limited information on .nl whois and offered solution for CA's
Maarten Simon
Browser Forum last week. Please contact me for details and the
standard agreement.
Dear all,
I am writing to you as general counsel of SIDN, the registry for .nl.
SIDN has decided to limit the information published in the public
whois. From January 12, 2010 we will no longer publish the address of
the registrant, the names and telephone numbers of the admin-c and the
tech-c. We will still publish the name of the registrant and the name
and address of the registrar, as well as the status of the domain, the
e-mail addresses of the admin-c and tech-c date of registration and
the name server data.
When we informed the public and our registrars of this change at the
end of November of last year, we learned that this limitation will
cause problems for the CA’s as they use the whois to verify
information in the process of the issuance of SSL-certificates. In the
meantime we have decided that we will offer CA’s access to the full
whois data to do their checks as a paid service. Attached you will
find the standard contract that will apply. Because of the short
period in which we had to come up with this solution we did not have
time to discuss this solution with the CA industry. We suggest the
CA’s to start working under the aforementioned contract and separately
discuss if this is a suitable solution and if necessary discuss
alternatives.
If you have any questions, please contact me.
Best regards,
Maarten Simon
General Counsel
SIDN | Utrechtseweg 310 | 6812 AR | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 34
maarte...@sidn.nl | www.sidn.nl
Paul van Brouwershaven
> When we informed the public and our registrars of this change at the
> end of November of last year, we learned that this limitation will
> information in the process of the issuance of SSL-certificates. In the
> whois data to do their checks as a paid service. Attached you will
> find the standard contract that will apply. Because of the short
> period in which we had to come up with this solution we did not have
> time to discuss this solution with the CA industry. We suggest the
> discuss if this is a suitable solution and if necessary discuss
> alternatives.
The contract was not attached in this mail, you can find the contract at:
http://www.sidn.nl/ace.php/c,728,6246,,,,Whois_access_for_CAs.html
Gervase Markham
> http://www.sidn.nl/ace.php/c,728,6246,,,,Whois_access_for_CAs.html
€200 per quarter, in advance. What if everyone did this?
gerv@kitten:/$ wget http://data.iana.org/TLD/tlds-alpha-by-domain.txt
...
gerv@kitten:/$ wc -l tlds-alpha-by-domain.txt
281 tlds-alpha-by-domain.txt
One of those lines is a comment, and 11 are test IDN TLDs.
€200 * 4 * (281 - 12) = €215,200 (£191,711, US$311,704) per year.
Hmm...
Gerv
Varga Viktor
Üdvözlettel/Regards,
Varga Viktor
Üzemeltetési és Vevőszolgálati Vezető
IT Service and Customers Service Executive
Netlock Kft.
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
> _______________________________________________________________________
> Ezt az e-mailt virus- es SPAM-szuresnek vetettuk ala a filter:mail
> MessageLabs rendszerrel. Tovabbi informacio: http://www.filtermax.hu
>
> This email has been scanned for viruses and SPAM by the filter:mail
> MessageLabs System. More information: http://www.filtermax.hu
> _______________________________________________________________________
> _
_______________________________________________________________________
Ezt az e-mailt virus- es SPAM-szuresnek vetettuk ala a filter:mail MessageLabs rendszerrel. Tovabbi informacio: http://www.filtermax.hu
This email has been scanned for viruses and SPAM by the filter:mail MessageLabs System. More information: http://www.filtermax.hu ________________________________________________________________________________________
Paul van Brouwershaven
> Will somebody use after this a .nl domain? :)
This policy change of the .nl registry is not a problem for the end-user but the CA who can't issue
OV/EV certificates to this almost 4 million domains as long they don't sign this agreement.
I must agree that this is a 'service fee' of €200 per quarter is high for a free whois data
verification. (which is positive for the registry)
On 13-1-2010 09:27, Maarten Simon wrote:
> We suggest the CA’s to start working under the aforementioned contract and separately discuss if
this is a suitable solution and if necessary discuss alternatives.
I think they understand the problem and this is only a short time solution to have a work around for
the time being.
Varga Viktor
Will be there some kind of electronic, pay by query use?
Pay by query beca ause its possible, to have sometimes an .nl request at s, but it will never reach the 200€ value.
