IETF provreg mailing list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: <ietf-provreg@cafax.se>
From: Karl Auerbach <karl@CaveBear.com>
Date: Tue, 26 Dec 2000 12:29:22 -0800 (PST)
Reply-To: Karl Auerbach <karl@CaveBear.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Comments on overall direction


I've just read through the e-mail that came in over the last week.

What struck me is how much it seems tied to existing practices of NSI's
registry.  For example, just because NSI today has registrations in year
units is no reason to think that that must be true for everyone
everywhere.

And what struck me further is how quickly the discussion focused on domain
name registration and forgot that there are other kinds of network
resources that need similar services.

So -- my comments:

1. A nit: I'd like to get rid of this horrid "registrar", "registry",
"registrant" terminology.  There have been more instances than I can count
where discussions went off into the weeds because somebody accidently used
the wrong ending to the string "registr".  Mike O'Dell has suggested
"repository" and "agent" in lieu of "registry" and "registrar".
Personally I like the trio "database", "agent", and "customer".

2. There are many kinds of Internet resources that customers will want to
lay claim to - domain names, IP address blocks, and ASNs come to mind as
some we have today.  The common feature about these is that they can all
be described using the following skeletal paradigm:  (The following is for
illustration, I'm aware that there are more detailed versions.)

        <registration-object>
         <definition-of-thing-being-registered>
           ...
         </definition-of-thing-being-registered>
         <duration-of-registration-info>
           ...
         </duration-of-registration-info>
         <contact-list>
          <admin-contact>
            <contact-info>
               ...
            <contact-info>
          </admin-contact>
          <tech-contact>
            <contact-info>
               ...
            <contact-info>
          </tech-contact>
          <billing-contact>
            <contact-info>
               ...
            <contact-info>
          </billing-contact>
         </contact-list>
        </registration-object>

This suggests several things to me:

   - That we can have a single protocol to handle registrations of all
     kinds of things, not just DNS names.

   - That there is no reason why this package can't also be used between
     all parties to this system - agents-to-database (and
     vice-versa), customers to agents, agents-to-agents,
     databases-to-escrow systems, agents-to-escrow systems.

   - That the protocol should be designed in "chunks".  Thus one chunk
     would support a lockable registration exchange between a customer and
     its selected agent, and also between an agent and the database.  And
     another chunk of protocol would support unlocked query access.  (This
     latter function happens to be a nice alternative to the underdefined
     port 43 mechanism.)

3. I am very wary of continuing the current notion of agent-to-agent
transfers.  To my mind any transfer should be accomplished via the
customer, i.e. that some signed certificate must be handed by the
relinquishing agent to the customer for the customer to hand over to the
acquiring agent.

4. I'm nervous about the inclusion of fancy negotion protocols - such as
have been aluded to with regard to the negotion of expiration timestamps.
My own preference is that the protocols simply have a code to express that
a request has been "rejected due to unacceptable expiration timestamp".
To my mind external channels should be used to convey policies about these
kinds of things.

5. The issue of privacy and security seems to be being glossed over - we
are talking about databases that will be among the worlds larger bodies of
personally identifiable information - with both strong privacy
characteristics and high value to marketing/sales folks.

This suggests to me that there ought to be adequate information in the
protocols to build unambiguous, timestamped, transaction journals.

It also suggests to me that there be provision for solid identification
and authenticatation of all transactions.  I don't care whether this comes
as part of this protocol or as part of a lower layer protocol.  However,
since we are going to have to abide by inconsistant privacy laws I have
this more than sneaking suspicion that implementations are going to have
to resort to call-outs to policy servers - as such we ought to make sure
that these protocols and data representations are amenible to being
filtered by some sort of policy expressions that might come back from such
policy servers.

           --karl--

Follow-Ups:
- Re: Comments on overall direction
  - From: Dave Crocker <dcrocker@brandenburg.com>

Prev by Date: Re: My personal comments on the requirements.
Next by Date: Draft provreg charter
Prev by thread: Re: Scope [was Re: Expiration times]
Next by thread: Re: Comments on overall direction
Index(es):
- Date
- Thread

Home | Date list | Subject list