ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] Proposed solutions

  • To: <icann@xxxxxxxxxxxxxx>, <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: RE: [gnso-ff-pdp-may08] Proposed solutions
  • From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
  • Date: Fri, 1 Aug 2008 16:18:10 -0400

Dear Mike:

 

There is not similar language in the .COM and .NET RRAs.  Nor in the .COM
registry agreement with ICANN as far as I can find.  

 

Language you cite from the .info RRA does not permit "de-registration in the
event of criminal activity, and/or to protect the interests of the
registry/registrar."   The "integrity and stability of the registry" refers
to operational stability and accuracy, which is not threatened by a phish,
or fast-flux domains, etc.  Such threats to the stability of the registry
itself are quite rare.  "Integrity" does not mean the interests of the TLD.
As far as I am aware, there are no blanket laws or government rules that
allow gTLD registries to suspend domains etc whenever they like.  Court
orders etc. are specific to particular cases, of course.  

 

All best,

--Greg

 

 

 

  _____  

From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Mike Rodenbaugh
Sent: Friday, August 01, 2008 3:20 PM
To: gnso-ff-pdp-May08@xxxxxxxxx
Subject: RE: [gnso-ff-pdp-may08] Proposed solutions

 

Hi Greg,

 

This is from the .info registry agreement with registrars:

 

3.6.5. acknowledge and agree that Afilias reserves the right to deny,
cancel or transfer any registration or transaction, or place any
domain name(s) on registry lock, hold or similar status, that it deems
necessary, in its discretion; (1) to protect the integrity and
stability of the registry; (2) to comply with any applicable laws,
government rules or requirements, requests of law enforcement, or any
dispute resolution process; (3) to avoid any liability, civil or
criminal, on the part of Afilias, as well as its affiliates,
subsidiaries, officers, directors, and employees; (4) per the terms of
the registration agreement or (5) to correct mistakes made by Afilias
or any Registrar in connection with a domain name registration.
Afilias also reserves the right to place upon registry lock, hold or
similar status a domain name during resolution of a dispute.

 

I believe there is consistent or identical language in all registry
agreements with ICANN, most if not all registry-registrar agreements, and
most if not all registration agreements.

 

The dotAsia implementation is moving forward, APWG is currently discussing a
contract with a vendor to provide accreditation services.  I am not sure of
the status of implementation by a few interested ccTLDs, but will try to
find out.

 

Thanks,

Mike

 

  _____  

From: Greg Aaron [mailto:gaaron@xxxxxxxxxxxx] 
Sent: Friday, August 01, 2008 9:45 AM
To: icann@xxxxxxxxxxxxxx; gnso-ff-pdp-May08@xxxxxxxxx
Subject: RE: [gnso-ff-pdp-may08] Proposed solutions

 

Dear Mike:

 

Some of those statements seem over-broad.  I don't know of any ICANN
contract that "permits de-registration in the event of criminal activity,
and/or to protect the interests of the registry/registrar."   Can you
reference the ICANN contracts (and sections) that you are referring to?
The contracts also vary from TLD to TLD. 

 

I have been hearing since June 2007 that .ASIA is moving toward adopting the
APWG plan, but I have not seen anything happen.  What is the status?  Are
any other registries (gTLD or ccTLD) in the process of adopting the APWG
plan?  

 

All best,

--Greg

 

  _____  

From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Mike Rodenbaugh
Sent: Friday, August 01, 2008 12:00 PM
To: gnso-ff-pdp-May08@xxxxxxxxx
Subject: RE: [gnso-ff-pdp-may08] Proposed solutions

 

This concept of the trusted requestor is also embodied in the APWG plan that
is moving towards implementation in dotAsia and hopefully elsewhere.

 

The liability issues are manageable.  I bet that more than 100,000 domains
have been taken down without notice to the registrant, in order to mitigate
criminal activity, and I am not aware of any lawsuits against a registrar or
registry arising from those takedowns.  Is anyone aware of such a lawsuit?

 

The entire ICANN contract chain permits de-registration in the event of
criminal activity, and/or to protect the interests of the
registry/registrar.  All of those provisions are beneficial to registrants
and end users who are or otherwise would be victimized by criminal behavior.

 

Thanks,

Mike

 

  _____  

From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Dave Piscitello
Sent: Friday, August 01, 2008 8:06 AM
To: Wendy Seltzer
Cc: Diaz, Paul; Joe St Sauver; gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Proposed solutions

 

I don't recall saying "don't hold registrars or registries accountable". I
speculated that the incidence of false positives can be kept very manageably
small when you have trusted (not private) parties. When you keep the
incidents very manageably small, the cost of accountability may also be kept
commensurately small. 

