problems like the others I mentioned.

Systems that reasonably facilitate better delivery and compliance are certainly better than those that depend upon one-off and unreliable mechanisms. Making compliance dependent on the labor of community members is neither necessary nor reliable.

The point is, again, that thick registries provide advantages by acting as authoritative repositories of data and by serving authoritative RDS.

-----Original Message-----
From: Michele Neylon - Blacknight [mailto:michele@blacknight.com]
Sent: Thursday, February 15, 2018 10:46 AM
To: Greg Aaron <gca@icginc.com>; Andrew Sullivan <ajs@anvilwalrusden.com>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy

Greg

Your previous email said expiry date. Now you're saying that's not the issue.

Anyway if registrars are outputting junk in whois then that's a matter you can raise with contractual compliance.

Regards
Michele
Greg Sorry, but you're not making any sense. If you believe that a registrar is not meeting their contractual obligations in relation to whois output, which is clearly mandated in the contract then that is a contractual compliance issue. Also referring to all registrars as being incompetent isn't going to win you any friends. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 On 15/02/2018, 16:03, "Greg Aaron" <gca@icginc.com> wrote: Michele, you and Volker pointed to the well-known issue of registrar expiration dates varying from the one provided by the registry due to autorenewal and other well-known situations. I know all about those and why they are reasonable I'm pointing to date variances that are not due to those, and are more due to complete incompetence or registrars who are playing games. Dats aside, there are many other problems like the others I mentioned. Systems that reasonably facilitate better delivery and compliance are certainly better than those that depend upon one-off and unreliable mechanisms. Making compliance dependent on the labor of community members is neither necessary nor reliable. The point is, again, that thick registries provide advantages by acting as authoritative repositories of data and by serving authoritative RDS. 
-----Original Message-----
From: Michele Neylon - Blacknight [mailto:michele@blacknight.com]
Sent: Thursday, February 15, 2018 10:46 AM
To: Greg Aaron <gca@icginc.com>; Andrew Sullivan <ajs@anvilwalrusden.com>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy

Greg

Your previous email said expiry date. Now you're saying that's not the issue.

Anyway if registrars are outputting junk in whois then that's a matter you can raise with contractual compliance

Regards
Michele

On 15/02/2018, 15:35, "Greg Aaron" <gca@icginc.com> wrote:

No, I'm not talking about the "registrar expiration date" and renewal date stuff. I'm talking more serious variances. Such as variances in a domain's delegated nameservers that are not attributable to race conditions, and failures to update contact data up to the registry. Recently I even saw a registrar who gave multiple different IANA ID numbers for itself in its WHOIS output, depending on various factors. That kind of thing is ridiculous and it happens.

Flipping this to a private venue isn't the answer. It's a public issue that one PDP already addressed, and has come up here again.

The point is that thick registries provide advantages by acting as authoritative repositories of data and by serving authoritative RDS.
-----Original Message-----
From: Michele Neylon - Blacknight [mailto:michele@blacknight.com]
Sent: Thursday, February 15, 2018 9:34 AM
To: Greg Aaron <gca@icginc.com>; Andrew Sullivan <ajs@anvilwalrusden.com>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy

Greg

That's not entirely the registrar's fault. In order to offer 30 days grace the registrar has to renew the domain with the registry and then delete it if they don't get paid, so the registry shows +1 year in some cases.

Nameserver records - those should be in sync - again I'm not sure if that's entirely a registrar issue or a joint one.

And tbh I really don't think that this conversation is helping anyone - the RrSG has been working with the RySG on addressing operational issues together. If you're still affiliated with a registry please join.

Regards
Michele

On 15/02/2018, 14:31, "Greg Aaron" <gca@icginc.com> wrote:

Michele: Not talking about that so much (although the PDP did address it). The bigger problem, as you know, was that some registrars serve different data for a domain than the registry does -- such as expiration dates that do not match, and differing nameserver records. That kind of thing is still happening with .com and .net records.
-----Original Message-----
From: Michele Neylon - Blacknight [mailto:michele@blacknight.com]
Sent: Thursday, February 15, 2018 9:21 AM
To: Greg Aaron <gca@icginc.com>; Andrew Sullivan <ajs@anvilwalrusden.com>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy

Greg

There was no contractual obligation for uniformity in the whois output until the introduction of the 2013 contract. The lack of uniformity etc., was not a matter of "failure" by registrars to do anything - there was nothing agreed for them to do or adhere to nor any contractual obligation to do it.

