RE: [registrars] Some observations
An easy way to limit the port 43 access
would be to get with Verisign GRS or whatever their name is this week and have
them provide a list of registrars and their subnets that have access to the
registry. Whenever a new registrar is added or subnets are changed,
Verisign could send an email to all registrars that one of the subnets has
been changed and the access to the WHOIS servers could be updated accordingly.
The only problem with going this route is
that you have some registrars that have given access to their batch pool to
outside companies that would now have access to port 43 access for all
registrars. But I am sure those registrars would be more than happy to
tell us who they have sold their batch pool access to. :)
I will come up with more details to send
in the next day or so on my research. I’ll even check if we have
stats on the different IP addresses that have accessed the domain via port 43
or via our web based whois.
Donny
From: Tim Ruiz [mailto:tim@godaddy.com]
Sent: Wednesday, June 11, 2003 8:34 AM
To: 'Elana Broitman'; 'Donny Simonton'; Registrars@dnso.org
I’ll put something together. A
tiered access approach is a good idea, as long as the ultimate policy that
provides for it includes the ability to recoup the ongoing costs of enabling
it.
Tim
-----Original Message-----
From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org] On Behalf Of Elana Broitman
Sent: Wednesday, June 11, 2003 7:01 AM
To: Donny Simonton; Tim Ruiz; Registrars@dnso.org
Subject: RE: [registrars] Some observations
Donny and Tim - for
purposes of the Montreal workshop (and possibly later for the GNSO Council task
force), your research would be really instructive. So, I'm wondering if
you can send anything written about the test domain that Intercosmos did, and
the legal articles that Tim came across.
Also, Tim, do you have
suggestions for short-mid term solutions for port43 limiting? Proxy
domains are only a short term solution or provide a good service for a section
of the market. I've outlined a tiered access approach. Anything
else would be helpful.
No matter who presents in
Montreal, if we all gather our data, it will provide a more comprehensive
picture of what registrars face.
-----Original Message-----
From: Donny Simonton [mailto:donny@intercosmos.com]
Sent: Wednesday, June 11, 2003 8:43 AM
To: 'Tim Ruiz'; Registrars@dnso.org
Subject: RE: [registrars] Some observations
Tim,
I completely agree with
you that port 43 whois access is one of the main reasons the spam problem is as
bad as it is today. For example, about 6 months ago, I set up a test domain
with a specific email address that was never used anywhere else. I have
tracked every email that I have received and I have received 239 emails in
those 6 months. I have received emails from all types of services
including one domain name registrar. So in my opinion public access to port 43
should go away! It’s become one of the largest public sources of
spam without us even realizing it.
The bulk whois access was
always a waste IMHO. $10,000 for a few hundred thousand contacts.
Could you imagine Microsoft selling a list of all of their customers for
$10,000? There would be a senate hearing about it or something similar.
Donny
From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org] On Behalf Of Tim Ruiz
Sent: Wednesday, June 11, 2003 7:19 AM
To: Registrars@dnso.org
Web Based Whois Services - Public Access
We provide a web based whois, as required by our RAA. We have decided to make
it near live, although that is not required. The reason is that our customers
have indicated a need for it. For example, if they are applying for
a digital certificate and need to make changes that are immediately
visible to the certificate authority, they can make those changes and refer the
authority to our web whois, where those changes are visible almost immediately.
If a registrar should choose to make their web whois more flexible, search by
last name, geographic location, etc. they could certainly do so, and even
charge for that (like WhoBIZ for example) if they like. There is nothing
preventing that. It would be simpler to do with a web interface than it would
be with port 43.
Web based Whois services can also be made relatively secure from scripting/data
mining.
This is all the general public really needs to meet Mike's concern about
verifying the actual registrant, admin, etc. of a domain name. There is also
the potential to make it as flexible as desired without any new technology, and
could provide an opportunity for registrars to recover some of the cost of
providing this access.
Bulk Whois - Appearances Only
I don't agree with Mike that this is simply a matter of enforcement right now.
I do agree with Ross' response on that topic. Also, it has already been
made clear that the major registrars have a huge number of opt-outs and any
bulk Whois they would provide might be half the data at best.
In addition, proxy services are going to continue to grow. Domains By Proxy is
offered by Go Daddy and Wild West Domains, ProtectFly is offered by Registerfly
(a large eNom reseller), and I don't think that will be the end of it. So the
half of the data that a bulk whois licensee does receive is likely to have a
significant number of proxied domains.
Bottom line, bulk whois is not going to get anyone what they really think they
need from it.
IF the bulk whois requirement continues to exist then:
1) It should be available only to appropriate parties (Law Enforcement,
Registrars, verifiable IP interests, certificate authorities, etc.) with
appropriate non-disclosure requirements based on their intended use of the
data.
2) It should not be used for marketing purposes of ANY kind.
3) It should not be allowed to be incorporated into any value added products or
services that are directly accessible to anyone other than the licensee.
4) Registrars should be allowed to charge an appropriate fee based on number of
records provided and perhaps even on intended use. If someone is going to make
money, even indirectly, on customers we spent huge dollars to acquire, we
should get something out of it. What's your current CPA? And to expect a
registrar with millions of records to provide that data on a weekly basis for
the same annual fee that a registrar with a few thousand is ridiculous. The
$10,000 annual fee ($192.31 a week) should be just the baseline, and go up from
there.
5) Registrars should be allowed latitude in the models they develop to provide
bulk access.
6) Registrars should not be required to provide any whois data, directly or
indirectly, that they are not considered authoritative for.
Port 43 - A Data Miner's Dream
Anyone who would argue that port 43 is not a significant source for data mining
must have a hidden agenda. Any registrar who monitors their port 43 knows
better. We can identify most of the registrars who access our port 43. We know
the level of transfers that go to these registrars. After filtering out those
queries, how do we account for the other 80,000,000 or more queries we get?
1. Improper data mining. I don't think I have heard any registrar claim that
data mining port 43 is THE primary source of Spam. What we do know is that it
IS a significant source. And in the context of what we are dealing with here, that
problem should not be ignored. Why would we ignore it simply because it is not
the primary source of Spam? We have an opportunity to make a dent in reducing
Spam. Why wouldn't we want to do something about it?
And spam isn't the only misuse of this data. It is also used to acquire bulk
access without paying the fee. At least two major lawsuits over the last few
years have been about just that. Sending unsolicited postal mail from
improperly acquired bulk data may not be considered Spam, but our customers
didn't view it as anything less when it happened to them.
2. Cross registrar public Whois services. We don't mind allowing access for
other Registrars who provide a public service of this type. It provides a
valuable service to our industry and helps to facilitate portability. If a
registrant can view their current whois data before a transfer request it can
help to alleviate problems later when things don't match up. Most registrars
who provide this type of service also protect their service from potential
scripting and data mining.
What we don't like is providing access to anyone who decides to throw up a
cross registrar whois service and then sells advertising there, charges for the
privilege, etc. When a third party makes a profit out of accessing this data
through an infrastructure we have to provide and support, we would at
least like our cut. Registrars should not be expected to continue to
provide all of these services on their own nickel.
Port 43 needs to change. I don't care what port it becomes, or if we
manage this one differently. I like the capabilities that CRISP has
to offer, and a lot of other suggestions I have heard from this group on this
subject. But I'm not as concerned with the technical how-to as I am with the policy.
It's the policy that HAS to change. High speed automated access to this data
needs to be restricted.
Question: There is no SLA portion to the port 43 requirement in our RAA. Has
anyone given any thought to providing a minimum level of service to meet the
RAA requirement, and another one that is fee based? I don't see anything
preventing that.
Assumptions
Registrars are going to be required to continue providing some form of publicly
accessible whois service.
There are parties who have a legitimate need to access this data in more than a
one-off fashion.
Some of the suggestions above will help to minimize improper access to this
data. It does not really address the issue of privacy. Should this data be
publicly accessible at all? That is another debate.
Tim
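
The registrar subnet list proposed at the top of the thread, combined with the filtering of known registrar sources from port 43 query logs described in the original message, sketched as an added example (not code from any participant in the thread). The subnet list, the log format and all names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: registry-supplied registrar subnets (documentation ranges).
REGISTRAR_SUBNETS = {
    "registrar-a": ["192.0.2.0/26", "2001:db8:a::/48"],
    "registrar-b": ["198.51.100.0/24"],
}

# Constructed port 43 query log, one "<source-ip> <queried-domain>" per line.
SAMPLE_LOG = """\
192.0.2.10 example.com
192.0.2.70 example.net
198.51.100.5 example.org
203.0.113.9 example.com
203.0.113.9 example.net
2001:db8:a::1 example.org
not-an-ip example.com
"""

def build_allowlist(subnets):
    """Parse CIDR strings strictly (host bits set raises ValueError)."""
    return [(ipaddress.ip_network(cidr), name)
            for name, cidrs in subnets.items() for cidr in cidrs]

def classify(source, allowlist):
    """Return the registrar name for an allowlisted source, else None."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return None  # a malformed source is never treated as a registrar
    for net, name in allowlist:
        if addr in net:  # False when IP versions differ
            return name
    return None

def tally(log_text, allowlist):
    """Count queries per registrar and per non-allowlisted source."""
    allowed, other = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        name = classify(parts[0], allowlist)
        if name:
            allowed[name] += 1
        else:
            other[parts[0]] += 1
    return allowed, other
```

A source-address match only identifies the subnet, so queries from a third party using a registrar's batch pool are counted under that registrar, which is the limitation raised at the top of the thread.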