We need to differentiate between personal data and corporate data.....
The idea is good, the way is not good!

Erick

At 03:11 p.m. 07/12/2006, Carlos Afonso wrote:
>Good initiative, Robin!
>
>--c.a.
>
>Robin Gross wrote:
>>Hi there,
>>Today, Avri Doria of NomCom, Wendy Seltzer of ALAC, and myself have made
>>a proposal to no longer publish whois data on the net. The "Stability and
>>Security proposal" is attached and below. Ross Rader of the Registrars
>>also supports this proposal. It should cause a stir.....
>>Since Biz & IPR continue to make proposals to frustrate privacy and the
>>security of Internet users, we thought we'd make a proposal of our own.
>>Robin
>>====================
>>RETHINKING THE ROLE OF ICANN AND THE GTLD WHOIS
>>TO ENHANCE THE SECURITY AND STABILITY OF THE DNS
>>
>>A PROPOSAL FOR THE GNSO TASK FORCE ON WHOIS SERVICES
>>PREPARED DECEMBER, 2006
>>
>>BACKGROUND
>>
>>I) The purpose of Whois
>>
>>It is widely accepted that the primary original use of the gTLD Whois
>>service is to use it for the purpose of coordinating technical actors as
>>they seek to resolve operational issues related to the security and
>>stability of the DNS and a well-functioning internet.
>>Present day examples of this are many;
>>● Network operators and service providers use Whois data to prevent or
>>  detect sources of security attacks of their networks and servers;
>>● Emergency response and network abuse teams use Whois data to identify
>>  sources of spam and denial of service attacks and incidents;
>>● Commercial internet providers use Whois data to support technical
>>  operations of ISPs and network administrators;
>>● ISPs and Web hosting companies use Whois data to identify when a domain
>>  name has been deleted, and remove redundant DNS information from ISP
>>  name servers
>>
>>The importance of this original purpose was reaffirmed in the GNSO
>>council's recommended definition on the purpose of Whois:
>>
>>"The purpose of the gTLD Whois service is to provide information
>>sufficient to contact a responsible party for a particular gTLD domain
>>name who can resolve, or reliably pass on data to a party who can resolve,
>>issues related to the configuration of the records associated with the
>>domain name within a DNS name server."
>>
>>The scope of use has increased considerably beyond this over time, a
>>subject that has already been substantially considered by the GNSO Whois
>>Task Force and Council. The scope of use of the internet has also changed
>>over time, as have the management tools used to administer these uses.
>>
>>In each of these examples, the truly useful information is not the contact
>>information for the domain name registrant in question, it is the name
>>server information for the name in question. Unfortunately, neither is
>>reliable or truly useful in any real way because authoritative information
>>about DNS resources doesn't live in a gTLD database, it lives inside the
>>DNS itself.
>>
>>The validity of the data in a gTLD Whois database has no impact on the
>>operational integrity of the DNS.
>>Due to this disconnect between these two systems, network systems managers
>>rarely rely on gTLD Whois service when they seek to investigate or resolve
>>serious network operations and technical coordination issues. An entirely
>>different set of tools and resources that relies on authoritative data
>>have evolved that support the requirements of these types of users. For
>>example, a network administrator might use "dig" or "nslookup" to
>>determine the source of a DNS problem or the network location of a mail
>>server being abused to send spam email. All of these tools are publicly
>>available at no charge, internet standards based, and in widespread use.
>>
>>Furthermore, from a network management perspective, not only is the data
>>in the DNS more authoritative (and therefore useful), it is also more
>>comprehensive. A typical DNS record can include information about the
>>network location of any and all web servers, email servers and other
>>resources associated with a specific domain name at all sub-levels
>>associated with the specific DNS entry (i.e., the second, third and fourth
>>levels of the domain hostname). The gTLD whois service contains none of
>>this important information.
>>
>>When DNS data is used in conjunction with the IP Address Whois data
>>sourced from providers like ARIN or RIPE, a network administrator is able
>>to form a fully authoritative view of not only the services associated
>>with a specific domain name, but also the identity of the entity that
>>physically hosts those resources and how to contact that entity. All of
>>this data exists outside the gTLD Whois system.
>>
>>II) ICANN's Role
>>
>>The scope and authority of ICANN's policy-making responsibilities is
>>limited by its bylaws;
>>
>>The mission of The Internet Corporation for Assigned Names and Numbers
>>("ICANN") is to coordinate, at the overall level, the global Internet's
>>systems of unique identifiers, and in particular to ensure the stable and
>>secure operation of the Internet's unique identifier systems. In
>>particular, ICANN:
>>1. Coordinates the allocation and assignment of the three sets of unique
>>   identifiers for the Internet, which are:
>>   a. Domain names (forming a system referred to as "DNS");
>>   b. Internet protocol ("IP") addresses and autonomous system ("AS")
>>      numbers; and
>>   c. Protocol port and parameter numbers.
>>2. Coordinates the operation and evolution of the DNS root name server
>>   system.
>>3. Coordinates policy development reasonably and appropriately related to
>>   these technical functions.
>>
>>ICANN's role is primarily that of a technical coordinator and developer of
>>policy to support that coordination.
>>
>>III) ICANN's Scope
>>
>>There are many other uses of gTLD Whois - most or all of which have been
>>documented by the GNSO Whois Task Force. Creating policy to manage,
>>influence, prevent or encourage most of this use is out of scope for
>>ICANN.
>>
>>IV) Technical coordination in the real world
>>
>>Most technical coordination of DNS administration, abuse and network
>>management issues occurs without ICANN's involvement. Private sector
>>coordination is more likely through CERT, NANOG, Reg-OPS and other forums,
>>than those operated by ICANN. These initiatives are often ad hoc and key
>>players often do not understand the importance and value of participation.
>>This is an area where small improvements in the overall level of
>>cooperation between the various initiatives would lead to substantial
>>improvement in the overall security of the internet and DNS
>>infrastructure.
>>
>>POLICY IMPLICATIONS
>>
>>Given that the original beneficiaries of the gTLD Whois service have
>>developed superior alternate methods of coordinating their activities, and
>>that the remaining uses of this service are out of scope relative to
>>ICANN's scope and mission, and that the abuse of this data has caused a
>>significant barrier to the security of millions of Internet users, we
>>propose the following;
>>
>>1) that ICANN waive all Whois publication requirements for gTLD registries
>>   and registrars;
>>   a. If the Whois publication requirements cannot be waived for the
>>      registries and registrar, then registrars should be limited to only
>>      publishing contact information for the person or entity responsible
>>      for managing the authoritative DNS server;
>>2) that ICANN immediately undertake to create a study of where it might
>>   best contribute to coordinating the network management activities of
>>   registration interests, network operators and service providers and law
>>   enforcement agencies. This should be done with the goal of ensuring
>>   that emergency response and technical abuse prevention is well
>>   coordinated and the overall interests of internet users are
>>   appropriately protected by a secure and functional domain name system.
>>3) That ICANN undertake to develop a statement of best practices that
>>   registration interests should apply when working with law enforcement
>>   interests, network operators and other legitimate parties concerned
>>   with public safety, legislative enforcement, network management and
>>   abuse, and the protection of critical information technology
>>   infrastructure.