‘The EU is working on NIS2 security regulations.’
My modeling for specifying data exchange and building forms
IT professionals can use knowledge sharing in teams
Several Dutch national registers could speed up their IT with experiences of the Dutch Land Registry. E.g. to improve scores:
from 80% to 100%: https://en.internet.nl/mail/registrars.sidn.nl/749544/
from 95% to 100%: https://en.internet.nl/mail/www.sidn.nl/759626/
from 48% to 100%: https://en.internet.nl/site/whois.domain-registry.nl/1714222/
from 80% to 100%: https://en.internet.nl/mail/whois.domain-registry.nl/786430/
How to follow the NIS2 security directive for much needed regulation?
- For Whois file management, the respective Trade Register generates and supports web_ids;
- Interface fields must be functionally readable as well as technically working. Names such as
‘Registrar Registration Expiration Date’,
‘Registrant Organization’ (where applicable),
‘Registrar Registration Data (WHOIS) Server’,
can be made clear to any user, for example as:
‘registrant_trade_name’ (a field that is visible anyway);
Note: The EU term ‘Essential Provider’ does, I think, complicate matters.
- Whois data exchange is only in variable-width ‘UTF-8’ character encoding;
- To justify publication of (search engine) results, ‘domain_web_publish’ must be on ‘yes’;
- To protect the customer, the supplier name of the URL is shown behind the padlock in the address bar;
- Registry-Registrar-User interfaces recognize a ‘Non-business use’ vs. a ‘Business use’ type;
- Privacy protected values are made clearer by fields such as ‘registrant protected’.
- The Registrar ‘Abuse’ fields are visible and located in a Registrar information block;
- The route security ‘DNSSEC’ yes / no field is located in a name server information block;
- For business transparency, the ‘registrant_trade_name’ value is visible to the public;
- For privacy reasons, the ‘registrant_personal_name’ value is privacy protected;
- To check off, the ‘registrant_trade_name’ and ‘registrant_personal_name’ fields are shown;
- The administrative e-mail address and technical e-mail address(es) are visible;
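The field rules above (trade name public, personal name protected, abuse contacts in the registrar block, DNSSEC in the name server block, ‘domain_web_publish’ for search engines, UTF-8 only exchange) can be expressed as a small function that derives the public Whois view from a full record. The code below is an added example and not code from this page or from any registry; the record layout and field names such as ‘use_type’, ‘registrant_protected’ and ‘domain_web_publish’ are assumptions chosen to mirror the list, and the sample record is constructed.

```python
import json

# Added example, not code from the page. The record layout and the field names
# 'use_type', 'registrant_protected' and 'domain_web_publish' are assumptions.

REDACTED = "privacy protected"

# Constructed sample registration record (all values invented for illustration).
SAMPLE_RECORD = {
    "domain": {
        "name": "voorbeeld.nl",
        "use_type": "Business use",       # or "Non-business use"
        "domain_web_publish": "yes",      # search engines may list the domain only if "yes"
    },
    "registrant": {
        "registrant_trade_name": "Voorbeeld Handel B.V.",
        "registrant_personal_name": "J. Jansen",
        "registrant_protected": "yes",
        "admin_email": "admin@voorbeeld.nl",
        "tech_email": ["tech@voorbeeld.nl", "noc@voorbeeld.nl"],
    },
    "registrar": {
        "registrar_name": "Voorbeeld Registrar",
        "abuse_email": "abuse@registrar.example",
        "abuse_phone": "+31 00 0000000",
    },
    "nameservers": {
        "hosts": ["ns1.voorbeeld.nl", "ns2.voorbeeld.nl"],
        "dnssec": "yes",
    },
}


def public_view(record: dict) -> dict:
    """Build the public Whois output from a full record, applying the field
    rules listed above. Returns separate information blocks and never returns
    the personal name in clear text."""
    domain = record["domain"]
    registrant = record["registrant"]
    business = domain["use_type"] == "Business use"

    registrant_block = {
        # Business transparency: the trade name of a business-use domain is public;
        # for non-business use the name is treated as protected (assumption).
        "registrant_trade_name": registrant["registrant_trade_name"] if business else REDACTED,
        # Privacy: the personal name is always protected in the public view.
        "registrant_personal_name": REDACTED,
        # Shown so a reader can tell that a value exists but is protected.
        "registrant_protected": registrant["registrant_protected"],
        # Administrative and technical e-mail addresses stay visible.
        "admin_email": registrant["admin_email"],
        "tech_email": list(registrant["tech_email"]),
    }
    return {
        "domain": {
            "name": domain["name"],
            "use_type": domain["use_type"],
            "domain_web_publish": domain["domain_web_publish"],
        },
        "registrant": registrant_block,
        # Abuse contacts live in the registrar information block.
        "registrar": dict(record["registrar"]),
        # The DNSSEC yes/no field lives in the name server information block.
        "nameservers": dict(record["nameservers"]),
    }


def may_publish_search_results(record: dict) -> bool:
    """A search engine checks 'domain_web_publish' before listing the domain."""
    return record["domain"].get("domain_web_publish") == "yes"


def encode_for_exchange(view: dict) -> bytes:
    """Whois data exchange uses UTF-8 only: serialise without ASCII escaping so
    non-ASCII names travel as UTF-8 bytes rather than backslash-u escapes."""
    return json.dumps(view, ensure_ascii=False, sort_keys=True).encode("utf-8")


if __name__ == "__main__":
    view = public_view(SAMPLE_RECORD)
    print(encode_for_exchange(view).decode("utf-8"))
```

The split into blocks is deliberate: a registrar can render each block independently, and the personal name never leaves the function, so a bug in the presentation layer cannot leak it.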
About main rules
- For segregation of duties, a domain holder is primarily responsible for his domain data;
- For business transparency, a domain used for business is of type ‘Business use’;
- A domain used for business has a legal name of the responsible entity visible;
- The Registrar ‘Abuse’ information provides a contact option for a third party.
- Mail delivery to a Whois contact may not be delayed by forwarding manually;
- Forwarding can be authorized. SPF ‘-all’ setup combines with forwarding via SRS.
See also my https://webhostingtech.nl/monitoring-email/solve-exim-issues/
- For Whois identification, the data infrastructure is subject to indirect costs;
- For Registrar Whois identification, updating data is subject to indirect costs;
- For phased Reseller Whois identification, updating data is subject to indirect costs;
- For phased Registrant Whois identification, updating data is subject to indirect costs.
My key points for working Whois
- Whois lookup is intended for both technical and functional purposes;
- A correct domain registrant and the contacts need periodical verification;
- Regulations can work after narrowing down physical scenarios first;
- Authorization for legal requests would work through the country-level registers;
- Country-level registers are better able to handle incorrect registrations than registries;
- Sovereign countries can do without the central gateway, accreditation authority and identity providers;
- Technical specification, standardization of cost handling and legal regulation may provide high availability and reliability;
- In Whois, domain business purposes can be transparent without any individual privacy concerns;
- Fine-tuning at country level requires an adequate data structure first;
- US/EU lawyers can work together to technically cover country-specific needs;
- Similar to user level, technical personnel often deal passively with necessary actions;
- Technology-infused delivery of legal preparation isn’t too hard to achieve;
- When duties can be separated, separation can help, e.g. the four-eyes principle;
- Whois tools that actually work require to-do lists for all expertise.
How to correct web domain information with a registrar
List of ICANN-accredited registrars
Whois Data Reminder Policy (WDRP) for compliance
Querying databases that store the registered users or assignees of an Internet resource
Current iteration of the WHOIS protocol drafted by the Internet Society
Compare the uniform Database Language SQL (Structured Query Language)
- issue: Registrars are pressed for tracing further data in legal matters.
proposal: Opt, through a web ID that validates, for reference to country-level data;
- issue: Registries make verification work. A registry can decide on a domain registrant name.
Periodic verification is technically possible after entering a web ID.
Strict verification, without any interpretation, is case sensitive and includes dots.
Registrant, registrant name, registrar, registrar name, reseller and reseller name are relevant.
Note: E.g. Google Search provides a ‘google-site-verification’ value to put in the DNS.
proposal: Opt for technical specification so that countries can realize data retrieval;
- issue: There are so-called ‘thick’ and ‘thin’ Whois servers, with one or two queries.
proposal: If performance demands, choose one type of Whois server;
- issue: The DNSSEC field (suite of security extensions to the DNS) needs proper explanation.
proposal: A field definition and explanation that meet all needs are still to be worked out and addressed;
- issue: A possible change of the name of the registrant must also be justified.
proposal: US/EU lawyers agree how to define legal name change of the registrant;
- issue: Use of the web ID to be introduced, should be restricted.
proposal: US/EU lawyers agree how to define use of a fake web ID as forgery;
- issue: Search engines (like Google) publish search results from private web domains.
issue: Search results are still published for a canceled domain.
proposal: US/EU lawyers agree about publishing search results only if ‘web_publish’ is on yes;
- issue: A customer may register / renew through a registry for longer than one year.
proposal: US/EU lawyers agree to register / renew for one year for realistic registration;
- issue: A registry can now decide unilaterally in a dispute with a registrar.
issue: Country-level registers can evolve into professional dispute resolution.
proposal: US/EU lawyers try to improve handling of disputes;
- issue: A registrant, registrar and registry do refuse to act on a spelling mistake.
proposal: US/EU lawyers introduce a legal limitation in case of misspelling.
E.g. the Dutch ‘Vereniging Van Registrars’ exists when spelled as ‘Vereniging van Registrars’;
- issue: Checking Whois for financial statements has not yet been analyzed as legal.
issue: Segregation of duties of the contacts and answer time require attention too.
proposal: US/EU lawyers update the analyzed six legal gTLD Whois purposes;
- issue: Primary responsibility and/or physical capability need a clear segregation of duties.
need: A top-level domain zone (the end part of a web domain) is assigned to a registry.
need: A domain registry owns domains in their zone(s).
need: A domain registrar handles the reservation of domains and IP address routing.
need: A domain registrant holds a domain from a registry.
need: A registry assigns a domain to a registrant and cancels it if necessary.
need: Primary responsibility limits to registrant (/ reseller) level of physical capability.
need: Support attaches a report by a third party to a customer account.
need: An administrative contact answers and addresses a reported issue for a solution.
need: One of the technical contacts responds to resolve a malfunction notification.
need: A domain registrant’s liability for harmful content and actions is limited, based on separated responsibilities of the contributing parties.
proposal: US/EU lawyers work towards basic explanations in short sentences;
- issue: Privacy for admin-c is not a problem by using a specific functional email address.
proposal: US/EU lawyers agree on admin_email for legal matters, change of registrant, etc.;
- issue: A reseller may have agreements such as to protect customer data.
proposal: US/EU lawyers write generic reseller conditions (see eg the .nl zone);
- issue: Court decisions deal with issues related to ownership aspects of web domains.
need: A domain is kept out of liquidation if another intended registrant paid for it.
need: Domains are included in the transfer of ownership of a company.
proposal: US/EU lawyers introduce specific web domain regulation;
- issue: A web domain may contain confidential information from the previous registrant.
proposal: US/EU lawyers define moved data, similar to letter secrecy;
- issue: Country-level registers need to start validating domain holdership.
issue: A registrar can mask with an existing name such as ‘Privacy Protected by Hostnet’.
issue: The EU puts pressure on companies that cannot take all responsibility for failures.
issue: The registrant and his country-level registry can perform checks and adjustments.
need: The country-level register provides a domain overview of a company behind its login.
need: The country-level register provides a Whois check of a company behind its login.
need: The country has a duty of care with regard to the correctness of the registered data.
proposal: US/EU lawyers formulate a country’s legal basis for a web domain overview;
- issue: As for the .eu zone, the countries in the European Union are not all countries in Europe.
proposal: EU lawyers propose something like ‘EU Domain Registry vzw’ instead of ‘EURid vzw’.
Fields and values
- issue: Search engines may check Whois on ‘domain_web_publish’: yes / no.
proposal: A new ‘domain_web_publish’ table field (and public Whois-XML) would fit;
- issue: Web browsers may check on yearly holdership renewal (such as for HTTPS).
proposal: A new ‘domain_transaction’ field would be informative when a year passes;
- issue: A web ID works effectively to verify a registrant and one of the registrant’s names.
E.g. ‘icann.org’ of ICANN (incorporated, mutual-benefit nonprofit corporation ‘iCANN’).
E.g. ‘ca.gov’ in Whois for ‘.gov’ of organization ‘State of California’.
With the many spelling mistakes, acceptance of auditing is still a long way off.
proposal: Specify a web ID format, such as the IBAN bank account code.
Registrar and domain (registrant and reseller) fields with a 34-character code may have a two-letter (ISO) country code, two digits for internal validation, ‘COMM’ and up to 26 characters within a country, such as ‘NL88COMM01234567890123456789012345’, in uppercase;
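The IBAN-like web ID format proposed above (two-letter country code, two check digits, ‘COMM’, up to 26 characters, 34 characters at most, uppercase, strict matching) is small enough to validate completely. The validator below is an added example, not code from this page or from any register; it assumes that the two validation digits use the same ISO 7064 mod 97-10 scheme as IBAN, which the page suggests but does not specify. Under that assumption the page's own sample ‘NL88COMM01234567890123456789012345’ checks out.

```python
import re

# Added example, not the page's code. The check-digit scheme (ISO 7064 mod 97-10,
# as used by IBAN) is an assumption; the page only says "such as the IBAN code".

# Country code, two check digits, literal 'COMM', then up to 26 uppercase
# alphanumerics: 2 + 2 + 4 + 26 = 34 characters at most.
WEB_ID_RE = re.compile(r"([A-Z]{2})([0-9]{2})(COMM)([A-Z0-9]{1,26})")


def _to_number(s: str) -> int:
    """Map letters A..Z to 10..35 as IBAN does, keep digits, read as an integer."""
    return int("".join(str(ord(c) - 55) if c.isalpha() else c for c in s))


def check_digits(country: str, body: str) -> str:
    """Compute the two check digits for a country code and a body such as
    'COMM01234567890123456789012345' (IBAN method: body + country + '00')."""
    remainder = _to_number(body + country + "00") % 97
    return f"{98 - remainder:02d}"


def parse_web_id(web_id: str):
    """Return (country, check_digits, body) for a well-formed, checksum-valid
    web ID, otherwise None. Validation is strict, as the page asks: no case
    folding, no stripping of spaces or dots, no interpretation."""
    m = WEB_ID_RE.fullmatch(web_id)
    if m is None:
        return None
    country, check, fixed, rest = m.groups()
    body = fixed + rest
    # The rearranged value body + country + check must leave remainder 1 mod 97.
    if _to_number(body + country + check) % 97 != 1:
        return None
    return country, check, body


def is_valid_web_id(web_id: str) -> bool:
    """True only for an ID that passes both the format and the check-digit test."""
    return parse_web_id(web_id) is not None


if __name__ == "__main__":
    sample = "NL88COMM01234567890123456789012345"   # sample value from the page
    print(sample, is_valid_web_id(sample))
    print(check_digits("NL", "COMM01234567890123456789012345"))
```

A registry or country-level register can run `is_valid_web_id` at the interface before any lookup, so that a mistyped or lower-cased ID is rejected locally instead of producing a failed cross-register query.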
- issue: Protected field values need proper communication.
proposal: A new field ‘protected’ in the contact table;
- issue: Country-level web IDs are required to retrieve the registrant.
Country business registers can meet an important need.
Whether or not data is displayed is country specific.
Lawyers can negotiate carefully at country level (not the EU).
Shared sovereignty, as in the EU, would slow down negotiation.
proposal: Country-level politicians agree on implementation of web IDs;
- issue: Country-level registers need to guarantee web IDs.
Note: The Sarbanes-Oxley Act also took time for countries to adopt.
proposal: Country-level registers adopt a generic data structure;
- issue: A country-level register, such as KVK in NL, charges for solid lookups.
proposal: Verification in a country-level register should become free of charge;
- issue: Country-level registers may charge for enabling web IDs.
proposal: Verification costs for a country-level register must be indirect.
Registry interface and registrar menu
- issue: ‘Private person’ or ‘Company’ do not cover registrant name protection properly.
proposal: ‘Personal use’ (or ‘Non-business use’) vs. ‘Business use’ is clearer about name protection.
- issue: A regional server / application for Whois must function without centralization.
At table level the contact data already have their specific table structure.
At XML level, the large number of fields, such as ‘registrant_contact_id’, is not a problem.
A registry doesn’t need to immediately convert field names, without standardization.
Search based on the web ID must be able to retrieve from / via each country-level register.
Unicode works to handle all kinds of character sets worldwide.
Data sharing of type ‘all’ with registrars for the .nl zone may conflict with GDPR.
Data sharing of type ‘public’, I think, would fit. See my XML file and output with PHP.
proposal: An application based on HTML / PHP / Python / XML / Docker / Azure;
- issue: The UK is not a valid domicile anymore to hold a .eu domain as former EU country.
proposal: Such a change requires simple validation to check and maintain;
- issue: Registries may charge for a web ID enabled Whois application.
proposal: Costs of a regional server / application must be indirect.
- issue: Economies-of-scale cost advantages are achieved in both period and variable costs.
proposal: A variable cost advantage is reduced, even to zero;
- issue: Legal updating at a registry can be a variable cost component equal to zero.
proposal: Include updating details in annual costs and no longer pass on variable costs;
- issue: A registry looks over and manages its registrar’s information. Charging looks illegal.
proposal: Include updating registrar details in period costs for a registrar;
- issue: Volume discount and direct debit discount for ‘.nl’ are called ‘expenses’ by SIDN.
issue: Incentive programs for ‘.nl’ at SIDN up to 0.40 euro off the domain fee are significant.
E.g. 8% volume discount from 100,000x and 2.5% direct debit discount at SIDN.
proposal: Registries charge registrars with no discount;
- issue: Billing for a new or relocated domain is not cost-driven for the fiscal year.
E.g. 0.60 euro for the first year at a domain provider for ‘.nl’.
proposal: The fee for the first year of a domain is 6/12 of the renewal fee per year;
- issue: Customers unnecessarily commit for two or three years.
proposal: Customers simply register and automatically renew for one year.