[Ietf-not43] 3.2.6 Escrow Support and other thoughts
Andrew Newton
anewton@verisignlabs.com
Wed, 06 Nov 2002 10:20:44 -0500
Comments in-line.
Rick Wesson wrote:
>
> Since 3.2.6 is out of band and out of scope let's remove it. If an entity
> wishes to use the schemas defined by crisp for escrow that's fine but
> escrow has requirements unto itself that may be in opposition to the
> requirements under discussion.
I disagree. Being able to support serialization for escrow purposes is
a current problem. I attended a meeting full of registrars not too long
ago where they agreed that none used a common format. And I've heard
this requirement stated many times in the past.
I would agree with some wordsmithing on the text though. Perhaps the
"to an escrow entity" should be removed. I could see how some people
might think it implies a single escrow authority, which is not the intent.
> 3.2.9 DNS Label Referencing
>
> Is it the intent of section 3.2.9 to require that the information now
> provided via the internic port 43 referral whois be published somehow in
> the DNS? If that is not the intent please rephrase this section as it is
> not clear as to the intent nor the requirement.
No, that's not the intent. The intent is that DNS is used to find the
authoritative server. As I have asked on numerous occasions for new
language specific to this requirement, my response to your demand is
"send text".
> 7. Security Considerations
>
> Please add the following to the end of section 7. Security Considerations
>
> This document contains requirements for the distribution of queries
> against a mesh of participants and the possible generation and
> distribution of index hints both of which could be used in the development
> of DDoS attacks against the entire mesh or used to create data mining
> efforts by Direct Marketers (see Section 2.4.7)
I'm not sure I agree with the DDoS portion of this statement. Can you
point to a security concern in a current RFC or draft that states a
referral system or index hint is the vulnerability causing the DDoS?
I do agree with the data mining portion. It should probably state that
operators should take steps to prevent this according to the
requirements of the appropriate sections.
-andy