RE: Proposed Registrar Disqualification Procedure

["Orbeton, Jon" <jorbeton@xxxxxxxxxx>]

Dear Sirs:

Thank you for the opportunity to comment on the draft report published
27 February 2009 entitled "Proposed Registrar Disqualification
Procedure." 

First, disqualification usually implies the use of some neutral third
party which has a set of rules and guidelines which are enforced upon an
actor or player. Someone files a complaint or lodges a protest, a case
is created, the disputing parties argue their case, and a judgment is
made. The rules and guidelines are enforced by someone acting as an
umpire, judge or referee and *require the use of this third party* for
the disqualification process to work. 

Disqualification Requires Rules and a Referee
=============================================

Setting up these rules through the "Proposed Registrar Disqualification
Procedure" is a good first step. However, there is still no indication
ICANN is implementing more than just rules. The "Triggering Action"
listed in the draft procedure can only be invoked by ICANN and does not
appear to provide for a "protest" or a request for disqualification from
an outside party. If a specific Registrar is harming a group, some
representative of that group must be able to protest or bring a case
against this Registrar and to provide evidence supporting a
disqualification. 

ICANN provides this type of external invocation process under the
"Uniform Domain-Name Dispute-Resolution Policy" (UDRP). Given that the
UDNP simply determines who may rightfully own a domain-name, doesn't the
severity of a Registrar being disqualified require -- at the very least
-- a similar level of review? 

As with any disqualification process, there must be:

   -A referee or judge
   -A way to for someone to submit an action (protest) for review by
this referee or judge
 
There must be some way for a harmed or aggrieved party to create a case
and take that case to the judge or referee in order for the rules to be
enforced. If a registrar harms hundreds of Internet users by, for
example, providing DNS naming service for fast-flux botnets and takes no
action to stop the DNS naming, they are obviously harming Internet users
in general and the reports of this abuse and the registrars lack of
response or action must be judged by a third party. 

No Assumption of Self-Policing
==============================

ICANN seems to believe registrars are capable of self-policing, and they
are for the most part. However, there are some registrars are actively
hostile, who are in business to facilitate cybercrime, who are called
"bullet-proof" by those in the industry, and who have no reactive
process, or claim to take action but do nothing. Most of us who handle,
investigate, and respond to cyber-crime know these registrars, know they
will take no action, and have no formal option or recourse to simply
report this problem. 

I would urge you to create a similar type of function to the existing
Uniform Domain-Name Dispute-Resolution Policy, but apply it to this
proposed Disqualification Procedure. Allow those who are being are
harmed (by repeat and non-responsive Registrars hosting and friendly to
fast-flux phishing for example) to bring a case against a known-hostile
Registrar and have the merits debated. The UDRP is in place, it's well
tested, and it seems to work. Consider building upon this existing
success and using the UDRP model in this Disqualification Procedure.    

Harm to Registrants or Internet Users?
======================================

I would like to specifically focus on Section 3, "Determination of
Disqualification" which states:

ICANN may disqualify an individual or entity (that is subject to
potential disqualification, as described in section 2 above) from
registrar accreditation and registry administration where:

   3.1.1.its actions caused or are likely to cause permanent or
irreparable harm to registrants;

   3.1.2.its actions compromised or threatened the security or stability
of the domain name system;

   3.1.3.it yielded financial gain to the registrar or itself through
harm to registrants that was intentional or caused by reckless
disregard;

These disqualifying actions are confusing, specifically the use of the
phrases "harm to registrant" and "security or stability of the domain
name system." The harm that a Registrar can carry out is most often not
directed against other "registrants" or the "domain name system."
Rather, the harm is to general Internet users (fast-flux botnet/phishing
hosting again comes to mind). A hostile or recalcitrant registrar may
receive hundreds or thousands of abuse reports about a specific domain
name that crucial to an attack. They may take no action and make a
pattern of taking no action. 

As mentioned before, these registrars will become known as bullet-proof
-- no matter how many abuse reports are fired into their inbox, they do
nothing. The reason they do nothing is that there is no penalty for
their willful and repeated inaction. 

As such, I would suggest adding another item:
   
    3.1.4.its repeated and willful inaction compromised or threatened
the security of a wide-group Internet users, specifically: personal,
private, financial, and medical information;

It seems the goal of this draft procedure is to disqualify those
registrants who have the infamous distinction of "bullet-proof" and
those who cause harm -- please ensure the protection granted through
this procedure is not limited to registrants and the DNS system, but
rather also includes Internet users, companies who conduct e-commerce
and the wider population than your member organizations.


Sincerely,
Jon Orbeton

Information Security Engineer
PayPal, an eBay company