Open Q / Discussion: SHOULD Subdomain Registries be providing RDAP/Whois to be included in PSL? #1813
Comments
#1612 as an example has indicated that their whole namespace was flagged by Google Safe Browsing - if this was triggered by enough volume of perps underneath the submitted string that the string was blocked in Chrome. What is not clear about this PR, as it has not been processed, is if the hop.sh namespace had been in the PSL, would Google have handled their blocking differently or at all. Assuming that the action by Google affected legitimate users that were not phishing as a consequence of the parties that were phishing, it seems that as a tradeoff for partitioning the namespace to shelter the impacts is that there should be transparency into the perps directly.
How would this requirement "benefit" the PSL management process? From what I've read above, it sounds like the choice is based on some consumer-specific use-case, and we generally try to stay consumer neutral.
Some "off the top of my head" comments:
Thanks, Gavin. As an author of RDAP stuff widely used, your comments are super appreciated...
Whois was left there as nomenclature because most folk don't recognize what RDAP is.
This topic makes its own gravy, but at a high level it seems like at the very least an abuse contact email or webform URL that can be used to complain about or reach the subdomain operator.
Really good point and I suppose that would need solving, and would be helpful to have some form of top-down RDDS discovery tree that was more friendly to subspaces. Not trying to discuss the bootstrap for the RDDS so much, and that is a problem thirsty for a solution, but rather the objective of this issue was to add more accountability and reachability at the point closest to the problem space due to the affectation that a PSL entry has beyond just cookies, SSL and obvious ones.
Received the following comment: What constitutes a Subdomain Registry?
This seems like perhaps a series of questions that would be good to capture at the intake when requests are being submitted, along with, at very minimum, a means to contact the administrator of the namespace(s) when there is abuse/phishing/pharming/malware etc other activity that requires prompt action.
It seems to be a good idea, the issue is, owners of such lists have to educate a lot of parties how to identify the domain status, contact the party registering etc., so having it in the list as WHOIS:_____ / RDAP:NONE or something like it is ok
Adding Abuse contact or Abuse Form URL may be where we are heading for this
I am going to leave this issue open but create another that is a call for comments on requiring abuse contacts being present in Pull Requests and later close the RDAP / WHOIS requirement as wontfix for now, as that seems heavier touch than should be expected for most submitters where an abuse contact seems very reasonable in contrast.
There is a growing quantity of requests for subdomain eTLD+ with aspirations of offering segmented customer namespace.
Given that registries are increasing the wholesale price of domain names, and the registrars are passing these prices through to the registrant, low-cost options are becoming attractive for hosting providers in order to serve their customers.
Low-cost options help customers start their journey, but unfortunately are also an area that can get exploited for bad things.
Question for the community:
SHOULD these subdomain registries be required, as part of inclusion in the PSL, to provide RDAP / WHOIS lookup server address such that it is possible to directly contact the specifically responsible party for a given subdomain?