Regards
Michele

On 15/02/2018, 14:04, "gnso-rds-pdp-wg on behalf of Greg Aaron" <gnso-rds-pdp-wg-bounces@icann.org on behalf of gca@icginc.com> wrote:

Dear Andrew:

Well... no. We can certainly agree that a move to RDAP is sorely needed. But deficiencies in the WHOIS protocol were not the problem. Rather it was failure by many registrars to implement properly and uniformly -- not just "bad actors" but the many more that were inattentive or not competent.

The Thick WHOIS PDP laid out the reasons for going thick. They included:

"Historically, the centralized databases of thick Whois registries are operated under a single administrator that sets conventions and standards for submission and display, archival/restoration and security have proven easier to manage. By contrast, registrars set their own conventions and standards for submission and display, archival/restoration and security of registrant information under a thin Whois model....
The thin model is thus criticized for introducing variability among Whois services, which can be problematic for legitimate forms of automation. It is this problem that prompted the IRTP B Working Group to recommend requiring thick Whois across incumbent registries - in order to improve security, stability and reliability of the domain transfer process... A thick Whois model also offers attractive archival and restoration properties.... A thick Whois model also reduces the degree of variability in display formats. Furthermore, a thick registry is better positioned to take measures to analyze and improve data quality since it has all the data at hand."

In other words: security, stability, and usability reasons.

The accuracy of the data is a completely separate matter.

A distributed system relies on the competence, robustness, and good faith of all the parties involved. Centralizing some aspects can mitigate failures, incompetence, and bad faith.

All best,
--Greg
Dear Michele:

If a registrar is not meeting its contractual obligations in relation to whois output, then that is a contractual compliance issue. But also like I said: systems that reasonably facilitate better delivery and compliance are certainly better than those that depend upon one-off and unreliable mechanisms like community-filed complaints. Why have a system that is tolerant of problems when a better system is available? One of the points of the Thick WHOIS PDP was to mitigate some problems that come with data held at and served exclusively by registrars, and instead serve it from authoritative registries.

You said: "Also referring to all registrars as being incompetent isn't going to win you any friends." I said nothing of the sort, and I can't see how you reached that conclusion. My words were chosen carefully. There are some registrars who are incompetent, and a small number who decide to play outside the rules -- and you know these things to be true. Those registrars cause problems for registrars like you, who are competent and responsible businesspeople. It is in the interest of the registrar community, the wider industry, and in the public interest, to find solutions that mitigate these problems.

All best,
--Greg

-----Original Message-----
From: Michele Neylon - Blacknight [mailto:michele@blacknight.com]
Sent: Thursday, February 15, 2018 11:11 AM
To: Greg Aaron <gca@icginc.com>; Andrew Sullivan <ajs@anvilwalrusden.com>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy

Greg

Sorry, but you're not making any sense. If you believe that a registrar is not meeting their contractual obligations in relation to whois output, which is clearly mandated in the contract, then that is a contractual compliance issue.

Also referring to all registrars as being incompetent isn't going to win you any friends.
That is happening because there is no exact policy definition for those dates and both sides see these stats differently.

The registrar will increase the expiration date by one year after it has received payment, executed the renewal request at the registry and received confirmation from the registry that the registration period has been extended. As this can happen during renew grace, the domain may show as expired even though it is still connected and not deleted.

The registry will increase the expiration date on the occurrence of the expiration date, regardless of whether it has received a renewal request or not, essentially treating the renew grace period as a delete grace period. The domain may not have been renewed by the registrar and the registrar may delete the domain at any time if it is not renewed in time by the registrant despite the expiration date showing a time in the future.

And I agree, this does cause some level of customer confusion.

Volker

On 15.02.2018 at 15:28, Greg Aaron wrote:
Michele: Not talking about that so much (although the PDP did address it). The bigger problem, as you know, was that some registrars serve different data for a domain than the registry does -- such as expiration dates that do not match, and differing nameserver records. That kind of thing is still happening with .com and .net records.
Hi,

On Thu, Feb 15, 2018 at 02:03:49PM +0000, Greg Aaron wrote:
> Well... no. We can certainly agree that a move to RDAP is sorely needed. But deficiencies in the WHOIS protocol were not the problem.
Actually, your quote shows otherwise. See below.
> Rather it was failure by many registrars to implement properly and uniformly -- not just "bad actors" but the many more that were inattentive or not competent.
I used "bad actors" loosely, to include registrars who didn't do their job. I can't tell whether a registrar who doesn't do its job is incompetent, lazy, or malicious. And I don't care.

