<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
- To: icann@xxxxxxxxxxxxxx
- Subject: Re: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
- From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 02 Aug 2008 15:00:48 -0400
Mike,
I appreciate you are a man of beliefs. Thank you for your estimation of
the cost of your "24/7 abuse queue" proposal, which I don't understand,
lacking your beliefs or some other context that would result in numeric
values for a spreadsheet.
Eric
Mike Rodenbaugh wrote:
I believe that if any business can operate 24/7 (i.e. maintain a website,
take orders, etc.), then it also ought to deal with abuse 24/7. This simply
ought to be a cost of doing business for the contracting parties, naturally
passed on to registrants.
-Mike
-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Eric
Brunner-Williams
Sent: Saturday, August 02, 2008 7:02 AM
To: icann@xxxxxxxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
Mike,
Is there a minimum size, below which you'd like to have ICANN start
de-accrediting registrars, that you'd care to hang your hat on for the
purposes of discussion? I'd like to know what the recurring cost you
propose that registrars include in their baseline business models.
Repeat please for the registry side of business, I'd like to know what
the recurring cost you propose that registries, particularly the smaller
registries, and the post-2008 new gTLD applications, must also include
in their baseline business models.
For the purposes of discussion, I accept your point that appeals to
"resource allocation" must fail because big business exists, and
independently, because it suits "criminal actors".
Eric
Mike Rodenbaugh wrote:
That text comes from the model agreement in the ICANN-Afilias contract:
http://www.icann.org/en/tlds/agreements/info/appendix-08-08dec06.htm
If it is not contained in any particular registrar agreements with
Afilias,
that would be interesting to understand.
Also would like to know on what basis the RC objected to this clause in
the
Afilias proposal:
Registrars shall promptly investigate complaints alleging any such abusive
practices, and shall take all appropriate actions based upon such
investigations.
I think that ought to be a minimal requirement on all registrars, though
should be more specifically defined wrt 'prompt' and 'appropriate'.
Indeed it is a proposed solution I am now putting forward. Let's call it
"24/7 abuse queue". I am curious to see any reasoning why registrars and
registries ought not be required to have one that they monitor, and take
prompt and appropriate action depending upon the severity and clarity of
the
abuse. Arguments about 'resource allocation' should consider that many
domain registration online sales channels and business network operations
go
24/7, and that phishers and other criminal actors tend to target
facilitating entities that have slow or no abuse investigation.
Thanks,
Mike
-----Original Message-----
From: Eric Brunner-Williams [mailto:ebw@xxxxxxxxxxxxxxxxxxxx]
Sent: Friday, August 01, 2008 12:51 PM
To: icann@xxxxxxxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Proposed solutions
Mike,
I'm looking at the rev-31jul08.pdf and redline-31jul08.pdf. Does the
text you provide come from one of these?
Since it was only just announced, not everyone may know that the
following two sentences, which up until very recently were in the
Afilias proposed RSA, have been removed by Afilias:
"Registrars shall promptly investigate complaints alleging any
such abusive practices, and shall take all appropriate actions
based upon such investigations. Further, Registrar shall comply
promptly with any commercially reasonable requests or
recommendations with respect to such abusive practices made by
Registry Operator or any competent legal authority."
I hope that formats reasonably well for everyone. I appreciate Afilias'
listening to the RC on this issue. Most of the reservations and concerns
expressed privately to Afilias have been restated in this list, though
in a general context.
Eric
Mike Rodenbaugh wrote:
Hi Greg,
This is from the .info registry agreement with registrars:
3.6.5. acknowledge and agree that Afilias reserves the right to deny,
cancel or transfer any registration or transaction, or place any
domain name(s) on registry lock, hold or similar status, that it deems
necessary, in its discretion; (1) to protect the integrity and
stability of the registry; (2) to comply with any applicable laws,
government rules or requirements, requests of law enforcement, or any
dispute resolution process; (3) to avoid any liability, civil or
criminal, on the part of Afilias, as well as its affiliates,
subsidiaries, officers, directors, and employees; (4) per the terms of
the registration agreement or (5) to correct mistakes made by Afilias
or any Registrar in connection with a domain name registration.
Afilias also reserves the right to place upon registry lock, hold or
similar status a domain name during resolution of a dispute.
I believe there is consistent or identical language in all registry
agreements with ICANN, most if not all registry-registrar agreements,
and most if not all registration agreements.
The dotAsia implementation is moving forward, APWG is currently
discussing a contract with a vendor to provide accreditation services.
I am not sure of the status of implementation by a few interested
ccTLDs, but will try to find out.
Thanks,
Mike
------------------------------------------------------------------------
*From:* Greg Aaron [mailto:gaaron@xxxxxxxxxxxx]
*Sent:* Friday, August 01, 2008 9:45 AM
*To:* icann@xxxxxxxxxxxxxx; gnso-ff-pdp-May08@xxxxxxxxx
*Subject:* RE: [gnso-ff-pdp-may08] Proposed solutions
Dear Mike:
Some of those statements seem over-broad. I don't know of any ICANN
contract that "permits de-registration in the event of criminal
activity, and/or to protect the interests of the registry/registrar."
Can you reference the ICANN contracts (and sections) that you are
referring to? The contracts also vary from TLD to TLD.
I have been hearing since June 2007 that .ASIA is moving toward
adopting the APWG plan, but I have not seen anything happen. What is
the status? Are any other registries (gTLD or ccTLD) in the process of
adopting the APWG plan?
