RE: [ga-sys] Registrants Charter - FREEDOMS - Part 1

[Roeland Meyer <rmeyer@mhsc.com>]

> From: Joanna Lane [mailto:jo-uk@rcn.com]
> Sent: Wednesday, May 16, 2001 1:29 AM
> 
> on 5/15/01 8:02 PM, Roeland Meyer at rmeyer@mhsc.com wrote:
> 
> Hello Roeland,
>  
> > The problem (and I'm not that far from WXW here) is that the contact
> > information is required for problem solving, contacting NOCs, etc.
> 
> All industries have information sources for professionals 
> only. I don't
> object to a WHOIS database in principle for that reason, but 
> I do object
> strongly to it being available in the public domain.
> 
> Question: Could WHOIS data be restricted on a "need to know" 
> basis and if
> so, how could that work ?

Some of us have actually been batting that problem around for a few years.
We don't have an answer. It's like trying to copy protect an image on a web
site, once you see it on a browser, you can copy it and there is no way to
stop that. The bits are on another machine, in its memory, which you do not
control.

The fundimental problem is that there is no way to predict which SysAdmin,
in which domain, will need that data. In the case of DDoS attacks, that
information should really be fetched by automated scripts. uuid/passwd
protocols would make those scripts unusable. We are talking about 10-20
cascaded lookups, with a number of different whois servers, in under a
second here.

> No, it
> > was never designed for individual use and makes inadequate privacy
> > protections. On that, I agree. However, the new EU privacy 
> protections would
> > allow many to remove ALL contact information. This is also 
> non-acceptable.
> 
> Are you sure? That would be like asking the phone company to not keep
> records of an account and I don't think that is the 
> requirement. 

My reading says that they only want to restrict publication of that data. To
allow an unlisted DNS entry. This does not mean that the data isn't in the
registry. But, it is exactly the availability of that data that we are
discussing here. The contact info is extremely important for network
troubleshooting.

> The idea is
> to remove personal data from casual scrutiny that serves no 
> purpose, not to
> stop Registries keeping private records of their customers, 
> as any other business would do.

How do you define access as casual v. non-casual? There is no way to do that
without some form of authentication mechanism, to identify the requestor.
This means that each contact needs a uid/realm/key. In the case of COM, this
runs into the millions. It doesn't scale. In the specific example I
mentioned, their pipes are clogged and they are probably using a spare dial
port to another ISPs system and doing the queries there. Normal
authentication can be difficult.

> > Yes, there WAS no provision for individual anonymity UNTIL 
> > the advent of the
> > ROLE account. So, now we have role accounts and 
> > individuals, entering
> > personal contact data into the whois, either explicitly 
> > know what they're doing or have bad advice.
> > 
> > The ONLY remaining glitch is the registrant data.
> As I explained to Chris
> > Ambler, years ago, this is simply taken care of by the paid 
> usage of a PO
> > box, or MBE account (of which, I have a few, for this purpose).
> 
> In middle class America, every town has a Post Office with 
> boxes and mail
> forwarding, but this resource is not available everywhere. 
> It's a helpful
> tip, but it's not the solution for everyone.
> 
> What is an MBE account?

MBE is a company called "Mail Boxes Etc", a private competitor to a Post
Office branch office. In fact, many of them are PO branch offices, by
license. They are a general mail service with add-ons like; pre-sorting and
filtering, mail forwarding service, UPS and FedEx delivery point (USPS will
not accept FedEx and UPS parcels at a PO box, MBE will), Fax send/rcv, etc.
More importantly, an MBE address reads like a normal business address. The
sender does not know that they are sending to a PO box. Both my corporate
addresses are MBE accounts.

-- 
ROELAND M.J. MEYER
Managing Director
Morgan Hill Software Company, Inc.
TEL: +001 925 373 3954
FAX: +001 925 373 9781
http://www.mhsc.com
mailto: rmeyer@mhsc.com

--
This message was passed to you via the ga-sys@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-sys" in the body of the message).
Archives at http://www.dnso.org/archives.html