ICANN Email List Archives

[gnso-irtp-b-jun09]



Re: [gnso-irtp-b-jun09] 60 day lock following registrant change

  • To: "Gnso-irtp-b-jun09@xxxxxxxxx List" <Gnso-irtp-b-jun09@xxxxxxxxx>
  • Subject: Re: [gnso-irtp-b-jun09] 60 day lock following registrant change
  • From: "Michele Neylon :: Blacknight" <michele@xxxxxxxxxxxxx>
  • Date: Thu, 15 Jul 2010 16:18:46 +0000


On 15 Jul 2010, at 17:02, George Kirikos wrote:

> 
> Hello,
> 
> On Thu, Jul 15, 2010 at 11:13 AM, Michele Neylon :: Blacknight
> <michele@xxxxxxxxxxxxx> wrote:
>> On 15 Jul 2010, at 15:41, George Kirikos wrote:
>>> Charter Question A demands that this be taken into
>>> account, because it's an explicit alternative. "Whether a process for
>>> urgent return/resolution of a domain name should be developed." If a
>>> domain name is valuable enough, and you explicitly made a choice for
>>> weaker security, you should bear some of the responsibility.
>> 
>> No - this is where I disagree
> 
> Why should society bear the costs of other people's irresponsibility?
> We see that in the US mortgage market, for example, where some people
> entered into "bad deals" and then wanted a "bailout", to be able to
> renegotiate their loans, have the government pay their mortgages,
> whatever.
> 
> When people don't bear some of the responsibility for their own
> actions, that's far worse. But, at least your position is explicit.
> 
>>> and will cause people to engage in even more risky behaviour, and
>>> place the burden upon someone else (the secondary market, for example,
>>> if irrevocable transfers are eliminated).
>> 
>> So I'm meant to feel sorry for domainers?
> 
> The "secondary market" is not the only example of folks hurt, and the
> secondary market is more than just "domainers."

That may be so, but if the first example that you give is the secondary market 
.. .. 

In any case I don't see what this has got to do with the 60 day lock

> It's like suggesting
> that the secondary market for housing only consists of "house
> flippers." Suppose MarkMonitor or Marksmen does a stealth acquisition
> on behalf of Google or Microsoft for a domain name. The name is
> acquired, and put to use. What's going to happen when that name is
> clawed back immediately by the ETRP, as currently proposed, due to
> seller's remorse and lack of due process via a dispute mechanism?
> 
> That's why last year it was correctly written that:
> 
> http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00384.html
> 
> "The emergency action procedures should be tested to verify they are
> resilient to tampering and difficult to exploit. In particular, it
> should be difficult or impossible for an attacker to effect a hijack
> or interfere with a transfer under the guise of requesting urgent
> restoration of a domain."
> 
> It's not about feeling "sorry for domainers", it's about not opening
> up a new loophole that can be exploited, when one attempts to fix a
> different problem (same goes for the 60 day lock following registrant
> change, how that can be abused by registrars to essentially rewrite
> the intent of the transfers policy under the guise of "improving
> security"). And as folks clearly know, the loopholes are routinely
> exploited, especially by registrars.
> 
>>> In other words, in
>>> attempting to "help" people who won't help themselves, you make the
>>> situation even worse.
>> 
>> You really should join some of the other fun PDPs .. :)
>> 
>> While I can agree with you to a point I'd still disagree. Domain Registry of 
>> America, for example, use tactics that have been deemed to be misleading and 
>> possibly even illegal. Our clients get hit with their letters all the time. 
>> (Rob Golding mentioned them last night)
>> Personally I would like to see policy that had the "teeth" to stop this kind 
>> of thing.
>> So if a small business owner is duped by these kinds of companies they can 
>> be seen to have "made a bad choice", but do they have the information 
>> available to them to do otherwise?
> 
> You don't need a policy that has "teeth" to "stop this kind of thing."
> If you're a registrar, you can validate outgoing transfers by
> telephone (before unlocking the domain name or issuing an EPP
> auth_info code). It's your choice whether or not you want to educate
> your customers. Other registrars do educate their customers, e.g.
> EasyDNS, to name an example:
> 
> http://support.easydns.com/domain.slammers/index.php
> 
> If you called the client you're about to lose, and asked them why
> they're leaving, you would put a stop to things. Or, if you have legal
> standing, go ahead and sue the "bad guys." If a registrar's business
> model is 100% electronic, and they are never going to pick up the phone to
> talk to their own customer, that's their own choice.

So a GoDaddy or Enom is expected to somehow remove all the automation and 
convenience that they give their clients so that they can somehow know about 
each and every transfer and validate them manually?

