<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [nc-impwhois] Melbourne IT WHOIS implementation comments
Bruce,
ACCURACY
I agree with your suggestions regarding 1 and 2. And excellent suggestion
regarding 3.
I would also suggest that further definition of a valid "complaint about
WHOIS accuracy" is needed. I'm concerned about frivolous submission of
complaints that could quickly overwhelm a registrar's current resources to
deal with them in a timely manner. Some complaints we receive are simply
based on the fact that the complainant received no response to their
attempts to email someone.
For example, someone could submit a complaint about the accuracy of the
WHOIS data of Microsoft.com. If the sponsoring registrar's employees
dealing with these complaints use the email method, then if someone at
Microsoft does not respond within 15 days the domain could potentially be
put on hold. I cringe at the thought of the potential litigation that would
ensue as a result.
That is an extreme example, but very possible. Large organizations with
floods of communication to deal with on a daily basis may not be
immediately responsive to emails or postal communications. Large registrars
who face floods of WHOIS accuracy complaints will certainly handle it
through a production line like process and may not always catch potentially
high profile complaints.
I suggest that any complaint about WHOIS accuracy be accompanied by
documentary proof of the inaccuracy, such as from one of the accredited
authentication agencies. If a complaint is received without documentary
proof, then the process in 3 would be optional.
Tim
-------- Original Message --------
Subject: [nc-impwhois] Melbourne IT WHOIS implementation comments
From: "Bruce Tonkin" <Bruce.Tonkin@melbourneit.com.au>
Date: Thu, January 16, 2003 1:15 am
To: <nc-impwhois@dnso.org>
Hello All,
Here are some Melbourne IT comments on implementation of the WHOIS
recommendations.
ACCURACY
(1) Transfers Task Force Recommendation (WHOIS update at renewal)
"Registrars must require Registrants to review and validate all WHOIS
data upon renewal of a registration. (effectively an extension of RAA
clause 3.7.7.1 above) The specifics of required validation remain to
be determined by this Task Force or another appropriate body."
This is implementable IF:
- the registrar presents the WHOIS data to the registrant at time of
renewal (via website, fax, or postal message) = REVIEW - the
registrant is required to confirm that the data is still current, or
update the information, and warrant that the information is still
correct = VALIDATE
It is not feasible for the Registrar to validate the data (e.g make
phone calls to registrant, ring post office to confirm address exists
etc). A registrar may optionally use various heuristic techniques to
do some data validation (e.g check that a USA city existing within a
particular USA state) - but such techniques are not applicable
uniformly across the globe. In general it is in the registrars best
interests to get accurate data as it increases the chance of a
successful renewal - so there are commercial incentives here for
clever registrars.
I suggest rewording to:
"Upon renewal of a domain name, a registrar must present to the
Registrant the current WHOIS information, and remind the registrant
that provision of false WHOIS information can be grounds for
cancellation of their domain name registration. Registrants must
review their WHOIS data, make any corrections, and warrant that the
data is correct to the Registrar."
(2) Transfers Task Force recommendation (Redemption Grace Period
issue) "When registrations are deleted on the basis of submission of
false contact data or non-response to registrar inquiries, the
redemption grace period -- once implemented -- should be applied.
However, the redeemed domain name should not be included in the zone
file until accurate and verified contact information is available. The
details of this procedure are under investigation in the Names
Council's deletes task force."
The principle is OK.
The wording of "accurate and verified" needs to be updated in the
context of the recommendation that relates to correction of data
following a complaint. See below:
(3) Transfers Task Force recommendation (Data correction following a
complaint) "When registrars send inquiries to registrants regarding
the accuracy of data under clause 3.7.8 of the RRA, they should
require not only that registrants respond to inquiries within 15 days
but that the response be accompanied by documentary proof of the
accuracy of the "corrected" data submitted, and that a response
lacking such documentation may be treated as a failure to respond."
This recommendation is not implementable in its current form.
