> On Aug 1, 2018, at 7:52 AM, Hollenbeck, Scott <shollenb...@verisign.com>
> wrote:
>
>> -----Original Message-----
>> From: Alissa Cooper <ali...@cooperw.in>
>> Sent: Tuesday, July 31, 2018 1:28 PM
>> To: The IESG <i...@ietf.org>
>> Cc: draft-ietf-regext-rdap-object-...@ietf.org; Gould, James
>> <jgo...@verisign.com>; regext-cha...@ietf.org; Gould, James
>> <jgo...@verisign.com>; regext@ietf.org
>> Subject: [EXTERNAL] Alissa Cooper's No Objection on draft-ietf-regext-
>> rdap-object-tag-04: (with COMMENT)
>>
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-regext-rdap-object-tag-04: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-object-tag/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> I'm not sure why anyone would do this, but I'll ask anyway: is there no
>> concern about someone maliciously registering an identifier against an
>> existing RDAP URL, given that the registry is specified to be FCFS? Let's
>> say I have a grudge against MyLocalRIR and I go register "fubar" as the
>> service provider name together with an existing mylocalrir.org RDAP URL.
>> This maybe has little practical effect but surely MyLocalRIR would not be
>> too happy with it.
>
> Thanks for the review, Alyssa. Yes, this is possible. We could specify
> another registration policy; perhaps expert review? Even with that policy,
> though, the expert would have to be able to distinguish a "legitimate"
> operator from a fake, and that wouldn't always be an easy task and there
> would still be a risk of a fake getting through. Perhaps we could add text to
> advice IANA that fakes are possible and IANA should be able to respond to a
> change request from a "legitimate" operator with assistance from an expert
> reviewer. Another possibility could be FCFS with email contact information
> provided so that IANA can attempt to verify the request. Looking at RFC 82126
> again, I see that "a minimal amount of clerical information" is required, so
> adding contact information would be a good change.
Adding the email verification seems like a good step.
Thanks,
Alissa
>
> Scott
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
