proposal to waive publication of whois data

KathrynKL at AOL.COM KathrynKL at AOL.COM
Fri Dec 8 03:49:21 CET 2006


 
All, I support what Robin, Avri and Wendy have written. It adheres to
the purpose of Whois approved by the GNSO Council and it moves things in
the right direction.
 
The fact is that neither phone numbers nor email addresses have any
mandatory publication -- not for companies or individuals or the range
of noncommercial and hobby interests in between. If we did have
mandatory publication requirements for phone numbers and email
addresses, then I am certain you would find business and IP creating a
range of uses and arguing that they are all crucial to their profit --
as they do today with Whois. The fact is that with unlisted and
partially listed phone numbers, email and chatroom identities, business
and IP must make do with subpoenas and due process (and they seem to
survive and still have a profit).
 
Danny, I don't have a problem with subpoenas and due process. Years ago,
the US government wanted AT&T, then the monopoly telephone provider in
the US, to provide unlimited access to wiretap calls in the US. The
General Counsel (a former trial attorney at Nuremberg) said No. He said
that the telephone system would only thrive if people and businesses
believed their privacy would be protected and he negotiated the US
wiretap laws that set a standard and model for privacy in the
communication system.
 
We don't have that balance of privacy and process in the Whois system
and we badly need I see no reason for Whois to be different. Law
enforcement needs to get thousands of subpoenas for unlisted numbers, to
wiretap calls and to direct ISPs to hand over the identities behind
email and chat room names. It is the way we protect human rights
organizations, individuals, political and community organizations (even
unpopular ones) and even businesses (who often suffer from unfair
competition practices). That's the balance and the protection of
privacy.
 
I think this proposal gets it right, and I think it is consistent with
the decision made by the entire convened NCUC meeting in Marrakech -- a
group with even more policy authority than the policy committee. We
spent a lot of time on this issue and we agreed that due process and
subpoenas should be the position of the NCUC. This proposal should, of
course, be presented for discussion, as it is here. But to me it adheres
to the principles this constituency has supported with a huge amount of
blood, sweat and tears for close to half a decade.
 
Best, Kathy

Today, Avri Doria of NomCom, Wendy Seltzer of ALAC, and myself have made
a proposal to no longer publish whois data on the net. The "Stability
and Security proposal" is attached and below. Ross Rader of the
Registrars also supports this proposal. It should cause a stir.....

Since Biz & IPR continue to make proposals to frustrate privacy and the
security of Internet users, we thought we'd make a proposal of our own.

Robin

====================

RETHINKING THE ROLE OF ICANN AND THE GTLD WHOIS TO ENHANCE THE SECURITY
AND STABILITY OF THE DNS


A PROPOSAL FOR THE GNSO TASK FORCE ON WHOIS SERVICES

PREPARED DECEMBER, 2006

BACKGROUND

I) The purpose of Whois

It is widely accepted that the primary original use of the gTLD Whois
service is to use it for the purpose of coordinating technical actors as
they seek to resolve operational issues related to the security and
stability of the DNS and a well-functioning internet.

Present day examples of this are many;

● Network operators and service providers use Whois data to prevent or
detect sources of security attacks of their networks and servers;
● Emergency response and network abuse teams use Whois data to identify
sources of spam and denial of service attacks and incidents;
● Commercial internet providers use Whois data to support technical
operations of ISPs and network administrators;
● ISPs and Web hosting companies use Whois data to identify when a
domain name has been deleted, and remove redundant DNS information from
ISP name servers

The importance of this original purpose was reaffirmed in the GNSO
council's recommended definition on the purpose of Whois:

"The purpose of the gTLD Whois service is to provide information
sufficient to contact a responsible party for a particular gTLD domain
name who can resolve, or reliably pass on data to a party who can
resolve, issues related to the configuration of the records associated
with the domain name within a DNS name server."

The scope of use has increased considerably beyond this over time, a
subject that has already been substantially considered by the GNSO Whois
Task Force and Council. The scope of use of the internet has also
changed over time, as have the management tools used to administer these
uses.

