Re: [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal

[Dave Piscitello <dave.piscitello@xxxxxxxxx>]

I'd rather have a model where registrars are measured in a more quantifiable 
manner, so an alternative to Mike's proposal is to have metrics to measure and 
assess registrars based on these. These can be published so that registrants 
can decide if they want to do business with a registrar based on how effective 
it is in a number of anti-abuse areas. For example, telcos have MTTR (mean time 
to restore) and MTBSO (mean time between service outages). Possible metrics for 
registrars:



 *   mean time to suspend/takedown a (phishing) domain
 *   inaccurate whois records for which the registrar is sponsoring registrar 
per 1000
 *   number of malicious/phishing domains for which the registrar is sponsoring 
registrar per 1000
 *   number of domains per 1000 registered using stolen identities or credit
 *   number of hijacked domains per 1000

Some people may see these as very radical concepts. However, they are present 
in other industries (buyers' guides come to mind) and they might empower 
registrants while also allowing professionally operated, security-attentive 
registrars to distinguish themselves from their competitors.



On 8/2/08 10:02 AM, "Eric Brunner-Williams" <ebw@xxxxxxxxxxxxxxxxxxxx> wrote:



Mike,

Is there a minimum size, below which you'd like to have ICANN start
de-accrediting registrars, that you'd care to hang your hat on for the
purposes of discussion? I'd like to know what the recurring cost you
propose that registrars include in their baseline business models.

Repeat please for the registry side of business, I'd like to know what
the recurring cost you propose that registries, particularly the smaller
registries, and the post-2008 new gTLD applications, must also include
in their baseline business models.

For the purposes of discussion, I accept your point that appeals to
"resource allocation" must fail because big business exists, and
independently, because it suits "criminal actors".