> "Historically, the centralized databases of thick Whois registries are operated under a single administrator that sets conventions and standards for submission and display,

The mere fact that this talks about display _at all_ is evidence that the whois protocol itself was indeed part of the problem. Display in a data system should not be under the control of the data source, but under some formatting system. This is the same reason that my user agent (browser) is responsible for formatting things on the web according to the css file sent by the server (or, perhaps, some other css file I can use locally to override that stylesheet).

The submission standards are a different problem, because in fact there are agreements that _already_ govern such submissions. There is no need of a central database to get the submission correct, unless some participants in the system are just not doing their job. The answer to that, of course, is market discipline, including either reputation system counter-bias or deaccreditation. ICANN's dependence on fees from the registry business makes it an ineffective agent of deaccreditation, of course.
> The thin model is thus criticized for introducing variability among Whois services, which can be problematic for legitimate forms of automation.
This is again evidence that whois the protocol was part of the problem. You can't automate against whois because the only way to do it is to scrape screens, and that is unreliable. Indeed, in a properly formatted data output, even missing data isn't as great a problem, because your automation can cope with the missing data precisely because it is formatted for machine consumption.
> In other words: security, stability, and usability reasons.

Those may be the reasons people selected this path, but it has always been evident to many of us that the mistake was in relying on a protocol misfit to the purpose. We didn't get greater security from it: data leaks like crazy, there is no authentication of who is requesting, and people lie about their data for the perfectly reasonable end of not getting doxed just because of having a domain name. We didn't get greater stability, either, because we have increased the data maintenance burden on registries for no obvious benefit, and have increased the probability of data mismatches across two different "sources of truth" (as they say, "The man with two watches never knows what time it is"). And usability was not improved, either, because whois can't do internationalization, can't give you only the data you want, and can't do referrals reliably or effectively.
> The accuracy of the data is a completely separate matter.
It is not. A significant reason for data problems is manifestly the bad protocol, which creates incentives for white lies.
> A distributed system relies on the competence, robustness, and good faith of all the parties involved. Centralizing some aspects can mitigate failures, incompetence, and bad faith.

It seems to me that the current whois is, quite literally, a counterexample to your claim, whereas the DNS and its actual operation on the Internet suggests to me that when the incentives are correctly aligned a distributed system works well.

I can buy the argument that the R/R/R model was dumb, and that registrars are a needless wheel that does no work in the registration system. _That_ is a reason to centralise all data in the registry. But I doubt we are headed in that direction.

Alternatively, I can buy the argument that the registry should be the only source of data having to do with any registration, and that registrars are basically just authorized agents of the registry and must provide passthrough access to such data as is related to domain name registrations. _That_ could be a reason to centralise all data in the registry, too. It leads pretty quickly to pretty serious questions (the ones we have been debating) about exactly which data the registry really needs in support of domain name registration, and it also leads to additional questions (not yet discussed) about whether registrars may retain any of that data in their own repositories when they are collected only for domain name registration. I suspect the answer is no, at least not without consent (registrars would have access to it anyway, through the same SRS where the data would be stored. But I can't imagine any registrar being comfortable with nailing their own uptime to that of every registry in the world).

I cannot buy, however, any claim that centralising the data necessarily makes things better for the Internet. I don't think the claim has been demonstrated, and I can think of lots of ways in which it is obviously false.

Best regards,
A
--
Andrew Sullivan
ajs@anvilwalrusden.com
My 2 cents:

European data protection law always had an extra-territorial reach; it was, however, largely ignored by non-European entities. I'd surmise this was likely due to the perceived lack of enforcement capabilities (fragmentation and lack of harmonization in the implementation of the directive), the age of the grounding legislation (i.e. pre-ICANN), and the level of the fines; it seemed a relatively low risk for many to ignore the exigencies of privacy legislation emanating from Europe.

GDPR is a horse of a different color. It is a standard regulation with direct effect across all EU nations. Enforcement is now focused and there is a real possibility of a non-EU entity being subject to a very public and potentially damaging enforcement action. In addition, add to that the fact that the fines are huge, and, as most people keep omitting/forgetting, a DPA individually enjoys the power to ban the processing of data by an entity (Article 58 (2) (f) <https://gdpr-info.eu/art-58-gdpr/>). Whatever our individual reasoning is, we are all paying attention now.

