[ARIN-consult] Consultation on ACSP 2018.3
Jimmy Hess
mysidia at gmail.com
Tue Apr 3 05:31:01 EDT 2018
On Wed, Mar 28, 2018 at 4:16 PM, ARIN <info at arin.net> wrote:
> Question: If ARIN redirects http to https requests, should ARIN then
> use HSTS for web-based Whois queries?
-ARIN should send HSTS headers If and Only If: ALL web-based traffic to
that hostname used with HTTP are mandated to be over HTTPS.
-HSTS headers should not be sent for whois.arin.net if Non-HTTPS whois
queries are allowed.
-Non-HTTPS Whois queries should be allowed,
and Non-HTTPS should be the default for simple queries of WHOIS information.
Rationale:
The WHOIS database is public information, and the use of HTTPS creates
potential access issues or impairments for some browsers, and requires
additional resources related to the CPU cost of encryption and
Certificate Revocation checks.
> Question: Should ARIN automatically redirect user Whois queries made
> via "http" to "https"?
Should not redirect. The WHOIS protocol itself does not provide secrecy.
The web WHOIS query interface is an alternative interface to the WHOIS data...;
Furthermore, there is not a reasonable expectation of privacy regarding what
users lookup in WHOIS --- heavy WHOIS users ought to be monitored
carefully and be subject to the possibility of public reporting and transparency
on their individual usage querying the public service by their IP and/or lookup
history or patterns, as there is a high potential for abusive
activities such as
automated data mining or harvesting e-mail address contacts to spam.
So long as the WHOIS protocol itself continues to be supported -- it
seems pretty unreasonable to force HTTP users to access the data over TLS
while not allowing visitors the option to access WHOIS over plain HTTP
when the WHOIS over WHOIS continues to be allowed and is equal to plain HTTP.
The forced redirect would surely cause some WHOIS queries to fail, as
some users will eventually be running browsers that cannot reach agreement
with ARIN's https servers over a secure protocol version and/or ciphers.
The WHOIS database is supplying information listed as publicly available,
and there is no expectation of privacy within the contents of the public
information --
It could be very useful for ARIN to provide digitally signed WHOIS listings
to confirm their authenticity, and ensure WHOIS data is not tampered with
on storage medium or before/during transit;
However, the HTTPS protocol is not capable of fully providing this
level of assurance.
For operating on public WHOIS data it is more suitable to provide
digitally signed query
responses, and a verifiable digital signature for each record.
API requests capable of modifying records ought to be required to be
digitally signed
requests by an authorized user (HTTPS / TLS does not provide this)
----
> Question: If ARIN redirects http to https requests, should ARIN then
> use HSTS for web-based Whois queries?
>
> The feedback you provide during this consultation will help inform how
> ARIN will proceed in response to ACSP 2018.3. All messages that have
> been sent to the arin-consult mailing lists in response to this
> suggestion prior to the opening of this consultation will be included in
> our feedback collection resulting from this consultation. Thank you for
> your participation in the ARIN Consultation and Suggestion Process.
>
> Please provide comments to arin-consult at arin.net.
>
> Discussion on arin-consult at arin.net will close on 30 April 2018. If you
> have any questions, please contact us at info at arin.net.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
--
-JH
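Added example, not from the poster or from ARIN: a small Python audit of the rule argued above, that HSTS should be sent only when every plain-HTTP request to the host is redirected to HTTPS. The responses are constructed stand-ins, not captured from whois.arin.net.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Response:
    """Constructed stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive; normalise the lookup.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value -> (max_age or None, includeSubDomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            max_age = int(m.group(1)) if m else None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload

def audit(http_resp, https_resp):
    """Apply the rule: send HSTS only if all plain-HTTP requests redirect to HTTPS.
    Returns a list of finding codes (empty list = posture is internally consistent)."""
    loc = http_resp.header("Location") or ""
    redirects = http_resp.status in (301, 302, 307, 308) and loc.lower().startswith("https://")
    hsts = https_resp.header("Strict-Transport-Security")
    codes = []
    if http_resp.header("Strict-Transport-Security") is not None:
        codes.append("hsts-on-http")            # browsers ignore HSTS on plain HTTP (RFC 6797)
    if hsts is not None:
        if parse_hsts(hsts)[0] is None:
            codes.append("hsts-bad-max-age")    # no valid max-age: header is invalid, ignored
        if not redirects:
            # HSTS-aware clients lose the plain-HTTP option while other clients keep it,
            # which is exactly the split the message above argues against.
            codes.append("hsts-without-redirect")
    elif redirects:
        codes.append("redirect-without-hsts")   # first request of each visit still goes over HTTP
    return codes
```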