discussion -- SAC061 -- SSAC Comment on ICANN’s Initial Report from the Expert Working Group on gTLD Directory Services
hi all,

here’s a thread to talk about the SSAC comment on EWG initial report.

here are a few questions. view them as a starting-point, not a rigid requirement. if you have a comment that falls outside of these questions, please go ahead and make your post. i’m just posting these to start conversation, not restrict it.

- what’s the current status of the EWG work?
- where are we in the process of establishing a registration data policy?
- who, if anybody, has taken these SSAC recommendations on board?
- is there anything that the GNSO, and/or the GNSO Council, should be doing in Singapore to help move this along?
- are there any other questions people would like to raise about this comment?

SAC061: SSAC Comment on ICANN’s Initial Report from the Expert Working Group on gTLD Directory Services
http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf

Recommendation 1: SSAC reiterates its recommendation from SAC055: The ICANN Board should explicitly defer any other activity (within ICANN’s remit) directed at finding a ‘solution’ to ‘the WHOIS problem’ until the registration data policy has been developed and accepted in the community. The EWG should clearly state its proposal for the purpose of registration data, and focus on policy issues over specific implementations.

Recommendation 2: The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.

Recommendation 3: SSAC recommends that the EWG state more clearly its positions on the following questions of data availability:

A. Why is a change to public access justified? This explanation should describe the potential impact upon ordinary Internet users and casual or occasional users of the directory service.

B. Does the EWG believe that access to data currently accessible in generic Top Level Domain (gTLD) WHOIS output should become restricted? If so, what fields and to what extent exactly? Under the EWG proposal, queries from non-authenticated requestors would return only “public data available to anyone, for

C. Should all gTLD registries be required to provision their contact data into the Aggregated Registration Data Service (ARDS)? There may be jurisdictions that prohibit by law the export of personally identifiable information outside the jurisdiction. If so, the ARDS may not be a viable way to deliver data accuracy and compliance across all gTLDs.

D. Does the EWG propose more types of sensitive registration data be provisioned into ARDS than are found in current gTLD WHOIS output?

Recommendation 4: The SSAC suggests that the EWG address this recommendation from SAC058: “SSAC Report on Domain Name Registration Data Validation”3: As the ICANN community discusses validating contact information, the SSAC recommends that the following meta-questions regarding the costs and benefits of registration data validation should be answered:

• What data elements need to be added or validated to comply with requirements or expectations of different stakeholders?
• Is additional registration processing overhead and delay an acceptable cost for improving accuracy and quality of registration data?
• Is higher cost an acceptable outcome for improving accuracy and quality?
• Would accuracy improve if the registration process were to provide natural persons with privacy protection upon completion of multi-factored validation?
At the risk of not following protocols, I am going to plunge in. First, please note that while I sit on the EWG, my views expressed are only mine, and they often tend to be minority views. I am also a PhD student immersed in reading about the development of WHOIS from an information policy perspective, so may have additional somewhat nerdy minority views. But here goes, inline:

On Feb 12, 2014, at 8:41 AM, Mike O'Connor <mike@haven2.com> wrote:

> hi all,
>
> here’s a thread to talk about the SSAC comment on EWG initial report.
>
> here are a few questions. view them as a starting-point, not a rigid requirement. if you have a comment that falls outside of these questions, please go ahead and make your post. i’m just posting these to start conversation, not restrict it.
>
> - what’s the current status of the EWG work?

There will be another open session in Singapore to discuss, the final report is due in June at the London meeting. This is a strenuous deadline in my view, given research that ought to be done first.

> - where are we in the process of establishing a registration data policy?
>
> - who, if anybody, has taken these SSAC recommendations on board?

All the recommendations have certainly been looked at, but in my view there was so little detail in the first report that really folks had much more to get their teeth into in the November draft…and the comment period has not closed for that as yet. Time to study those comments is too short, unless the EWG all quit their day jobs and go at it full time. In the meantime of course, we have Brazil, so that is not happening. The devil lies in the details, we need more time to look at comments on those details.

