From: Brett Fenton
Sent: Wednesday, 24 August 2005 3:14 PM
To: jo.lim@auda.org.au
Subject: whois policy review comments

Dear Jo,

In regards to the review of the WHOIS policy (http://auda.org.au/policies/auda-2003-08/), I note the following comments:

1) The suggestion made by Paul McGowan that Registrars as part of a standard domain registration provide a rotating alias email address in order to address SPAM is, from the point of view of a Registrar, an uneconomic solution. In the gTLD space, solutions such as what has been proposed are currently being discussed in terms of a 'secret' email address for use between the Registrant and the Registrar for valid communications such as requests for transfer and the like, whilst retaining publicly available information (excluding the secret address). This is probably a better overall solution. Paul McGowan's suggestion can certainly be provided by Registrars at a technical level, however as a value-added service at an additional cost, as opposed to a solution mandated by policy.

2) The benefits of the present system of excluding the creation date heavily outweigh any probable advantages of listing it. Until such time as there are non-uniform domain license periods in the .au domain space, I feel that the existing policy (Clause 4.4) of non-publication of the creation date is a reasonable measure.

3) At this stage I feel the existing policy is adequate in terms of defining the use and publication format of WHOIS data. Where the policy is lacking is in terms of defining the methods of access to WHOIS information. These access methods can be defined as:

a) Port 43 requests directly to the Registry-maintained WHOIS server
b) EPP requests via Registrars accredited to access the appropriate API
c) Web-based information display (results published via access using the above methods or HTML posts to external web forms).

Our experience is that there are adequate controls around a) and b) and that ultimately any harvesting that may be occurring is via web-based forms. The position that NetRegistry takes is that rather than looking to remove data from public view (i.e. Registrant email address), methods of preventing data harvesting in general are more useful. I would propose a clause within the policy such that any online form published by a) The Registry, b) A Registrar, c) An appointed Reseller, must only be done where a mechanism is in place that:

i) Limits the number of queries from an IP address to some defined level.
ii) Uses automation detection, e.g. requires a user to input a code displayed in an image to submit the form.

Regards,
Brett Fenton

--
Brett Fenton
NetRegistry Pty Ltd