RE: [gnso-ff-pdp-may08] Proposed solutions

["Mike Rodenbaugh" <icann@xxxxxxxxxxxxxx>]

This concept of the trusted requestor is also embodied in the APWG plan that
is moving towards implementation in dotAsia and hopefully elsewhere.

 

The liability issues are manageable.  I bet that more than 100,000 domains
have been taken down without notice to the registrant, in order to mitigate
criminal activity, and I am not aware of any lawsuits against a registrar or
registry arising from those takedowns.  Is anyone aware of such a lawsuit?

 

The entire ICANN contract chain permits de-registration in the event of
criminal activity, and/or to protect the interests of the
registry/registrar.  All of those provisions are beneficial to registrants
and end users who are or otherwise would be victimized by criminal behavior.

 

Thanks,

Mike

 

  _____  

From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Dave Piscitello
Sent: Friday, August 01, 2008 8:06 AM
To: Wendy Seltzer
Cc: Diaz, Paul; Joe St Sauver; gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Proposed solutions

 

I don't recall saying "don't hold registrars or registries accountable". I
speculated that the incidence of false positives can be kept very manageably
small when you have trusted (not private) parties. When you keep the
incidents very manageably small, the cost of accountability may also be kept
commensurately small. 

I worry that we spend quite a bit of time worrying over the outlying cases.
If we don't drill down to details before we dismiss a proposal we are very
likely to toss out solutions that might be effective, given appropriate
controls that cater to the outlying cases.

We all accept this sort of practice every day with medicine. Nearly every
prescription drug has some side-effect. Before prescription drugs are
approved for use, tests are run to find the "outlying cases" and (in theory)
only when the outlying cases are identified as demonstrably few with minimum
impact is a drug approved. The same discipline can be applied here. This is
why I claim the liability issue is manageable.

So much for containing this thread to a bar conversation - and oh, I'm
missing the call. 

On 8/1/08 10:19 AM, "Wendy Seltzer" <wendy@xxxxxxxxxxx> wrote:

I think the liability issues are serious ones -- and I think registrants
are made materially worse off if the liability is alleviated by giving
them less recourse.  How can we balance rapid response with due process,
which seems absent if private parties can instigate registrar response,
and the legitimate registrant (mistakenly or maliciously identified)
can't hold the registrar liable for losses?

Of course adding due process increases costs, which again impact
registrants.

--Wendy


Dave Piscitello wrote:
> Paul,
>
> You questions are appropriate and are familiar to those of us who work
with the APWG on the Accelerated Suspension Plan.
>
> Let's assume that it is possible to create an accreditation program, that
it can be paid for, that credentials can be issued, and that the program has
an indemnification/liability component. Such programs have been created many
times before. There are many models, and if we were to recommend such a
program, I suspect a different and perhaps more appropriately qualified
working group than ours could be formed to develop one.
>
> Now, who enforces? I think Joe's correct that the registrar is (currently)
the sweet spot but I also think that the solution must consider the
possibility of a non-responsive registrar. So I think an "escalation" model
is appropriate, where an accredited party can demonstrate a registrar is
non-responsive and the registry can take action.
>
> [As an aside, I do think that the liability worry, while present, will
prove in practice to be a non-issue. In fact, having accredited responders
could further reduce the likelihood of a false positive. But this is a bar
conversation so I'll set it aside.]
>
> On 7/31/08 4:11 PM, "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Joe's proposal may seem straight forward, but it actually raises several
> concerns:
>
> Should such enforcement be handled at the registrar or the registry
> level?
>
> How will the recipient of a complaint verify the bona fides of the
> complainer?
>
> What information will be required to put a "documented" domain on
> (Registrar or Registry) Hold status?
>
> Besides the WDPRS model, have you considered something like the APWG's
> proposed Accelerated Suspension Plan?  If so, what will the
> accreditation criteria look like?
>
> Who pays for any of this?  How?
>
> Who will indemnify the enforcer for any liabilities?
>
>
> The list could go on.  I am not trying to be obstructionist, and realize
> that we're supposed to be discussing proposed solutions.  I just think
> that we need to more fully develop any suggestions that would target a
> single entity in this process when they are posted to the list.
>
> Regards, P
>
> -----Original Message-----
> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx]
<mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx%5d>  On Behalf Of Joe St Sauver
> Sent: Thursday, July 31, 2008 2:23 PM
> To: dave.piscitello@xxxxxxxxx
> Cc: gnso-ff-pdp-May08@xxxxxxxxx
> Subject: Re: [gnso-ff-pdp-may08] Proposed solutions
>
>
> Dave mentioned:
>
> #Can we agree at the outset of this discussion that there is no single
> #security measure that defeats fast flux and that the solution, like the
>
> #definition, is multi-faceted, each measure contributing in some way to
> #reducing the threat?
> #
> #I'll be frank. I want to preempt another long discussion of TTLs. I am
> #happy to include a bullet item "TTL monitoring and analysis" as item 1
> #on the list but let's go through the discipline of enumerating all the
> #measures we can think of, as we did with the definition.
>
> In my painfully direct sort of way, I believe that what's ultimately
> needed will be for registrars to accept complaints about fastflux
> domains, acting on documented evidence supplied by the complainant
> to "HOLD" documented fastflux domains. (Envision something like
> http://wdprs.internic.net/ but for reporting fastflux domain names)
> Procedurally, as part of that, I believe a domain name owner should have
>
> a mechanism or channel for appealing a fastflux determination, although
> I strongly suspect that appeals would be likely be quite rare. :-;
>
> Regards,
>
> Joe
>
>
>


--
Wendy Seltzer -- wendy@xxxxxxxxxxx
phone: +1.914.374.0613
Visiting Professor, American University Washington College of Law
Fellow, Berkman Center for Internet & Society
http://cyber.law.harvard.edu/seltzer.html
http://www.chillingeffects.org/
https://www.torproject.org/