"Whois there?" "No one."
Date: Saturday July 19 2003, @09:03AM
Topic: Laugh (or Cry)

On 18 July, the New York Times's John Markoff sparked a storm in a cup with an article describing how recent changes to the White House's email setup forced constituents to navigate up to nine pages in order to send mail to POTUS -- because he was no longer accepting email sent via, well, email. However, ever-responsive to the second superpower, public opinion, the White House climbed down: another article in today's NYT, by Matt Richtel, notes that the dubious design had been fixx0red. Well, sort of...

To find the webmail form now, you need only go to http://www.whitehouse.gov/ and click "CONTACT" in the navbar at the top of the page, which -- reasonably -- sends you to http://www.whitehouse.gov/contact/ . But on that page, there's a link to "White House Web Mail" which sends you off to https://sawho14.eop.gov/PERSdata/intro.htm -- a page on a different, inscrutably named secure server whose certificate "was signed by an unknown certifying authority" (Safari), "has an identity that cannot be verified" (Mozilla), whose "identity certificate issuer is unknown" (MSIE), and whose "certificate chain could not [be] verified" (OmniWeb). The latter excellent piece of software provides much more detail:

  • C=US
  • ST=District of Columbia
  • L=Washington
  • O=Executive Office of the President
  • OU=Information Systems and Technology Group
  • OU=Terms of use at www.verisign.com/rpa (c)00
  • CN=sawho14.eop.gov
  • Validity period: not before Sat Mar 08 00:00:00 UTC 2003 and not after Sun Mar 07 23:59:59 UTC 2004
  • MD5 Fingerprint: 0819 EE9A F749 18F1 1ACB 8BA8 01FE 55F8
  • SHA1 Fingerprint: 87CE 0004 0DEF B694 B9EB A77F 7BA1 1CBB 7F1E 188E
  • Issuer:
    • O=VeriSign Trust Network
    • OU=VeriSign, Inc.
    • OU=VeriSign International Server CA - Class 3
    • OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
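
Fingerprints like the two OmniWeb displays only help if they can be compared with a value the site's operator has published through some other channel. The Python below is an added example, not part of the original article: it parses a fingerprint in the grouped notation shown above and checks it against a certificate's DER bytes. The function names and the stand-in certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

# Digest length in bytes -> hashlib algorithm name.
ALGO_BY_LENGTH = {16: "md5", 20: "sha1", 32: "sha256"}

# Fingerprints exactly as quoted in the certificate details above.
PAGE_MD5 = "0819 EE9A F749 18F1 1ACB 8BA8 01FE 55F8"
PAGE_SHA1 = "87CE 0004 0DEF B694 B9EB A77F 7BA1 1CBB 7F1E 188E"

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
# Against a live server the bytes would come from the TLS handshake, e.g.
# ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))).
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"


def parse_fingerprint(text):
    """Turn '0819 EE9A ...' or '08:19:EE:...' into (algorithm, raw bytes)."""
    hexdigits = "".join(ch for ch in text if ch not in " :\t\n")
    try:
        raw = bytes.fromhex(hexdigits)
    except ValueError:
        raise ValueError("fingerprint is not valid hex") from None
    algo = ALGO_BY_LENGTH.get(len(raw))
    if algo is None:
        raise ValueError(f"unexpected fingerprint length: {len(raw)} bytes")
    return algo, raw


def format_fingerprint(raw):
    """Render digest bytes in the four-hex-digit groups used above."""
    hexstr = raw.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def fingerprint_of(cert_der, algo="sha256"):
    """Fingerprint of a DER certificate; SHA-256 is the sensible default today."""
    return format_fingerprint(hashlib.new(algo, cert_der).digest())


def matches_published(cert_der, published):
    """True if the certificate hashes to a fingerprint obtained out of band."""
    algo, expected = parse_fingerprint(published)
    actual = hashlib.new(algo, cert_der).digest()
    return hmac.compare_digest(actual, expected)
```

A match only means something when the published fingerprint came from a source independent of the connection being checked.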
Now, any sensible U.S. citizen will of course speculate that the "EOP" in eop.gov probably stands for something like "Executive Office of the President"; but, being sensible, s/he will doublecheck by, say, looking at the site. Unfortunately, https://sawho14.eop.gov/ will refer the citizen back to the White House's site. And there aren't any webservers running under http://eop.gov or http://www.eop.gov. But said citizen, being diligent as well, will then turn to http://www.nic.gov for the straight dope, only to be confronted with a clickwrappian offer that can't be refused (because there's only an "agree" button):
Warning! Use of this site is restricted!

This computer system is for the use of the United States Government. Unauthorized access, or access which exceeds authorized access is punishable under 18 USC 1030.

After agreeing and a few clicks on this nicely designed site, the citizen will learn that the domain eop.gov is "not available for registration" and that its status is "active." But what s/he won't learn is who the registrant actually is. Now, like our president, I am absolutely certain that someone could gad about all over the net to find out what EOP is. But who knows what kind of misinformation one might find on random web pages put up by those kooks who use the net...like the ones at ComputerWire who reported in September 2002 that VeriSign had restricted whois info for the .gov TLD. For security reasons, of course.

So one just has to trust -- without verifying.

But who, or what, are we to trust? The government? I dunno... officials say the darndest things. VeriSign? But they're the ones who issued sawho14.eop.gov's certificate, which didn't pass muster to begin with. Our browsers? That doesn't sound like a prudent policy outcome.

The point, of course, points at the paradox of whois: the need, on the one hand, to maintain it as an openly accessible resource for legitimate use, while restricting it, on the other hand, to prevent illegitimate uses. I won't pretend to know the answer; nor would I suppose that one policy fits all TLDs. But I do know that closing off whois for government sites is shortsighted. The ability to verify that a purportedly governmental site really is what it appears to be (and to be able to contact its maintainers, if necessary) is a Good Thing. For example, what if rather than haxx0ring the front page of a government site, someone were merely to change a single contact link buried nine pages down -- say, so that it pointed at a non-existent military site or a bogus government site (problems that erupted, respectively, four and five months after the battening-down of whois for .gov)? With a functional whois, a diligent citizen might be able to help our officials in a few minutes; but with whois hidden by the veil of "national security," good luck.

Long article, but well worth it
by dmehus on Saturday July 19 2003, @11:51AM (#11986)
User #3626 Info | http://doug.mehus.info/
Yes, this was probably one of the longest ICANNWatch articles but it was a good one. It was eye opening to know the U.S. government, which claims to be "open and transparent," shuts down its public whois service in the interests of "national security." Mr. Byfield is correct, if there is ever a time for a public whois database, it is with government domain names -- be they .GOV or gov.ccTLD. :)

Doug Mehus http://doug.mehus.info/ [mehus.info]

This article comes from ICANNWatch