Electronic, because its a joke to sign an agreement about the DNS queries, by a CA, which issues singer certificates, for whois data on PAPER? :)
Another question:
Is there any competitor of you in this market? Or the SIDN was a goverment delegated authority for this job?
Because as a monopolic Service Provider of these information and without competition maybe this will fail, if more investigated because the EU antitrust rules? :)
Please make some competition, like the CAs have. :)
Üdvözlettel/Regards,
Varga Viktor
Üzemeltetési és Vevőszolgálati Vezető
IT Service and Customers Service Executive
Netlock Kft.
> -----Original Message-----
> From: dev-security-policy-bounces+varga_v=netlo...@lists.mozilla.org
> [mailto:dev-security-policy-
> bounces+varga_v=netlo...@lists.mozilla.org] On Behalf Of Paul van
> Brouwershaven
> Sent: Tuesday, February 02, 2010 10:32 AM
> To: dev-secur...@lists.mozilla.org
> Subject: Re: limited information on .nl whois and offered solution for
> CA's
>
> On 1-2-2010 19:49, Varga Viktor wrote:
> > Will somebody use after this a .nl domain? :)
> There are 3.735.393 .nl domains registered, it's one of the largest
> ccTLDs.
>
> This policy change of the .nl registry is not a problem for the end-
> user but the CA who can't issue
> OV/EV certificates to this almost 4 million domains as long they don't
> sign this agreement.
>
> I must agree that this is a 'service fee' of €200 per quarter is high
> for a free whois data
> verification. (which is positive for the registry)
>
> On 13-1-2010 09:27, Maarten Simon wrote:
> > We suggest the CA’s to start working under the aforementioned
> contract and separately discuss if
> this is a suitable solution and if necessary discuss alternatives.
>
> I think they understand the problem and this is only a short time
> solution to have a work around for
> the time being.
Paul van Brouwershaven
> Will be there some kind of electronic, pay by query use?
Netherlands we asked the Dutch domain registry for a solution and they provided one.
The discussion is open, and for CAs who do thousands of organization vatted certificates on .nl this
is a better solution then not being able to lookup whois information.
Maarten Simon from SIDN should be able to answer your questions.
> Pay by query beca ause its possible, to have sometimes an .nl request at s, but it will never reach the 200€ value.
In the current setup your IP gets whitelisted, so you can easly do the query to there registrar
whois server which will provide the full details of the registrant. We have spoken about a manual
request, but this will delay every issue and with ten thousands of organization vatted certificates
in the Netherlands this we give a huge load on the registry.
> Electronic, because its a joke to sign an agreement about the DNS queries, by a CA, which issues singer certificates, for whois data on PAPER? :)
If you don't have a lot certificates on .nl you should maybe find an other way to validate the
domain name ownership or start the discussion with SIDN as Maarten requested in his initial post!
> Another question:
> Is there any competitor of you in this market? Or the SIDN was a goverment delegated authority for this job?
Sorry, do you know what a domain registry does?
> Because as a monopolic Service Provider of these information and without competition maybe this will fail, if more investigated because the EU antitrust rules? :)
> Please make some competition, like the CAs have. :)
Off-topic, I will ignore this comments.
Varga Viktor
> > Will be there some kind of electronic, pay by query use?
> Not that I know, but I work for Networking4all and not for SIDN. As the
> largest SSL reseller in the
> Netherlands we asked the Dutch domain registry for a solution and they
> provided one.
Sorry for this, this piece of info was missed by me.
> The discussion is open, and for CAs who do thousands of organization
> vatted certificates on .nl this
> is a better solution then not being able to lookup whois information.
Yes it is better than nothing.
> Maarten Simon from SIDN should be able to answer your questions.
>
> > Pay by query beca ause its possible, to have sometimes an .nl request
> at s, but it will never reach the 200€ value.
> In the current setup your IP gets whitelisted, so you can easly do the
> query to there registrar
> whois server which will provide the full details of the registrant. We
> have spoken about a manual
> request, but this will delay every issue and with ten thousands of
> organization vatted certificates
> in the Netherlands this we give a huge load on the registry.
