11/15/01 6:00pm - 7:30pm PST
Marina Del Rey - Marriott Hotel
Verisign Universal Whois Consultation - International Users

Introduction

Miriam Sapiro (VRSN): An Intellectual Property and Business community briefing has already occurred. There will also be a Civil Liberties consultation shortly. Verisign has an obligation to undertake the development of a universal whois system and use best efforts to deploy it prior to December 31, 2001.

Technical Goals

Mark Kosters (VRSN): The proposed system as currently envisioned will be:

- non proprietary, open spec and distributed in nature.
- IDN capable, not willing to reinvent the wheel where appropriate.
- Includes support for access controls.

Verisign's role in this effort lies with coordination, commitment, listening. A website has been set up at uwho.verisignlabs.com and a mailing list at uwho-request@lists.verisignlabs.com

Panelist Statements

Peter Dengate Thrush - Request to participate was last minute, so the Country Code interests did not appoint anyone to speak on their behalf at this consultation. He noted that he could not speak on behalf of the country codes and was negative on the process thus far. He also noted his surprise at the scope of Appendix W to the Verisign Registry Agreement. He indicated that there were also positive things to be said about this process and that he would take the information from the consultation back to the Country Code Operators and alert them about this process and indicated that the CCSO will be a great forum in which to continue discussion on this issue.

Bruce Tonkin (Melbourne IT/INWW) - Echoed Peter's comments regarding last minute notice and that he did not represent the interests of Registrars. Miriam Sapiro indicated that Bruce's role on the panel was simply to relate the views of Melbourne IT/INWW and not that of all registrars. Bruce noted that the Whois is essentially a series of distributed databases.
Standardized queries need to be put into the system with predictable results coming out and that a positive outcome of this process would be the Whois version of the DNS. He further indicated that there should be no single entry point into the Whois - a distributed system is important. He also noted that the dotAU-registry has unique requirements that throttle the query rates and eliminate bulk access. Therefore whatever protocol is eventually deployed needs to take into account the different policy points that are in place within each of the various ccTLDs. IETF is the proper forum for this - VRSN needs to push the issue towards an Internet Draft in order that appropriate comments on a substantive proposal can be provided by affected stakeholders.

Hakon Haugnes (GNR) - The title of the GNR presentation was "Do you really want to be searched for today". The Whois was created for the purpose of finding people running services associated with domain names but is currently used for availability checks, data mining, direct marketing, tracking of companies, using the domain name in question, IP interests. For an individual it is an open listing of your private details, your personal email, phone number and other - it is also open to illegitimate use. What is a "legitimate use of Whois?" Is there a difference between a Whois query for technical reasons, finding an old friend or enemy? What about law enforcement rights? Should there be access policies, are these different for different contacts and different for different TLDs? This new service should not be a service for high-volume queries, registrar checks, data mining, availability checks. It should not pose a security risk, should not be proprietary and should not be based on dcentralized data storage. It should respect local policies, be a "one-stop shop" for cross-TLD queries, serve for non time-critical applications, serve for legitimate use, request and give data only on a need to know basis.
Perhaps this will allow for the correction of circular name server references.

Questions and Comments from the Floor

Jeff Neuman (Neulevel/Neustar) - The contract specifies different conditions than what was explicitly stated during the introduction (i.e. - progress must be made by Dec. 31, 2002, but it is not mandatory that the project be completed). The contract also specifies that a fee will be paid to VRSN by those who wish to make use of this data. The Universal Whois provider should not be a registry or a registrar, but rather it should be a third party that will not benefit from the use of this data.

Andreas (?) (EPIC) - Apart from your communications with the civil liberties groups, have you considered meetings with the data privacy groups in the various countries? If this is a technical consultation, why are you involving policy groups?

Miriam Sapiro (VRSN) - We are reaching out to the users to gather their requirements.

Christopher Chiu (ACLU) - In other forums, you have had consultations with others - which members have you talked to?

Miriam Sapiro (VRSN) - We will be posting the list of those who we consulted with at a later date.

Milton Mueller (NCDNHC Names Council Representative) - This is beginning to make me feel uncomfortable. It seems to me that registrants are being treated as subjects of surveillance. Users have no choice but to put their information into this database.

Miriam Sapiro (Verisign) - We have an obligation to do this technically - but the ultimate policy structure is determined by ICANN.

Sabine (?) (DeNIC) - Local policy, local access - as decentralized as possible.

