I probably should have qualified this a
bit more for posting on the RC list. It is actually a response to some other
threads on the Whois Coordination list that was originally set up by Ross. But
I wanted to share our observations with the RC in general as well.
Tim
-----Original Message-----
From: owner-registrars@dnso.org
[mailto:owner-registrars@dnso.org] On Behalf
Of Tim Ruiz
Sent: Wednesday, June 11, 2003
6:19 AM
To: Registrars@dnso.org
Subject: [registrars] Some
observations
Web Based Whois Services - Public Access
We provide a web based whois, as required by our RAA. We have decided to make
it near live, although that is not required. The reason is that our customers
have indicated a need for it. For example, if they are applying for
a digital certificate and need to make changes that are immediately
visible to the certificate authority, they can make those changes and refer the
authority to our web whois, where those changes are visible almost immediately.
If a registrar should choose to make their web whois more flexible, search by
last name, geographic location, etc. they could certainly do so, and even
charge for that (like WhoBIZ for example) if they like. There is nothing
preventing that. It would be simpler to do with a web interface than it would
be with port 43.
Web based Whois services can also be made relatively secure from scripting/data
mining.
This is all the general public really needs to meet Mike's concern about
verifying the actual registrant, admin, etc. of a domain name. There is also
the potential to make it as flexible as desired without any new technology, and
could provide an opportunity for registrars to recover some of the cost of
providing this access.
Bulk Whois - Appearances Only
I don't agree with Mike that this is simply a matter of enforcement right now.
I do agree with Ross' response on that topic. Also, it has already been
made clear that the major registrars have a huge number of opt-outs and any
bulk Whois they would provide might be half the data at best.
In addition, proxy services are going to continue to grow. Domains By Proxy is
offered by Go Daddy and Wild West Domains, ProtectFly is offered by Registerfly
(a large eNom reseller), and I don't think that will be the end of it. So the
half of the data that a bulk whois licensee does receive is likely to have a
significant number of proxied domains.
Bottom line, bulk whois is not going to get anyone what they really think they
need from it.
IF the bulk whois requirement continues to exist then:
1) It should be available only to appropriate parties (Law Enforcement,
Registrars, verifiable IP interests, certificate authorities, etc.) with
appropriate non-disclosure requirements based on their intended use of the
data.
2) It should not be used for marketing purposes of ANY kind.
3) It should not be allowed to be incorporated into any value added products or
services that are directly accessible to anyone other than the licensee.
4) Registrars should be allowed to charge an appropriate fee based on number of
records provided and perhaps even on intended use. If someone is going to make
money, even indirectly, on customers we spent huge dollars to acquire, we
should get something out of it. What's your current CPA? And to expect a
registrar with millions of records to provide that data on a weekly basis for
the same annual fee that a registrar with a few thousand is ridiculous. The
$10,000 annual fee ($192.31 a week) should be just the baseline, and go up from
there.
5) Registrars should be allowed latitude in the models they develop to provide
bulk access.
6) Registrars should not be required to provide any whois data, directly or
indirectly, that they are not considered authoritative for.
Port 43 - A Data Miner's Dream
Anyone who would argue that port 43 is not a significant source for data mining
must have a hidden agenda. Any registrar who monitors their port 43 knows
better. We can identify most of the registrars who access our port 43. We know
the level of transfers that go to these registrars. After filtering out those
queries, how do we account for the other 80,000,000 or more queries we get?
1. Improper data mining. I don't think I have heard any registrar claim that
data mining port 43 is THEE primary source of Spam. What we do know is that it
IS a significant source. And in the context of what we are dealing with here,
that problem should not be ignored. Why would we ignore it simply because it is
not the primary source of Spam. We have an opportunity to make a dent in
reducing Spam. Why wouldn't we want to do something about it?
And spam isn't the only mis-use of this data. It is also used to acquire bulk
access without paying the fee. At least two major law suits over the last few
years have been about just that. Sending unsolicited postal mail from
improperly acquired bulk data may not be considered Spam, but our customers
didn't view it as anything less when it happened to them.
2. Cross registrar public Whois services. We don't mind allowing access for
other Registrars who provide a public service of this type. It provides a
valuable service to our industry and helps to facilitate portability. If a
registrant can view their current whois data before a transfer request it can
help to alleviate problems later when things don't match up. Most registrars
who provide this type of service also protect their service from potential
scripting and data mining.
What we don't like is providing access to anyone who decides to throw up a
cross registrar whois service and then sells advertising there, charges for the
privilege, etc. When a third party makes a profit out of accessing this data
through an infrastructure we have to provide and support, we would at
least like our cut. Registrars should not be expected to continue to
provide all of these services on their own nickel.
Port 43 needs to change. I don't care what port it becomes, or if we
manage this one differently. I like the capabilities that CRISP has
to offer, and a lot of other suggestions I have heard from this group on this
subject. But I'm not as concerned with the technical how-to as I am with the
policy. It's the policy that HAS to change. High speed automated access to this
data needs to be restricted.
Question: There is no SLA portion to the port 43 requirement in our RAA. Has
anyone given any thought to providing a minimum level of service to meet the
RAA requirement, and another one that is fee based? I don't see anything
preventing that.
Assumptions
Registrars are going to be required to continue providing some form of public
ally accessible whois service.
There are parties who have a legitimate need to access this data in more than a
one-off fashion.
Some of the suggestions above will help to minimize improper access to this
data. It does not really address the issue of privacy. Should this data be
public ally accessible at all? That is another debate.
Tim