IETF Logo Mail Archive

Re: [ire] Extended verification process of the escrow deposit files

"Gould, James" <JGould@verisign.com> Mon, 17 December 2012 22:20 UTC

Return-Path: <JGould@verisign.com>
X-Original-To: ire@ietfa.amsl.com
Delivered-To: ire@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCC8921F84D0 for <ire@ietfa.amsl.com>; Mon, 17 Dec 2012 14:20:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.294
X-Spam-Level:
X-Spam-Status: No, score=-6.294 tagged_above=-999 required=5 tests=[AWL=0.304, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i7k4N4BT7Efd for <ire@ietfa.amsl.com>; Mon, 17 Dec 2012 14:20:57 -0800 (PST)
Received: from exprod6og111.obsmtp.com (exprod6og111.obsmtp.com [64.18.1.27]) by ietfa.amsl.com (Postfix) with ESMTP id 1166021F8880 for <ire@ietf.org>; Mon, 17 Dec 2012 14:20:36 -0800 (PST)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob111.postini.com ([64.18.5.12]) with SMTP ID DSNKUM+as3GFIvVrQA7L84bNyaPsVA2FEt1W@postini.com; Mon, 17 Dec 2012 14:20:56 PST
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01.vcorp.ad.vrsn.com [10.173.152.205]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id qBHMKWCV006684 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 17 Dec 2012 17:20:32 -0500
Received: from BRN1WNEXMBX02.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0318.004; Mon, 17 Dec 2012 17:20:32 -0500
From: "Gould, James" <JGould@verisign.com>
To: Gustavo Lozano <gustavo.lozano@icann.org>, "ire@ietf.org" <ire@ietf.org>
Thread-Topic: [ire] Extended verification process of the escrow deposit files
Thread-Index: Ac3Zkeu6eJJKrRR3SMuGey8/HtjSOQC9mawAABDu5YD//7FQgA==
Date: Mon, 17 Dec 2012 22:20:31 +0000
Message-ID: <C41D7AF7FCECBE44940E9477E8E70D7A0D7465CF@BRN1WNEXMBX02.vcorp.ad.vrsn.com>
In-Reply-To: <CCF4D135.6C74%gustavo.lozano@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.2.120421
x-originating-ip: [10.173.152.4]
Content-Type: multipart/mixed; boundary="_006_C41D7AF7FCECBE44940E9477E8E70D7A0D7465CFBRN1WNEXMBX02vc_"
MIME-Version: 1.0
Subject: Re: [ire] Extended verification process of the escrow deposit files
X-BeenThere: ire@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Internet Registration Escrow discussion list." <ire.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ire>, <mailto:ire-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ire>
List-Post: <mailto:ire@ietf.org>
List-Help: <mailto:ire-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ire>, <mailto:ire-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Dec 2012 22:20:59 -0000

Gustavo,

My feedback is below.

--

JG

[cid:CD6ED76A-6C4B-40ED-8E7F-B9D6E7BE6635]

James Gould
Principal Software Engineer
jgould@verisign.com

703-948-3271 (Office)
12061 Bluemont Way
Reston, VA 20190
VerisignInc.com



From: Gustavo Lozano <gustavo.lozano@icann.org<mailto:gustavo.lozano@icann.org>>
Date: Monday, December 17, 2012 5:02 PM
To: James Gould <jgould@verisign.com<mailto:jgould@verisign.com>>, "ire@ietf.org<mailto:ire@ietf.org>" <ire@ietf.org<mailto:ire@ietf.org>>
Subject: Re: [ire] Extended verification process of the escrow deposit files

James,

Comments below.

From: <Gould>, James <JGould@verisign.com<mailto:JGould@verisign.com>>
Date: Monday, December 17, 2012 10:57 AM
To: Gustavo Lozano <gustavo.lozano@icann.org<mailto:gustavo.lozano@icann.org>>, "ire@ietf.org<mailto:ire@ietf.org>" <ire@ietf.org<mailto:ire@ietf.org>>
Subject: Re: [ire] Extended verification process of the escrow deposit files

Gustavo,

Has the concept of an "extended verification process" for the data escrow agents been previously discussed or documented?   It looks like some of the data integrity checks (linked contacts and hosts) along with business rules like whether or not there are glue records and the creation and last update dates in the future are better handled by an EBERO provider based on the deposits made.  The Data Escrow Provider should be able to validate the completeness of the deposit by verifying the signatures and verify the deposit against the format definition.

