[Ietf-not43] Comments on CRISP Requirements draft-06 and CRIS P Internet Resour ce Number Requirements draft-00

Ryan Lehning rlehning at smimetlaw.com
Wed Nov 12 13:49:41 EST 2003 

Vittorio,

Dreg (http://www.ietf.org/internet-drafts/draft-ietf-crisp-iris-dreg-04.txt)
contains a last verification date and time element, defined as "an element
containing the date and time of the last time the data for this domain was
verifed by the responsible registration authority."  Dreg does not state how
the responsible registration authority would be.  My proposal could be
amended to reflect, as you suggest, that accuracy is verified by the
responsible registration authority, without stating who that might be.  Data
may not be up to date for a variety of reasons.

Whether or not the registrars reveal registrant data, and to whom they
reveal it, would be policy decisions.  The Requirements document contains a
framework for implementing privacy policy before such policy has been
decided upon.  Why shouldn't it similarly contain a framework for allowing a
data verification policy to implemented once such policy is decided upon?

Thanks,
Ryan  

-----Original Message-----
From: Vittorio Bertola [mailto:vb at bertola.eu.org]
Sent: Wednesday, November 12, 2003 12:33 PM
To: Ryan Lehning
Cc: 'ietf-not43 at lists.verisignlabs.com'
Subject: Re: [Ietf-not43] Comments on CRISP Requirements draft-06 and
CRIS P Internet Resour ce Number Requirements draft-00


Ryan Lehning ha scritto:
> Vittorio,
> 
> I really do appreciate the comments.  

So do I. However, I'm quite a newbie on this list, so please anyone tell 
me if I'm going off topic. It's easy to move from technical issues to 
policy issues in a discussion like this, and only the former are 
appropriate on this list.

 > Rick's comments, "please define
> accuracy. . .where are methods to be kept," etc. are equally relevant to
> 3.2.8.1 because that subsection says that the protocol has to be able to
> return a result indicating a denial of access based on lack of
authorization
> or privacy contraints.  It doesn't specify what the authorization rules
> would be or what the privacy constraints are.  

Pardon me, I still don't get it. Your proposal says that the protocol 
should mark certain data as "verified as accurate", but does not define 
what "accurate" means. If the two people on the two ends of the wire 
define "accurate" in different ways, you will fail to ensure 
interoperability, and you will cause confusion. On the other hand, if 
you say "these data are being denied due to privacy constraints", it is 
just the server that speaks to the author of the query. There's no 
possible misunderstanding, as "privacy constraints do not allow me to 
reply" is a judgement to be made on one side of the connection only.

Unless what you mean is that "verified as accurate" in your proposal 
means "verified as accurate according to the registrar", which is a 
tautology, since the registrar will never purposedly give you data that 
are not the most updated ones it has (will it?).



> As to the second question, why is any work being done on CRISP now, before
> the policy making process is complete?  Based on your suggestion,
shouldn't
> we therefore wait until all of the policy choices are made before
specifying
> any technical requirements?

IMHO, that could be a good idea; work on CRISP has already taken a long 
time. Before making more modifications, I would wait to be sure that 
these would be the last and final ones. At least, this is what I advice 
as an engineer, when a customer comes to me to ask for a last minute 
feature addition, but I figure out that other people from his company 
are still discussing the matter, and more last minute change requests 
may come later.

It's better for everyone if the policy people agree on what needs to be 
done once for all, and then the specs are changed only once more, rather 
than twice or three or four times more.

> this:  Is the registrar data element false when users query the registry
for
> Whois information?  

Right.

 > It may be.  For example, if a registration is being
> transferred, depending on where in the transfer process it is, a Whois
query
> may return false registrar information.

Ok, but I am sure that this regards a very small number of domain names, 
and you can get who the correct registrar is from the other registrar. 
Or perhaps you should have a "verified as accurate" marker on the 
registrar information too? :-)

> If a user follows your suggestion
> and asks a registrar to provide registrant contact information, the
> registrar may refuse or the registrar may refer the user to Whois which
may
> be inaccurate for the reason stated above.

Sorry, but if the registrar refuses to tell you privately who the 
registrant actually is, then why do you expect it to tell everyone 
publicly through its CRISP server?

Thanks,
-- 
.oOo.oOo.oOo.oOo vb.
Vittorio Bertola - vb [a] bertola.eu.org
http://bertola.eu.org/    <-- Vecchio sito, nuovo toblog!

More information about the Ietf-not43 mailing list