The Road from WHOIS to Directory Services

A few months ago, I wrote a column expressing my deep concern over the lack of progress in the debate about domain name registration data (a/k/a the WHOIS). The debate aims to reach collective understanding and agreement regarding the purpose of that data and, specifically, who should have access to it and how.

Is the main purpose of WHOIS data to enhance the overall stability and security of the Internet by providing contact points for network operators and administrators? Or is it to help combat infringements on intellectual property, fraud and other forms of abuse? Both? Neither?

These issues, and the questions that arise from them, have been in circulation for a decade now. The latest movement in the debate is an ICANN-commissioned report by the Interisle Consulting Group on the possibility of an in-depth WHOIS data study; in other words, on whether a WHOIS data study was even feasible. The report concludes that such a study is possible.

Some participants in the industry have expressed their displeasure that the Interisle study is yet another incident in a decade-long string of stalls. However, I believe that ICANN is priming the pump to make a strong and sustained push to get past the vexing issues of the past on this topic.

While the decade-long duration of the debate is frustrating, I do have two pieces of good news to share.

The first is that we have managed to move away from the term “WHOIS” in discussions and toward the phrase “Directory Services,” which more accurately describes both the data and access to it. A nod of the head goes to the CEO and president of ICANN, Fadi Chehade, who’s encouraged the use of the term “Directory Services.”

Second, ICANN recently announced the formation of a group of experts, led by Jean-François Beril, that will work together through April 2013 with the goal of responding to issues presented in a recent report from ICANN’s Security and Stability Advisory Committee (SSAC) (of which I am a member, and a contributing author to the report). In report SAC055, SSAC posits that the problem of the WHOIS is analogous to a group of blind men attempting to learn about an elephant by touching separate parts of it, and then refusing to consider the perspective of the others in the group who touched other areas of the animal.

Thoughts to consider with regard to directory services

Some historical considerations. Thanks to the rapid evolution of the Internet and the role technology plays in all of our lives, the WHOIS of today is far larger and more complex than what many of the Internet creators envisioned — a contact sheet for the early users of what was then a vast, untamed wilderness. Since then, the WHOIS has continued to be implemented in a way that’s more or less the same as when it was started. As an analogy, think of having an airport’s traffic control run out of a covered wagon in what was once the Wild West.

Second, consider the groups who currently use the WHOIS (and who are likely to use it in the future). The largest and most diverse group is the general public. Another group? Law enforcement, who rely on the data for anti-criminal activities. Two other groups that use WHOIS data are intellectual property owners and security practitioners. While they each have different goals and objectives, they all use the term “WHOIS” for registry-collected data, even though the “WHOIS” means something very different to each one.

Third, consider that WHOIS covers not only domain names, but also Internet addresses.  The various regional Internet address registries (APNIC, RIPE, ARIN, AFRINIC, and LACNIC) all manage and maintain WHOIS services with contact data regarding IP addresses or address ranges.

That’s why a policy that defines the purpose of registration data might be a good first step toward a common solution. To reach that point, we need to clearly and consistently determine who has access to what data.  We should separate the needs of supporting the domain name industry from the needs of these groups who believe they need access to the data for various reasons. Once we establish what data they need and why, we can then consider in earnest who should have access, why they should have that access, and the method of access.

What role can you play in this process?

I encourage you to keep an eye on the progress made by the expert group at ICANN and, when ICANN requests public comments, add your insight and opinions. The impact of this group will be felt for years to come; so if you have opinions, don’t be shy about contributing them.  

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.