> - is there anything that the GNSO, and/or the GNSO Council, should be doing in Singapore to help move this along?

Given the long history of WHOIS debate, should there not be a big public discussion at some future face to face meeting? prior to the report going final?

> - are there any other questions people would like to raise about this comment?
>
> SAC061: SSAC Comment on ICANN’s Initial Report from the Expert Working Group on gTLD Directory Services
> http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf
>
> Recommendation 1: SSAC reiterates its recommendation from SAC055: The ICANN Board should explicitly defer any other activity (within ICANN’s remit) directed at finding a ‘solution’ to ‘the WHOIS problem’ until the registration data policy has been developed and accepted in the community. The EWG should clearly state its proposal for the purpose of registration data, and focus on policy issues over specific implementations.
>
> Recommendation 2: The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.

It is my view that the risk assessment should be a broad, multi-stakeholder impact assessment, with (of course) a full security assessment. The NPL report on privacy/proxy abuse does not show disproportionate risk from privacy/proxy services, and in my view pushing for greater accuracy and transparency will drive bad actors to identity theft. Most casual registrants (i.e. the general public who are non-expert) are not equipped to protect their data; responsibilisation of that community (i.e. pushing the burden of vigilance onto small business, small institutions and individuals) is neither responsible regulatory action nor good security.

> Recommendation 3: SSAC recommends that the EWG state more clearly its positions on the following questions of data availability:
>
> A. Why is a change to public access justified? This explanation should describe the potential impact upon ordinary Internet users and casual or occasional users of the directory service.

This is true, we need a full impact assessment and consultation to figure out the impact. It is presumptuous in the extreme for even ICANN alone, composed of certain stakeholders with vested interests, to attempt to speak for the global internet public. We have to find a way to determine what the impact on end users, scaled out for potential new uses and applications and users over a ten year frame, is going to be.

> B. Does the EWG believe that access to data currently accessible in generic Top Level Domain (gTLD) WHOIS output should become restricted? If so, what fields and to what extent exactly? Under the EWG proposal, queries from non-authenticated requestors would return only “public data available to anyone, for

Yes.

> C. Should all gTLD registries be required to provision their contact data into the Aggregated Registration Data Service (ARDS)? There may be jurisdictions that prohibit by law the export of personally identifiable information outside the jurisdiction. If so, the ARDS may not be a viable way to deliver data accuracy and compliance across all gTLDs.

Registrars and registries need to comply with data protection law. The ARDS should only get data that is not protected, until the ARDS can be proven to screen all accredited users (e.g. law enforcement authorities, IP enforcement actors, security professionals) for limited actions that comply with due process requirements in the jurisdiction of the registrants/registrars/registries where the data protection law applies (this will vary). Given the complexity and potential expense of sorting that one out, movement towards a single ARDS needs to be very slow and deliberate. Thought to data anonymization protocols and pseudonymous data analytics, as is done in health research protocols, could be fruitful.

> D. Does the EWG propose more types of sensitive registration data be provisioned into ARDS than are found in current gTLD WHOIS output?
>
> Recommendation 4: The SSAC suggests that the EWG address this recommendation from SAC058: “SSAC Report on Domain Name Registration Data Validation”3: As the ICANN community discusses validating contact information, the SSAC recommends that the following meta-questions regarding the costs and benefits of registration data validation should be answered:
>
> • What data elements need to be added or validated to comply with requirements or expectations of different stakeholders?
> • Is additional registration processing overhead and delay an acceptable cost for improving accuracy and quality of registration data?
> • Is higher cost an acceptable outcome for improving accuracy and quality?

It has to be. If not, might as well remain with status quo.

> • Would accuracy improve if the registration process were to provide natural persons with privacy protection upon completion of multi-factored validation?

Who is going to do the multi factor validation? What new risks/costs does this load on to the registrars, or the operators of an ARDS if the job falls to them? Why only natural persons, this is one of the jurisdictional headaches in that legal persons have a right in some places to privacy protection. Given that groups are often targets of hate crime (religious or ethnic groups, political dissidents, environmental activists, etc.) if one were to do a risk analysis of stakeholders one might find that the registrants at highest risk are groups, not individuals (e.g. reporters, in some jurisdictions). The fact is that individuals have legal rights to privacy right now, which may not be uniformly enforced in some jurisdictions.

