AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

Public Comment CloseStatement
Name 

Status

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

13 October 2018

Proposed gTLD-Registration Data Access Protocol (RDAP) Profile

ADOPTED

15Y, 0N, 0A

Joanna Kulesza

Jonathan Zuck

12 October 2018

13 October 2018

15 October 2018

18 October 2018

13 October 2018

Francisco Arias
francisco.arias@icann.org

AL-ALAC-ST-1018-02-02-EN

Hide the information below, please click here 

Brief Overview

Purpose: The Temporary Specification for gTLD Registration Data adopted by the ICANN Board on 17 May 2018 directed the creation of a gTLD-RDAP Profile(s) as a prerequisite to launching the Registration Data Access Protocol (RDAP) service across the gTLD space. ICANN org has received a proposal from a discussion group of gTLD registries and registrars and is asking the community for input.

Current Status: ICANN org has received a proposal from a discussion group of gTLD registries and registrars for a gTLD-RDAP Profile and is asking the community for input in order to finalize it and proceed with the implementation of RDAP services in the gTLD space.

Next Steps: Following any updates based on input during the public comment period, the gTLD-RDAP Profile will be published and considered for adoption. The gTLD registries and registrars will receive a notice requesting them to implement RDAP according to the gTLD-RDAP Profile(s) and in compliance with SLA and registry reporting requirements within 135 days. The RDAP SLA and registry reporting requirements are still being negotiated.

Section I: Description and Explanation

The Temporary Specification for gTLD Registration Data [PDF, 736 KB] adopted by the ICANNBoard on 17 May 2018 requires gTLD registries and registrars to implement a Registration Data Access Protocol (RDAP) service within 135 days of ICANN org requesting implementation. The Temporary Specification also called for a gTLD-RDAP Profile(s) to be developed prior to RDAP deployment.

A discussion group of gTLD registries and registrars (contracted parties) developed a proposal for a gTLD-RDAP Profile consisting of two documents: 1) RDAP Technical Implementation Guide; and 2) RDAP Response Profile. The former aims to provide technical instructions to gTLDregistries and registrars on how to implement the RDAP service. The latter intends to map current policy requirements to the RDAP implementation with flexibility to incorporate future policy changes with minimal reengineering.

Although ICANN org provided input to the contracted parties in the development of the two documents, not all the issues raised by ICANN org were addressed. To that end ICANN org has compiled input to the contracted parties' proposal documents [PDF, 3.27 MB] and is making this available for the public to consider.

Section II: Background

Since the 1980s WHOIS has been used in directory services, first for ARPANET users, later for domain name registrant and other related registration data.

On 19 September 2011, the Security and Stability Advisory Committee issued SAC 051, which advised the ICANN community to evaluate and adopt a replacement for the existing domain name registration data access protocol (WHOIS).

On 28 October 2011, the ICANN Board adopted SAC 051 directing staff to produce, in consultation with the community, a roadmap for the coordination of the technical and policy discussions necessary to implement it.

On 4 June 2012, ICANN org published a Roadmap for the coordination of the technical and policy discussions necessary to implement the recommendations outlined in SAC 051.

Also in 2012, The Internet Engineering Task Force (IETF) chartered the Web Extensible Internet Registration Data Service (WEIRDS) working group to develop a protocol to replace WHOIS.

In March 2015, the Web Extensible Internet Registration Data Service (WEIRDS) working group finalized the RFCs defining the Registration Data Access Protocol (RDAP), a standardized replacement for WHOIS.

In September 2015, ICANN org published a proposed draft RDAP operational profile for gTLDregistries and registrars for discussion with the community. These discussions took place over the next 10 months, including a public comment period.

On 26 July 2016, ICANN org published a gTLD RDAP profile that included service level and reporting requirements. Subsequently, the gTLD Registries Stakeholder Group requested that ICANN org not use that profile and instead work together on a modified plan to implement RDAP.

On 1 August 2017, the gTLD Registries Stakeholder Group with support from the Registrar Stakeholder Group submitted a proposal to the ICANN org to implement RDAP with a first phase in the form of an RDAP pilot.

On 1 September 2017, the ICANN org accepted the proposal for a voluntary pilot program for and started the first phase. The gTLD registries and registries formed a discussion group that began work on an updated gTLD RDAP profile.

On 17 May 2018, the ICANN Board passed a resolution adopting a Temporary Specification for gTLD Registration Data. As part of that Temporary Specification, gTLD registries and registrars are required to implement a Registration Data Access Protocol (RDAP) service within 135 days of ICANN org requesting implementation. The Temporary Specification also called for a gTLD-RDAP Profile.