In each of these examples, the truly useful information is not the
contact information for the domain name registrant in question, it is
the name server information for the name in question. Unfortunately,
neither is reliable or truly useful in any real way because
authoritative information about DNS resources doesn’t live in a gTLD
database, it lives inside the DNS itself.

The validity of the data in a gTLD Whois database has no impact on the
operational integrity of the DNS.

Due to this disconnect between these two systems, network systems
managers rarely rely on gTLD Whois service when they seek to investigate
or resolve serious network operations and technical coordination issues.
An entirely different set of tools and resources that relies on
authoritative data have evolved that support the requirements of these
types of users. For example, a network administrator might use “dig” or
“nslookup” to determine the source of a DNS problem or the network
location of a mail server being abused to send spam email. All of these
tools are publicly available at no charge, internet standards based, and
in widespread use.

Furthermore, from a network management perspective, not only is the data
in the DNS more authoritative (and therefore useful), it is also more
comprehensive. A typical DNS record can include information about the
network location of any and all web servers, email servers and other
resources associated with a specific domain name – at all sub-levels
associated with the specific DNS entry (i.e., the second, third and
fourth levels of the domain hostname). The gTLD whois service contains
none of this important information.

When DNS data is used in conjunction with the IP Address Whois data
sourced from providers like ARIN or RIPE, a network administrator is
able to form a fully authoritative view of not only the services
associated with a specific domain name, but also the identity of the
entity that physically hosts those resources and how to contact that
entity. All of this data exists outside the gTLD Whois system.

II) ICANN’s Role

The scope and authority of ICANN’s policy-making responsibilities is
limited by its bylaws;

The mission of The Internet Corporation for Assigned Names and Numbers
("ICANN") is to coordinate, at the overall level, the global Internet's
systems of unique identifiers, and in particular to ensure the stable
and secure operation of the Internet's unique identifier systems. In
particular, ICANN:

1. Coordinates the allocation and assignment of the three sets of unique
identifiers for the Internet, which are:

a. Domain names (forming a system referred to as "DNS");

b. Internet protocol ("IP") addresses and autonomous system ("AS")
numbers; and

c. Protocol port and parameter numbers.

2. Coordinates the operation and evolution of the DNS root name server
system.

3. Coordinates policy development reasonably and appropriately related
to these technical functions.

ICANN’s role is primarily that of a technical coordinator and developer
of policy to support that coordination.

III) ICANN’s Scope

There are many other uses of gTLD Whois - most or all of which have been
documented by the GNSO Whois Task Force. Creating policy to manage,
influence, prevent or encourage most of this use is out of scope for
ICANN.

IV) Technical coordination in the real world

Most technical coordination of DNS administration, abuse and network
management issues occurs without ICANN’s involvement. Private sector
coordination is more likely through CERT, NANOG, Reg-OPS and other
forums, than those operated by ICANN. These initiatives are often ad hoc
and key players do often not understand the importance and value of
participation. This is an area where small improvements in the overall
level of cooperation between the various initiatives would lead to
substantial improvement in the overall security of the internet and DNS
infrastructure.


POLICY IMPLICATIONS

Given that the original beneficiaries of the gTLD Whois service have
developed superior alternate methods of coordinating their activities,
and that the remaining uses of this service are out of scope relative to
ICANN’s scope and mission, and that the abuse of this data has caused a
significant barrier to the security of millions of Internet users, we
propose the following;

1) that ICANN waive all Whois publication requirements for gTLD
registries and registrars;
a. If the Whois publication requirements cannot be waived for the
registries and registrar, then registrars should be limited to only
publishing contact information for the person or entity responsible for
managing the authoritative DNS server;

2) that ICANN immediately undertake to create a study of where it might
best contribute to coordinating the network management activities of
registration interests, network operators and service providers and law
enforcement agencies. This should be done with the goal of ensuring that
emergency response and technical abuse prevention is well coordinated
and the overall interests of internet users are appropriately protected
by a secure and functional domain name system.

3) That ICANN undertake to develop a statement of best practices that
registration interests should apply when working with law enforcement
interests, network operators and other legitimate parties concerned with
public safety, legislative enforcement, network management and abuse,
and the protection of critical information technology infrastructure.


 