>
> If you don't have a lot certificates on .nl you should maybe find an
> other way to validate the
> domain name ownership or start the discussion with SIDN as Maarten
> requested in his initial post!
As I see, you put him into the CC field. Thank you.
>
> > Another question:
> > Is there any competitor of you in this market? Or the SIDN was a
> goverment delegated authority for this job?
> Sorry, do you know what a domain registry does?
Yes, i know, but i don't know the local legislation in NL, and how the control over the .NL was delegated.
Sometimes are jobs, which are delegated for an organization in a country by the local law, like in Hungary the fund transfer between the financial banks, or the certification of the Cryptographic devices.
If I see the crypto device certification case, there is competitor because a crypto device certified in the EU you have the choice to select a certifier from an other country, because a crypto device in an EU country certified has the certification for the the EU, not only in the local country.
Is this scenario applies to the whois query? Is there an other source with full data, but a competitable price or service? Or this is a monopolic service?
Üdvözlettel/Regards,
Varga Viktor
Üzemeltetési és Vevőszolgálati Vezető
IT Service and Customers Service Executive
Netlock Kft.
Paul van Brouwershaven
>>> Another question:
>>> Is there any competitor of you in this market? Or the SIDN was a
>> goverment delegated authority for this job?
>> Sorry, do you know what a domain registry does?
>
> Yes, i know, but i don't know the local legislation in NL, and how the control over the .NL was delegated.
> Sometimes are jobs, which are delegated for an organization in a country by the local law, like in Hungary the fund transfer between the financial banks, or the certification of the Cryptographic devices.
>
> If I see the crypto device certification case, there is competitor because a crypto device certified in the EU you have the choice to select a certifier from an other country, because a crypto device in an EU country certified has the certification for the the EU, not only in the local country.
competition and there couldn't be competition from a TLD with the same name. Of course poeple could
decide to use a .com or .eu (or every other TLD), but they want .nl because thats the TLD for there
country and thats the primarily domain used in the country.
> Is this scenario applies to the whois query? Is there an other source with full data, but a competitable price or service? Or this is a monopolic service?
Because the owner of a domain is registered by a domain registry (that what they do) they are the
only source for official information.
But finally I still think this shouldn't be the topic for discussion, the question is:
- Why is there a fee of € 200 per quarter? (does the registry make that amount of costs?)
- Shouldn't this service be free for CAs (information get more accurate for free)
- If it's not possible to make it free, could there be a query based fee?
.. do you have any more?
Eddy Nigg
> We are talking about a TLD, there can only be one TLD with the name
> .nl, so no there is no
> competition and there couldn't be competition from a TLD with the same name.
>
Why not, it exists for other TLDs and works well.
> But finally I still think this shouldn't be the topic for discussion, the question is:
>
> - Why is there a fee of € 200 per quarter? (does the registry make that amount of costs?)
> - Shouldn't this service be free for CAs (information get more accurate for free)
> - If it's not possible to make it free, could there be a query based fee?
>
This is part of the services a registrar is supposed to provide - for
this they receive a fee from their clients. Soon they will complain that
the DNS queries, web site accesses and whatnot costs them too much as well.
Man, this is what they are paid for - including WHOIS.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
Paul van Brouwershaven
> On 02/06/2010 05:45 PM, Paul van Brouwershaven:
>> We are talking about a TLD, there can only be one TLD with the name
>> .nl, so no there is no
>> competition and there couldn't be competition from a TLD with the same
>> name.
>>
>
> Why not, it exists for other TLDs and works well.
still have VeriSign (GRS) or PIR that runs the system.
Do you have an other example?
>> But finally I still think this shouldn't be the topic for discussion,
>> the question is:
>>
>> - Why is there a fee of € 200 per quarter? (does the registry make
>> that amount of costs?)
>> - Shouldn't this service be free for CAs (information get more
>> accurate for free)
>> - If it's not possible to make it free, could there be a query based fee?
>>
>
> This is part of the services a registrar is supposed to provide - for
> this they receive a fee from their clients. Soon they will complain that
> the DNS queries, web site accesses and whatnot costs them too much as well.
>
> Man, this is what they are paid for - including WHOIS.
You are partly right, but by not making the whois publicly available they are protecting privacy and
decreasing spam by shutting down this popular source for the public. There are many positive
responses to this action and I think other registries will follow.
