Notes/ Action Items

These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki.

1. Introductions and SOI Updates

2. PDP Background

3. Meeting Goals 

  • As the WG has deliberated on the below Charter Questions, we may be constraining our thinking by deliberating on existing WHOIS data elements, assuming today’s (often implicit) definitions, without clearly stated expectations of the entities identified and/or contacted using registration data:
    • Who should have access to gTLD registration data and for what purposes?
    • What data should be collected, stored, and disclosed for those purposes?

 

  • To address these concerns and enable more effective deliberation, purpose drafting teams were asked to re-convene to answer the following questions:

1. Who associated with the domain name registration needs to be identified and/or contacted for each purpose?

2. What is the objective achieved by identifying and/or contacting each of those entities?

3. What might be expected of that entity with regard to the domain name?

  • Today, each drafting team will present its answers for consideration by the full WG
  • Results from today’s session will be input to deliberation on possible purposes and associated data

Domain Name Purchase/Sale

WG Response:

  • The expectation is that a potential buyer can verify the seller owns the DN; this is not a requirement for public access – for example, a DN registrant could supply a lookup key to the buyer
  • At what point would this be opened up to verification – after initial inquiry, or when the seller chooses to go forward?
  • Potential buyers may want to see a registrant’s full portfolio, not just one DN
  • Is this purpose limited to business-owned DNs or does it apply to all DNs?
  • Should it be a requirement to be able to find out the full set of domains controlled by a single entity, or is this just a particular desire?
  • A potential buyer should send a note to the account holder, via the registrar
  • Why is there a need for the account holder to have control of a DN?
  • The account holder is not always the registrant and may not have the ability to sell a domain name
  • Ultimately it should be the potential seller that controls further communication for this purpose
  • Are there two different audiences? All registrants, or only those that express interest in being contacted for this purpose?
  • There may be value in supplying additional information, but it seems this may be best handled outside of the basic system, e.g. by exchanges for listing names potentially available for sale
  • Is there any threshold for the buyer identifying itself as a bona fide purchaser?
  • Are there two different types of entities being contacted in the beginning of this purpose? (1) any registrant that may or may not be interested in selling names; (2) registrants that specifically wish to receive potential purchase offers for their DN?
  • To what extent must this be supported by the mandatory system as opposed to external services that have developed and will continue to develop?
  • The buyer needs to have a third-party place to verify the registrant holds the rights to the DN – a public record of ownership, not just the current contact information
  • If the seller opts in to full disclosure of other DNs, that could be done at the seller’s discretion, based on an incentive (e.g., paying more for the DN)
  • There's a sharp distinction between validating whether the seller has title versus whether the car is in running order.  For the latter, the state does not participate; the buyer would get an assessment from their own mechanic
  • Being contactable for this purpose is different from publishing contact data for this purpose
  • The info listed in the Registrant field is supplied by the Account Holder, and it's entirely possible that the information is unrelated to the account and domain.

Domain Name Management

WG Response:

  • Noted that WG Agreement 48 refers to legitimate purpose but does not give grounds for what criteria are used to determine legitimacy (e.g., consistency with mission)
  • Legitimate interests of the parties should be identified – this is the basis for lawful processing
  • Third party legitimate interests are not limited to those of contracted parties.
  • Benefit to the registrant is security and stability: to prevent unauthorized changes to the DN registration, to ensure that their DN doesn’t get hijacked, and to have the ability to verify their DN’s record
  • The bylaws state, in 4.6(e)(i): “Subject to applicable laws, ICANN shall use commercially reasonable efforts to enforce its policies relating to registration directory services and shall work with Supporting Organizations and Advisory Committees to explore structural changes to improve accuracy and access to generic top-level domain registration data, as well as consider safeguards for protecting such data.”
  • There are different ways of viewing security and stability, and from the registrant’s perspective this purpose goes directly to security and stability

Individual Internet Use

WG Response:

  • Primary focus is identification and not contact
  • Contact in the case of fraud may not be useful – contact might occur through other channels
  • Would the average Internet user actually use WHOIS for this purpose?
  • Should not be encouraging consumers to do this, but rather provide other consumer protection mechanisms
  • Some users DO query WHOIS for this purpose – knowledgeable users are valid too
  • The WHOIS Review Team studied this very question; it was part of that exercise (RT4). There is a study, including video footage, showing Internet users trying to find a domain name owner. The majority went to a website or a search engine such as Google; WHOIS came up little, if at all. Since we paid for this study, we could use it, and perhaps we could retrieve this data for this purpose. For further information, please refer to the WHOIS Review Team’s Final Report
  • When you’re engaged in a commercial transaction, you want tools to learn who you’re dealing with, and why rob users of this tool? (imperfect or not)

Domain Name Certification

WG Response:

  • Who is the certifying agent? The CA itself
  • This purpose is only relevant to those registrants that want a certificate; access could be provided by some kind of one-time-use token and not publication of data
  • When DN is sold, is the certificate revoked?
  • ICP in China and SSL: having public email makes it much easier. We face difficulties with .co.uk to get SSL validation, because email is not available in WHOIS by design
  • In cases where email address is published in WHOIS, obtaining a certificate may be easier, but email-based validation is not the only method available and not having an email address doesn’t prevent obtaining a certificate
  • If a CA (other than the CA run by the registrar) wants access to data to provide their service they could pay the registrar to get access.  These kinds of business model issues are out of scope of this PDP.

Technical Issue Resolution and Academic or Public Interest DNS Research

Technical Issue Resolution:

WG Response:

  • Registrars do not want to be the first point of contact for Tech Issue Resolution – go to the hosting provider (or the Registrant/contact) first. All the Registrar can do is take the DN down. The web host is in a much better position to disable access to the hostname (not the DN)
  • There are registrars whose business model includes serving as Tech Contact (value add)
  • Is the entity you want to reach for tech issue resolution sometimes or always the account holder? Probably not since several different entities are enumerated in the DT’s answer, but this deserves further discussion

  • DNS OARC meeting example – DNSSEC validation – need to contact operators of the DN, to help resolve issue, not take the entire DN down
  • What is the role of the Reseller in this purpose?
  • It is not necessary that Registrants understand the technical issue – the “mechanics of the Internet” need to understand/resolve the issue being reported
  • You only need the help of a domain contact when the IP isn’t resolving
  • Nameservers will not always lead to the hosting provider
  • Hosting is not regulated by ICANN – that other part of the Internet community cannot be addressed by RDS policy
  • Contacting the domain holder can also be useful if the site is partially pirated, to warn the owner. No need for the host to shut down the site, but for the domain holder to clean its database

DNS Research

WG Response:

  • Note that #2, benefit to prospective buyer doesn’t belong in this purpose – it’s another purpose
  • What is “public interest” research?  Too open ended
  • Universities typically apply a rigid protocol to research involving humans
  • Do you need data associated with individuals for this purpose? Can’t you just use aggregate data? Depends on the study – for example, the WHOIS Misuse study and the WHOIS Accuracy study both used individual registrant and contact data to study misuses and inaccuracies to inform policy development, to the benefit of future registrants

5. Confirm Action Items and Proposed Agreements

Meeting Materials (posted at https://community.icann.org/x/ygi8B)