DNSO Mailling lists archives


<<< Chronological Index >>>    <<< Thread Index >>>

RE: [nc-impwhois] Melbourne IT WHOIS implementation comments

I was called away and not able to make the call today. But it sounds as
though there is a presumption that only complaints that come from ICANN's
online WHOIS complaint form are considered valid complaints. I would
certainly have no objection to this "funnel" for these complaints. That
would leave registrars with more discretion in how to deal with complaints
from other sources.  Also, that should then be made clear in the
implementation report.

I agree that it should be the burden of the complainant to
prove/demonstrate/document the inaccuracy when making the complaint.
However, the challenge process should also not be designed without any cost
or responsibility on the part of the complainant should they choose to use

The cost of any process/utility to VALIDATE international contact data for
ACCURACY should not be underestimated. Were specific assignments made to
start this analysis? If so, I am more than willing to assist. I'm also a
bit confused about why 100% is not the goal. I have heard that a couple of
times now. In the X% of cases where VALIDATION of ACCURACY is not possible,
do presume innonence or guilt?


 -------- Original Message --------
   Subject: RE: [nc-impwhois] Melbourne IT WHOIS implementation comments
   From: Steve Metalitz <metalitz@iipa.com>
   Date: Thu, January 16, 2003 3:58 pm
   To: "'Bruce Tonkin'" <Bruce.Tonkin@melbourneit.com.au>, nc-


   Following up on our discussion on today's call, I think the proposal
   you have made on the contact/correction process is a very positive
   contribution. I would suggest the following changes.

   (1)  Steps (a) and (b) could be combined -- the e-mail sent to the
   registrant's contact points could include the challenged Whois entries
   which the registrant is asked to review and change/correct/confirm.

   (2)  I am not clear about the circumstances in which a registrar would
   not use e-mail as the first means of contact. In any event, the
   contractual period is currently 15 days so perhaps the implementation
   proposals should be restricted to that, without prejudice to a
   possible future change in the time period if the data and experience
   justify it.

   (3)  The use of a commercially reasonable verification/validation
   utility (whether in-house to the registrar or suplied by a third
   party) that meets specified (to be developed) criteria sounds right to
   me. My only
   recommendations are that (1) the utility  should be employed beginning
   with the response given by the registrant to the complaint, rather
   than waiting another cycle until the complainant challengers the
   revised/"corrected" data (cf. the OECD "Nic-God" experience), and (2)
   the cost of using the facility should not be imposed on the
   complaining party.  I welcome the input of others about quanitifying
   what the cost for a commercially reasonable (i.e., not 100%
   comprehensive) facility might be.

   (4)  Certainly there would be problems if there are a lot of frivolous
   or malicious complaints.  I don't think that has proven to be a
   problem so far (based on Dan Halloran's presentation after he had
   reviewed every complaint that had been submitted to the Internic site
   up to the time of the Shanghai meeting).  However, to at least
   forestall this possibility, a registrar should have the flexibility to
   reject a complaint that does not set forth any basis for believing
   that the Whois data is false.  (In a similar vein, of course, the
   registrar also needs the flexibility to act more decisively in a case
   in which the Whois data is obviously false.)

   I hope this serves to clarify my comments at the endof our conference
   call and provides some useful input to the report that I understand
   you are drafting.

   Thanks for your efforts on this important topic.

   Steve Metalitz

   -----Original Message-----
   From: Bruce Tonkin [mailto:Bruce.Tonkin@melbourneit.com.au]
   Sent: Thursday, January 16, 2003 3:16 AM
   To: nc-impwhois@dnso.org
   Subject: [nc-impwhois] Melbourne IT WHOIS implementation comments

   Hello All,

   Here are some Melbourne IT comments on implementation of the WHOIS


   (1) Transfers Task Force Recommendation (WHOIS update at renewal)
   "Registrars must require Registrants to review and validate all WHOIS
   data upon renewal of a registration. (effectively an extension of RAA
   clause above) The specifics of required validation remain to
   be determined by this Task Force or another appropriate body."

   This is implementable IF:
   - the registrar presents the WHOIS data to the registrant at time of
   renewal (via website, fax, or postal message) = REVIEW
   - the registrant is required to confirm that the data is still
   current, or update the information, and warrant that the information
   is still correct = VALIDATE

   It is not feasible for the Registrar to validate the data (e.g make
   phone calls to registrant, ring post office to confirm address exists
   etc).  A registrar may optionally use various heuristic techniques to
   do some data validation (e.g check that a USA city existing within a
   particular USA state) - but such techniques are not applicable
   uniformly across the globe. In general it is in the registrars best
   interests to get accurate data as it increases the chance of a
   successful renewal - so there are commercial incentives here for
   clever registrars.

   I suggest rewording to:
   "Upon renewal of a domain name, a registrar must present to the
   Registrant the current WHOIS information, and remind the registrant
   that provision of false WHOIS information can be grounds for
   cancellation of their domain name registration.  Registrants must
   review their WHOIS data, make any
   corrections, and warrant that the data is correct to the Registrar."