Eric

Mike Rodenbaugh wrote:
> That text comes from the model agreement in the ICANN-Afilias contract:
>
> http://www.icann.org/en/tlds/agreements/info/appendix-08-08dec06.htm
>
> If it is not contained in any particular registrar agreements with Afilias,
> that would be interesting to understand.
>
> Also would like to know on what basis the RC objected to this clause in the
> Afilias proposal:
>
> Registrars shall promptly investigate complaints alleging any such abusive
> practices, and shall take all appropriate actions based upon such
> investigations.
>
> I think that ought to be a minimal requirement on all registrars, though
> should be more specifically defined wrt 'prompt' and 'appropriate'.
>
> Indeed it is a proposed solution I am now putting forward.  Let's call it
> "24/7 abuse queue".  I am curious to see any reasoning why registrars and
> registries ought not be required to have one that they monitor, and take
> prompt and appropriate action depending upon the severity and clarity of the
> abuse.  Arguments about 'resource allocation' should consider that many
> domain registration online sales channels and business network operations go
> 24/7, and that phishers and other criminal actors tend to target
> facilitating entities that have slow or no abuse investigation.
>
> Thanks,
> Mike
>
>
> -----Original Message-----
> From: Eric Brunner-Williams [mailto:ebw@xxxxxxxxxxxxxxxxxxxx]
> Sent: Friday, August 01, 2008 12:51 PM
> To: icann@xxxxxxxxxxxxxx
> Cc: gnso-ff-pdp-May08@xxxxxxxxx
> Subject: Re: [gnso-ff-pdp-may08] Proposed solutions
>
> Mike,
>
> I'm looking at the rev-31jul08.pdf and redline-31jul08.pdf. Does the
> text you provide come from one of these?
>
> Since it was only just announced, not everyone may know that the
> following two sentences, which up until very recently were in the
> Afilias proposed RSA, have been removed by Afilias:
>
>         "Registrars shall promptly investigate complaints alleging any
>         such abusive practices, and shall take all appropriate actions
>         based upon such investigations. Further, Registrar shall comply
>         promptly with any commercially reasonable requests or
>         recommendations with respect to such abusive practices made by
>         Registry Operator or any competent legal authority."
>
> I hope that formats reasonably well for everyone. I appreciate Afilias'
> listening to the RC on this issue. Most of the reservations and concerns
> expressed privately to Afilias have been restated in this list, though
> in a general context.
>
> Eric
>
> Mike Rodenbaugh wrote:
>
>> Hi Greg,
>>
>> This is from the .info registry agreement with registrars:
>>
>> 3.6.5. acknowledge and agree that Afilias reserves the right to deny,
>> cancel or transfer any registration or transaction, or place any
>> domain name(s) on registry lock, hold or similar status, that it deems
>> necessary, in its discretion; (1) to protect the integrity and
>> stability of the registry; (2) to comply with any applicable laws,
>> government rules or requirements, requests of law enforcement, or any
>> dispute resolution process; (3) to avoid any liability, civil or
>> criminal, on the part of Afilias, as well as its affiliates,
>> subsidiaries, officers, directors, and employees; (4) per the terms of
>> the registration agreement or (5) to correct mistakes made by Afilias
>> or any Registrar in connection with a domain name registration.
>> Afilias also reserves the right to place upon registry lock, hold or
>> similar status a domain name during resolution of a dispute.
>>
>> I believe there is consistent or identical language in all registry
>> agreements with ICANN, most if not all registry-registrar agreements,
>> and most if not all registration agreements.
>>
>> The dotAsia implementation is moving forward, APWG is currently
>> discussing a contract with a vendor to provide accreditation services.
>> I am not sure of the status of implementation by a few interested
>> ccTLDs, but will try to find out.
>>
>> Thanks,
>>
>> Mike
>>
>> ------------------------------------------------------------------------
>>
>> *From:* Greg Aaron [mailto:gaaron@xxxxxxxxxxxx]
>> *Sent:* Friday, August 01, 2008 9:45 AM
>> *To:* icann@xxxxxxxxxxxxxx; gnso-ff-pdp-May08@xxxxxxxxx
>> *Subject:* RE: [gnso-ff-pdp-may08] Proposed solutions
>>
>> Dear Mike:
>>
>> Some of those statements seem over-broad. I don't know of any ICANN
>> contract that "permits de-registration in the event of criminal
>> activity, and/or to protect the interests of the registry/registrar."
>> Can you reference the ICANN contracts (and sections) that you are
>> referring to? The contracts also vary from TLD to TLD.
>>
>> I have been hearing since June 2007 that .ASIA is moving toward
>> adopting the APWG plan, but I have not seen anything happen. What is
>> the status? Are any other registries (gTLD or ccTLD) in the process of
>> adopting the APWG plan?
>>
>> All best,
>>
>> --Greg
>>
>> ------------------------------------------------------------------------
>>
>> *From:* owner-gnso-ff-pdp-may08@xxxxxxxxx
>> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] *On Behalf Of *Mike Rodenbaugh
>> *Sent:* Friday, August 01, 2008 12:00 PM
>> *To:* gnso-ff-pdp-May08@xxxxxxxxx
>> *Subject:* RE: [gnso-ff-pdp-may08] Proposed solutions
>>
>> This concept of the trusted requestor is also embodied in the APWG
>> plan that is moving towards implementation in dotAsia and hopefully
>> elsewhere.
>>
>> The liability issues are manageable. I bet that more than 100,000
>> domains have been taken down without notice to the registrant, in
>> order to mitigate criminal activity, and I am not aware of any
>> lawsuits against a registrar or registry arising from those takedowns.
>> Is anyone aware of such a lawsuit?
>>
>> The entire ICANN contract chain permits de-registration in the event
>> of criminal activity, and/or to protect the interests of the
>> registry/registrar. All of those provisions are beneficial to
>> registrants and end users who are or otherwise would be victimized by
>> criminal behavior.
>>
>> Thanks,
>>
>> Mike
>>
>> ------------------------------------------------------------------------
>>
>> *From:* owner-gnso-ff-pdp-may08@xxxxxxxxx
>> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] *On Behalf Of *Dave Piscitello
