domain contacts: person vs role

  • Topic Starter rlm

rlm

Maybe @richard.schreier or @FM can shed some light on a question I've always had.

When it comes to the various fields in WHOIS data that identify a person, I've always had the understanding that you are not allowed to use a "role" and that you must list a real person's name. So you cannot list the name as something like "Domain Admin" instead of "John Doe".

Clearly the "Registrant Name" should be accurate for the selected CPR category type, otherwise you're risking losing the domain in a RIV when you cannot prove your name is "Domain Admin" or whatever.

However, when it comes to admin/tech/billing contacts, I can understand where a company might prefer to name a role such as "Domain Administrator" or whatever, as employees may come and go.

Is that allowed by CIRA?
 
You @rlm are correct that registrant contact names should be accurate for selected CPR category. Having incorrect information does risk losing the name in a Registrant Information Validation (RIV) process. The admin contact has the same rights/access to the domain as the registrant. In both cases, our policies define both the Admin Contact and the Registrant as a “Person: means a natural person, partnership, limited partnership, limited liability partnership, corporation, limited liability corporation, unlimited liability company, joint stock company, trust, unincorporated association, joint venture or other entity or governmental entity” (Ref: https://www.cira.ca/policy/legal-agreement/registrant-agreement). Any registration that uses an invalid “name” in the Registrant or Admin Contact records risks losing the domain.

Ultimately CIRA needs to be able to verify the registrant is who they say they are and that they indeed comply with the CPR category they have chosen. A good example where this becomes problematic is where a privacy proxy is used (remember that all individual registrant data is redacted in whois by CIRA and always has been, so privacy services simply hide the registrant from us). In these cases, "officially" the privacy service is the registrant, which causes issues when we need to validate compliance or when the domain is subject to legal action.
 
@richard.schreier, thanks for the response. That definitely brings up a few more questions. I'll tackle them one issue at a time though. First one up:

OK, so in theory that sounds as if both the Registrant and Admin contacts are allowed to be listed with the company name, thus not needing to list a personal name? So for example, would the following domain be fully meeting CIRA's policies?

Domain Name: roulette.ca
Registry Registrant ID: 14313861-CIRA
Registrant Name: 0979592 B.C. LTD.
Registrant Organization:
Registry Admin ID: 24802844-CIRA
Admin Name: 0979592 B.C. LTD.
Admin Organization:

From my experience, it appears that a Registrant Name is allowed to be something other than a natural person, but that an Admin Name is required to be a natural person. Then the admin's organization might optionally be listed in the Admin Organization field, as in this example:

Domain Name: google.ca
Registrant Name: Google LLC - TMA868122
Registrant Organization:
Admin Name: Lauren Johnston
Admin Organization: Google LLC

This could of course be entirely due to each registrar having different implementations for creating a new contact. I'm pretty sure I've been forced down this road by certain registrars where I couldn't put my company name in the "Admin Name" field, they were requiring a real person's name. They also would not allow me to select the same "Registry Registrant ID" in place of the "Admin Registrant ID". They require choosing a separate Admin ID. However, Tech and Billing contacts were allowed to use the same Admin ID.

But it does appear possible to assign the Registrant ID to the Admin ID, as in this case:

Domain Name: theblack.ca
Registry Registrant ID: 90399170-CIRA
Registrant Name: Wang Rui
Registrant Organization:
Registry Admin ID: 90399170-CIRA
Admin Name: Wang Rui
Admin Organization:

So, just to be clear here, from CIRA's perspective, it is perfectly acceptable to have the Registrant ID be used as the Admin contact too, right?

Thanks!
 
@rlm In your first example I assume you are referring to a domain registered with a non-individual CPR type (like a company) and the Registrant Name is the Company Name... this is correct. In future, we are enabling use of the Organization field in EPP so for non-individual CPR types, the Organization field will have the correct Registrant and, in theory, the Contact Name would have an individual working at the company that could be contacted if necessary. And yes, the Registrant and Admin contacts may be the same.

Your second question, again with the clarification we are now referring to a registration where the CPR type is an individual (Canadian Citizen for example), the Registrant Name and/or the Admin Name should be a person per our policies. If it is not, then there is risk of losing the domain when a validation is conducted (RIV).

In your Google example, the registration is a non-individual based on a trademark. So, the Registrant name is correctly shown as the company. The Admin is shown as a natural person which is fine.

And yes, the same contact record can be designated for use as multiple contact types including registrant, admin, technical and financial. The only caveat is the Registrant contact must meet the requirements with the associated CPR category.
 
richard.schreier said:
@rlm In your first example I assume you are referring to a domain registered with a non-individual CPR type (like a company) and the Registrant Name is the Company Name... this is correct. In future, we are enabling use of the Organization field in EPP so for non-individual CPR types, the Organization field will have the correct Registrant and, in theory, the Contact Name would have an individual working at the company that could be contacted if necessary. And yes, the Registrant and Admin contacts may be the same.