Implementation of this will depend on the business model of the
individual registrar and the level of service/price paid for the
domain name. For example a registrar that charges $6 for a domain
name, would likely only send an email message to the registrant to
update the information. A registrar that charges $1000 for a domain
name to a large corporate client would likely use every means possible
to contact the registrant (phone call, send letter, send a staff
member to visit in person etc).
The 15 day period also relates to the implementation. It should be
extended to 30 days if the registrar chooses to use postal mail to
communicate with the registrant.
In terms of requiring documentary proof - other than just storing the
documentary proof - registrars are not authentication agencies (they
collect information and store it in a registry) - they do not have
skilled staff capable of detecting whether a document is real or a
forgery, nor could they be expected to have staff with knowledge of
all types of documents across all countries.
The recommendation needs to identify a cost effective minimum
implementation.
There are two components:
- contact of the registrant
- correction of information
Contacting the registrant is a common problem for registrars at the
time of renewal, and various methods are used. Most registrars use a
final step of placing the name in REGISTRAR HOLD status (the name is
locked and removed from the zonefile).
I will suggest the minimum implementation:
IN RESPONSE TO A COMPLAINT ABOUT WHOIS DATA
First phase:
CONTACT phase
- registrar sends an email to all contact points available in the
WHOIS (e.g registrant, admin, technical and billing) to request the
information be corrected - if no response is received after 15 days
the name should be placed in REGISTRAR-HOLD status (or equivalent) -
the registrar can continue to try to contact the registrant using
various other means, but normally the registrant of an active name
will contact the registrar themselves - the name would remain in
REGISTRAR-HOLD status until the contact information is updated, or the
name is deleted from the registry for lack of renewal - this protects
the registrant from any attempts at domain name hijacking, and also
protects the community from any unsatisfactory practices resulting
from the use of the domainname for a website or email
CORRECTION phase
- registrar must present to the Registrant the current WHOIS
information, and remind the registrant that provision of false WHOIS
information can be grounds for cancellation of their domain name
registration. Registrants must review their WHOIS data, make any
corrections, and warrant that the data is correct to the Registrar. -
if within 60 days of updating the information, an independent
authenticating party provides confirmation (a list of accredited
authenticating parties to be defined, and a mechanism for them to
securely communicate with registrars electronically) that the contact
information is still incorrect - then the name will be placed on
REGISTRAR-HOLD (or equivalent) until that authenticating party
certifies that the information is correct. The cost of the
authenticating party would be borne by the complainant. This clearly
separates the registrar role of data collection and not
authentication. - ICANN will need to accredit authentication parties
in the same way that UDRP providers are accredited. - The data
accuracy complainant will need to pay the costs of the authenticating
party verifying that the contact information is incorrect. - The
Registrant will need to pay the costs of an authenticating party to
verify the corrected information. Could be a different authenticating
party to the one used by the data accuracy complainant. - a Registrar
will be entitled to charge for the costs of updating WHOIS information
via an accredited authentication agency (as their is likely to be
manual processes involved).
Thus I suggest the following rewording of this recommendation:
"(a) Upon receiving a complaint about WHOIS accuracy, a registrar must
at a minimum send an email to all contact points available in the
WHOIS (including registrant, admin, technical and billing) requesting
the WHOIS contact information be updated. If no response is received
after 15 days a Registrar must place a name in REGISTRAR-HOLD (or
equivalent) status, until the registrant has updated the WHOIS
information. If a registrar uses postal means to communicate with
the registrant, then the 15 days is extended to 30 days before the
name is placed in REGISTRAR-HOLD status.
(b) Once contact is established, the registrar must present to the
Registrant the current WHOIS information, and remind the registrant
that provision of false WHOIS information can be grounds for
cancellation of their domain name registration. Registrants must
review their WHOIS data, make any corrections, and warrant that the
data is correct to the Registrar.
(c) If within 60 days of the contact information being updated, an
accredited authentication agency informs the Registrar that the data
is incorrect, then the name will be placed in REGISTRAR-HOLD status
until the registrant provides contact information that has been
verified by an accredited authentication agency.
BULK ACCESS
Melbourne IT supports the recommendation. Some further clarification
of the definition of "marketing activities" would be useful.
Regards,
Bruce Tonkin
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|