From: Bruce Tonkin
Sent: Wednesday, 31 August 2005 6:02 PM
To: jo.lim@auda.org.au
Subject: WHOIS policy review

Hello Jo,

I support the current WHOIS policy except for the display of the registrant's email address.

Recent discussions on the DNS list have indicated that registrants are still concerned about receiving unsolicited marketing mail to publicly displayed email addresses.

If a person wants to contact a registrant with respect to a security, SPAM, or network abuse incident - the most useful information is the technical contact details. These details are available either from the technical contact information associated with the WHOIS record, or by identifying the Internet Service provider from the IP address associated with a website or mail server.

If a person wants to contact a registrant for other legal reasons, they may either use the information available on the website of the registrant, or retrieve business information records associated with the ACN or ABN number supplied in the WHOIS.

Registrars may continue to use their direct access to the registry to obtain the registrant's email address for the purpose of obtaining authorisation for transfers.

Proposed changes:

- remove the display of a registrant's email address from the WHOIS

Alternative changes:

- replace the registry display of an email address with a link to a form to send a message to the registrant. This form would only allow plain text, and would be subject to SPAM/Virus checking before forwarding a message to the registrant's email address

- allow the registrar to nominate a standard email address to display for each registration that can be used for contacting the registrant (often referred to as a "private registration" service). The registrar can then implement measures to remove SPAM and viruses before forwarding an email to the registrant. This email address would be separate from the registrant's email address stored in the registry that can be retrieved by registrars to allow authorisation of a transfer.

It may also be useful to include a definition of the purpose of the technical contact in the WHOIS policy:

- e.g. The technical contact is intended for public display, and can be used by Internet users to report a technical problem associated with a domain name, including network abuse problems such as SPAM, viruses, and data mining that may be causing load problems for network resources managed by Internet users.

I don't support publishing creation or expiry dates. Issues associated with problem domains can usually be taken up directly with the associated registrar or internet service provider associated with a domain name. Publishing dates simply provides information used for unsolicited marketing.

Regards,
Bruce Tonkin


Hello Jo,

Further to my request to remove the registrant email address from the WHOIS service, I note the following finding from the ICANN Security and Stability committee.

From: http://www.icann.org/committees/security/sac007.htm

"ICANN Policy on Transfer of Registrations between Registrars specifies that "consent from an individual or entity that has an email address matching the Transfer Contact email address" is an acceptable form of identity. Transfer Contact email addresses are often accessible via the Whois service and have been used to impersonate registrants."

The security of transfer procedures is enhanced by ensuring that the email address used to authorise transfers is not publicly available.

Regards,
Bruce