The WHOIS: security and privacy issues
Giovanni Seppia, CENTR General Manager
Network and Information security: political and technical challenges
Rome, 2-4 November 2005
Introducing CENTR
What is CENTR?
Council of European National Top Level Domain Registries
Forum for TLD managers
– Primarily ccTLDs
  – Also includes gTLDs
– Mainly European
  – Membership from 5 continents
  – Developed and emerging TLD markets, like .AF, .IR
Open to all Top Level Domain Registries in the world
CENTR’s Membership
– AFGNIC Afghanistan (.af)
– STA Andorra (.ad)
– ISOC.AM Armenia (.am)
– NIC.AC Ascension Is. (.ac), Diego Garcia (.io), St Helena (.sh)
– NIC.AT Austria (.at)
– DNS Belgium Belgium (.be)
– Digital Systems Bulgaria (.bg)
– CIRA Canada (.ca)
– CARNet Croatia (.hr)
– UCY-DNS Cyprus (.cy)
– CZ.NIC Czech Republic (.cz)
– DENIC Germany (.de)
– Dansk Internet Forum Denmark (.dk)
– FICORA Finland (.fi)
– AFNIC France (.fr), Mayotte (.yt), Reunion (.re), St. Pierre & Miquelon (.pm), Wallis & Futuna Is. (.wf)
– GibNet Gibraltar (.gi)
– GR-Hostmaster Greece (.gr)
– Island Networks Guernsey (.gg), Jersey (.je)
– CHIP Hungary (.hu)
– IEDR Ireland (.ie)
– IPM Iran (.ir)
– ISNIC Iceland (.is)
– ISOC-IL Israel (.il)
– IT-NIC Italy (.it)
– JPRS Japan (.jp)
– LITNET NOC Lithuania (.lt)
– LATNET Latvia (.lv)
– RESTENA DNS-LU Luxembourg (.lu)
– NIC Malta Malta (.mt)
– NIC-Mexico Mexico (.mx)
– SIDN Netherlands (.nl)
– ISOCNZ New Zealand (.nz)
– NORID Norway (.no), Bouvet Is. (.bv), Svalbard & Jan Mayen Is. (.sj)
– Palestinian Registry Palestine (.ps)
– NASK Poland (.pl)
– FCCN Portugal (.pt)
– RNC Romania (.ro)
– Ros-NIIROS Russia (.ru)
– RED.ES Spain (.es)
– ARNES Slovenia (.si)
– IIS Sweden (.se)
– SWITCH Switzerland (.ch), Liechtenstein (.li)
– SITA (.aero)
– Vatican – Holy See (.va)
– Nominet UK United Kingdom (.uk)
– NeuStar United States of America (.us)
– VeriSign (.com, .net)
– Afilias (.info)
– Public Interest Registry (.org)
CENTR’s structure
– Executive Committee: 5 members who steer the organisation in accordance with the members’ wishes
– Secretariat: 4 people who carry out the work as requested by the members
CENTR’s output
– Newsletter, “Domain Wire”, 2 issues a year
– Surveys
  – A-level survey, covering the main aspects of registry management
  – B-survey, covering legal issues related to registries
  – Other surveys upon request of our members
– Comments and positions on several topics that may have an impact on our members
– Outreach programme, providing registries of developing countries with financial and technical support
CENTR in the international arena
– The European Commission participates in CENTR as an observer. Government representatives may also attend.
– Regular meetings with DG INFSO & Media, including the GAC Secretariat, and with the Cabinet of Commissioner Reding
– At present, co-operation with the Data Protection Unit of DG Justice, Freedom and Security on WHOIS-related topics
– Associate member of the European Internet Foundation
– Regular participation in all the international Internet fora and meetings
CENTR’s long term vision
– Expanding the dialogue among registries, governments and international bodies
– Developing best practice by encouraging exchange amongst registries
– Improving the reliability and stability of the Internet through improved DNS practices
– Working closely with other Internet organisations
CENTR and the WSIS-WGIG process
It is fundamental to distinguish between:
– Those issues that may require restructuring of the present arrangements
– Those that can be (and are expected to be) resolved within the existing frameworks
Most issues are local and regional: best solved within countries, not globally
The “free spirit” of the Internet is crucial for any future development
Industry statistics
Domain name base growth 2001 – Q2 2005*
At the end of the second quarter 2005, there were 82,9 million domain names registered worldwide. This represents a nearly 8% growth over the first quarter of 2005 and a 28% increase over last year.
.com remains the largest Top Level Domain (TLD) in terms of its total base of registrations, followed by .de (Germany), .net and .uk (United Kingdom).
*courtesy of VeriSign
Industry growth and composition*
*courtesy of VeriSign
Over 8 million new domain names were registered in the second quarter of 2005.
The ccTLDs as a group account for 35% of these, followed by .net at 7%.
ccTLD breakdown 2002 – Q1 2005*
*courtesy of VeriSign
Out of the more than 240 ccTLDs, the top ten account for 71% of all ccTLD registrations.
ccTLDs compete with gTLDs and each other.
Top ccTLD registries by domain name base, Q2 2005
1. .de (Germany)
2. .uk (United Kingdom)
3. .ar (Argentina)
4. .nl (Netherlands)
5. .it (Italy)
6. .us (United States)
7. .br (Brazil)
8. .ch (Switzerland)
9. .cn (China)
10. .jp (Japan)
WHOIS and security issues
CENTR and WHOIS
In 2004, CENTR members started to work on a document that was meant to provide information on:
– WHOIS
– Policies on WHOIS services
– Administrative and technical aspects of WHOIS services
– WHOIS checklist
What is WHOIS?
Originally:
– A simple network protocol for sharing contact information relating to a domain
– Designed to aid network engineers in contacting domain administrators to maintain the stability of the Internet
Over time, it has taken on a second meaning:
– The database of contact information relating to domains, no matter how it is presented (i.e. over WHOIS, via a web page, or using other methods)
Now there are over 80 million domain names registered worldwide
– The uses for WHOIS services have expanded
WHOIS and ccTLDs
– Country Code Top Level Domain registries are accountable to the local communities they serve
– Relations between ccTLDs and their registrars are generally made through bilateral agreements
– Each ccTLD must establish and enforce any privacy policy in accordance with applicable laws
Who uses WHOIS?
The OECD stated that “WHOIS data is a critical source of information that assists in accurately identifying the registrants of domain names”
WHOIS is generally used by:
– Network operators
– Registries and registrars
– Registrants (i.e. consumers)
– Business users
– Law enforcement personnel
Information availability
For gTLDs, public availability is requested by ICANN through the Registrar Accreditation Agreement, which requires registrars to collect data directly from the registrants
Information to be available:
– Name of authoritative name servers
– Identity of the registrar
– Date of initial registration
– Current expiration date
– Name and postal address of the name holder
– Name, postal address, e-mail address, telephone and fax numbers of the technical contact for the registered name
– Name, postal address, e-mail address, telephone and fax numbers of the administrative contact for the registered name
Data accuracy
The survey undertaken by the WHOIS taskforce of ICANN in 2002 revealed that a high percentage of the WHOIS data is incomplete, inaccurate or outdated
The ccTLDs have established some methods to improve the accuracy of the WHOIS data
Administrative aspects of a WHOIS service
Registries and registrars need to consider the impact of complying with relevant data protection requirements
– Declarations of data collection and usage
– Source for legislation about data protection
– The “controller” of the data
– Usage of personal data
– Transfer of data to third parties
– Information on the rights of the registrant and its ability to enforce them
– The right to refuse data to be displayed on the WHOIS
– The possibility to access its own data
– Ability to correct or delete held data
Technical aspects of a WHOIS service
Registries may have put in place some technical measures to run a WHOIS service in compliance with administrative requirements:
– Data security
– Access to data
– Tiered access
– Opt-in/opt-out provisions
– Searchability
Security issues summary
– Level of data in the database
– Controls on queries
– Indirect vectors to get into WHOIS
Primary goal: Run the service, protecting the rights of the registrant
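An added example, not from the CENTR paper or any registry's own code, showing how the technical measures above (tiered access, opt-in/opt-out provisions, controls on queries) and the fields listed under Information availability can be combined in one small WHOIS responder that builds the text a query-over-TCP service would return. The registry records, the tier names and the query limit are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample registry records: no real registrants or domains.
REGISTRY = {
    "example.tld": {
        "registrar": "Example Registrar Ltd",
        "nameservers": "ns1.example.tld ns2.example.tld",
        "created": "2001-05-12", "expires": "2006-05-12",
        "holder": {"name": "Jane Doe", "address": "1 High St, Exampletown",
                   "email": "jane@example.tld", "phone": "+00 000 0000",
                   "natural_person": True, "opt_out": True},
    },
    "acme-corp.tld": {
        "registrar": "Example Registrar Ltd",
        "nameservers": "ns1.acme-corp.tld ns2.acme-corp.tld",
        "created": "2003-09-01", "expires": "2006-09-01",
        "holder": {"name": "Acme Corp", "address": "2 Industry Rd, Exampletown",
                   "email": "hostmaster@acme-corp.tld", "phone": "+00 000 0001",
                   "natural_person": False, "opt_out": True},  # not honoured for legal persons
    },
}
PUBLIC_FIELDS = ("registrar", "nameservers", "created", "expires")
QUERY_LIMIT = 3  # per-client query budget; a policy value, not a protocol one


@dataclass
class WhoisService:
    # client_id -> access tier; anyone not listed is "public" (tier names assumed)
    tiers: dict
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def lookup(self, client_id: str, query: str) -> str:
        """Answer one WHOIS query: query line in, text response out."""
        self.counts[client_id] += 1
        if self.counts[client_id] > QUERY_LIMIT:  # control on queries (volume)
            return "% Query limit exceeded\r\n"
        domain = query.strip().lower()
        rec = REGISTRY.get(domain)
        if rec is None:
            return f"% No match for {domain}\r\n"
        lines = [f"domain: {domain}"] + [f"{k}: {rec[k]}" for k in PUBLIC_FIELDS]
        holder = rec["holder"]
        tier = self.tiers.get(client_id, "public")
        # Opt-out is honoured only for natural persons and only at the public tier;
        # accredited clients (tiered access) always receive the full contact record.
        if tier == "public" and holder["natural_person"] and holder["opt_out"]:
            lines.append("holder: REDACTED (registrant opted out)")
        else:
            lines += [f"holder-{k}: {holder[k]}" for k in ("name", "address", "email", "phone")]
        return "\r\n".join(lines) + "\r\n"
```

The registration, registrar and name-server fields are always returned, so the service still serves the network-operator use case while the personal contact data of an opted-out individual is visible only to accredited tiers.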
CENTR WHOIS paper
– Developed as a reference document of guidelines
– Not mandatory for CENTR members
– Provides a framework to help them develop suitable policies and procedures that comply with international legislation and regulations
– Highlights some basic aspects of the WHOIS services, offering a checklist
WHOIS checklist
– Create a privacy policy
– Make the privacy policy available at all times
– Ensure that you can get a specific consent from the registrant
– Give the registrant the possibility to read, rectify or remove personal data contained in the registry database
– Use the data strictly in accordance with the policy
– Third party access
– Maintaining the database