In August 2018, ICANN org received a proposal a gTLD-RDAP Profile from the contracted parties.

Section III: Relevant Resources

Documents in the current public comment for community feedback:

Section IV: Additional Information

Section V: Reports


FINAL VERSION SUBMITTED (IF RATIFIED)

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 

Update with ALAC Consensus from ICANN63:


FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

The At-Large Advisory Committee (ALAC) recommends that ICANN adopt the Registration Data Access Protocol (RDAP) quickly and effectively because it is an essential step for ICANN to deploy a tiered-access model adequately. RDAP implementation, in turn, puts ICANN in a better position to be more compliant with the European Union's General Data Protection Regulation by ameliorating the relevant deficiencies to the contemporary WHOIS model. As the community is aware, the current WHOIS seven-bit ASCII system cannot hold international registration information (e.g., name or address) and that, in turn, leaves the entire DNS community, including end-users, vulnerable to various online threats. RDAP is a solution ICANN has long had to resolve these issues and the At-Large implores its wide adoption expeditiously to resolve these matters.

 

Additionally, the ALAC appreciates the RDAP's revised structure that intends to distinguish the policy-independent elements and policy-dependent elements. Assuming the RDAP Profile appropriately defines such distinctions, this will ensure that ICANN removes the technical implementations of the RDAP from political considerations and debate, and, as a result, not bog down its adoption.

 

In its current form, the RDAP appears to emulate some of the ambiguities that exist within key provisions of the European Union's (EU) General Data Protection Regulation (GDPR), and it would behoove ICANN to address these concerns as it moves through RDAP's implementation.  Examples of such ambiguities are:  

  • What constitutes a "legitimate purpose" as it is articulated in Para. 4.4, particularly as it relates to the notion of "accurate reliable and uniform (...) based on legitimate interests not outweigh by (...) fundamental rights";
  • the framework to address appropriate law enforcement needs under Para. 4.4.9;
  • handling contractual compliance monitoring requests under para. 4.4.13;
  • provisions in Annex A para. 4 that requests operators to "provide reasonable access to [data] to third parties on the basis of legitimate interests pursued by that party, except where such interest is overridden by the interests of fundamental rights and freedoms…pursuant to Article 6(1)(f) GDPR"; and
  • requirements in Appendix C, particularly ones related to outlining obligations for data registrars operating in the EU.

 

The ALAC appreciates the opportunity to comment on this important matter.


DRAFT SUBMITTED FOR DISCUSSION

The first draft submitted will be placed here before the call for comments begins. The Draft should be preceded by the name of the person submitting the draft and the date/time. If, during the discussion, the draft is revised, the older version(S) should be left in place and the new version along with a header line identifying the drafter and date/time should be placed above the older version(s), separated by a Horizontal Rule (available + Insert More Content control).

6 Comments

  1. Holly Raiche

    We need technical advice on this issue.  From my non-technical perspective, therefore: When the RDAP was developed, included the functionality to provide gated access to registration data.  When ICANN adopted thee protocol   however, the functionality to provide gated access was optional - not required.  The explanation was that, at that stage - and still the case - there is no policy now in force in ICANN to require gated access to registration data.  Given that the Temporary Spec requires gated access and any final ICANN acopted policy will certainly require gated access, the functionality of gated access should be a required feature of the RDAP.

    1. Carlton Samuels

      You're right Holly.

      When we discussed  RDAP in the EWG, the most compelling reason it was reported favourably was the capability vested in the protocol to process multiple attributes in decision-making on access; who, what, how and how long.   That ICANN chose to endorse a less-than-ideal implementation is regrettable.  But that is not a disability of the protocol.  We should record that, along with the political decision.

      -Carlton

        

    2. Alan Greenberg

      To be clear, the Temp Spec does not require gated access. It requires that contracted parties respond to requests, not necessarily through an automated protocol.

      The EPDP policy may need gated access if we can all agree to do so. Without lowering contracted parties liabilities if they rely on such access and are then cited for a breach of GDPR, it is unlikely, in my mind, that we will come to such an agreement.


  2. Olivier Crepin-Leblond

    I have asked the Technical Issues Working Group.

    https://atlarge-lists.icann.org/pipermail/technical-issues/2018-September/000397.html

  3. Alfredo Calderon

    In my opinion, it collects assertive suggestions for the implementation of RDAP. Therefore, I support the comment as redacted.

  4. Hadia Elminiawi

    Some ICANN accredited registrars are already providing tiered access or gated access to the registration data (Previously WHOIS data) using RDAP