Funny, I had actually typed, then deleted, that it would have made sense for CIRA to put the non-individual registrant in the Organization. Good to hear they're trying to clean things up.

So my guess is that organizations will often make up fake names or roles to put in the Admin Name field because they don't want to list a person's name for whatever reasons. But that entire problem exists only because they don't realize that they can simply re-use the Registrant Contact as the admin (or they are not given the option to do so by their registrar). IF they realized they _could_ do like roulette.ca did, there would be no need for them to make up fake names or roles. And the whois wouldn't be littered with those types of details.

So if CIRA is looking to clean up the past whois messes, they need to make it clear to Registrars that it is acceptable to re-use the Registrant ID as the Admin ID and not force them to create a new one, and that if they _do_ want to create a new one, then they can simply put the Company Name in that field again, it doesn't have to be a person. The real problem is the random implementations by Registrars and the Registrants not understanding what their options are.

If CIRA does eventually make the change as you mentioned, would they _require_ an actual person to be named for the Registrant and/or Admin contact? Obviously a real person's name would be required for individual CPR types. But for other entities, the Registrant is the entity, and the admin/tech/billing contacts are just roles. Why not just 100% support the idea of a role being a role? No name required, but optional for sure. The email is about the only thing important for admin/tech/billing. Clearly there's a good argument for a role being a role and not a named person. That solves some privacy issues AND allows a company not to have to worry about updating their domains every time an admin/tech/billing contact leaves the company. I know you have had some history with that issue yourself.
 
@rlm all good points. The problem with how "registrars" may tackle the business is they will implement code that meets a broader base of requirements, not necessarily each individual registry. For example, if they impose restrictions that are required by one registry but are not invalid for another registry, they may choose to leave the code like that... a common approach that does not provide the flexibility that may exist in the second registry but it means there is only one code base.

Just a point of clarification: the contact name in both registrant and admin must be a "Person" as defined by our policy (which is much broader than just an "individual") but must match the CPR category. The only problem with any "role based" designation is the notion of security and proper validation. The email of course and phone numbers are top of the list, but without a real live person to speak to, who do we ask for when needed?
 
I get the fact that registrars won't necessarily comply with CIRA's rules if CIRA doesn't enforce them. What's the problem with enforcing them? You want to do business with CIRA, you follow CIRA policies, no? Why does CIRA let the tail wag the dog here? While I'm sympathetic to registrars that it's inconvenient that rules are slightly different at different registries, the fact is, they do comply with some of those differences (i.e. the CPR). Those differences are the cost of doing business. No different than needing to upgrade/repair your building occasionally.

I have one of those exact issues with GoDaddy right now. I have domains that are NOT locked in any way, they know I am the registrant, yet they refuse to give me the Auth Codes for 60 days. GoDaddy is imposing their OWN pseudo lock by simply refusing to give me the auth codes. I have a fundamental problem with that, and I wish I could get CIRA to tell GoDaddy to give me those auth codes. Is that even legal for a registrar to do that?? I'm just not optimistic that CIRA would help me out there. But that's a different issue.

richard.schreier said:
The only problem with any "role based" designation is the notion of security and proper validation. The email of course and phone numbers are top of the list, but without a real live person to speak to, who do we ask for when needed?

Security is an interesting point for sure. But how often is an Admin contact ever needed to be personally validated? Wouldn't that really require the Registrant contact to be validated first? I would assume that a registrant would be the only validation ever needed.

But I suppose on the flip side, as many problems probably happen when former employees LEAVE a company, then have control of the domain. So that security problem exists already.

Definitely a legit problem to contemplate though.
 
@rlm I would suggest this conversation is going beyond what we should be talking about in a public forum, give me a call and we can chat... 613-237-5335 x 222
 
Just had a nice chat with Richard about contacts and security protocols and the complexity that both bring. I understand why it was easier to discuss by phone than typing it all out here. I received some great explanation and info and I pretty much agreed and understand CIRA's line of thinking and like where they're headed with certain things. I'd mention more but it's not my place to announce any CIRA plans, but I'll just say it's very good for us.
 
rlm said:
Just had a nice chat with Richard about contacts and security protocols and the complexity that both bring. I understand why it was easier to discuss by phone than typing it all out here. I received some great explanation and info and I pretty much agreed and understand CIRA's line of thinking and like where they're headed with certain things. I'd mention more but it's not my place to announce any CIRA plans, but I'll just say it's very good for us.

Preserving it in writing is always good


Great information for the forum
 
