<div dir="ltr">The only thing I would add is a bullet for regular reporting. Stats should get reported at every ARIN meeting for while, like maybe the next 3-5 meetings. <div><br></div><div>In the past, Mark Kosters regularly reported Whois stats for a while, Classic Whois (TCP port 43) vs. http (REST) Whois, if I remember correctly. Maybe report on Classic Whois vs. http Whois vs. https Whois.</div><div><br></div><div>I'll also note that I personally doubt <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Classic Whois will every completely go away, at least not anytime soon. So while <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Classic Whois <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">(TCP port 43)</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"> </span>remains available, unencrypted access to Whois will remain available even if all http Whois is eventually redirected to https Whois.</span></span></div><div><br></div><div>Thanks.<br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 2, 2018 at 11:55 AM, Kevin Blumberg <span dir="ltr"><<a href="mailto:kevinb@thewire.ca" target="_blank">kevinb@thewire.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-CA" link="blue" vlink="purple">
<div class="m_4125788415334186640WordSection1">
<p class="MsoNormal"><span>John,<u></u><u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<p class="MsoNormal"><span>The blueprint that Frank laid out is very sensible and doesn’t impact programmatic access.<u></u><u></u></span></p>
<p class="MsoNormal"><span><br>
This should be an ongoing process of improvement. Once implemented you should have a much better sense of how often requests are coming in that are not https.<u></u><u></u></span></p>
<p class="MsoNormal"><span><br>
Thanks,<u></u><u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<p class="MsoNormal"><span>Kevin Blumberg<u></u><u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1f497d"><u></u> <u></u></span></p>
</div>
<p class="MsoNormal"><span><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> ARIN-consult <<a href="mailto:arin-consult-bounces@arin.net" target="_blank">arin-consult-bounces@arin.net</a><wbr>>
<b>On Behalf Of </b>John Curran<br>
<b>Sent:</b> Monday, April 2, 2018 9:07 AM<br>
<b>To:</b> <a href="mailto:frnkblk@iname.com" target="_blank">frnkblk@iname.com</a><br>
<b>Cc:</b> <<a href="mailto:arin-consult@arin.net" target="_blank">arin-consult@arin.net</a>> <<a href="mailto:arin-consult@arin.net" target="_blank">arin-consult@arin.net</a>><br>
<b>Subject:</b> Re: [ARIN-consult] Consultation on ACSP 2018.3<br>
<b>Importance:</b> High<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 2 Apr 2018, at 9:00 AM, <a href="mailto:frnkblk@iname.com" target="_blank">
frnkblk@iname.com</a> wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">There’s been some great discussion on this topic. I’d like to suggest the following approach:<u></u><u></u></p>
</div>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal">No auto-redirection at this time<u></u><u></u></li><li class="MsoNormal">But stop redirecting<span class="m_4125788415334186640apple-converted-space"> </span><a href="https://whois.arin.net/" target="_blank"><span style="color:purple">https://whois.<wbr>arin.net</span></a><span class="m_4125788415334186640apple-converted-space"> </span>to<span class="m_4125788415334186640apple-converted-space"> </span><a href="http://whois.arin.net/ui/" target="_blank"><span style="color:purple">http://whois.arin.<wbr>net/ui/</span></a>,
rather redirect them to<span class="m_4125788415334186640apple-converted-space"> </span><a href="https://whois.arin.net/ui" target="_blank"><span style="color:purple">https://whois.arin.net/ui</span></a>. If they chose to go to the secure site, being redirected to the insecure site does not seem
like a good idea.<u></u><u></u></li><li class="MsoNormal">Make sure that all links from ARIN’s other sites to<span class="m_4125788415334186640apple-converted-space"> </span><a href="http://whois.arin.net/" target="_blank"><span style="color:purple">whois.arin.net</span></a><span class="m_4125788415334186640apple-converted-space"> </span>are
referring to the HTTPS one (that may already be the case, but I don’t know)<u></u><u></u></li><li class="MsoNormal">Enable HSTS for<span class="m_4125788415334186640apple-converted-space"> </span><a href="http://whois.arin.net/" target="_blank"><span style="color:purple">whois.arin.net</span></a><span class="m_4125788415334186640apple-converted-space"> </span>– if a web browser
hits it intentionally then just keep doing it automatically.<u></u><u></u></li><li class="MsoNormal">Provide some subtle feedback (perhaps an extra line/bar at the top of the page) to those web browsing the HTTP version of<span class="m_4125788415334186640apple-converted-space"> </span><a href="http://whois.arin.net/" target="_blank"><span style="color:purple">whois.arin.net</span></a><span class="m_4125788415334186640apple-converted-space"> </span>to
alert them that they are searching in the clear and provide a link to the secure version.<u></u><u></u></li><li class="MsoNormal">Develop a long-term goal to migrate programmatic access to HTTPS<u></u><u></u></li></ul>
</div>
</blockquote>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Frank - <u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> Excellent strawman proposal for moving forward - thank you for taking the time to express it with clarity! <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">All - <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"> Any specific objections or concerns with ARIN proceeding as proposed above? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks!<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">/John<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">John Curran<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">President and CEO<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">ARIN<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
ARIN-Consult<br>
You are receiving this message because you are subscribed to the ARIN Consult Mailing<br>
List (<a href="mailto:ARIN-consult@arin.net">ARIN-consult@arin.net</a>).<br>
Unsubscribe or manage your mailing list subscription at:<br>
<a href="http://lists.arin.net/mailman/listinfo/arin-consult" rel="noreferrer" target="_blank">http://lists.arin.net/mailman/<wbr>listinfo/arin-consult</a> Please contact the ARIN Member Services<br>
Help Desk at <a href="mailto:info@arin.net">info@arin.net</a> if you experience any issues.<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">===============================================<br>David Farmer <a href="mailto:Email%3Afarmer@umn.edu" target="_blank">Email:farmer@umn.edu</a><br>Networking & Telecommunication Services<br>Office of Information Technology<br>University of Minnesota <br>2218 University Ave SE Phone: 612-626-0815<br>Minneapolis, MN 55414-3029 Cell: 612-812-9952<br>===============================================</div>
</div></div></div>