Elizabeth Porteneuve (?) - Paul Kane has determined that there are only 88 Whois services in the country code community. France will not be providing their information under any circumstances.

Lauren Gillman (Realnames) - How coordinated is this with the IDN efforts?

Jeff Neuman (Neulevel/Neustar) - Thanks to Verisign for holding this session - I want to clarify that my earlier comments were meant to clarify; I hope they didn't come across as being too negative. Will the requirements documented be drafted and circulated so that the technical community can comment on the requirements? We can't comment on what we can't see.

Mark Kosters (Verisign) - Not sure if the IETF will be willing to take this on. The IETF has had a few BOFs on related subjects, but no working group has been formed to tackle the issues.

Bruce Tonkin (Melbourne IT/INWW) - Verisign should submit the requirements as an Internet Draft for comment by the community.

Hakon Haugnes (GNR) - Will this be used to look things up in non-DNS databases?

Miriam Sapiro (VRSN) - We don't know, we're just gathering requirements at this stage.

Hakon Haugnes (GNR) - Is this possibly scope creep?

Leslie (?) (Verisign Labs) - Not sure we want to get this into a tarpit - Verisign has a lot of people within this room that participate in the IETF; we were there and participated in the Whois BOFs. The London BOF had a very limited discussion. Their past efforts may or may not be compatible with this. We are in a listening mode trying to frame the problem. If we can't frame the question, then we can't go to the IETF.

Jordyn Buchanan (Register.com) - Maybe we can run this through the IETF, maybe not. If the IETF isn't interested, then maybe that's an indication that this isn't worth doing. This is limited to IP and DNS - but it might grow to include everything that ICANN is concerned with. ICANN's mission is too big, a handle on the mission of this effort must be rapidly acquired.

Karen (?) (GNR) - In the interests of undertaking a full and complete solicitation on this project, materials and statement of purpose should be distributed in order that a more informed consultation could occur.
There are people in this room that have been here all week that didn't know what this meeting was about. Surprises are not welcomed and not a good way to build consensus on the issues.

Fernando Espana (Neulevel/Neustar) - When will the minutes from the August consultation be distributed? When will today's?

Miriam Sapiro (Verisign) - As soon as possible, certainly not in two months this time around.

Sabine (?) (DeNIC) - The RIRs are working on this in the IETF, the efforts need to be coordinated.

Doug (?) (FreeBSD Project) - FreeBSD uses a smart client to route Whois inquiries - this problem seems to be largely solved (and trivial to solve) - predictable responses need to be examined. More universal formatting of the query protocol needs to be examined. The open (source) requirement should be more thoroughly defined. Speaking as an EFF member (not speaking for the EFF) - I am in favor of allowing search of domain name information, but I'm not in favor of a one-stop data-mining operation. From a business perspective, this should not absolve the registries and registrars from their data maintenance and distribution obligations.

Sarah Andreas (EPIC) - Anonymity might be a requirement. Commercial interests should be looked at separately from those of the individuals because of the different natures of their requirements.

Sabine (?) (DeNIC) - Not all registries have all information available. Data does not need to be collected necessarily; there are other ways ([not clearly heard] records, intelligent clients).

Mark Kosters (Verisign) - This would create a problem of recursion.

Sabine (?) (DeNIC) - There are ways around this. We do it, new gTLDs do it, etc.

Gere Rasmussen (GNR) - Data must be decentralized, entry points must be decentralized, and the policy must be tightly controlled. Much of the effort must go into the policy mechanism.

(?) (ACLU) - The Goal is Dec. 2002. When will the documents of definition be released?

Miriam Sapiro (Verisign) - We only have a schedule for consultation at this point - not design or rollout.

Doug (?) (FreeBSD Project) - In relation to Sabine's problem, make it mandatory to include emergency contact in the DNS record. Make everything else optional.

Bruce Tonkin (Melbourne IT/INWW) - The need comes from dotcom. The Whois information is already distributed, but finding information is difficult. Data accuracy isn't going to solve this.

Jordyn Buchanan (Register.com) - whois.geektools.com gives equally good results as well.

Bruce Tonkin (Melbourne IT/INWW) - I suspect that the real problem is data integrity, not data searchability.

Chuck Gomes (Verisign) - There are two types of Whois - centralized and universal.

Closing

Miriam Sapiro (Verisign) - Thanks, etc.