



Network Working Group                                        M. Loffredo
Internet-Draft                                             M. Martinelli
Intended status: Standards Track                     IIT-CNR/Registro.it
Expires: 18 April 2026                                        J.G. Gould
                                                          VeriSign, Inc.
                                                              P. Kowalik
                                                                DENIC eG
                                                         15 October 2025


Registration Data Access Protocol (RDAP) Extension for Verified Contact
                              Information
            draft-loffredo-regext-rdap-verified-contacts-02

Abstract

   This document describes an extension to the Registration Data Access
   Protocol (RDAP) that allows the inclusion of verification status
   information for contact fields such as email addresses and phone
   numbers.  The goal is to improve data quality and trustworthiness of
   RDAP responses by indicating which pieces of contact data have been
   verified and how.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 April 2026.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.



Loffredo, et al.          Expires 18 April 2026                 [Page 1]

Internet-Draft         Verifying Contacts in RDAP           October 2025


   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
   3.  RDAP Conformance  . . . . . . . . . . . . . . . . . . . . . .   3
   4.  JSON Structure  . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  verifiedContacts_data Structure . . . . . . . . . . . . . . .   3
   6.  Extension Version Identifier  . . . . . . . . . . . . . . . .   5
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
     7.1.  RDAP Extensions Registry  . . . . . . . . . . . . . . . .   5
     7.2.  RDAP JSON Values Registry . . . . . . . . . . . . . . . .   5
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     10.2.  Informative References . . . . . . . . . . . . . . . . .  10
   Appendix A.  Change History . . . . . . . . . . . . . . . . . . .  10
     A.1.  Change from 00 to 01  . . . . . . . . . . . . . . . . . .  10
     A.2.  Change from 01 to 02  . . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   The Registration Data Access Protocol (RDAP) provides access to
   registration data for domain names, IP addresses, and autonomous
   system numbers.  However, RDAP responses do not currently include
   explicit information about whether contact information such as email
   addresses or phone numbers has been verified.

   This document defines a simple extension that enables RDAP providers
   to include verification status for contact fields.  This is useful in
   contexts where contact verification may be legally required or
   strongly recommended.

   In particular, Article 28 of Directive (EU) 2022/2555 ([NIS2])
   requires top-level domain (TLD) name registries and domain name
   registrars to collect and maintain accurate and complete domain name
   registration data.  It also mandates them to verify, to the extent
   possible, the accuracy of such data.  The extension defined in this
   document can support compliance with this obligation by enabling the
   inclusion of verification status for contact fields in RDAP
   responses.



Loffredo, et al.          Expires 18 April 2026                 [Page 2]

Internet-Draft         Verifying Contacts in RDAP           October 2025


2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  RDAP Conformance

   Servers implementing this extension MUST include the string
   "verifiedContacts" in the "rdapConformance" ([RFC9083]) array of all
   relevant RDAP responses.  The registration of the "verifiedContacts"
   extension identifier is described in Section 7.

4.  JSON Structure

   The verification information is conveyed via a new top-level object
   member named "verifiedContacts_data" within the entity objects.

         {
           "objectClassName": "entity",
           "handle": "ABC123-EXAMPLE",
           "rdapConformance": ["rdap_level_0", "verifiedContacts"],
           ...
           "verifiedContacts_data": {
             "email": {
               "verificationDate": "2025-03-15T12:00:00Z",
               "method": "email verification"
             }
             ...
           }
         }

    Figure 1: Entity object including the "verifiedContacts_data" member

5.  verifiedContacts_data Structure

   The "verifiedContacts_data" member is an object whose keys are
   contact details, using one of the RDAP JSON Values Registry "verified
   contact detail" type values (e.g., "all", "email", "voice", "fax",
   "addr").  Each value is an object containing:

   "verificationDate":  (REQUIRED) Date and time of verification, as
       defined in [RFC3339].

   "method":  (OPTIONAL) Verification method, using one of the RDAP JSON




Loffredo, et al.          Expires 18 April 2026                 [Page 3]

Internet-Draft         Verifying Contacts in RDAP           October 2025


       Values Registry “verified contact method” type values.  The
       initial set of “verified contact method” values are:

       "email verification":  Sending a confirmation link to the
           specified email address and requiring user interaction (e.g.,
           clicking the link) to confirm ownership.

       "sms token":  Sending a one-time token (OTP) via SMS to the
           provided phone number and requiring the user to submit the
           token to confirm ownership.

       "manual review":  Manual review of contact data by a human
           operator (e.g., calling the phone number, making a live video
           call, inspecting submitted documentation).

       "eid validation":  Validation of contact data using a digital
           identity service, either before or after registration (e.g.,
           eIDAS-compliant identity providers).

       "address verification":  Verification of the postal address using
           a geolocation or address validation service (e.g., Google
           Maps API, OpenStreetMap, postal databases).

       "cross validation":  Cross-checking of contact details (e.g.,
           name, VAT number, postal address) against trusted third-party
           repositories (e.g., EU VIES).

