RE: [gnso-ff-pdp-may08] Proposed solutions

[Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>]

Paul mentioned:

#Joe's proposal may seem straight forward, but it actually raises several
#concerns:
# 
#Should such enforcement be handled at the registrar or the registry
#level?  

My preference would be to work at the registrar level where possible,
in part because some registrants will shotgun fastflux registrations
across multiple TLDs, while only using a single registrar. In that
scenario, if action takes place at the registry, multiple registries
would potentially need to be involved, while if action takes place
at the registrar level, only a single registrar might need take action.

I also like the fact that the registrar is closer to the customer
who did the fastflux registration.

Involving the registrar in the issue also aligns the work of dealing
with potential abuse with the party who accepted the customer's 
registration in the first place, thereby reinforcing the benefits
of efforts to avoid getting bad customers in the first place. 

On the other hand, if we hypothesize a non-responsive registrar, or
a miscreant working within one TLD across multiple parallel registrars,
one could obviously make a case for homing this sort of function at the 
registry instead of the registrar.

I'd be interested in hearing what folks think about this important point. 

#How will the recipient of a complaint verify the bona fides of the
#complainer?  

The good thing about fastflux is that a complaint should be independently
and objectively varifiable, which minimizes or eliminates the need for 
assessing the reputation of a complainant (the complainant is 
basically just a finger pointer: "Look here, you'll find the following
objective characteristics which are associated with fastflux" rather than
someone employing subjective expert judgement, "I know it is fastflux 
because it, uh, looks that way to me, but I can't articulate why")

At the same time, if complainants are required to provide their name and
username, as they currently are for WDPRS, that would provide a mechanism
for identifying those making frivilous or abusive reports. 

#What information will be required to put a "documented" domain on
#(Registrar or Registry) Hold status?  

This comes back to the definition of fastflux, I'm afraid. I think
that at a minimum, a complainant would need to show that the domain
complained of met the technical characteristics which we will 
(eventually :-)) agree upon. 

If criminal use of a domain is an essential element of being fastflux 
(although I'm hearing that people may NOT want to do that), it would then
also be incumbent upon the complainant to explain what's illegal about the 
domain (implemented on compromised systems w/o the permission of the
system owner/operator, hosting inherently illegal content such as 
a phishing site or pirated software, or whatever). 

#Besides the WDPRS model, have you considered something like the APWG's
#proposed Accelerated Suspension Plan?  If so, what will the
#accreditation criteria look like?

I'd be open to that sort of model, sure, although I view it as a more
complex approach than one which focusses strictly on technical 
characteristics.

#Who pays for any of this?  How?

If you'll let me argue in the alternative here:

1) The number of fastflux domain clusters will rapidly become small once
   enforcement becomes routine, so costs will quickly drop to de minimus
   levels and should be expensed by the registrar as a cost of doing
   business; if you're a registrar that does thorough/agressive customer
   vetting, it is unlikely that you'd see many complaints about fastflux
   customers, so your costs will be comparably low. 

2) If a tiered domain model were adopted, where fees were charged for
   repeated changes to name server records, those fees might be devoted
   to underwriting enforcement

3) Donations from those negatively affected by fastflux might be still
   another funding model

#Who will indemnify the enforcer for any liabilities?

Who currently indeminfies a registrar when they "HOLD" a domain for bad
whois data following a WDPRS report and investigation?

#The list could go on.  I am not trying to be obstructionist, and realize
#that we're supposed to be discussing proposed solutions.  I just think
#that we need to more fully develop any suggestions that would target a
#single entity in this process when they are posted to the list.  

I think you're asking precisely the right kind of questions, and I encourage
you to ask any others along the same line that you might be contemplating. 

Regards,

Joe

Disclaimer: all opinions strictly my own