I worry that we spend quite a bit of time worrying over the outlying cases.
If we don't drill down to details before we dismiss a proposal we are very
likely to toss out solutions that might be effective, given appropriate
controls that cater to the outlying cases.

We all accept this sort of practice every day with medicine. Nearly every
prescription drug has some side-effect. Before prescription drugs are
approved for use, tests are run to find the "outlying cases" and (in theory)
only when the outlying cases are identified as demonstrably few with minimum
impact is a drug approved. The same discipline can be applied here. This is
why I claim the liability issue is manageable.

So much for containing this thread to a bar conversation - and oh, I'm
missing the call. 

On 8/1/08 10:19 AM, "Wendy Seltzer" <wendy@xxxxxxxxxxx> wrote:

I think the liability issues are serious ones -- and I think registrants
are made materially worse off if the liability is alleviated by giving
them less recourse.  How can we balance rapid response with due process,
which seems absent if private parties can instigate registrar response,
and the legitimate registrant (mistakenly or maliciously identified)
can't hold the registrar liable for losses?

Of course adding due process increases costs, which again impact
registrants.

--Wendy


Dave Piscitello wrote:
> Paul,
>
> Your questions are appropriate and are familiar to those of us who work
> with the APWG on the Accelerated Suspension Plan.
>
> Let's assume that it is possible to create an accreditation program, that
> it can be paid for, that credentials can be issued, and that the program has
> an indemnification/liability component. Such programs have been created many
> times before. There are many models, and if we were to recommend such a
> program, I suspect a different and perhaps more appropriately qualified
> working group than ours could be formed to develop one.
>
> Now, who enforces? I think Joe's correct that the registrar is (currently)
> the sweet spot but I also think that the solution must consider the
> possibility of a non-responsive registrar. So I think an "escalation" model
> is appropriate, where an accredited party can demonstrate a registrar is
> non-responsive and the registry can take action.
>
> [As an aside, I do think that the liability worry, while present, will
> prove in practice to be a non-issue. In fact, having accredited responders
> could further reduce the likelihood of a false positive. But this is a bar
> conversation so I'll set it aside.]
>
> On 7/31/08 4:11 PM, "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Joe's proposal may seem straightforward, but it actually raises several
> concerns:
>
> Should such enforcement be handled at the registrar or the registry
> level?
>
> How will the recipient of a complaint verify the bona fides of the
> complainer?
>
> What information will be required to put a "documented" domain on
> (Registrar or Registry) Hold status?
>
> Besides the WDPRS model, have you considered something like the APWG's
> proposed Accelerated Suspension Plan?  If so, what will the
> accreditation criteria look like?
>
> Who pays for any of this?  How?
>
> Who will indemnify the enforcer for any liabilities?
>
>
> The list could go on.  I am not trying to be obstructionist, and realize
> that we're supposed to be discussing proposed solutions.  I just think
> that we need to more fully develop any suggestions that would target a
> single entity in this process when they are posted to the list.
>
> Regards, P
>
> -----Original Message-----
> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Joe St Sauver
> Sent: Thursday, July 31, 2008 2:23 PM
> To: dave.piscitello@xxxxxxxxx
> Cc: gnso-ff-pdp-May08@xxxxxxxxx
> Subject: Re: [gnso-ff-pdp-may08] Proposed solutions
>
>
> Dave mentioned:
>
> #Can we agree at the outset of this discussion that there is no single
> #security measure that defeats fast flux and that the solution, like the
> #definition, is multi-faceted, each measure contributing in some way to
> #reducing the threat?
> #
> #I'll be frank. I want to preempt another long discussion of TTLs. I am
> #happy to include a bullet item "TTL monitoring and analysis" as item 1
> #on the list but let's go through the discipline of enumerating all the
> #measures we can think of, as we did with the definition.
>
> In my painfully direct sort of way, I believe that what's ultimately
> needed will be for registrars to accept complaints about fastflux
> domains, acting on documented evidence supplied by the complainant
> to "HOLD" documented fastflux domains. (Envision something like
> http://wdprs.internic.net/ but for reporting fastflux domain names)
> Procedurally, as part of that, I believe a domain name owner should have
> a mechanism or channel for appealing a fastflux determination, although
> I strongly suspect that appeals would likely be quite rare. :-;
>
> Regards,
>
> Joe
>
>
>


--
Wendy Seltzer -- wendy@xxxxxxxxxxx
phone: +1.914.374.0613
Visiting Professor, American University Washington College of Law
Fellow, Berkman Center for Internet & Society
http://cyber.law.harvard.edu/seltzer.html
http://www.chillingeffects.org/
https://www.torproject.org/

 