   (2) Transfers Task Force recommendation (Redemption Grace Period
   issue) "When registrations are deleted on the basis of submission of
   false contact data or non-response to registrar inquiries, the
   redemption grace period -- once implemented -- should be applied.
   However, the redeemed domain name should not be included in the zone
   file until accurate and verified contact information is available. The
   details of this procedure are under
   investigation in the Names Council's deletes task force."

   The principle is OK.
   The wording of "accurate and verified" needs to be updated in the
   context of the recommendation that relates to correction of data
   following a complaint. See below:

   (3) Transfers Task Force recommendation (Data correction following a
   "When registrars send inquiries to registrants regarding the accuracy
   of data under clause 3.7.8 of the RRA, they should require not only
   that registrants respond to inquiries within 15 days but that the
   response be accompanied by documentary proof of the accuracy of the
   "corrected" data submitted, and that a response lacking such
   documentation may be treated as a failure to respond."

   This recommendation is not implementable in its current form.

   Implementation of this will depend on the business model of the
   individual registrar and the level of service/price paid for the
   domain name.  For example a registrar that charges $6 for a domain
   name, would likely only send an email message to the registrant to
   update the information.  A registrar that charges $1000 for a domain
   name to a large corporate client would likely use every means possible
   to contact the registrant (phone call, send letter, send a staff
   member to visit in person etc).

   The 15 day period also relates to the implementation.  It should be
   extended to 30 days if the registrar chooses to use postal mail to
   communicate with the registrant.

   In terms of requiring documentary proof - other than just storing the
   documentary proof - registrars are not authentication agencies (they
   collect information and store it in a registry) - they do not have
   skilled staff capable of detecting whether a document is real or a
   forgery, nor could they be expected to have staff with knowledge of
   all types of documents across all countries.

   The recommendation needs to identify a cost effective minimum

   There are two components:
   - contact of the registrant
   - correction of information

   Contacting the registrant is a common problem for registrars at the
   time of renewal, and various methods are used.  Most registrars use a
   final step of placing the name in REGISTRAR HOLD status (the name is
   locked and removed from the zonefile).

   I will suggest the minimum implementation:


   First phase:
   CONTACT phase
   - registrar sends an email to all contact points available in the
   WHOIS (e.g registrant, admin, technical and billing) to request the
   information be corrected
   - if no response is received after 15 days the name should be placed
   in REGISTRAR-HOLD status (or equivalent)
   - the registrar can continue to try to contact the registrant using
   various other means, but normally the registrant of an active name
   will contact the registrar themselves
   - the name would remain in REGISTRAR-HOLD status until the contact
   information is updated, or the name is deleted from the registry for
   lack of renewal
   - this protects the registrant from any attempts at domain name
   hijacking, and also protects the community from any unsatisfactory
   practices resulting from the use of the domainname for a website or

   - registrar must present to the Registrant the current WHOIS
   information, and remind the registrant that provision of false WHOIS
   information can be grounds for cancellation of their domain name
   registration.  Registrants must review their WHOIS data, make any
   corrections, and warrant that the data is correct to the Registrar.
   - if within 60 days of updating the information, an independent
   authenticating party provides confirmation (a list of accredited
   authenticating parties to be defined, and a mechanism for them to
   securely communicate with registrars electronically) that the contact
   information is still incorrect - then the name will be placed on
   REGISTRAR-HOLD (or equivalent) until that authenticating party
   certifies that the information is correct.  The cost of the
   authenticating party would be borne by the complainant.  This clearly
   separates the registrar role of data collection and not
   - ICANN will need to accredit authentication parties in the same way
   that UDRP providers are accredited.
   - The data accuracy complainant will need to pay the costs of the
   authenticating party verifying that the contact information is
   incorrect.   - The Registrant will need to pay the costs of an
   authenticating party to verify the corrected information.  Could be a
   different authenticating party to the one used by the data accuracy
   - a Registrar will be entitled to charge for the costs of updating
   WHOIS information via an accredited authentication agency (as their is
   likely to be manual processes involved).

   Thus I suggest the following rewording of this recommendation:

   "(a) Upon receiving a complaint about WHOIS accuracy, a registrar must
   at a minimum send an email to all contact points available in the
   WHOIS (including registrant, admin, technical and billing) requesting
   the WHOIS contact information be updated.  If no response is received
   after 15 days a Registrar must place a name in REGISTRAR-HOLD (or
   equivalent) status, until the registrant has updated the WHOIS
   information.   If a registrar uses postal means to communicate with
   the registrant, then the 15 days is extended to 30 days before the
   name is placed in REGISTRAR-HOLD status.

   (b) Once contact is established, the registrar must present to the
   Registrant the current WHOIS information, and remind the registrant
   that provision of false WHOIS information can be grounds for
   cancellation of their domain name registration.  Registrants must
   review their WHOIS data, make any corrections, and warrant that the
   data is correct to the Registrar.

   (c) If within 60 days of the contact information being updated, an
   accredited authentication agency informs the Registrar that the data
   is incorrect, then the name will be placed in REGISTRAR-HOLD status
   until the registrant provides contact information that has been
   verified by an accredited authentication agency.

   Melbourne IT supports the recommendation.  Some further clarification
   of the definition of
   "marketing activities" would be useful.

   Bruce Tonkin

<<< Chronological Index >>>    <<< Thread Index >>>