Network Working Group M. Loffredo Internet-Draft M. Martinelli Intended status: Standards Track IIT-CNR/Registro.it Expires: 5 January 2026 J.G. Gould VeriSign, Inc. 4 July 2025 Registration Data Access Protocol (RDAP) Extension for Verified Contact Information draft-loffredo-regext-rdap-verified-contacts-00 Abstract This document describes an extension to the Registration Data Access Protocol (RDAP) that allows the inclusion of verification status information for contact fields such as email addresses and phone numbers. The goal is to improve data quality and trustworthiness of RDAP responses by indicating which pieces of contact data have been verified and how. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 5 January 2026. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components Loffredo, et al. Expires 5 January 2026 [Page 1] Internet-Draft Verifying Contacts in RDAP July 2025 extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 3. RDAP Conformance . . . . . . . . . . . . . . . . . . . . . . 3 4. JSON Structure . . . . . . . . . . . . . . . . . . . . . . . 3 5. verifiedContacts_data Structure . . . . . . . . . . . . . . . 3 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 7. Security Considerations . . . . . . . . . . . . . . . . . . . 4 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 8.1. Normative References . . . . . . . . . . . . . . . . . . 4 8.2. Informative References . . . . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction The Registration Data Access Protocol (RDAP) provides access to registration data for domain names, IP addresses, and autonomous system numbers. However, RDAP responses do not currently include explicit information about whether contact information such as email addresses or phone numbers has been verified. This document defines a simple extension that enables RDAP providers to include verification status for contact fields. This is useful in contexts where contact verification may be legally required or strongly recommended. In particular, Article 28 of Directive (EU) 2022/2555 ([NIS2]) requires top-level domain (TLD) name registries and domain name registrars to collect and maintain accurate and complete domain name registration data. It also mandates them to verify, to the extent possible, the accuracy of such data. The extension defined in this document can support compliance with this obligation by enabling the inclusion of verification status for contact fields in RDAP responses. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Loffredo, et al. Expires 5 January 2026 [Page 2] Internet-Draft Verifying Contacts in RDAP July 2025 3. RDAP Conformance Servers implementing this extension MUST include the string "verifiedContacts" in the "rdapConformance" ([RFC9083]) array of all relevant RDAP responses. The registration of the "verifiedContacts" extension identifier is described in Section 6. 4. JSON Structure The verification information is conveyed via a new top-level object member named "verifiedContacts_data" within the entity objects. { "objectClassName": "entity", "handle": "ABC123-EXAMPLE", "rdapConformance": ["rdap_level_0", "verifiedContacts"], ... "verifiedContacts_data": { "email": { "verificationDate": "2025-03-15T12:00:00Z", "method": "email-verification" } ... } } Figure 1: Entity object including the "verifiedContacts_data" member 5. verifiedContacts_data Structure The "verifiedContacts_data" member is an object whose keys are contact details (e.g., "email", "phone", "address"). Each value is an object containing: 1. verificationDate: A required string with the date and time of verification. 2. method: An optional string indicating the verification method (e.g., "email-verification", "sms-token", "manual-review", "eid- validation"). Instead of returning an object for each verified contact detail, a server MAY use the "all" key to signal that all data has been verified. Loffredo, et al. Expires 5 January 2026 [Page 3] Internet-Draft Verifying Contacts in RDAP July 2025 6. IANA Considerations IANA is requested to register the following value in the RDAP Extensions Registry: Extension identifier: verifiedContacts Registry operator: Any Published specification: This document. Contact: IETF Intended usage: This extension identifies RDAP extension for verified contact information. 7. Security Considerations Contact verification data may have privacy implications. Servers MUST ensure that disclosure of this information complies with applicable data protection laws and policies. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the Registration Data Access Protocol (RDAP)", STD 95, RFC 9083, DOI 10.17487/RFC9083, June 2021, . 8.2. Informative References [NIS2] European Parliament and Council, "Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)", December 2022, . Loffredo, et al. Expires 5 January 2026 [Page 4] Internet-Draft Verifying Contacts in RDAP July 2025 Authors' Addresses Mario Loffredo IIT-CNR/Registro.it Via Moruzzi,1 56124 Pisa Italy Email: mario.loffredo@iit.cnr.it URI: http://www.iit.cnr.it Maurizio Martinelli IIT-CNR/Registro.it Via Moruzzi,1 56124 Pisa Italy Email: maurizio.martinelli@iit.cnr.it URI: http://www.iit.cnr.it James Gould VeriSign, Inc. 12061 Bluemont Way Reston, VA 20190 United States of America Email: jgould@verisign.com URI: http://www.verisigninc.com Loffredo, et al. Expires 5 January 2026 [Page 5]