Eddy Nigg
> Even then there is always one party that maintains the database, let look at the gTLD's, then you still have VeriSign (GRS) or PIR that runs the system.
>
Yes, but WHOIS is delegated for example. And today Godaddy sells more
domains than Verisign.
> You are partly right, but by not making the whois publicly available they are protecting privacy and decreasing spam by shutting down this popular source for the public.
If that would have been their concern, they could implement an
arrangement for selected parties like CAs to access their WHOIS servers.
It doesn't explain why there is a reason to turn it into a new business
plan. Do you really think all accesses a CA potentially may make is
worth 800 euro per year (all bandwidth and CPU cycles included)?
Paul van Brouwershaven
> On 02/06/2010 10:45 PM, Paul van Brouwershaven:
>> Even then there is always one party that maintains the database, let
>> look at the gTLD's, then you still have VeriSign (GRS) or PIR that
>> runs the system.
>>
>
> Yes, but WHOIS is delegated for example. And today Godaddy sells more
> domains than Verisign.
Yes, Godaddy runs it's own whois but onder regulation from VeriSign and Icann.
>> You are partly right, but by not making the whois publicly available
>> they are protecting privacy and decreasing spam by shutting down this
>> popular source for the public.
>
> If that would have been their concern, they could implement an
> arrangement for selected parties like CAs to access their WHOIS servers.
> It doesn't explain why there is a reason to turn it into a new business
> plan. Do you really think all accesses a CA potentially may make is
> worth 800 euro per year (all bandwidth and CPU cycles included)?
No I don't think so, only the CA who have sufficiently business in the Netherlands, and yes I agree
(as said several times) that the .nl registry is not requesting a fair fee at this moment.
- Do you think it's fair to ask an annual administrative fee to validate if you are a webtrust
complaint CA so you may access the whois data?
- Do you think it's fait that large CAs have to pay more because they do more requests on the system?
Eddy Nigg
> As far as I know, VeriSign is the domain regsitry for .com and sells only to resellers like Godaddy.
> Yes, Godaddy runs it's own whois but onder regulation from VeriSign and Icann.
>
Godaddy is one of many as far as I know. But obviously, also .NL is
regulated by the ICANN/IANA clan :-)
>> If that would have been their concern, they could implement an
>> arrangement for selected parties like CAs to access their WHOIS servers.
>> It doesn't explain why there is a reason to turn it into a new business
>> plan. Do you really think all accesses a CA potentially may make is
>> worth 800 euro per year (all bandwidth and CPU cycles included)?
>>
> No I don't think so, only the CA who have sufficiently business in the Netherlands, and yes I agree
> (as said several times) that the .nl registry is not requesting a fair fee at this moment.
>
As I believe, there should be no fee - they are the one and only doing
so unfortunately. I wonder what special burdens they have over there in
Holland ;-)
> - Do you think it's fair to ask an annual administrative fee to validate if you are a webtrust complaint CA so you may access the whois data?
>
No, why's that distinction?
> - Do you think it's fair that large CAs have to pay more because they do more requests on the system?
>
They probably also provide more value to the .NL domain holders. It's
their clients domains, they pay for it a yearly fee and they should
receive the full service.
CAs will simply burden the subscribers to provide the data, more time to
spend on a .NL domain, more money for getting the confirmation from the
registrar, more administrative expenses by the .NL registrar too. I
believe they haven't thought everything through.
And eventually I believe that if this should become common practice, CAs
will find a way to work around that. Apparently they are far more
organized than the registrars. :-)
Maarten Simon
Gentlemen,
Paul copied me in in this and the former discussion. Thank you for
that.
Please understand that the current CA-whois that we as the .nl-
registry offer, is only a quick and dirty solution which we decided to
provide because of the fact that Paul mentioned in December to us the
use that CA's make of the whois. It is not meant to be the perfect and
final solution but is only there to avoid that you were forced to work
with the current public .nl whois which from January 12, 2010 for
example does not show the address of the registrant anymore. We plan
to have further discussions with the CA's in the coming months and see
where we can improve our services. If you have any questions with
regard to the current service please send me an e-mail.
Best regards,
Maarten Simon
SIDN