Re: <info> Command and authInfo

[Rick H Wesson <wessorh@ar.com>]

Scott,

On Mon, 14 Jan 2002, Hollenbeck, Scott wrote:

> Those of you familiar with the NSI RRP, the protocol's STATUS command, and
> the way it's been implemented in the com|net|org registry are probably aware
> that RRP clients can only do a STATUS command on domains that they've
> registered.  A client who attempts to get status on a domain registered by a
> different client gets an error response.
>
> The EPP specification is a bit more flexible in this regard, saying this
> about the essentially similar <info> command:
>
> "This action SHOULD be limited to authorized clients; restricting this
> action to the sponsoring client is RECOMMENDED."
>
> VeriSign often gets registrar requests to open up the RRP STATUS command
> completely so that any client can obtain information about any registered
> domain.  The usual argument to support this request relates to transfers:
> the potential gaining client wants to be able to see what they're getting in
> to before requesting the transfer.  Opening the command up completely
> introduces a data mining risk, so that's why the EPP text is written as it
> is, but without allowing some cross-vision the gaining client has to go to
> an out-of-band mechanism (like whois) to obtain info.  I think we can do
> better with EPP without opening a significant data mining risk.

thanks to competition we now understand how usefull it is to preform a
INFO command on a domain.


> I'm wondering how people feel about adding an optional <authInfo> element to
> the domain <info> command.  Sponsoring clients wouldn't have to use it; they
> can continue to "see" all of the domains they sponsor.  Clients who need to
> see something in the context of a transfer can provide the <authInfo> to see
> domain object info via the protocol, eliminating the need to go out-of-band.
> Data mining protections are still in place because non-sponsoring clients
> who don't have the <authInfo> can't see domains sponsored by other clients.

no.

please don't turn this spec into VeriSigns view of a Domain Registry. Up
till now you have done a good job of engineering but it seems as though
your employer is creeping into your work.

Registrars believe that the status command should be open to all
registrars even those that use RRP and shoreing up your employers position
by altering the <info> command so that your employer can continue to
maintain their position is not the kninds of changes I think we need in
EPP.

> This sort of change would let us tighten up the EPP spec a bit, which should
> help with interoperability.  I know we finished a WG last call, but I'm in
> the docs now working on wrapping up the changes based on last-call comments
> and would like to know how folks feel about this change given their
> operational experience with RRP.

IMHO, we should not support this change, and that VGRS should open up
their status command and VGRS should allow the EPP <info> command on
domains. This is what Registrars have been asking for since the registry
opened, isn't anyone listening?

-rick