That doesn't scale 

I'd also suspect that you'd be one of the first to complain if we all started 
charging 100 euro / year for a .com (regardless of its perceived value)


> 
>>> Economics are implicit within all policies, whether you like it or
>>> not.
>> 
>> Again - we have to disagree
> 
> Go look at the AOC document:
> 
> http://www.icann.org/en/announcements/announcement-30sep09-en.htm
> 
> "To ensure that its decisions are in the public interest, and not just
> the interests of a particular set of stakeholders, ICANN commits to
> perform and publish analyses of the positive and negative effects of
> its decisions on the public, including any financial impact on the
> public, and the positive or negative impact (if any) on the systemic
> security, stability and resiliency of the DNS."

I'm reading the same paragraph as you and I do not interpret it as that at all

"any" financial impact does not mean that all policies will have an impact

It only means that there should be consideration *if* there is one .. if there 
isn't it's completely moot

> 
> It cannot be more clear. If economics were not implicit (and heck even
> explicit), then these policies would be religious edicts, not
> carefully balanced policies as they should be. If you only look at
> "benefits", your job is only half-done, because you've not weighed the
> "costs." (and the job is not even half-done, as even the "benefits"
> for this workgroup remain unknown, because of the lack of data to
> date)
> 
> 
>>> As I said, it was unscientific. But, the "average SME" isn't going to
>>> be suffering an "emergency", is he/she?
>> 
>> I don't think you are qualified to judge that
> 
> Yes, I am.

Based on what exactly?


> By definition, a policy meant for "emergencies" is meant
> for *extreme* events, not "average" events. If the imaginary "average
> SME" could even qualify for an "emergency" (where the damages are high
> and return is urgent), then by definition they weren't "average" to
> begin with.
> 
> For example, in the financial crisis, some banks were *allowed* to
> fail. Some were "too big to fail." I'm sure those small banks that got
> wiped out felt they were in an "emergency", but there was no systemic
> risk due to their failure.

An American viewpoint again

Over here none were allowed to fail

> 
>> We, Blacknight, are an SME. If blackreg.com were hijacked it would cause a 
>> LOT of headaches for us and our clients, which we would classify as an 
>> "emergency"
>> 
>> In any case an "emergency" is subjective
>> The key thing is that there is one and there is urgency
> 
> 1) You don't get to self-declare that "we're in an emergency" -- it
> has to be according to a 3rd party standard (i.e. one this workgroup
> was *supposed* to develop, to distinguish between "urgent" and
> "non-urgent" cases). Otherwise, *every* case becomes an "emergency",
> which subverts the policy.
> 
> 2) Just because something is "subjective" doesn't mean one "gives up."
> One applies rules, makes judgments about "subjective" things *all the
> time.* If you can't come up with a standard, leave it to someone who
> can, i.e. an independent court.
> 
> 3) Simply saying "there is one" and "there is urgency." doesn't make
> it one. Go back to the "too big to fail" example. Some are bigger than
> others, and one has to draw a line somewhere. If one is incapable of
> drawing that line anywhere at all, then perhaps one shouldn't be a
> decision-maker, and leave it to those who can make the tough
> decisions.
> 
>>> Educate them, then. That was one of the recommendations from 5 years
>>> ago. Has it been implemented? If not, why not?
>> 
>> How?
> 
> Registrants are educated via WHOIS reminders to keep their WHOIS up to
> date.

Which are often treated as spam .. 


> There are advisories by ICANN.

Who reads them?

> Registrars can proactively hold
> seminars.

Same question


> They can blog, as MarkMonitor has done about VeriSign Lock
> on CircleID, etc.

Same question

> 
> People learn, e.g. Facebook and privacy, whatever.

Facebook privacy is semi-"sexy" but I honestly can't see how anyone can make 
domains "sexy" enough to attract that level of attention

> 
> 
>>> And I note that no one has responded to the thread that directly asks
>>> those questions, to get a better sense of the actual damages,
>>> statistics, etc.:
>> 
>> Don't take it personally, but not all of us have the time to do our day jobs 
>> and answer each and every post on every single list we're on ..
> 
> Yes, but that's one of the most fundamental questions, that questions
> the entire basis for this workgroup.

If there was a prize for non sequiturs you'd win hands down!



> You don't need a policy if there
> are no benefits, or if the benefits are minuscule (i.e. because
> there's only a small number of hijackings that are serious and not
> undone in a timely manner) relative to the costs. That will need to be
> answered at some point (before a final report, although it should have
> been done before the preliminary report!), one can be sure, otherwise
> it leaves the policy to be challenged due to Paragraph 4 of the AOC
> via a reconsideration request, etc.

Ok - this is _way_ off topic but .. 



> If you can't analyze the positive
> and negative effects, then I repeat this is just a religious
> endeavour, and not a scientifically-based data-driven policy group.

Show me one that is?

Most of the ICANN PDPs (not all) come from a perceived issue being identified 
and a group of volunteers trying their best to come up with some kind of 
solution (or not) to whatever the problem is

In the case of IRTP we have had some hard data from ICANN Compliance, so 
claiming that there was none at all is a misrepresentation of the facts. 


Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59  9183072
US: 213-233-1612 
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty
Road, Graiguecullen, Carlow, Ireland  Company No.: 370845




