IETF Logo Mail Archive

Re: [ire] Extended verification process of the escrow deposit files

Gustavo Lozano <gustavo.lozano@icann.org> Mon, 17 December 2012 22:02 UTC

Return-Path: <gustavo.lozano@icann.org>
X-Original-To: ire@ietfa.amsl.com
Delivered-To: ire@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B98621F89E2 for <ire@ietfa.amsl.com>; Mon, 17 Dec 2012 14:02:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tlRf99+mAi26 for <ire@ietfa.amsl.com>; Mon, 17 Dec 2012 14:02:06 -0800 (PST)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 487B621F89BB for <ire@ietf.org>; Mon, 17 Dec 2012 14:02:06 -0800 (PST)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Mon, 17 Dec 2012 14:02:05 -0800
From: Gustavo Lozano <gustavo.lozano@icann.org>
To: "Gould, James" <JGould@verisign.com>, "ire@ietf.org" <ire@ietf.org>
Date: Mon, 17 Dec 2012 14:02:03 -0800
Thread-Topic: [ire] Extended verification process of the escrow deposit files
Thread-Index: Ac3coiak246CmltUTf2Br+ViCOPbdg==
Message-ID: <CCF4D135.6C74%gustavo.lozano@icann.org>
In-Reply-To: <C41D7AF7FCECBE44940E9477E8E70D7A0D745B18@BRN1WNEXMBX02.vcorp.ad.vrsn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.5.121010
acceptlanguage: en-US
Content-Type: multipart/mixed; boundary="_004_CCF4D1356C74gustavolozanoicannorg_"
MIME-Version: 1.0
Subject: Re: [ire] Extended verification process of the escrow deposit files
X-BeenThere: ire@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Internet Registration Escrow discussion list." <ire.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ire>, <mailto:ire-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ire>
List-Post: <mailto:ire@ietf.org>
List-Help: <mailto:ire-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ire>, <mailto:ire-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Dec 2012 22:02:07 -0000

James,

Comments below.

From: <Gould>, James <JGould@verisign.com<mailto:JGould@verisign.com>>
Date: Monday, December 17, 2012 10:57 AM
To: Gustavo Lozano <gustavo.lozano@icann.org<mailto:gustavo.lozano@icann.org>>, "ire@ietf.org<mailto:ire@ietf.org>" <ire@ietf.org<mailto:ire@ietf.org>>
Subject: Re: [ire] Extended verification process of the escrow deposit files

Gustavo,

Has the concept of an "extended verification process" for the data escrow agents been previously discussed or documented?   It looks like some of the data integrity checks (linked contacts and hosts) along with business rules like whether or not there are glue records and the creation and last update dates in the future are better handled by an EBERO provider based on the deposits made.  The Data Escrow Provider should be able to validate the completeness of the deposit by verifying the signatures and verify the deposit against the format definition.

GL. The problem perceived with this approach is that the format definition on the draft is too generic. An extension mechanism is being incorporated in the new version of the draft-arias-noguchi-dnrd-objects-mapping draft and we require that data escrow agents validate the data related to extensions. I understand that you define some extensions guidelines in the draft-gould-thippeswamy-dnrd-csv-mapping draft as well.

 Items like email address validation should be covered by the XSD format definition.  Applying differential deposits to the full deposit also sounds like the job of the EBERO provider and not the Data Escrow Provider.    In summary, I believe that only #1 below should be required of the Data Escrow Provider and the remainder should be discussed as a requirement for an EBERO provider.

GL. Requiring the EBEROs perform verification of the escrow deposit files frequently is an unlikely scenario. The data escrow agent is the party other than the registry with frequent (daily) access to escrow files, therefore the data escrow agent is in best position to perform a verification procedure. Depending on the day of the week, the full deposit and differentials are require to have a snapshot of the SRS database at that point in time, and it is expected that the extended verification procedure will require access to a snapshot of the SRS database.


--

JG

[cid:2FE192F5-206E-41B1-B26D-69A4A5A73698]

James Gould
Principal Software Engineer
jgould@verisign.com<mailto:jgould@verisign.com>

703-948-3271 (Office)
12061 Bluemont Way
Reston, VA 20190
VerisignInc.com



From: Gustavo Lozano <gustavo.lozano@icann.org<mailto:gustavo.lozano@icann.org>>
Date: Thursday, December 13, 2012 7:28 PM
To: "ire@ietf.org<mailto:ire@ietf.org>" <ire@ietf.org<mailto:ire@ietf.org>>
Subject: [ire] Extended verification process of the escrow deposit files


Colleagues,



Specification 2, Part A, 8. of the new gTLD applicant guidebook specifies:



" (5) If [1] includes a verification process, that will be applied at this step."



We are in the process of defining the extended verification process that the data escrow agents must perform daily with the escrow deposit file. This process will be included in new versions of the data escrow draft.



The purpose of this continuous verification process is to mitigate the risk of  an inconsistent data escrow deposit file.


In case of differentials deposits, the escrow agent shall use the last full and all the differentials deposits to perform the extended verification process.


I am interested in your feedback regarding:

 1. Other tests that you consider should be present in the draft.

 2. The proposed tests itself.


Proposed tests (this is not a final list of tests, we want to create the final list of tests with your input):

 1. Validate the escrow deposit file using the schema defined for the TLD including extensions as defined in Specification 2, Part A, 3.2 of the new gTLD base agreement.

 2. All contacts linked to domain names in the escrow deposit files are present.

 3. All hosts linked to domain names in the escrow deposit files are present.

 4. All the required glue records are present.

 5. The IPv4 addresses of the glue records are valid global address, or in other words not present in the special use IPv4 address blocks defined in: RFC5735 and RFC6598.

 6. The IPv6 addresses of the glue records are part of 2000::/3 with the exception of sub allocations mentioned in RFC5156.

 7. The creation and last update date of objects is not in the future.

 8. Email addresses are syntactically valid.


Note: heuristics tests like the abrupt increase or decrease of domain names escrowed will be performed by ICANN using the data escrow report sent by the data escrow agents to ICANN.

v2.23.0 | Report a Bug | By Email