



Network Working Group                                        M. Loffredo
Internet-Draft                                             M. Martinelli
Intended status: Standards Track                     IIT-CNR/Registro.it
Expires: 22 January 2026                                      J.G. Gould
                                                          VeriSign, Inc.
                                                            21 July 2025


Registration Data Access Protocol (RDAP) Extension for Verified Contact
                              Information
            draft-loffredo-regext-rdap-verified-contacts-01

Abstract

   This document describes an extension to the Registration Data Access
   Protocol (RDAP) that allows the inclusion of verification status
   information for contact fields such as email addresses and phone
   numbers.  The goal is to improve data quality and trustworthiness of
   RDAP responses by indicating which pieces of contact data have been
   verified and how.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 22 January 2026.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components



Loffredo, et al.         Expires 22 January 2026                [Page 1]

Internet-Draft         Verifying Contacts in RDAP              July 2025


   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
   3.  RDAP Conformance  . . . . . . . . . . . . . . . . . . . . . .   3
   4.  JSON Structure  . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  verifiedContacts_data Structure . . . . . . . . . . . . . . .   3
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   5
   Appendix A.  Change History . . . . . . . . . . . . . . . . . . .   5
     A.1.  Change from 00 to 01  . . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   The Registration Data Access Protocol (RDAP) provides access to
   registration data for domain names, IP addresses, and autonomous
   system numbers.  However, RDAP responses do not currently include
   explicit information about whether contact information such as email
   addresses or phone numbers has been verified.

   This document defines a simple extension that enables RDAP providers
   to include verification status for contact fields.  This is useful in
   contexts where contact verification may be legally required or
   strongly recommended.

   In particular, Article 28 of Directive (EU) 2022/2555 ([NIS2])
   requires top-level domain (TLD) name registries and domain name
   registrars to collect and maintain accurate and complete domain name
   registration data.  It also mandates them to verify, to the extent
   possible, the accuracy of such data.  The extension defined in this
   document can support compliance with this obligation by enabling the
   inclusion of verification status for contact fields in RDAP
   responses.










Loffredo, et al.         Expires 22 January 2026                [Page 2]

Internet-Draft         Verifying Contacts in RDAP              July 2025


2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  RDAP Conformance

   Servers implementing this extension MUST include the string
   "verifiedContacts" in the "rdapConformance" ([RFC9083]) array of all
   relevant RDAP responses.  The registration of the "verifiedContacts"
   extension identifier is described in Section 6.

4.  JSON Structure

   The verification information is conveyed via a new top-level object
   member named "verifiedContacts_data" within the entity objects.

         {
           "objectClassName": "entity",
           "handle": "ABC123-EXAMPLE",
           "rdapConformance": ["rdap_level_0", "verifiedContacts"],
           ...
           "verifiedContacts_data": {
             "email": {
               "verificationDate": "2025-03-15T12:00:00Z",
               "method": "emailVerification"
             }
             ...
           }
         }

    Figure 1: Entity object including the "verifiedContacts_data" member

5.  verifiedContacts_data Structure

   The "verifiedContacts_data" member is an object whose keys are
   contact details (e.g., "email", "voice", "fax", "addr").  Each value
   is an object containing:

   "verificationDate":  (REQUIRED) A string with the date and time of
       verification.

   "method":  (OPTIONAL) An string indicating the following verification
       methods:




Loffredo, et al.         Expires 22 January 2026                [Page 3]

Internet-Draft         Verifying Contacts in RDAP              July 2025


       "emailVerification":  Sending a confirmation link to the
           specified email address and requiring user interaction (e.g.,
           clicking the link) to confirm ownership.

       "smsToken":  Sending a one-time token (OTP) via SMS to the
           provided phone number and requiring the user to submit the
           token to confirm ownership.

       "manualReview":  Manual review of contact data by a human
           operator (e.g., calling the phone number, making a live video
           call, inspecting submitted documentation).

       "eidValidation":  Validation of contact data using a digital
           identity service, either before or after registration (e.g.,
           eIDAS-compliant identity providers).

       "addressVerification":  Verification of the postal address using
           a geolocation or address validation service (e.g., Google
           Maps API, OpenStreetMap, postal databases).

       "crossValidation":  Cross-checking of contact details (e.g.,
           name, VAT number, postal address) against trusted third-party
           repositories (e.g., EU VIES).

       "thirdPartyAssertion":  Relying on a trusted third party (e.g.,
           registrar, CSP, certification authority) to assert that
           contact data has been verified externally.

   Instead of returning an object for each verified contact detail, a
   server MAY use the "all" key to signal that all data has been
   verified.

6.  IANA Considerations

   IANA is requested to register the following value in the RDAP
   Extensions Registry:

   Extension identifier:  verifiedContacts
   Registry operator:  Any
   Published specification:  This document.
   Contact:  IETF <iesg@ietf.org>
   Intended usage:  This extension identifies RDAP extension for
      verified contact information.








Loffredo, et al.         Expires 22 January 2026                [Page 4]

Internet-Draft         Verifying Contacts in RDAP              July 2025


7.  Security Considerations

   Contact verification data may have privacy implications.  Servers
   MUST ensure that disclosure of this information complies with
   applicable data protection laws and policies.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC9083]  Hollenbeck, S. and A. Newton, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 9083, DOI 10.17487/RFC9083, June 2021,
              <https://www.rfc-editor.org/info/rfc9083>.

8.2.  Informative References

   [NIS2]     European Parliament and Council, "Directive (EU) 2022/2555
              of the European Parliament and of the Council of 14
              December 2022 on measures for a high common level of
              cybersecurity across the Union, amending Regulation (EU)
              No 910/2014 and Directive (EU) 2018/1972, and repealing
              Directive (EU) 2016/1148 (NIS 2 Directive)", December
              2022, <https://eur-lex.europa.eu/legal-content/EN/TXT/
              PDF/?uri=CELEX:02022L2555-20221227>.

Appendix A.  Change History

A.1.  Change from 00 to 01

   1.  Made The "verifiedContacts_data" keys consistent with those
       defined in draft-ietf-regext-rdap-jscontact.
   2.  Further specified the verification methods and changed their
       format to CamelCase.

Authors' Addresses






Loffredo, et al.         Expires 22 January 2026                [Page 5]

Internet-Draft         Verifying Contacts in RDAP              July 2025


   Mario Loffredo
   IIT-CNR/Registro.it
   Via Moruzzi,1
   56124 Pisa
   Italy
   Email: mario.loffredo@iit.cnr.it
   URI:   http://www.iit.cnr.it


   Maurizio Martinelli
   IIT-CNR/Registro.it
   Via Moruzzi,1
   56124 Pisa
   Italy
   Email: maurizio.martinelli@iit.cnr.it
   URI:   http://www.iit.cnr.it


   James Gould
   VeriSign, Inc.
   12061 Bluemont Way
   Reston, VA 20190
   United States of America
   Email: jgould@verisign.com
   URI:   http://www.verisigninc.com


























Loffredo, et al.         Expires 22 January 2026                [Page 6]