All best,
--Greg
------------------------------------------------------------------------
*From:* owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] *On Behalf Of *Mike Rodenbaugh
*Sent:* Friday, August 01, 2008 12:00 PM
*To:* gnso-ff-pdp-May08@xxxxxxxxx
*Subject:* RE: [gnso-ff-pdp-may08] Proposed solutions
This concept of the trusted requestor is also embodied in the APWG
plan that is moving towards implementation in dotAsia and hopefully
elsewhere.
The liability issues are manageable. I bet that more than 100,000
domains have been taken down without notice to the registrant, in
order to mitigate criminal activity, and I am not aware of any
lawsuits against a registrar or registry arising from those takedowns.
Is anyone aware of such a lawsuit?
The entire ICANN contract chain permits de-registration in the event
of criminal activity, and/or to protect the interests of the
registry/registrar. All of those provisions are beneficial to
registrants and end users who are or otherwise would be victimized by
criminal behavior.
Thanks,
Mike
------------------------------------------------------------------------
*From:* owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] *On Behalf Of *Dave Piscitello
*Sent:* Friday, August 01, 2008 8:06 AM
*To:* Wendy Seltzer
*Cc:* Diaz, Paul; Joe St Sauver; gnso-ff-pdp-May08@xxxxxxxxx
*Subject:* Re: [gnso-ff-pdp-may08] Proposed solutions
I don't recall saying "don't hold registrars or registries
accountable". I speculated that the incidence of false positives can
be kept very manageably small when you have trusted (not private)
parties. When you keep the incidents very manageably small, the cost
of accountability may also be kept commensurately small.
I worry that we spend quite a bit of time worrying over the outlying
cases. If we don't drill down to details before we dismiss a proposal
we are very likely to toss out solutions that might be effective,
given appropriate controls that cater to the outlying cases.
We all accept this sort of practice every day with medicine. Nearly
every prescription drug has some side-effect. Before prescription
drugs are approved for use, tests are run to find the "outlying cases"
and (in theory) only when the outlying cases are identified as
demonstrably few with minimum impact is a drug approved. The same
discipline can be applied here. This is why I claim the liability
issue is manageable.
So much for containing this thread to a bar conversation - and oh, I'm
missing the call.
On 8/1/08 10:19 AM, "Wendy Seltzer" <wendy@xxxxxxxxxxx> wrote:
I think the liability issues are serious ones -- and I think registrants
are made materially worse off if the liability is alleviated by giving
them less recourse. How can we balance rapid response with due process,
which seems absent if private parties can instigate registrar response,
and the legitimate registrant (mistakenly or maliciously identified)
can't hold the registrar liable for losses?
Of course adding due process increases costs, which again impact
registrants.
--Wendy
Dave Piscitello wrote:
Paul,
You questions are appropriate and are familiar to those of us who
work with the APWG on the Accelerated Suspension Plan.
Let's assume that it is possible to create an accreditation program,
that it can be paid for, that credentials can be issued, and that the
program has an indemnification/liability component. Such programs have
been created many times before. There are many models, and if we were
to recommend such a program, I suspect a different and perhaps more
appropriately qualified working group than ours could be formed to
develop one.
Now, who enforces? I think Joe's correct that the registrar is
(currently) the sweet spot but I also think that the solution must
consider the possibility of a non-responsive registrar. So I think an
"escalation" model is appropriate, where an accredited party can
demonstrate a registrar is non-responsive and the registry can take
action.
[As an aside, I do think that the liability worry, while present,
will prove in practice to be a non-issue. In fact, having accredited
responders could further reduce the likelihood of a false positive.
But this is a bar conversation so I'll set it aside.]
On 7/31/08 4:11 PM, "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx> wrote:
Joe's proposal may seem straight forward, but it actually raises several
concerns:
Should such enforcement be handled at the registrar or the registry
level?
How will the recipient of a complaint verify the bona fides of the
complainer?
What information will be required to put a "documented" domain on
(Registrar or Registry) Hold status?
Besides the WDPRS model, have you considered something like the APWG's
proposed Accelerated Suspension Plan? If so, what will the
accreditation criteria look like?
Who pays for any of this? How?
Who will indemnify the enforcer for any liabilities?
The list could go on. I am not trying to be obstructionist, and realize
that we're supposed to be discussing proposed solutions. I just think
that we need to more fully develop any suggestions that would target a
single entity in this process when they are posted to the list.
Regards, P
-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx]
<mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx%5d> On Behalf Of Joe St Sauver
Sent: Thursday, July 31, 2008 2:23 PM
To: dave.piscitello@xxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Proposed solutions
Dave mentioned:
#Can we agree at the outset of this discussion that there is no single
#security measure that defeats fast flux and that the solution, like the
#definition, is multi-faceted, each measure contributing in some way to
#reducing the threat?
#
#I'll be frank. I want to preempt another long discussion of TTLs. I am
#happy to include a bullet item "TTL monitoring and analysis" as item 1
#on the list but let's go through the discipline of enumerating all the
#measures we can think of, as we did with the definition.
In my painfully direct sort of way, I believe that what's ultimately
needed will be for registrars to accept complaints about fastflux
domains, acting on documented evidence supplied by the complainant
to "HOLD" documented fastflux domains. (Envision something like
http://wdprs.internic.net/ but for reporting fastflux domain names)
Procedurally, as part of that, I believe a domain name owner should have
a mechanism or channel for appealing a fastflux determination, although
I strongly suspect that appeals would be likely be quite rare. :-;
Regards,
Joe
--
Wendy Seltzer -- wendy@xxxxxxxxxxx
phone: +1.914.374.0613
Visiting Professor, American University Washington College of Law
Fellow, Berkman Center for Internet & Society
http://cyber.law.harvard.edu/seltzer.html
http://www.chillingeffects.org/
https://www.torproject.org/
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|