       "third party assertion":  Relying on a trusted third party (e.g.,
           registrar, CSP, certification authority) to assert that
           contact data has been verified externally.

   "verifierId":  (OPTIONAL) Verifier identifier, that is a server
       unique number or a delimited string using a '-' as a separator
       character to support a regional or globally unique identifier.
       The minimum length is 1 character and the maximum length is 40
       characters.  The set of verifiers and verifier identifiers is up
       to server policy.

   "verifierName":  (OPTIONAL) Verifier name of the verifier that is a
       simple character string, with a minimum length of 1 character and
       a maximum length of 40 characters.  The set of verifiers and
       verifier identifiers is up to server policy.

   "verificationId":  (OPTIONAL) Verification identifier that is unique
       for the verification performed by the verifier, that is
       represented as a number with the option of a '-' separator for
       grouping verifications by region or verifier.  The minimum length
       is 1 character and the maximum length is 40 characters.  For



Loffredo, et al.          Expires 18 April 2026                 [Page 4]

Internet-Draft         Verifying Contacts in RDAP           October 2025


       example, the "verificationId" could follow the Augmented
       Backus-Naur Form (ABNF) grammar [RFC5234] scheme verifierId "-"
       verificationNumber, where the "verificationNumber" is unique to
       the "verifierId", making the "verificationId" unique across many
       verifiers supported by the server.

6.  Extension Version Identifier

   This extension supports the following versioning types as defined in
   [I-D.ietf-regext-rdap-versioning]:

   *  Opaque Versioning: The Opaque Extension Version Identifier is
      "verifiedContacts".

   *  Semantic Versioning: The Semantic Extension Version Identifier is
      "verifiedContacts-0.3".  The Semantic Extension Version Identifier
      is "verifiedContacts-0.2" for draft-loffredo-regext-rdap-verified-
      contacts-02 and "verifiedContacts-0.1" for draft-loffredo-regext-
      rdap-verified-contacts-01.  When there are interface changes to
      the extension, the Semantic Extension Version Identifier will be
      incremented, which may not match the draft version number.  When
      the draft becomes a working group document and passes Working
      Group Last Call (WGLC), the Semantic Extension Version Identifier
      will be changed to "verifiedContacts-1.0".

7.  IANA Considerations

7.1.  RDAP Extensions Registry

   IANA is requested to register the following value in the RDAP
   Extensions Registry:

   Extension identifier:  verifiedContacts
   Registry operator:  Any
   Published specification:  This document.
   Contact:  IETF <iesg@ietf.org>
   Intended usage:  This extension identifies RDAP extension for
      verified contact information.

7.2.  RDAP JSON Values Registry

   Section 10.2 of [RFC9083] defines the RDAP JSON Values Registry with
   pre-defined Type field values and the use of the "Expert Review"
   policy defined in [RFC8126].  This specification defines two new RDAP
   JSON Values Registry Type field values that can be used to register
   pre-defined "verified contact detail" and "verified contact method"
   values.  IANA is requested to update the RDAP JSON Values Registry to
   accept these additional type field values as follows:



Loffredo, et al.          Expires 18 April 2026                 [Page 5]

Internet-Draft         Verifying Contacts in RDAP           October 2025


   "verified contact detail":  Verified contact detail being registered.
       The registered "verified contact detail" is referenced using a
       sub-field of the verified contacts "verifiedContacts_data" field.

   "verified contact method":  Verified contact method being registered.
       The "verified contact method" is referenced using the "method"
       field of the verified contacts detail (e.g., "email", "voice",
       "fax", "addr") field.

   IANA is requested to register the following in the RDAP JSON Values
   Registry, described in [RFC9083]:

   Value:  all

   Type:  verified contact detail

   Description:  All contact data has been verified.

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  email

   Type:  verified contact detail

   Description:  Email contact verification detail.

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  voice

   Type:  verified contact detail

   Description:  Voice telephone number contact verification detail.

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org






Loffredo, et al.          Expires 18 April 2026                 [Page 6]

Internet-Draft         Verifying Contacts in RDAP           October 2025


   Value:  fax

   Type:  verified contact detail

   Description:  Facsimile telephone number contact verification detail.

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  addr

   Type:  verified contact detail

   Description:  Address contact verification detail.

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  email verification

   Type:  verified contact method

   Description:  Sending a confirmation link to the specified email
       address and requiring user interaction (e.g., clicking the link)
       to confirm ownership.

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  sms token

   Type:  verified contact method

   Description:  Sending a one-time token (OTP) via SMS to the provided
       phone number and requiring the user to submit the token to
       confirm ownership.

   Registrant Name:  IETF




Loffredo, et al.          Expires 18 April 2026                 [Page 7]

Internet-Draft         Verifying Contacts in RDAP           October 2025


   Registrant Contact Information:  iesg@ietf.org



   Value:  manual review

   Type:  verified contact method

   Description:  Manual review of contact data by a human operator
       (e.g., calling the phone number, making a live video call,
       inspecting submitted documentation).

