At-Large comments on the Initial WHOIS Service Requirements Report
The At-Large community thanks the GSNO and the ICANN staff for this opportunity to comment on the Initial WHOIS Service Requirements Report.
As noted in in the report under 3.1, Components of the WHOIS service, The name "WHOIS" refers to multiple concepts and it is important to distinguish between them. The At-Large suggests it might be necessary to come up with another name to refer to the "WHOIS service", to avoid confusion with the WHOIS protocol. This is especially true if the service itself might be running over other protocols in the future.
We define the WHOIS service as an interaction between the client and the server, running on TCP port 43, and implementing the protocol defined in RFC3912. We disagree that web-based interfaces that query a database can be considered "WHOIS clients". They do not suffer from the same limitations as the text-based clients, and can easily handle authentication, internationalization and anti-abuse features.
Most of the issues we face today are due to the lack of features of the protocol. The WHOIS, as defined in RFC3912 is rudimentary. It does not define a format neither for the query nor for the data being returned.
We note also that the WHOIS protocol and associated servers and clients are being used outside the gTLD space. ccTLDs use them in a way similar to gTLDs, but often need to implement variations on the server side to comply with local laws on privacy.
Regional Internet Registries have WHOIS services as an essential part of their work with regard to the allocation of IP addresses, autonomous system numbers, as well as in-addr.arpa and ip6.arpa PTR delegations. This is why we suggest that the ASO should be consulted in the framework of this process. The last sentence of the executive summary does not indicate the ASO as one of the parties to be consulted, and neither did the original GNSO resolution.
Given that WHOIS clients are included in most operating systems today, and are being used outside of the gTLD space, it is of upmost importance that, whatever new requirements are implemented do not break the existing installed base. We need to avoid having different dialects of WHOIS, which would share a similar name, but different interfaces and output.
We note that the requirements mention several recommendations the SSAC has done in the past regarding authentication and granular access to information. The At-Large obviously supports these, as it has done multiple times over past years.
The At-Large supports all the requirements expressed in the document, and believes there is a consensus in the community on these. We add the following additional comments:
- R-4: Standardized error messages will make the localization of the client software much easier. This would be most welcome by those who do not have English as one of their languages and do not understand what "tech-c" may mean.
- R-6a: The introduction of a structured data format would also be an excellent opportunity to require the use of internationally agreed standards on the display of postal addresses and phone numbers. The use of a machine-parseable output would certainly be beneficial for legitimate uses of the WHOIS information, allowing to automate processes. On the other hand, it will also make the life of those with malicious intents much easier, too. There should be mechanisms put in place to prevent large scale harvesting of data for malicious use.
- R-8.1 and 8.2: The authentication framework, coupled with granular access to data for the WHOIS service should not be an option or a nice to have feature, but is a fundamental prerequisite to allow for the protection of the privacy of individuals. It should be sufficiently flexible to allow those outside the gTLD community, notably ccTLDs, to implement access policies required by their locals laws.
- R-9: The At-Large believes that the thick vs thin WHOIS debate is outside the scope of this document and that its implementation is a policy decision that is not dependent on the underlying protocol. We disagree that "new or legacy registries should consider evolving to a thick WHOIS". Irrespective of the policy decision taken, all gTLD registries should behave the same way. It should not be an option for the registry to consider or not.
We understand that the requirement 7, which does not appear in this document, has been submitted to a specialized working group on the internationalization of WHOIS data. On that matter, the At-Large is of the opinion that the data should be displayed both in native script and in latin characters. Domain names should be displayed both in native script and punycode.
The discussion over the WHOIS has been going on for several years. The At-Large would like to see a clear roadmap and a timeline with milestones for the implementation of the above requirements.
Obviously, the At-Large Community and the Committee is willing to work with the GNSO, the staff and other parts of the ICANN community in helping to move the process forward.