I suspect this may be enough to kick off discussion, Mikey.

Kind regards,
Stephanie Perrin
_______________________________________________ Gnso-ssr mailing list Gnso-ssr@icann.org https://mm.icann.org/mailman/listinfo/gnso-ssr
Dear Mikey:

As Stephanie notes, the EWG plans to issue its final report at (before?) ICANN London in June. At that point the community will find out exactly what the EWG proposes, with hopefully a full explanation of why. Then the GNSO, the Board, and the community will need to decide whether the EWG's proposals are good ones or not. I assume that there will be a formal public comment period for the EWG's final report; the GNSO should confirm that in Singapore. I'm an expert on WHOIS, and I found the EWG's interim report to be so impenetrable that it resisted interim comment (sorry, Stephanie!).

When the EWG was formed, ICANN said "The working group's results will feed into the GNSO's bottom-up, policy development process where all community interests will be encouraged to participate in the decision-making." If I have any personal advice for the GNSO, it is not to accept any fait accomplis. The EWG is to propose policies, and I suggest that those proposals shouldn't be allowed to take on a life of their own and be considered done deals or the only alternatives. Part of the process should be a careful exploration of the implications and impacts of the proposed policies, and what alternative proposals may be proposed. The EWG is doing some due diligence, but it has to finish its work soon and the GNSO will need to assume responsibility for further diligence and studies.

Where are things with establishing a registration data policy? That is an interesting question. The EWG's initial report did not do a good job IMHO at proposing policies. Here's how SSAC061 put the problem; I think it is worth reiterating:

"The EWG, in parallel to proposing a new model for the purpose of registration data, discussed several 'system designs' for access to the data and proposed one model, calling for a centralized registration data repository. That approach poses a quandary: policies are expressions of goals and should articulate the problems the community designed them to solve. Until proposed registration data policies and their justifications are stated clearly, it is not possible to comment definitively on their security and stability consequences. And until the community accepts the policies, it is difficult to discuss whether proposed delivery options will satisfy the goals in a suitably secure and stable manner. Improving and ensuring security and stability require balancing risks, benefits, and costs. While it is understood that the EWG Initial Report is a first attempt by the EWG to address these issues, the SSAC does not believe adequate explanations of the perceived benefits, risks, or costs, or how they were balanced has been provided. The EWG Initial Report describes some proposed solutions but does not always discuss why those solutions are justified. Instead, the report focuses on a specific outcome: a specific system with many features. The EWG Initial Report did not state what alternatives it considered and rejected and did not indicate the EWG's methodology for developing its recommendations. Some of the items in the EWG's list of "Desired Features and Design Principles" (pages 20-27) may be seen within the community as new policies, and some are feature requests and implementation choices that may be only some of the possible ways to execute on the policies. If the ICANN community does not accept some of the proposed policies, the features and implementation choices will necessarily change. The SSAC believes a centralized meta-registry (e.g., the ARDS) is not the only solution to problems stated by the WHOIS Review Team, and it is unclear whether that specific solution will create net improvements when weighed against the risks."
http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf

I personally will read that EWG final report to see if the EWG proposes a coherent set of WHOIS policies and under what basis the EWG justifies them. Based on the EWG's November interim report and its response to the initial public comments, the EWG apparently believes that the centralized model (ARDS) is the way to go. I personally believe that that idea should receive robust debate and due diligence.

Among other things, SSAC recommended that a risk assessment be carried out. "The EWG agrees that risk/impact assessment should be conducted" (https://www.icann.org/en/groups/other/gtld-directory-services/summary-response-initial-12nov13-en.pdf), but AFAIK that risk assessment has not yet been planned because we first need to see what the EWG final report says. And then see above -- the scope of any risk assessments may be dependent on what the GNSO thinks. For example, if it is determined that the centralized ARDS idea is a non-starter for overriding policy or legal reasons, then why would anyone do a risk assessment of its implementation? In any case, I suggest the GNSO track and help direct the creation of risk assessments at the appropriate points.

