Re: [gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data
I must have missed this note when it was originally sent back in March. Chuck asked me to address one of the questions posed below. Scott
-----Original Message----- From: Gomes, Chuck Sent: Monday, April 24, 2017 7:48 AM To: Hollenbeck, Scott <shollenbeck@verisign.com> Subject: FW: [EXTERNAL] Re: [gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data
FYI Scott.
Chuck
-----Original Message----- From: theo geurts [mailto:gtheo@xs4all.nl] Sent: Thursday, March 02, 2017 4:21 PM To: Gomes, Chuck <cgomes@verisign.com>; Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data
Thanks, Chuck.
I think it is important that we as a WG understand that gated access could be a recommendation. But it does not single out any other solutions/recommendations, but to get to that point, we should keep exploring.
To give this some more color: in 2016 we assisted paloaltonetworks.com and shadow server taking down the Prince of Persia malware that went undetected and roamed the internet for ten years (that's a long time folks) http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/
So the actual WHOIS data was useless in the sense that we were dealing with stolen identities. But we were able to map out the botnet controller network through the WHOIS and coordinated with more Registrars to sinkhole the entire lot.
Again the WHOIS data was useless in this case as it was fake, could have passed every syntax or WHOIS cross-validation check.
So instead of gated access, why not aim for an RDS that used anonymized unique identifiers that are available for everyone?
We already have "anonymized unique identifiers" in the form of contact identifiers, sometimes also known as "handles" (but not to be confused with handle system (RFC 3650) identifiers). For example, a WHOIS query for a particular domain to one particular thick RDDS registry service will return a registrant identifier of "C270-LRMS" in addition to the more identifiable information that we're all familiar with. RDAP also supports these identifiers, so they are available for purposes as we see fit to recommend. Scott
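As an added illustration, not part of this thread or of any registry's software, the script below works on constructed RDAP domain responses in the RFC 9083 JSON shape: it pulls the entity handles per role, produces a view with the vCard contact data removed (handles kept), and groups domains by the registrant handle, which is the kind of correlation Theo describes doing even when the contact details themselves were fake. "C270-LRMS" is the handle quoted above; the other handles, domain names and vCard contents are made up.

```python
import json
from collections import defaultdict

# Constructed RDAP domain lookup responses (RFC 9083 JSON shape). "C270-LRMS"
# is the handle quoted in the thread; other handles and vCard data are made up.
SAMPLE_RESPONSES = [
    json.dumps({"objectClassName": "domain", "ldhName": "example.com",
                "entities": [
                    {"objectClassName": "entity", "handle": "C270-LRMS",
                     "roles": ["registrant"],
                     "vcardArray": ["vcard", [["fn", {}, "text", "J. Doe"]]]},
                    {"objectClassName": "entity", "handle": "C271-LRMS",
                     "roles": ["administrative", "technical"]}]}),
    json.dumps({"objectClassName": "domain", "ldhName": "example.net",
                "entities": [{"objectClassName": "entity", "handle": "C270-LRMS",
                              "roles": ["registrant"]}]}),
    json.dumps({"objectClassName": "domain", "ldhName": "example.org",
                "entities": [{"objectClassName": "entity", "handle": "C931-LRMS",
                              "roles": ["registrant"]}]}),
]

def contact_handles(domain_obj):
    """Map each RDAP entity role to the handles that fill it on one domain."""
    by_role = defaultdict(list)
    for entity in domain_obj.get("entities", []):
        handle = entity.get("handle")
        if not handle:
            continue  # an entity without a handle cannot be correlated
        for role in entity.get("roles", []):
            by_role[role].append(handle)
    return dict(by_role)

def redacted_view(domain_obj):
    """Copy of a domain object with vCard contact data dropped, handles kept."""
    view = dict(domain_obj)
    view["entities"] = [{k: v for k, v in e.items() if k != "vcardArray"}
                        for e in domain_obj.get("entities", [])]
    return view

def cluster_by_handle(raw_responses, role="registrant"):
    """Group domain names by the handle holding `role` across many lookups."""
    clusters = defaultdict(set)
    for raw in raw_responses:
        dom = json.loads(raw)
        for handle in contact_handles(dom).get(role, []):
            clusters[handle].add(dom["ldhName"])
    return {h: sorted(names) for h, names in clusters.items()}

if __name__ == "__main__":
    print(cluster_by_handle(SAMPLE_RESPONSES))
```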