RE: [gnso-ff-pdp-may08] Meta: Strawman - Process vs. Policy

["Greg Aaron" <gaaron@xxxxxxxxxxxx>]

A few quick thoughts:

* Aren't the registrant and/or the registrant's service providers (hosting
providers and consumer-oriented DNS providers) the ones who set
authoritative TTLs?  (If so, registries cannot provide useful TTL info.)
And most registrars don't have authoritative TTL info either (unless they
are acting as the hosting provider as well).

* Registry records allow one to see frequency of flux only for double-flux
domains.  So the regime below could be applicable only to a particular
subset of the problem.  

* As you say, the relevant laws/agreements/policies are wildly divergent.
Apples-to-oranges comparisons would result, and only the most conversant
would be able to make sense of things.  (Therefore of limited use to
registrants.)  Statistics are useful when there is basis for comparison.

* "Action taken" is a relevant metric only if the incoming reports are
actionable and accurate.  Accepting reporting from "any party" would need to
be coupled some form of quality validation as part of the process.  (Recall
that most spam reports from registrants are not actionable, in part because
ordinary users don't understand address spoofing.)

* Whether action can or should be taken by a given party is often debatable.
Phishing is pretty easy to identify.  But determining intent is not easy for
all the problematic activities supported by fast-flux hosting.  For example,
how many registrars or registries are ready to accept responsibility for
taking down sites that offer what are purported to be brand-name watches?  

* A possible implication of the regime below is that registries get held
accountable for non-action by registrars.

All best,
--Greg  



-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Rodney Joffe
Sent: Friday, August 01, 2008 12:37 PM
To: gnso-ff-pdp-may08@xxxxxxxxx
Subject: [gnso-ff-pdp-may08] Meta: Strawman - Process vs. Policy


I wonder if I could launch a strawman that triggered my question to  
the group:

Registries and registrars provide metrics (to be defined, but  
including elements like frequency of flux, date/times, ttls, etc).

Anyone can have access to this data, and can make their own decisions  
based on the metrics, including obviously using additional metrics  
provided by any other entity they trust (like apwg, phishtank, etc.).

Anyone can submit a request for takedown.

Registries and registrars are governed by a combination of contractual  
agreements (with ICANN and/or registries in the case of registrars) as  
well as local/national laws.

Based on these laws/agreements/policies registries/registrars act or  
do not act on requests that include evidence

Metrics relating to actions taken are published by registries/ 
registrars and third parties (like apwg, phishtank, etc)

Users can make decisions about which registries/registrars and or  
third parties to trust in whatever context they operate (anti-spam  
ops, web surfers, domain registrants).

Ultimately the market will influence behavior.

Notes:

Nation/State LEO obviously have the ability to enforce their laws.

ICANN has the ability to proscribe actions to be taken by  
registries(some) and registrars.

The market bears the cost.