IIT-CNR/Registro.it

Via Moruzzi,1 Pisa IT 56124 mario.loffredo@iit.cnr.it http://www.iit.cnr.it

IIT-CNR/Registro.it

Via Moruzzi,1 Pisa IT 56124 maurizio.martinelli@iit.cnr.it http://www.iit.cnr.it

VeriSign, Inc.

12061 Bluemont Way Reston VA 20190 US jgould@verisign.com http://www.verisigninc.com

DENIC eG

Theodor-Stern-Kai 1 Frankfurt am Main DE pawel.kowalik@denic.de https://denic.de

Verified Contacts Extension This document describes an extension to the Registration Data Access Protocol (RDAP) that allows the inclusion of verification status information for contact fields such as email addresses and phone numbers. The goal is to improve data quality and trustworthiness of RDAP responses by indicating which pieces of contact data have been verified and how.

Introduction The Registration Data Access Protocol (RDAP) provides access to registration data for domain names, IP addresses, and autonomous system numbers. However, RDAP responses do not currently include explicit information about whether contact information such as email addresses or phone numbers has been verified. This document defines a simple extension that enables RDAP providers to include verification status for contact fields. This is useful in contexts where contact verification may be legally required or strongly recommended. In particular, Article 28 of Directive (EU) 2022/2555 () requires top-level domain (TLD) name registries and domain name registrars to collect and maintain accurate and complete domain name registration data. It also mandates them to verify, to the extent possible, the accuracy of such data. The extension defined in this document can support compliance with this obligation by enabling the inclusion of verification status for contact fields in RDAP responses.

Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

RDAP Conformance Servers implementing this extension MUST include the string "verifiedContacts" in the "rdapConformance" () array of all relevant RDAP responses. The registration of the "verifiedContacts" extension identifier is described in .

JSON Structure The verification information is conveyed via a new top-level object member named "verifiedContacts_data" within the entity objects.

Entity object including the "verifiedContacts_data" member { "objectClassName": "entity", "handle": "ABC123-EXAMPLE", "rdapConformance": ["rdap_level_0", "verifiedContacts"], ... "verifiedContacts_data": { "email": { "verificationDate": "2025-03-15T12:00:00Z", "method": "email verification" } ... } }

verifiedContacts_data Structure The "verifiedContacts_data" member is an object whose keys are contact details, using one of the RDAP JSON Values Registry "verified contact detail" type values (e.g., "all", "email", "voice", "fax", "addr"). Each value is an object containing:

"verificationDate":

(REQUIRED) Date and time of verification, as defined in .

"method":

(OPTIONAL) Verification method, using one of the RDAP JSON Values Registry “verified contact method” type values. The initial set of “verified contact method” values are:

"email verification":

Sending a confirmation link to the specified email address and requiring user interaction (e.g., clicking the link) to confirm ownership.

"sms token":

Sending a one-time token (OTP) via SMS to the provided phone number and requiring the user to submit the token to confirm ownership.

"manual review":

Manual review of contact data by a human operator (e.g., calling the phone number, making a live video call, inspecting submitted documentation).

"eid validation":

Validation of contact data using a digital identity service, either before or after registration (e.g., eIDAS-compliant identity providers).

"address verification":

Verification of the postal address using a geolocation or address validation service (e.g., Google Maps API, OpenStreetMap, postal databases).

"cross validation":

Cross-checking of contact details (e.g., name, VAT number, postal address) against trusted third-party repositories (e.g., EU VIES).

"third party assertion":

Relying on a trusted third party (e.g., registrar, CSP, certification authority) to assert that contact data has been verified externally.

"verifierId":

(OPTIONAL) Verifier identifier, that is a server unique number or a delimited string using a '-' as a separator character to support a regional or globally unique identifier. The minimum length is 1 character and the maximum length is 40 characters. The set of verifiers and verifier identifiers is up to server policy.

"verifierName":

(OPTIONAL) Verifier name of the verifier that is a simple character string, with a minimum length of 1 character and a maximum length of 40 characters. The set of verifiers and verifier identifiers is up to server policy.

"verificationId":

(OPTIONAL) Verification identifier that is unique for the verification performed by the verifier, that is represented as a number with the option of a '-' separator for grouping verifications by region or verifier. The minimum length is 1 character and the maximum length is 40 characters. For example, the "verificationId" could follow the Augmented Backus-Naur Form (ABNF) grammar scheme verifierId "-" verificationNumber, where the "verificationNumber" is unique to the "verifierId", making the "verificationId" unique across many verifiers supported by the server.