>> *Sent:* Friday, August 01, 2008 8:06 AM
>> *To:* Wendy Seltzer
>> *Cc:* Diaz, Paul; Joe St Sauver; gnso-ff-pdp-May08@xxxxxxxxx
>> *Subject:* Re: [gnso-ff-pdp-may08] Proposed solutions
>>
>> I don't recall saying "don't hold registrars or registries
>> accountable". I speculated that the incidence of false positives can
>> be kept very manageably small when you have trusted (not private)
>> parties. When you keep the incidents very manageably small, the cost
>> of accountability may also be kept commensurately small.
>>
>> I worry that we spend quite a bit of time worrying over the outlying
>> cases. If we don't drill down to details before we dismiss a proposal
>> we are very likely to toss out solutions that might be effective,
>> given appropriate controls that cater to the outlying cases.
>>
>> We all accept this sort of practice every day with medicine. Nearly
>> every prescription drug has some side-effect. Before prescription
>> drugs are approved for use, tests are run to find the "outlying cases"
>> and (in theory) only when the outlying cases are identified as
>> demonstrably few with minimum impact is a drug approved. The same
>> discipline can be applied here. This is why I claim the liability
>> issue is manageable.
>>
>> So much for containing this thread to a bar conversation - and oh, I'm
>> missing the call.
>>
>> On 8/1/08 10:19 AM, "Wendy Seltzer" <wendy@xxxxxxxxxxx> wrote:
>>
>> I think the liability issues are serious ones -- and I think registrants
>> are made materially worse off if the liability is alleviated by giving
>> them less recourse. How can we balance rapid response with due process,
>> which seems absent if private parties can instigate registrar response,
>> and the legitimate registrant (mistakenly or maliciously identified)
>> can't hold the registrar liable for losses?
>>
>> Of course adding due process increases costs, which again impact
>> registrants.
>>
>> --Wendy
>>
>>
>> Dave Piscitello wrote:
>>
>>> Paul,
>>>
>>> You questions are appropriate and are familiar to those of us who
>>>
>> work with the APWG on the Accelerated Suspension Plan.
>>
>>> Let's assume that it is possible to create an accreditation program,
>>>
>> that it can be paid for, that credentials can be issued, and that the
>> program has an indemnification/liability component. Such programs have
>> been created many times before. There are many models, and if we were
>> to recommend such a program, I suspect a different and perhaps more
>> appropriately qualified working group than ours could be formed to
>> develop one.
>>
>>> Now, who enforces? I think Joe's correct that the registrar is
>>>
>> (currently) the sweet spot but I also think that the solution must
>> consider the possibility of a non-responsive registrar. So I think an
>> "escalation" model is appropriate, where an accredited party can
>> demonstrate a registrar is non-responsive and the registry can take
>> action.
>>
>>> [As an aside, I do think that the liability worry, while present,
>>>
>> will prove in practice to be a non-issue. In fact, having accredited
>> responders could further reduce the likelihood of a false positive.
>> But this is a bar conversation so I'll set it aside.]
>>
>>> On 7/31/08 4:11 PM, "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> Joe's proposal may seem straight forward, but it actually raises several
>>> concerns:
>>>
>>> Should such enforcement be handled at the registrar or the registry
>>> level?
>>>
>>> How will the recipient of a complaint verify the bona fides of the
>>> complainer?
>>>
>>> What information will be required to put a "documented" domain on
>>> (Registrar or Registry) Hold status?
>>>
>>> Besides the WDPRS model, have you considered something like the APWG's
>>> proposed Accelerated Suspension Plan? If so, what will the
>>> accreditation criteria look like?
>>>
>>> Who pays for any of this? How?
>>>
>>> Who will indemnify the enforcer for any liabilities?
>>>
>>>
>>> The list could go on. I am not trying to be obstructionist, and realize
>>> that we're supposed to be discussing proposed solutions. I just think
>>> that we need to more fully develop any suggestions that would target a
>>> single entity in this process when they are posted to the list.
>>>
>>> Regards, P
>>>
>>> -----Original Message-----
>>> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
>>> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx]
>>>
>> <mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx%5d><mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx%5d>
>>  On Behalf Of Joe St Sauver
>>
>>> Sent: Thursday, July 31, 2008 2:23 PM
>>> To: dave.piscitello@xxxxxxxxx
>>> Cc: gnso-ff-pdp-May08@xxxxxxxxx
>>> Subject: Re: [gnso-ff-pdp-may08] Proposed solutions
>>>
>>>
>>> Dave mentioned:
>>>
>>> #Can we agree at the outset of this discussion that there is no single
>>> #security measure that defeats fast flux and that the solution, like the
>>>
>>> #definition, is multi-faceted, each measure contributing in some way to
>>> #reducing the threat?
>>> #
>>> #I'll be frank. I want to preempt another long discussion of TTLs. I am
>>> #happy to include a bullet item "TTL monitoring and analysis" as item 1
>>> #on the list but let's go through the discipline of enumerating all the
>>> #measures we can think of, as we did with the definition.
>>>
>>> In my painfully direct sort of way, I believe that what's ultimately
>>> needed will be for registrars to accept complaints about fastflux
>>> domains, acting on documented evidence supplied by the complainant
>>> to "HOLD" documented fastflux domains. (Envision something like
>>> http://wdprs.internic.net/ but for reporting fastflux domain names)
>>> Procedurally, as part of that, I believe a domain name owner should have
>>>
>>> a mechanism or channel for appealing a fastflux determination, although
>>> I strongly suspect that appeals would be likely be quite rare. :-;
>>>
>>> Regards,
>>>
>>> Joe
>>>
>>>
>>>
>>>
>> --
>> Wendy Seltzer -- wendy@xxxxxxxxxxx
>> phone: +1.914.374.0613
>> Visiting Professor, American University Washington College of Law
>> Fellow, Berkman Center for Internet & Society
>> http://cyber.law.harvard.edu/seltzer.html
>> http://www.chillingeffects.org/
>> https://www.torproject.org/
>>
>>
>
>
>
>