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  eid validation

   Type:  verified contact method

   Description:  Validation of contact data using a digital identity
       service, either before or after registration (e.g., eIDAS-
       compliant identity providers).

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  address verification

   Type:  verified contact method

   Description:  Verification of the postal address using a geolocation
       or address validation service (e.g., Google Maps API,
       OpenStreetMap, postal databases).

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  cross validation




Loffredo, et al.          Expires 18 April 2026                 [Page 8]

Internet-Draft         Verifying Contacts in RDAP           October 2025


   Type:  verified contact method

   Description:  Cross-checking of contact details (e.g., name, VAT
       number, postal address) against trusted third-party repositories
       (e.g., EU VIES).

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org



   Value:  third party assertion

   Type:  verified contact method

   Description:  Relying on a trusted third party (e.g., registrar, CSP,
       certification authority) to assert that contact data has been
       verified externally.

   Registrant Name:  IETF

   Registrant Contact Information:  iesg@ietf.org

8.  Security Considerations

   Contact verification data may have privacy implications.  Servers
   MUST ensure that disclosure of this information complies with
   applicable data protection laws and policies.

9.  Acknowledgements

   The authors wish to thank the following persons for their feedback
   and suggestions: Scott Hollenbeck.

10.  References

10.1.  Normative References

   [I-D.ietf-regext-rdap-versioning]
              Gould, J., Keathley, D., and M. Loffredo, "Versioning in
              the Registration Data Access Protocol (RDAP)", Work in
              Progress, Internet-Draft, draft-ietf-regext-rdap-
              versioning-03, 23 June 2025,
              <https://datatracker.ietf.org/doc/html/draft-ietf-regext-
              rdap-versioning-03>.





Loffredo, et al.          Expires 18 April 2026                 [Page 9]

Internet-Draft         Verifying Contacts in RDAP           October 2025


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
              <https://www.rfc-editor.org/info/rfc3339>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <https://www.rfc-editor.org/info/rfc5234>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC9083]  Hollenbeck, S. and A. Newton, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 9083, DOI 10.17487/RFC9083, June 2021,
              <https://www.rfc-editor.org/info/rfc9083>.

10.2.  Informative References

   [NIS2]     European Parliament and Council, "Directive (EU) 2022/2555
              of the European Parliament and of the Council of 14
              December 2022 on measures for a high common level of
              cybersecurity across the Union, amending Regulation (EU)
              No 910/2014 and Directive (EU) 2018/1972, and repealing
              Directive (EU) 2016/1148 (NIS 2 Directive)", December
              2022, <https://eur-lex.europa.eu/legal-content/EN/TXT/
              PDF/?uri=CELEX:02022L2555-20221227>.

Appendix A.  Change History

A.1.  Change from 00 to 01

   1.  Made The "verifiedContacts_data" keys consistent with those
       defined in draft-ietf-regext-rdap-jscontact.
   2.  Further specified the verification methods and changed their
       format to CamelCase.




Loffredo, et al.          Expires 18 April 2026                [Page 10]

Internet-Draft         Verifying Contacts in RDAP           October 2025


A.2.  Change from 01 to 02

   1.  Added definition of the "verified contact detail" and "verified
       contact method" RDAP JSON Values types and added a set of RDAP
       JSON Values registrations.
   2.  Updated the "method" values to be lowercase with a space word
       separator to match the requirement for registered RDAP JSON
       Values.
   3.  Added support for semantic versioning using the versioning
       extension and included the semantic versions for the prior draft
       versions.
   4.  Added the "all", "email", "voice", "fax", and "addr" verified
       contact detail registration.
   5.  Added the "verifierId" optional field to reference who performed
       the verification.
   6.  Added the "verificationId" optional field to reference the unique
       verification performed by the verification provider.

Authors' Addresses

   Mario Loffredo
   IIT-CNR/Registro.it
   Via Moruzzi,1
   56124 Pisa
   Italy
   Email: mario.loffredo@iit.cnr.it
   URI:   http://www.iit.cnr.it


   Maurizio Martinelli
   IIT-CNR/Registro.it
   Via Moruzzi,1
   56124 Pisa
   Italy
   Email: maurizio.martinelli@iit.cnr.it
   URI:   http://www.iit.cnr.it


   James Gould
   VeriSign, Inc.
   12061 Bluemont Way
   Reston, VA 20190
   United States of America
   Email: jgould@verisign.com
   URI:   http://www.verisigninc.com






Loffredo, et al.          Expires 18 April 2026                [Page 11]

Internet-Draft         Verifying Contacts in RDAP           October 2025


   P Kowalik
   DENIC eG
   Theodor-Stern-Kai 1
   Frankfurt am Main
   Germany
   Email: pawel.kowalik@denic.de
   URI:   https://denic.de












































Loffredo, et al.          Expires 18 April 2026                [Page 12]