This extension supports the following versioning types as defined in :

• Opaque Versioning: The Opaque Extension Version Identifier is "verifiedContacts".
• Semantic Versioning: The Semantic Extension Version Identifier is "verifiedContacts-0.3". The Semantic Extension Version Identifier is "verifiedContacts-0.2" for draft-loffredo-regext-rdap-verified-contacts-02 and "verifiedContacts-0.1" for draft-loffredo-regext-rdap-verified-contacts-01. When there are interface changes to the extension, the Semantic Extension Version Identifier will be incremented, which may not match the draft version number. When the draft becomes a working group document and passes Working Group Last Call (WGLC), the Semantic Extension Version Identifier will be changed to "verifiedContacts-1.0".

IANA Considerations

RDAP Extensions Registry IANA is requested to register the following value in the RDAP Extensions Registry:

Extension identifier:

verifiedContacts

Registry operator:

Any

Published specification:

This document.

Contact:

IETF <iesg@ietf.org>

Intended usage:

This extension identifies RDAP extension for verified contact information.

RDAP JSON Values Registry Section 10.2 of defines the RDAP JSON Values Registry with pre-defined Type field values and the use of the "Expert Review" policy defined in . This specification defines two new RDAP JSON Values Registry Type field values that can be used to register pre-defined "verified contact detail" and "verified contact method" values. IANA is requested to update the RDAP JSON Values Registry to accept these additional type field values as follows:

"verified contact detail":

Verified contact detail being registered. The registered "verified contact detail" is referenced using a sub-field of the verified contacts "verifiedContacts_data" field.

"verified contact method":

Verified contact method being registered. The "verified contact method" is referenced using the "method" field of the verified contacts detail (e.g., "email", "voice", "fax", "addr") field.

IANA is requested to register the following in the RDAP JSON Values Registry, described in :

Value:

all

Type:

verified contact detail

Description:

All contact data has been verified.

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

email

Type:

verified contact detail

Description:

Email contact verification detail.

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

voice

Type:

verified contact detail

Description:

Voice telephone number contact verification detail.

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

fax

Type:

verified contact detail

Description:

Facsimile telephone number contact verification detail.

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

addr

Type:

verified contact detail

Description:

Address contact verification detail.

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

email verification

Type:

verified contact method

Description:

Sending a confirmation link to the specified email address and requiring user interaction (e.g., clicking the link) to confirm ownership.

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

sms token

Type:

verified contact method

Description:

Sending a one-time token (OTP) via SMS to the provided phone number and requiring the user to submit the token to confirm ownership.

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

manual review

Type:

verified contact method

Description:

Manual review of contact data by a human operator (e.g., calling the phone number, making a live video call, inspecting submitted documentation).

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

eid validation

Type:

verified contact method

Description:

Validation of contact data using a digital identity service, either before or after registration (e.g., eIDAS-compliant identity providers).

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

address verification

Type:

verified contact method

Description:

Verification of the postal address using a geolocation or address validation service (e.g., Google Maps API, OpenStreetMap, postal databases).

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

cross validation

Type:

verified contact method

Description:

Cross-checking of contact details (e.g., name, VAT number, postal address) against trusted third-party repositories (e.g., EU VIES).

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Value:

third party assertion

Type:

verified contact method

Description:

Relying on a trusted third party (e.g., registrar, CSP, certification authority) to assert that contact data has been verified externally.

Registrant Name:

IETF

Registrant Contact Information:

iesg@ietf.org

Security Considerations Contact verification data may have privacy implications. Servers MUST ensure that disclosure of this information complies with applicable data protection laws and policies.

The authors wish to thank the following persons for their feedback and suggestions: .

References Normative References European Parliament and Council

Change History

Change from 00 to 01

1. Made The "verifiedContacts_data" keys consistent with those defined in draft-ietf-regext-rdap-jscontact.
2. Further specified the verification methods and changed their format to CamelCase.

Change from 01 to 02

1. Added definition of the "verified contact detail" and "verified contact method" RDAP JSON Values types and added a set of RDAP JSON Values registrations.
2. Updated the "method" values to be lowercase with a space word separator to match the requirement for registered RDAP JSON Values.
3. Added support for semantic versioning using the versioning extension and included the semantic versions for the prior draft versions.
4. Added the "all", "email", "voice", "fax", and "addr" verified contact detail registration.
5. Added the "verifierId" optional field to reference who performed the verification.
6. Added the "verificationId" optional field to reference the unique verification performed by the verification provider.