Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GDPR - API for contacting domain registrants #824

Closed
vohmar opened this issue Apr 18, 2018 · 2 comments
Closed

GDPR - API for contacting domain registrants #824

vohmar opened this issue Apr 18, 2018 · 2 comments
Assignees
@maciej-szlosarczyk
Labels
enhancement

Comments

@vohmar
Copy link
Contributor

vohmar commented Apr 18, 2018

After 29th of May we will not be able to reveal data of private domain registrants. To enable still contacting the regsitrants without revealing their identity nor email address we will implement API for sending the email to the private domain registrants.

The email sending functionality will be available only using Restful WHOIS and EIS's webpage requiring token based authentication. Detailed description of the vision is here

https://docs.google.com/document/d/1kEg4V4hADYu6x10wTrq2BdAafPZ7wFTgSsmFzbUNrvA/edit?usp=sharing
@maciej-szlosarczyk maciej-szlosarczyk self-assigned this May 9, 2018
@maciej-szlosarczyk
Copy link
Contributor

I'm pretty convinced that this feature should not touch the domain registry at all, it should be self-contained within the RESTful WHOIS, as it contains all the data required to serve this functionality. There is no need to introduce runtime binding between WHOIS and registry. We should slightly reverse the order in which the steps are performed to avoid storing email text in our database.

  1. Select domain whose owner you want to contact.
  2. Verify your email:
    a) Receive an email with a link to the form.
    b) Open the link. The page is a one-time only, after it has been opened, it is not accessible any more.
    c) Enter email text (only plain text is allowed), the title should be hard-coded.
  3. Select recipients (owner, technical contact, admin contact)
  4. Send email. Sending should be synchronous, not a background job.
  5. If the domain owner/administrator feels like it, the can either answer or ignore those emails.

If any of the steps fail, you shall start from the beginning.

To accomplish that, we need a new table that will hold the following data:

+-----------------+-----------------------------+------------------------------------------------------+-----------+----------------+---------------+
| Column          | Type                        | Modifiers                                            | Storage   | Stats target   | Description   |
|-----------------+-----------------------------+------------------------------------------------------+-----------+----------------+---------------|
| id              | integer                     |  not null default nextval('emails_id_seq'::regclass) | plain     | <null>         | <null>        |
| whois_record_id | integer                     |  not null                                            | plain     | <null>         | <null>        |
| secret          | character varying           |  not null                                            | extended  | <null>         | <null>        |
| email           | character varying           |  not null                                            | extended  | <null>         | <null>        |
| valid_to        | timestamp without time zone |  not null                                            | plain     | <null>         | <null>        |
| status          | character varying           |  not null default 'new'::character varying           | extended  | <null>         | <null>        |
| created_at      | timestamp without time zone |                                                      | plain     | <null>         | <null>        |
| updated_at      | timestamp without time zone |                                                      | plain     | <null>         | <null>        |
+-----------------+-----------------------------+------------------------------------------------------+-----------+----------------+---------------+
Indexes:
    "emails_pkey" PRIMARY KEY, btree (id)
    "index_emails_on_secret" UNIQUE, btree (secret)
    "index_emails_on_email" btree (email)
    "index_emails_on_status" btree (status)
    "index_emails_on_whois_record_id" btree (whois_record_id)
Foreign-key constraints:
    "fk_rails_2c92e93c82" FOREIGN KEY (whois_record_id) REFERENCES whois_records(id)
Has OIDs: no

This is not a minimal set of features, but it allows us to track which domain owners are contacted the most and maybe isolate spammers if needed.

Let me know if there are any negatives to this version, mostly from the ops side. In my view, adding a new table to whois database is less costly than an API/runtime binding between REST WHOIS and the Registry.

@maciej-szlosarczyk
Copy link
Contributor

Fixed in internetee/rest-whois#50

@vohmar vohmar closed this as completed May 25, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maciej-szlosarczyk maciej-szlosarczyk

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@maciej-szlosarczyk @vohmar