Internet Architecture Board

RFC2850

Comments from the Internet Architecture Board (IAB) on “Registration Data Access Protocol (RDAP) Operational Profile for gTLD Registries and Registrars”

Home»Documents»IAB Correspondence, Reports, and Selected Documents»2016»Comments from the Internet Architecture Board (IAB) on "Registration Data Access Protocol (RDAP) Operational Profile for gTLD Registries and Registrars"

On 13 January 2016, the IAB responded to ICANN’s public comment proceeding on Registration Data Access Protocol (RDAP) Operational Profile for gTLD Registries and Registrars. The text of those comments is provided below.

Thank you for the opportunity to provide public comment on the
Registration Data Access Protocol (RDAP) Operational Profile for gTLD
Registries and Registrars.

The Internet Engineering Task Force (IETF) developed RDAP to resolve
the technical shortcomings of WHOIS.  Given the well known issues with
WHOIS, the IAB strongly encourages ICANN and the registration
community to deploy RDAP as soon as possible.  WHOIS lacks support for
authenticated access and differentiated responses.  Since RDAP can
make use of HTTP authentication, the IAB believes that authenticated
access should be part of the first version of the RDAP Profile in
order to significantly decrease the privacy concerns of registration
data exposure.  We believe that failing to include authenticated
access in the RDAP Profile now will result in a very large transition
effort to implement authenticated access and differentiated responses
once a policy that supports them is in place.  We do not believe that
authenticated access will necessarily incur more costs for any users.

The IAB understands that ICANN policy development is needed to
determine which registration data ought to be available to the public
and which registration data deserves additional protection.  We
believe that policy development work should begin immediately.  While
we understand that ICANN cannot approve an RDAP Profile that includes
differentiated responses based on user authentication until that
policy work is complete, we strongly believe that the RDAP Profile can
be specified in such a way that it accommodates the easy introduction
of differentiated responses once the policy is in place.

Finally, the IAB strongly supports running RDAP only over TLS in order
to offer server authentication as well as integrity and
confidentiality for registration data.

Respectfully submitted,
Andrew Sullivan
for the IAB