The reality is as soon as any one of us (read as an entity/business and not personal household users) processes (i.e. collects, uses, stores etc.) the PI of a single EU resident, the GDPR applies to you. Admittedly, the risk of enforcement may individually be assessed as low, e.g. if you are a non-EU entity whose business purpose deals with non-EU data ONLY; however, it remains a risk. If you process the data of that one single person inadvertently, and that one single person complains to their DPA, you are still subject to investigation and censure from that DPA.

The impression I'm getting from the discussion is that GDPR applicability is being measured by the fact that potentially 14% of all gTLD registrations emanate from the EU (which I also agree is still pretty sizable). I think that is the wrong measurement. We should be asking how many of the entities in the ICANN ecosphere actually intend to use that data.
I hazard a guess that it's substantially more than 14%, and that is why we need to have consideration of the GDPR. We need to realistically frame this PDP on what lawful/legal (the distinction here is far too nuanced to really matter, as whatever the reason is will be tested by a DPA, based on their interpretation, regardless) reasons exist for the processing of registrant data from collection, to disclosure, to retention and deletion. If you are confident that your use remains in the "pre-GDPR" status quo and you wish to assume that risk, then that is a business decision for you. That is not our goal; we are trying to get community agreement as to the RDS, for all, from the registry to the user, and all the potential stops along the way. This does not allow us to incorporate a voluntary assumption of risk into the standard, which I think we are in danger of doing, as the argument is to sideline a legal standard that applies, whether we like it or not, to pretty much all of us in some way or another. With that in mind, the GDPR is a Rosetta stone for us to get the industry as a whole to be far more conscientious and aware of the processing activities we routinely engage in. If we cement such a consideration in our deliberations now, I feel we are helping future-proof ourselves, and not holding onto the numerous issues with WHOIS. Alan PS: For some light, if pointed, humor: if you are reading my e-mail, I sent it from alan@donuts.email, and I am sitting in sunny Dublin, Ireland right now. I hate to say that, in a very (very) small way, GDPR now applies to you too!!!!!!! (99 days now!! we are sub 100, people). <http://donuts.domains> Alan Woods Senior Compliance & Policy Manager, Donuts Inc.
One Clarendon Row, Dublin 2, County Dublin, Ireland
On Wed, Feb 14, 2018 at 2:40 PM, Chuck <consult@cgomes.com> wrote:
I apologize for injecting this message way to late in the thread and for not responding to Alan Greenberg’s suggestion yesterday, but I was unavoidably offline for the last 18+ hours.
As of now, let’s change the title of this thread to ‘Using the GDPR as a basis for RDS Policy’. For any future responses to earlier messages about this topic, please change the subject.
Note that I changed the subject in my reply. Feel free to respond to this message with additional discussion about messages below. I hope this works; if anyone has a different suggestion regarding how to do this, please feel free to communicate it.
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Paul Keating *Sent:* Wednesday, February 14, 2018 4:38 AM *To:* Dotzero <dotzero@gmail.com>; Volker Greimann < vgreimann@key-systems.net> *Cc:* RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Correct but they are the ones collecting the data so unless they are convinced of the need and legal ability they simply will not collect it. Processing only comes after collection.
*From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com> *Date: *Tuesday, February 13, 2018 at 5:23 PM *To: *Volker Greimann <vgreimann@key-systems.net> *Cc: *RDS PDP WG <gnso-rds-pdp-wg@icann.org> *Subject: *Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate other jurisdictions, but as more and more countries are adopting similar regimes....
Sure, it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU Commission hinted at. Not the only model, but a working one.
Volker
Am 13.02.2018 um 17:04 schrieb Dotzero:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but, as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; One Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal over simplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight, as an Irish legal entity, to protect all of its customers' data (EU/non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art. 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing privacy legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND *3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criterion of "consistent with ICANN's mission" is only the first step, and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term "lawful" is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH, Im Oberen Werk 1, 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
participants (8)
-
Alan Woods -
Andrew Sullivan -
Chuck -
DANIEL NANGHAKA -
Greg Aaron -
Holly Raiche -
Michele Neylon - Blacknight -
Volker Greimann