GL. The problem perceived with this approach is that the format definition on the draft is too generic. An extension mechanism is being incorporated in the new version of the draft-arias-noguchi-dnrd-objects-mapping draft and we require that data escrow agents validate the data related to extensions. I understand that you define some extensions guidelines in the draft-gould-thippeswamy-dnrd-csv-mapping draft as well.

JG - I don't believe that the extensions changes anything related to the responsibility of the data escrow agent.  Both draft-arias-noguchi-dnrd-objects-mapping and draft-gould-thippeswamy-dnrd-csv-mapping provide extensibility of attributes and objects by the registry defining their own extension XSD, which I'm assuming would need to be passed to the data escrow agent out-of-band or with each deposit.  The data escrow agent would be able to verify the completeness of the deposit by verifying the signatures and verifying the deposit (standard and extensions) against the format definition.


 Items like email address validation should be covered by the XSD format definition.  Applying differential deposits to the full deposit also sounds like the job of the EBERO provider and not the Data Escrow Provider.    In summary, I believe that only #1 below should be required of the Data Escrow Provider and the remainder should be discussed as a requirement for an EBERO provider.

GL. Requiring the EBEROs perform verification of the escrow deposit files frequently is an unlikely scenario. The data escrow agent is the party other than the registry with frequent (daily) access to escrow files, therefore the data escrow agent is in best position to perform a verification procedure. Depending on the day of the week, the full deposit and differentials are require to have a snapshot of the SRS database at that point in time, and it is expected that the extended verification procedure will require access to a snapshot of the SRS database.

JG – I am still not sure where the requirement for an extended verification procedure has been defined.  It sounds like you are adding new requirements for the data escrow providers that has contractual and policy impacts.  The data escrow providers simply take the data, do completeness and format checks, archive the data, and make the data available based on contractual conditions.  I have never heard of a deep data scrub that is being referred to as "extended verification" for the data escrow provider.  This kind of deep data scrub would be within the expertise of the EBERO provider to perform if they had access to the data.


--

JG

[cid:2FE192F5-206E-41B1-B26D-69A4A5A73698]

James Gould
Principal Software Engineer
jgould@verisign.com<mailto:jgould@verisign.com>

703-948-3271 (Office)
12061 Bluemont Way
Reston, VA 20190
VerisignInc.com



From: Gustavo Lozano <gustavo.lozano@icann.org<mailto:gustavo.lozano@icann.org>>
Date: Thursday, December 13, 2012 7:28 PM
To: "ire@ietf.org<mailto:ire@ietf.org>" <ire@ietf.org<mailto:ire@ietf.org>>
Subject: [ire] Extended verification process of the escrow deposit files


Colleagues,



Specification 2, Part A, 8. of the new gTLD applicant guidebook specifies:



" (5) If [1] includes a verification process, that will be applied at this step."



We are in the process of defining the extended verification process that the data escrow agents must perform daily with the escrow deposit file. This process will be included in new versions of the data escrow draft.



The purpose of this continuous verification process is to mitigate the risk of  an inconsistent data escrow deposit file.


In case of differentials deposits, the escrow agent shall use the last full and all the differentials deposits to perform the extended verification process.


I am interested in your feedback regarding:

 1. Other tests that you consider should be present in the draft.

 2. The proposed tests itself.


Proposed tests (this is not a final list of tests, we want to create the final list of tests with your input):

 1. Validate the escrow deposit file using the schema defined for the TLD including extensions as defined in Specification 2, Part A, 3.2 of the new gTLD base agreement.

 2. All contacts linked to domain names in the escrow deposit files are present.

 3. All hosts linked to domain names in the escrow deposit files are present.

 4. All the required glue records are present.

 5. The IPv4 addresses of the glue records are valid global address, or in other words not present in the special use IPv4 address blocks defined in: RFC5735 and RFC6598.

 6. The IPv6 addresses of the glue records are part of 2000::/3 with the exception of sub allocations mentioned in RFC5156.

 7. The creation and last update date of objects is not in the future.

 8. Email addresses are syntactically valid.


Note: heuristics tests like the abrupt increase or decrease of domain names escrowed will be performed by ICANN using the data escrow report sent by the data escrow agents to ICANN.

v2.23.0 | Report a Bug | By Email