2017-12-20 Next Gen RDS PDP Working Group

Notes/ Action Items

These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki here.

1. Roll Call/SOI Updates

• Meeting Materials: https://community.icann.org/x/NQByB
• Call Handout: https://community.icann.org/download/attachments/74580021/Handout-20Dec-RDSWGCall.pdf
• SOI Updates: none

2. Complete deliberation on Domain Name Management as a legitimate purpose

a. Review poll results for data needed for Domain Name Management

• Poll Results (22 participants): https://community.icann.org/download/attachments/74580021/AnnotatedResults-Poll-from-12December.pdf
  • 100-90%: Domain Name, Registrant Name, Registrant Organization, Registrant Email, Registrar Name, Creation Date
  • 89-80%: Updated Date, Expiration Date, Nameservers, Domain Status
  • 79-70%: Registrant Postal Address, Registrant Phone, Administrative Contact
  • Less than 60%: Registrar Abuse Contact, Original Registration Date, Technical Contact
• Propose that data with 80-100% support be accepted as rough consensus; data with less than 60% support be dropped for this purpose
• Question: Would it be useful to flag data that is derived vs. data that is collected from the registrant? It will be necessary to differentiate when we develop policies - at this stage, we are looking at data required for this purpose within the RDS
• Comment: Original Registration Date has been helpful to some organizations - including helpful to the registrant themselves. Not in WHOIS today. Note WG Agreement 44.  There is no requirement for the Original Registration Date as proposed by the EWG Final Report.
• Administrative Contact  (77%) was the subject of several poll response comments (Rod, Tomslin, Maxim, David). Historically, Admin Contact is often the contact that controls the DN registration. If a registrant chooses to designate an Admin Contact, it would be needed for this purpose.

b. Finalize Data Elements needed for Domain Name Management

• Possible WG Agreement: The following registration data is needed for the purpose of Domain Name Management: Domain Name, Registrant Name, Registrant Organization, Registrant Email, Registrar Name, Creation Date, Updated Date, Expiration Date, Nameservers, Domain Status, Administrative Contact
• These are data with 100-82% support, plus Admin Contact (77% support), but not data with less than that level of support
• Notably, Registrant Postal Address (77%) and Phone (73%) are not included in above-proposed agreement, based on lack of support in poll - no rationale given for inclusion or exclusion in the poll
• Comment: Other methods of contact may be helpful in occasions where other contacts have failed/were dead - giving an opportunity to get a real live person.
• Registrant postal address may be convenient but not required? No tasks for Domain Name Management that require sending info to registrant by ground mail - except perhaps DN Transfer requires postal address?
• in Transfer Policy "The registrar may use additional contact information on file when obtaining confirmation from the Prior Registrant and is not limited to the publicly accessible Whois." -- https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en
• Noted that postal address and phone are often required for credit card payment - this may not be registration data collected by the RDS, but data collected by the registrar for payment processing
• This week's poll will recap discussion about possible addition of Registrant Postal Address and Phone, but confirm the following...

Possible WG Agreement (to be re-confirmed by poll): The following registration data is needed for the purpose of Domain Name Management: Domain Name, Registrant Name, Registrant Organization, Registrant Email, Registrar Name, Creation Date, Updated Date, Expiration Date, Nameservers, Domain Status, and Administrative Contact.

3. Start deliberation on Domain Name Certification as a legitimate purpose (slide 7+)

• Refer to slides 7-11 for DT3 definition of DN Certification:
  • "Information collected by a certificate authority to enable contact between the registrant, or a technical or administrative representative of the registrant, to assist in verifying that the identity of the certificate applicant is the same as the entity that controls the domain name."
• Three levels of certificate validation: DN validated, Organization validated (OV), and Extended validation (EV).
• DN validated is not covered by this purpose - no data required of RDS for this level, can be accomplished with just DNS data.
• For OV and EV certificate validation, data in RDS is relevant but not required - CABForum requires info to be verified by other channels.
• There are 10 equivalent methods of proving control - of those, 4 use RDS data if available. Not strictly required since there are 6 alternative methods.
• Data that may be relevant includes DN and Registrant, Tech, and Admin contact data: email, phone, name, postal address (slide 11)
• DN certification proves CONTROL of DN, not ownership - not proving the person seeking cert owns the DN, just proving they control it
• EV does examine relationship between entity seeking cert and registrant of DN
• Is possible WG agreement on slide 12 phrased incorrectly? it seems this isn't a legit use to _require_ collection but is a legit use to collect, if the registrant wants to use that biz model @ CA
• Possible WG Agreement suggested on slide 12 modified as shown above to reflect this:
  • Revised Possible WG Agreement: Domain Name Certification is NOT a legitimate purpose for requiring collection of some registration data, but may be a legitimate purpose for using some data collected for other purposes. (Access requirements to be deliberated at a later stage.)
• EWG recommended purpose-based contacts – for example, a Registrant might optionally designate a contact specifically for DN Certification, to interact with CA – or the Registrant or Admin Contact could be used for this purpose
• Do our agreements need to differentiate between required and optional? In this pass we are focusing agreements on required data for each purpose.

Possible WG Agreement (to be confirmed by poll): Domain Name Certification is NOT a legitimate purpose for requiring collection of some registration data, but may be a legitimate purpose for using some data collected for other purposes. (Access requirements to be deliberated at a later stage.)

Action item: Leadership team to launch poll to confirm two Possible WG Agreements identified during this call. WG members are encouraged to participate in this poll no later than 30 December (poll close date).

4. Confirm action items and proposed decision points

Possible WG Agreement (to be re-confirmed by poll): The following registration data is needed for the purpose of Domain Name Management: Domain Name, Registrant Name, Registrant Organization, Registrant Email, Registrar Name, Creation Date, Updated Date, Expiration Date, Nameservers, Domain Status, Administrative Contact

Possible WG Agreement (to be confirmed by poll): Domain Name Certification is NOT a legitimate purpose for requiring collection of some registration data, but may be a legitimate purpose for using some data collected for other purposes. (Access requirements to be deliberated at a later stage.)

Action item: Leadership team to launch poll to confirm two Possible WG Agreements identified during this call. WG members are encouraged to participate in this poll no later than 30 December (poll close date).

5. Confirm next WG meeting: Tuesday, 9 January at 17:00 UTC

• Note: NO meetings for next two weeks - Happy Holidays to all
• During 9 January call, we plan to start deliberation on this purpose:
  Criminal Activity/ DNS Abuse – Investigation