In the meantime, ICANN has issued an RFI on behalf of the EWG: "to identify any organizations capable of accrediting users of the new [centralized] Registration Directory Service (RDS) now under consideration to replace the current WHOIS system....With this Request for Information, the EWG seeks to solicit responses from organizations that currently issue system access credentials to authorized members of their own community, using defined acceptance criteria...The purpose of this RFI is purely informational - that is, to inform the development of policies and procedures that may follow the EWG's Final Report. As a result, potential Respondents responding to any future RFP for the EWG Project will not be bound by the estimates, prices, or other information provided in response to this RFI."
https://www.icann.org/en/news/announcements/announcement-2-10feb14-en.htm

So that's an interesting thing.
All best,
--Greg
thanks Stephanie and Greg for kicking this thread off so well.

let me add another dimension to the discussion — i’m going to combine a couple of fuzzy terms to coin a new one and see if it sticks. “Policy Architecture”

i’m involved in several WG’s that touch (or depend on) Whois, or its replacement. the most interesting puzzler is the IRTP-C PDP, which introduced the notion of “inter REGISTRANT transfer” to the existing inter REGISTRAR transfer policy. IRTP-C is now in the implementation process and there are turning out to be a lot of dependencies in there.

one of the fundamental notions that IRTP-C introduced was the idea that registrars need to determine whether the transfer is just inter-registrar, or whether it’s also inter-registrant. the question is, how will registrars determine whether the registrant is changing or not? one answer, which works in thick Whois environments, is to go look at whois data at the registry and see if registrant data is changing. if it is, then it’s an inter-REGISTRANT transfer and new safeguards apply. if not, it’s just an inter-registrar transfer.

when we wrote that section of the report, we knew that it was hard to do that — but we were (correctly) counting on some things changing fairly soon. sure enough, the Thick Whois PDP has just been approved by the Board, which means that “go look at registry data” option will exist for all TLDs.

the puzzler for me is who looks after these meta-level dependencies? what if Thick Whois had gone the other way? what if the EWG process concludes that registrars can’t look at that data? who minds that “architectural” framework in the policy-making process?

mikey

PHONE: 651-647-6109, FAX: 866-280-2356, WEB: www.haven2.com, HANDLE: OConnorStP (ID for Twitter, Facebook, LinkedIn, etc.)
That does raise interesting questions. First one I have, is do all registrars get to look at all data, or do they only get to look at a particular transaction? I would hope the latter, because that would be compliant with data protection law, if they get to look at all data that would not, in my view, be compliant. It would have been easy to engineer a consent mechanism in there to get around this problem, which would be normal in other commercial transactions, and would also perform a security function.

The second question of course, remains begging in my view, with respect to the EWG work. How on earth are we going to accredit actors to look at the ARDS? Do all registrars get to look at all data all the time, if not how is it going to be policed? How many miscreant registrars are there out there? As always, pardon the naivete of my questions.

Stephanie
Sorry forgot to answer your key question....as you pointed out in Buenos Aires from the mike, some people are doing all the work in the working groups. Absent that connective tissue, I have not seen any other mechanism. There is a lot of material to cover....hard to catch everything, if you are just sitting around reading all the minutes and notices etc. Transparency is not enough....

cheers
Stephanie
The 2013 RAA says that when a domain is transferred between registrars, OR when a domain is transferred between registrants, "both Whois information and the corresponding customer account holder contact information related to such Registered Name" must be verified and validated. So it must happen with inter-registrar AND inter-registrant transfers.
http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm#whois-accuracy

Registrars who have signed the 2013 RAA sponsor most of the gTLD domains that exist.

