Re: [gnso-ff-pdp-may08] Proposed solutions

[Dave Piscitello <dave.piscitello@xxxxxxxxx>]

I don't recall saying "don't hold registrars or registries accountable". I 
speculated that the incidence of false positives can be kept very manageably 
small when you have trusted (not private) parties. When you keep the incidents 
very manageably small, the cost of accountability may also be kept 
commensurately small.

I worry that we spend quite a bit of time worrying over the outlying cases. If 
we don't drill down to details before we dismiss a proposal we are very likely 
to toss out solutions that might be effective, given appropriate controls that 
cater to the outlying cases.

We all accept this sort of practice every day with medicine. Nearly every 
prescription drug has some side-effect. Before prescription drugs are approved 
for use, tests are run to find the "outlying cases" and (in theory) only when 
the outlying cases are identified as demonstrably few with minimum impact is a 
drug approved. The same discipline can be applied here. This is why I claim the 
liability issue is manageable.

So much for containing this thread to a bar conversation - and oh, I'm missing 
the call.

On 8/1/08 10:19 AM, "Wendy Seltzer" <wendy@xxxxxxxxxxx> wrote:

I think the liability issues are serious ones -- and I think registrants
are made materially worse off if the liability is alleviated by giving
them less recourse.  How can we balance rapid response with due process,
which seems absent if private parties can instigate registrar response,
and the legitimate registrant (mistakenly or maliciously identified)
can't hold the registrar liable for losses?

Of course adding due process increases costs, which again impact
registrants.

--Wendy


Dave Piscitello wrote:
> Paul,
>
> You questions are appropriate and are familiar to those of us who work with 
> the APWG on the Accelerated Suspension Plan.
>
> Let's assume that it is possible to create an accreditation program, that it 
> can be paid for, that credentials can be issued, and that the program has an 
> indemnification/liability component. Such programs have been created many 
> times before. There are many models, and if we were to recommend such a 
> program, I suspect a different and perhaps more appropriately qualified 
> working group than ours could be formed to develop one.
>
> Now, who enforces? I think Joe's correct that the registrar is (currently) 
> the sweet spot but I also think that the solution must consider the 
> possibility of a non-responsive registrar. So I think an "escalation" model 
> is appropriate, where an accredited party can demonstrate a registrar is 
> non-responsive and the registry can take action.
>
> [As an aside, I do think that the liability worry, while present, will prove 
> in practice to be a non-issue. In fact, having accredited responders could 
> further reduce the likelihood of a false positive. But this is a bar 
> conversation so I'll set it aside.]
>
> On 7/31/08 4:11 PM, "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Joe's proposal may seem straight forward, but it actually raises several
> concerns:
>
> Should such enforcement be handled at the registrar or the registry
> level?
>
> How will the recipient of a complaint verify the bona fides of the
> complainer?
>
> What information will be required to put a "documented" domain on
> (Registrar or Registry) Hold status?
>
> Besides the WDPRS model, have you considered something like the APWG's
> proposed Accelerated Suspension Plan?  If so, what will the
> accreditation criteria look like?
>
> Who pays for any of this?  How?
>
> Who will indemnify the enforcer for any liabilities?
>
>
> The list could go on.  I am not trying to be obstructionist, and realize
> that we're supposed to be discussing proposed solutions.  I just think
> that we need to more fully develop any suggestions that would target a
> single entity in this process when they are posted to the list.
>
> Regards, P
>
> -----Original Message-----
> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Joe St Sauver
> Sent: Thursday, July 31, 2008 2:23 PM
> To: dave.piscitello@xxxxxxxxx
> Cc: gnso-ff-pdp-May08@xxxxxxxxx
> Subject: Re: [gnso-ff-pdp-may08] Proposed solutions
>
>
> Dave mentioned:
>
> #Can we agree at the outset of this discussion that there is no single
> #security measure that defeats fast flux and that the solution, like the
>
> #definition, is multi-faceted, each measure contributing in some way to
> #reducing the threat?
> #
> #I'll be frank. I want to preempt another long discussion of TTLs. I am
> #happy to include a bullet item "TTL monitoring and analysis" as item 1
> #on the list but let's go through the discipline of enumerating all the
> #measures we can think of, as we did with the definition.
>
> In my painfully direct sort of way, I believe that what's ultimately
> needed will be for registrars to accept complaints about fastflux
> domains, acting on documented evidence supplied by the complainant
> to "HOLD" documented fastflux domains. (Envision something like
> http://wdprs.internic.net/ but for reporting fastflux domain names)
> Procedurally, as part of that, I believe a domain name owner should have
>
> a mechanism or channel for appealing a fastflux determination, although
> I strongly suspect that appeals would be likely be quite rare. :-;
>
> Regards,
>
> Joe
>
>
>


--
Wendy Seltzer -- wendy@xxxxxxxxxxx
phone: +1.914.374.0613
Visiting Professor, American University Washington College of Law
Fellow, Berkman Center for Internet & Society
http://cyber.law.harvard.edu/seltzer.html
http://www.chillingeffects.org/
https://www.torproject.org/