Is WHOIS going to go away?

bzs at theworld.com bzs at theworld.com
Thu Apr 19 21:31:58 UTC 2018


I just want to add my voice to basically the same sentiment (way
below...)

With all the data breaches it's almost become easier to list companies
who haven't had a massive data breach lately.

And once someone walks off with that db it's out there forever tho
admittedly still a little more difficult to access than a mere whois
query.

But most registrars offer a privacy option so whois only returns the
registrar's contact info. That of course won't help with mass data
breaches. And there are third-party options.

All GDPR and similar is likely to do is change exactly who has access
to this information and how, and how much it will cost.

That might be an improvement for some, and it might offer a false
sense of security for many.

How many will thereafter willingly pay the $5/month or whatever it is
for "privacy" if they believe their data is somehow protected by law?

Far fewer I would guess (yes many registrars provide this free but
will they after May 25th?)

I'll reiterate my suggestion I've been pushing for a while now:

Put the WHOIS accessible information into the DNS, possibly as a new
RR but that's optional.

That would put it completely under the domain owner's control.

It doesn't solve the problem of data breaches, and I'd include lawful
mass access (i.e., selling your info), but at least it's realistic and
easy enough to implement -- just convert any WHOIS query into an
appropriate DNS query.

But it does separate the WHOIS function from normal customer data
management.

ICANN and its registries and registrars can then proceed to practice
standard customer information management policies without also having
to try to layer a WHOIS policy on the same data.

On April 19, 2018 at 10:24 rsk at gsp.org (Rich Kulawiec) wrote:
 > On Sat, Apr 14, 2018 at 05:29:35PM +0000, Aaron C. de Bruyn via NANOG wrote:
 > > So why are you proposing that I can't run my *personal*  "I strongly
 > > believe in {insert emotionally-charged issue} site" without letting psychos
 > > know exactly where I live?
 > 
 > A PO box might suffice.  There are also mail forwarding (and phone
 > forwarding) services that serve the purpose.  Having encountered exactly
 > these sorts of psychos, this might be a good idea if you think it's a
 > threat you may have to face.
 > 
 > (Although let me note that your address is likely available anyway through
 > some deliberate-public database or through one that's been hacked and
 > subsequently leaked.  Or via someone you know who "checked in" with
 > a geolocation app while visiting.  Or via someone who handed it over to
 > a third party because they were shipping you something.  Or...)
 > 
 > Let me suggest that a better choice for these situations is not to
 > register a domain *at all*.  Consider: doing so creates a record at your
 > registrar that has information-of-interest about you.  All that stands
 > between a psycho and that information is a security breach, a dataloss
 > incident, or -- maybe -- a hundred bucks in an envelope (old style)
 > or a cryptocurrency transfer (new style).  Maaaaybe it would be better
 > not to create that record at all.
 > 
 > That's why I've always recommended (for example) that dissident political
 > movements in repressive countries avoid registering domains: any dictator
 > worthy of the title will easily acquire the real registration details,
 > whether they're held in-country or not.
 > 
 > ---rsk

-- 
        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*



More information about the NANOG mailing list