The community must understand what the current policies are, see if proposed new policies are superior, what the implications of any new proposals are, etc. If the EWG final report doesn't lay out all of that, then the GNSO will have to make sure it's done, because it's tasked with making/approving the policies that come out of the EWG work. I suspect that there are dependencies that have not been documented and discussed yet. And I note that the "central repository" of WHOIS policies is not complete. http://whois.icann.org

All best,
--Greg
hi Greg,

you raise a couple of interesting questions.

1) in the case of a thin registry, how does the gaining registrar do that 2013 RAA verification and validation? it’s my understanding that job is easier if both registrars are under the 2013 RAA, because then they are both obligated to provide uniform Whois display. so a script could be written to pull that data from the losing registrar and that script could count on success. but what if the losing registrar isn’t a signatory to 2013 RAA yet? that looks like another in that pile of dependencies, no?

2) what about all the European registrars (like Michele) who <stirring up a hornet’s nest> haven’t signed the 2013 RAA yet because of the conflict with European privacy law? yet another dependency, i bet.

OK. what i’ve learned from this topic so far is;

- EWG still has substantial work to do, which certainly won’t be finished by Singapore — but maybe London
- we should wait to see how SAC061 advice is incorporated into that EWG report before trying to decide what the next step is for the GNSO
- so again, maybe London

fair summary? is there anything in SAC061 the GNSO should look at in Singapore?

mikey

On Feb 16, 2014, at 3:30 PM, Greg Aaron <greg@illumintel.com> wrote:
The 2013 RAA says that when a domain is transferred between registrars, OR when a domain is transferred between registrants, “both Whois information and the corresponding customer account holder contact information related to such Registered Name” must be verified and validated. So it must happen with inter-registrar AND inter-registrant transfers. http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13... Registrars who have signed the 2013 RAA sponsor most of the gTLD domains that exist.
The community must understand what the current policies are, see if proposed new policies are superior, what the implications of any new proposals are, etc. If the EWG final report doesn’t lay out all of that, then the GNSO will have to make sure it’s done, because it’s tasked with making/approving the policies that come out of the EWG work. I suspect that there are dependencies that have not been documented and discussed yet. And I note that the “central repository” of WHOIS policies is not complete. http://whois.icann.org
All best, --Greg
Dear Mikey:

Regarding #1: gTLD transfers have generally worked over the years because all registrars have provided contact data via WHOIS. There has been pain because the data was not always uniform in format, and not all registrars provide thick data via port 43, but generally the contact data was obtainable and life went on. IRTP helped and the 2013 RAA irons out format issues.

Regarding #2: See above; transfers will muddle on in the meantime.

I note that the Board asked that the EWG address key questions posed in SAC055. So when the EWG's final report comes out, it would be logical to compare it to both SAC055 and SAC061.

All best, --Greg

From: Mike O'Connor [mailto:mike@haven2.com]
Sent: Sunday, February 16, 2014 7:35 PM
To: Greg Aaron
Cc: Stephanie Perrin; GNSO SSR List
Subject: Re: [Gnso-ssr] discussion -- SAC061 -- SSAC Comment on ICANN's Initial Report from the Expert Working Group on gTLD Directory Services

hi Greg,

you raise a couple of interesting questions.

1) in the case of a thin registry, how does the gaining registrar do that 2013 RAA verification and validation? it's my understanding that job is easier if both registrars are under the 2013 RAA, because then they are both obligated to provide uniform Whois display. so a script could be written to pull that data from the losing registrar and that script could count on success. but what if the losing registrar isn't a signatory to 2013 RAA yet? that looks like another in that pile of dependencies, no?

2) what about all the European registrars (like Michele) who <stirring up a hornet's nest> haven't signed the 2013 RAA yet because of the conflict with European privacy law? yet another dependency, i bet.

OK. what i've learned from this topic so far is;

- EWG still has substantial work to do, which certainly won't be finished by Singapore - but maybe London
- we should wait to see how SAC061 advice is incorporated into that EWG report before trying to decide what the next step is for the GNSO
- so again, maybe London

fair summary? is there anything in SAC061 the GNSO should look at in Singapore?

mikey
participants (3)
- Greg Aaron
- Mike O'Connor
- Stephanie Perrin