ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Registrant Verification: additional language for 5.7

  • To: "Fast Flux Workgroup" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Registrant Verification: additional language for 5.7
  • From: "George Kirikos" <fastflux@xxxxxxxx>
  • Date: Wed, 29 Oct 2008 16:17:16 -0400

Hi Paul,

On Wed, Oct 29, 2008 at 3:08 PM, Paul Stahura wrote:
> Before we go there, shouldn't we show that putting these (probably expensive) 
> "verification" procedures in place actually prevents the bad thing (certain 
> fast fluxing names in this case)?
>
> Plus "verification" is easily defeated by the bad guys - city matches state, 
> matches zip etc.

I'm not sure if you saw my followup post:

http://forum.icann.org/lists/gnso-ff-pdp-may08/msg00720.html

but I was mentioning physical verification through sending a PIN
through the mail, etc. Stuff that is a bit harder to defeat.

> And that's only if the bad guys are really using "bad whois" when registering 
> domains used in bad fast-flux activities.
> Don't the bad guys actually use good whois/credit card info/etc when 
> registering a fast-flux name (so it stays up longer)?

Suppose they used true WHOIS (that was verified physically). Then you
send the cops to their door. :)

As for the expense, suppose once the initial setup costs are in place
to automate things (which might be shared via many gTLDs, or big ones
like VeriSign for .com), the variable costs are mostly postage. I
would say $2 per verification, to be conservative (given a stamp costs
more like 50 cents, and most registrars would be sending locally).

According to a recent press release, GoDaddy has six million customers
and 32 million domains under management, for an average of 5 domains
per customer:

https://www.godaddy.com/gdshop/news/release_view.asp?news%5Fitem%5Fid=192&app%5Fhdr=

It's unclear whether that's typical or not (other registrars might
provide other numbers to compare), but since they're the biggest, I'll
use their numbers.

If we take that $2 per verification, and divide it by an average of 5
domains per customer, that's 40 cents per domain, since you would not
need to verify the same registrant for each domain name they own
(since some registrants have accounts at multiple registrars,
conceivably there could be even greater savings, if there was trust
between the registrars as to the verification by one of them, or if
it was done at the registry level instead). This 40 cents might be spread
over multiple years, given that for many people (especially
businesses), their addresses aren't going to change often to require
re-verification.

One could verify via other mechanisms (e.g. SMS, cell phones, etc.)
that might be cheaper than physical mail, but there are a lot of ways
to get a free phone number, so those would probably be insufficient
measures.

> I disagree with your proposed change

Would it change your stance if it was applied equally across all
registrars? (i.e. it doesn't affect your competitive posture at all)
How about only for registrants who own more than a certain number of
domains (e.g. 100 or 500 or whatever)? The cost of verifying me for
500 domains is a lot cheaper, on a per domain basis. (although, then
you'd have to devise ways to ensure that abusive folks don't stay
below that threshold by spreading their registrations across multiple
registrars or by generating a new unique "identity" for each purchase,
even though other elements are the same, e.g. same credit card, same
reseller account, but different WHOIS details so that they can avoid
verification requirements).

5.7 of the document didn't have agreement, by the way, but points were
still listed. From 941 of the October 28 draft on the wiki:

"The ideas for active engagement that were discussed by the WG
included the following; the group did not reach consensus on or
endorse any of them:"

So, I'm proposing listing the idea of registrant verification in the
document, but noting that there was no consensus for it, or
endorsement of it (unless by a miracle we all do agree it's the way to
go!).

As for evidence of effectiveness, I think we'd have data from some
ccTLDs and from some gTLDs that are sponsored (and have paperwork
requirements, maybe .jobs or .travel, etc?). Maybe .int? :) (not many
of us can get a .int domain!!!!) The root itself (how many of us can
get a TLD???!!) has verification requirements. ;) Although, not all
TLD operators are created equally. Even registrars have verification
requirements and paperwork, although even they have some bad apples,
e.g. RegisterFly, the recent EstDomains:

http://voices.washingtonpost.com/securityfix/2008/10/icann_de-accredits_estdomains.html?nav=rss_blog

Sincerely,

George Kirikos
www.LEAP.com


