DRPF Use Case

Relationship Policies

  • Organizations can define any number of relationships between the domains they operate, for various purposes (e.g. a subsidiary, an individual product brand, a specific use, etc.).

Business Information

  • Companies can publish official information about their business and use of the domain in a structured format that can be discovered and displayed by search engines and other applications.

Abuse Reporting

  • A common method for companies to publish abuse reporting mechanisms, giving customers and the security community a way to report potential abuse.

Authoritative Information

When seeking information about the company that operates a domain, a relying party can retrieve a domain policy carrying a range of useful corporate information. The data primitives defined by the default domain policy vocabulary focus on the relationships between domains, and rely on other ontologies to define more detailed information. For example, many useful elements such as legal company name, headquarters location, doing business as (DBA) names, DUNS Number, and other standardized identifiers are identified by reference to those external vocabularies rather than defined in the DRPF vocabulary itself.

Consider the information available about a company via Google, Bing, Yahoo, or on Wikipedia. It is scraped from websites and varies in reliability, because search engines and other aggregators are left to infer the veracity of what they collect. By comparison, consider the information on a company's own website. By most measures it is more reliable, and a visitor reaches it through the same DNS resolution that the DRPF relies on: in both cases trust is anchored to control of the domain (and is therefore only as strong as the domain's DNS; DNSSEC signing raises that bar). The difference is that the DRPF publishes the information in a structured, machine-readable format.

Something else worth pointing out: while most people think of domains as inherently tied to websites, many domains are used for purposes other than serving web pages. For example, domains may be registered to serve as API endpoints, for ad/click tracking, or for content delivery caching, with no dedicated website at all. Each of these would benefit from DRPF assertions and associated policies that describe how the domain is used.

NOTE: Unlocking the full value of the DRPF relies on a reasonable working knowledge of the ontologies used on the semantic web and how to reference them. It helps to be familiar with the Web Ontology Language (OWL) and its lighter-weight cousins, Microformats and Schema.org. Essentially, any well-defined vocabulary can be used within DRPF Policy Documents, whether it is already well-known or you define it yourself.


A (Super) Brief List of Corporate Info Use Cases

There are so many use cases for publishing easily discoverable, authoritative corporate information that it is impossible to do them justice. Below is a small sample of ideas (in no particular order) that illustrates the breadth of possibilities supported by DRPF policies:

Contact Information
The ability for a company to publish official, authoritative contact information (e.g. phone numbers, email addresses, links to web forms, etc.) gives domain administrators control over what information is published, discovered, and displayed.
Abuse Reporting
As companies begin to separate general feedback and comment channels from dedicated abuse reporting channels, DRPF policy documents can identify which channel should be used for which purpose. For example, a company may want to state clearly how to report email abuse (e.g. spam) as distinct from how to report potential violations of its corporate abuse policies.
Official Social Media Accounts
To avoid confusion between legitimately authorized social media accounts and impostors, a domain administrator can publish DRPF policy documents that announce the official corporate accounts used on various platforms. The DRPF further lets each brand under a conglomerate publish its own set of official accounts, all of which remain discoverable and verifiable as legitimate through the domain relationship policies.
Regulatory Policies
Complying with regulatory policies across jurisdictions is complicated, and companies are increasingly required to make their compliance policies publicly discoverable. Using the DRPF to publish corporate-controlled terms of service and privacy policies can simplify both administrative control and compliance.
Authorized Redirection Services
A common abuse pattern is a threat actor redirecting users to malicious destinations through a URL shortener or redirection service such as Bit.ly. Domain administrators may publish a comprehensive list of the redirection services (and, where possible, endpoint patterns) authorized for use in conjunction with the business of the company, so that a relying party can treat any other redirector claiming to lead to the company as suspect.
NOTE: The above list only illustrates possibilities, and says next to nothing about how to implement the DRPF, but it should provide a glimpse of the breadth of authoritative information that can be published for various uses. A lot is left to be defined, and the use cases of interest to the community will drive what is fleshed out in more detail. Let us know which informational use cases you would like to run to ground!
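The Official Social Media Accounts and Authorized Redirection Services items above both come down to the same relying-party question: does a URL I was handed match what the domain's policy announces? The following is an added example, not code from the DRPF project, and the DRPF policy document format is not defined on this page, so it assumes a Schema.org-style JSON-LD Organization document. `sameAs` is a genuine Schema.org property, used here for the official accounts; `authorizedRedirectors`, `host` and `pathPrefix` are hypothetical extension properties standing in for the redirection-services list, and the company, accounts and URLs are constructed. The point it shows is the check a relying party has to get right: compare the parsed hostname, never a substring of the URL, and reject URLs that carry userinfo.

```python
"""Relying-party checks against a DRPF policy document (added example).

The DRPF page does not define the policy document format. This example
ASSUMES a Schema.org-style JSON-LD document describing an Organization.
`sameAs` is a real Schema.org property, used here for official social
accounts. `authorizedRedirectors`, `host` and `pathPrefix` are hypothetical
extension properties standing in for the page's "authorized redirection
services" list; a real deployment would define them in the JSON-LD context.
"""
import json
from urllib.parse import urlsplit

# Constructed sample policy document; the company and accounts are fictional.
POLICY_JSONLD = """
{
  "@context": "https://schema.org",
  "@type": "Organization",
  "legalName": "Example Holdings, Inc.",
  "url": "https://example.com/",
  "sameAs": [
    "https://twitter.com/ExampleCorp",
    "https://www.linkedin.com/company/example-corp",
    "https://github.com/example-corp"
  ],
  "authorizedRedirectors": [
    {"host": "bit.ly", "pathPrefix": "/ex-"},
    {"host": "go.example.com"}
  ]
}
"""


def load_policy(doc: str) -> dict:
    """Parse the policy and make sure it describes an Organization."""
    policy = json.loads(doc)
    if policy.get("@type") != "Organization":
        raise ValueError("policy document is not a schema.org Organization")
    return policy


def _normalize_url(url: str):
    """Return (scheme, host, path) for comparison, or None if the URL is unusable.

    Only http(s) URLs with a hostname are accepted, and URLs carrying userinfo
    are rejected outright: "https://bit.ly@evil.example/x" has the hostname
    evil.example but looks like a bit.ly link to a human reader.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname.lower().rstrip(".")   # .hostname is lowercase; drop any trailing dot
    path = parts.path.rstrip("/") or "/"        # treat /ExampleCorp and /ExampleCorp/ alike
    return parts.scheme, host, path


def is_official_account(policy: dict, profile_url: str) -> bool:
    """True iff profile_url is one of the accounts announced in `sameAs`.

    Scheme and trailing-slash differences are tolerated; host and path must
    match exactly, so an impostor such as twitter.com/ExampleCorp2 is rejected.
    """
    target = _normalize_url(profile_url)
    if target is None:
        return False
    for official in policy.get("sameAs", []):
        ref = _normalize_url(official)
        if ref is not None and ref[1:] == target[1:]:
            return True
    return False


def is_authorized_redirect(policy: dict, link: str) -> bool:
    """True iff link points at a redirector the policy authorizes.

    The parsed hostname must equal a listed host exactly; substring or suffix
    tricks such as bit.ly.evil.example or notbit.ly therefore fail. When an
    entry carries pathPrefix, only paths starting with that prefix count.
    """
    target = _normalize_url(link)
    if target is None:
        return False
    _, host, path = target
    for entry in policy.get("authorizedRedirectors", []):
        if host != entry["host"].lower().rstrip("."):
            continue
        prefix = entry.get("pathPrefix")
        if prefix and not path.startswith(prefix):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = load_policy(POLICY_JSONLD)
    for url in ("https://twitter.com/ExampleCorp", "https://twitter.com/ExampleCorp2"):
        print(f"official account? {url} -> {is_official_account(policy, url)}")
    for url in ("https://bit.ly/ex-launch", "https://bit.ly.evil.example/ex-launch",
                "https://bit.ly@evil.example/ex-launch"):
        print(f"authorized redirect? {url} -> {is_authorized_redirect(policy, url)}")
```

Exact host matching is deliberate: a policy that wants to authorize a redirector's subdomain lists that subdomain, rather than the checker guessing at suffix rules that an attacker-registered look-alike could satisfy. The `pathPrefix` is a plain string prefix, which is enough for branded short-link patterns but would need a stricter rule if the redirector allowed arbitrary user-chosen paths.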