Name: SSAC Staff
Date: 16 Nov 2022
Affiliation: Security and Stability Advisory Committee (SSAC)
Original Public Comment: Proposed Amendments to the Base gTLD RA and RAA to Add RDAP Contract Obligations
On behalf of the SSAC, please find SSAC2022-12: SSAC Public Comment on Proposed Amendments to the Base gTLD RA and RAA to Add RDAP Contract Obligations.
Summary of Attachment
This correspondence provides comments from the ICANN Security and Stability Advisory Committee (SSAC) on the Proposed Amendments to the Base gTLD RA and RAA to Add RDAP Contract Obligations. The SSAC wishes to thank ICANN org staff and the contracted parties for their continued work towards deploying a consistent, documented RDAP implementation for access to domain registration data as per longstanding advice from the SSAC and other community members.
Per its role, the SSAC focuses on matters relating to the security and integrity of the Internet’s naming and address allocation systems. This includes operational matters (e.g., pertaining to the correct and reliable operation of the root zone publication system), administrative matters (e.g., pertaining to address allocation and Internet number assignment), and registration matters (e.g., pertaining to registry and registrar services). The SSAC engages in threat assessment and risk analysis of the Internet naming and address allocation services to assess where the principal threats to stability and security lie and advises the ICANN community accordingly. The SSAC has no authority to regulate, enforce, or adjudicate.
Summary of Submission
SSAC provides comments on 2 topics:
1) Reporting requests for domain registration data: The SSAC notes that while the proposed language on page 62 does attempt to address SAC097 Recommendation 4 by publishing standards, the end result may still report per-TLD statistics inaccurately for TLDs run under shared registry systems. This will depend upon how a shared registry operator decides to follow the guidance in the proposed language. The proposed language permits an operator of multiple TLDs to allocate counts of queries to individual TLDs in an inaccurate manner, as long as the sum of all counts equals the total queries for the operator. While this is an improvement, it potentially serves to normalize the creation of inaccurate reports, as it codifies the ability for shared registry operators to provide statistics that may not reflect the true number of queries per TLD they operate. The SSAC concludes that this change only partially satisfies Recommendation 4 in SAC097.
2) Sunsetting of web-based WHOIS services: The SSAC notes that while RDAP is a web-based protocol, there are some potential negative ramifications of sunsetting web-based WHOIS services for end users. It would be helpful for all contracted parties to be aware of the issues raised in SSAC2022-12 so that they may work to address them prior to receiving customer queries or help requests. It would also be useful for ICANN org to take SSAC2022-12 into consideration as it works on end user education materials and outreach during the transition to RDAP. Another consideration on this topic for third parties creating their own user-friendly RDAP lookup portals is that a naive approach to providing such services could result in denial of access to data due to hitting rate limits at individual registries or registrars. It would be useful for ICANN org to provide some guidance on how to avoid such issues along with other advice they provide for the transition to RDAP.