
June 6, 2003 1

CRISP Overview and Update

Andrew Newton

VeriSign Labs

anewton@ecotroph.net


What’s in a Name?

• CRISP – Cross Registry Internet Service Protocol

• Acknowledges that domain registries are not the only types of registries needed for the operational infrastructure of the Internet.

• Focusing on domain name registries while accepting the responsibility to be extensible.


Some Items covered by CRISP

• Access
– Different answers for different levels of access
– The ability to understand the access limits
– Controls aimed at preventing data mining

• Standard queries and responses

• Referrals
– Indicating where to find data
– Passing state with referrals
– Using DNS to locate data


Items NOT covered by CRISP

• Escrow
– CRISP recognizes the need for data serialization, but that is only one piece of the puzzle for escrow.

• Communications between registry operators
– CRISP is about communicating with the end-user.

• Definitions of access levels
– The CRISP protocol will be able to support multiple levels of access, but it does not define them.


CRISP Goals

• The protocol should define the mechanisms to allow for various policies.

• The protocol should not define policy.

• Allow for data to be decentralized, but define how to find it.

• Define uniform queries and responses.

• Provide access control mechanisms.

• Enable better internationalization.


CRISP non-Goals

• Backwards compatibility with nicname/whois on port 43.

• Provisioning or modification of data.


CRISP Requirements

• draft-ietf-crisp-requirements-05
– http://www.ietf.org/internet-drafts/draft-ietf-crisp-requirements-05.txt

• Lists the consensus of the working group on what needs to be done.

• The extensive effort documents:
– the protocol requirements
– the service context in which they occur


Requirements Sections

• The CRISP functional requirements are broken down into two sections:
– requirements that are general to many types of Internet registries
– requirements that are specific to domain name registries

• The CRISP feature requirements are derived from the functional requirements.


What is the WG doing now?

• The working group has reached consensus on the requirements and has asked for review by the IESG.

• There are two technical protocol proposals before the working group.

• A matrix has been created to judge the proposals against the requirements.


The Two Proposals

• IRIS
– draft-ietf-crisp-iris-core-01
– draft-ietf-crisp-iris-dreg-01
– draft-ietf-crisp-iris-areg-01
– draft-ietf-crisp-iris-beep-01

• FIRS
– draft-ietf-crisp-firs-arch-01
– draft-ietf-crisp-firs-core-01
– draft-ietf-crisp-firs-dns-01
– draft-ietf-crisp-firs-dnsrr-01
– draft-ietf-crisp-firs-contact-01
– draft-ietf-crisp-firs-ipv4-01
– draft-ietf-crisp-firs-ipv6-01
– draft-ietf-crisp-firs-asn-01


Other Work

• There are discussions with the address registries regarding their requirements.
– And they have reviewed the CRISP requirements and are reviewing the protocol proposals.

• Two tangentially related drafts:
– draft-daigle-iris-credreg-00
– draft-newton-iris-lightweight-00


IRIS

• XML-based
– Uses XML Schemas for definition.
– Uses XML namespaces for dividing the various types of registries.

• Queries and results are explicit in the XML syntax.

• Uses BEEP as the default transport.
– Which uses SASL for authentication.


FIRS

• LDAP-based
– Uses a mixture of new object classes and currently defined object classes.
– Uses different branches of the DIT for dividing the various types of registries.

• Queries use the LDAP query syntax.

• LDAP has some basic authentication but also uses SASL for newer methods.


SASL

• Simple Authentication and Security Layer

• Defines a common framework for various authentication methods and security facilities.
– SSL/TLS for client & server authentication and encryption with digital certificates.
– MD5 Digest authentication for sending passwords over an unencrypted session.
– One-Time-Password authentication for limited client or server trust.
– And anonymous for no passwords.
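The "MD5 Digest" mechanism named on this slide, as an added example that is not part of the original presentation: a minimal SASL DIGEST-MD5 (RFC 2831) computation in Python showing that only nonces and hash values cross the wire, while the server checks the client against a stored password equivalent and proves itself back with rspauth. The realm, URI, user name and password are constructed values.

```python
"""SASL DIGEST-MD5 (RFC 2831) response computation with a server-side check.

Constructed demonstration; realm, digest-uri and credentials are made up.
"""
import hashlib
import secrets


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def password_equivalent(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password). A server may store this instead of the
    password, but it is still a secret: whoever holds it can authenticate."""
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, rspauth: bool = False) -> str:
    """'response' (client) or 'rspauth' (server) value, RFC 2831 sec. 2.1.2.1.
    A1 is the *binary* H(user:realm:pass) joined with both nonces; A2 names the
    protected URI, prefixed with the method on the client side only."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + f":{digest_uri}"
    if qop in ("auth-int", "auth-conf"):          # integrity/confidentiality layers
        a2 += ":" + "0" * 32
    kd = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode('utf-8'))}"
    return _md5hex(kd.encode("utf-8"))


def exchange(client_password: str, server_ha1: bytes) -> tuple:
    """One round trip: server challenge, client response, server check, then the
    client checks the server's rspauth. Returns (client_ok, server_ok)."""
    user, realm, uri = "alice", "crisp.example", "iris/crisp.example"
    qop, nc = "auth", "00000001"
    nonce = secrets.token_hex(16)    # server challenge, fresh per session
    cnonce = secrets.token_hex(16)   # client nonce, so a replaying server learns nothing
    client_ha1 = password_equivalent(user, realm, client_password)
    response = digest_response(client_ha1, nonce, cnonce, nc, qop, uri)
    expected = digest_response(server_ha1, nonce, cnonce, nc, qop, uri)
    client_ok = secrets.compare_digest(response, expected)   # constant-time compare
    if not client_ok:
        return False, False
    rspauth = digest_response(server_ha1, nonce, cnonce, nc, qop, uri, rspauth=True)
    server_ok = secrets.compare_digest(
        rspauth, digest_response(client_ha1, nonce, cnonce, nc, qop, uri, rspauth=True))
    return client_ok, server_ok
```

RFC 6331 later moved DIGEST-MD5 to Historic status; among the reasons is that the stored H(username:realm:password) is itself a usable credential, so this mechanism protects the wire but not the server's credential store.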


All this technical jargon is interesting, but what does it mean to a policy maker?


More Possibilities

• The CRISP working group is building a better lock…

• But they will not be making the decisions about who gets the keys.

• To bridge the gap between protocol and policy, a document describing what is technically possible may aid in developing policy.