Re: [gnso-raa-b] Meeting Invitation / RAA Sub Team B / Monday 08 February 2010 @ 1800 UTC
- To: "Michele Neylon :: Blacknight" <michele@xxxxxxxxxxxxx>, Holly Raiche <h.raiche@xxxxxxxxxxxxxxxx>
- Subject: Re: [gnso-raa-b] Meeting Invitation / RAA Sub Team B / Monday 08 February 2010 @ 1800 UTC
- From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
- Date: Sun, 7 Feb 2010 19:53:25 -0800
I think Michele calls attention to an important element of SAC 040.
SAC040 identifies many measures. Certain measures would improve overall
security for registration services and would help mitigate unauthorized
access and malicious registrations. There are also measures that one could
classify as "secondary lines of defense". These are most appropriate for
corporations, savvy small business/power users, and could perhaps be a
managed service but might challenge non-technical registrants. This second
type of measure could be part of a targeted service offering or measures you
"add to your cart".
Michele also mentions that "normal" registrants wouldn't recognise the value
in this kind of service (referring to a VSGN package). I think it's
important to realize that security measures are not just for registrants,
but parties affected when registration services are misused or compromised.
We had this discussion in the HSTLD group. The gist of the discussion is
that we can't only think about "cost", but "cost versus benefit", and not
only costs and benefits to registrars and registrants, but the broader,
affected community.
On 2/7/10 8:30 PM Feb 7, 2010, "Michele Neylon :: Blacknight"
<michele@xxxxxxxxxxxxx> wrote:
>
>
>
> On 8 Feb 2010, at 00:20, Holly Raiche wrote:
>
>> Hi Steven
>>
>> The item on steps registrars can take is in SAC040 - and lists steps
>> registrars can take - hard to summarise
>
> Domain hijacking etc.,
>
> It's worth reading, but it would be very hard to implement ALL of their
> suggestions while maintaining reasonable pricing etc. Also, some of their
> suggestions would render domain management almost unworkable for non-corporate
> registrants (read the section about DNS changes for example)
>
> Some of it is common sense, e.g. using role accounts for company registrations
> instead of allowing individual employees' email addresses to be used
>
> Verisign has introduced a premium service in recent months which would suit
> "high value" domains, but I suspect that most "normal" registrants wouldn't
> recognise the value in this kind of service.
>
> The security level / standard discussion came up a couple of times in recent
> ICANN meetings, but I don't recall if anyone settled on anything that they
> could all agree on. PCI compliance, as mentioned in the document, is probably
> the most appropriate measure, since most registrars process payment by credit
> card and would have to be PCI compliant at some level.
>
>
>> The next is SAC 028 on what registrars can do to deter impersonation phishing
>> attacks, and gives recommendations on what information should - and should
>> not - be in email contact with registrants.
>
> SAC028 is mainly common sense, but unfortunately trying to balance security
> concerns with ease of use causes headaches, i.e. from our experience if we don't
> include account specific info in emails registrants complain
>
>> I'd appreciate Michaela's response to the recommendations as well
>
>
> You mean me?? :)
>
>
>>
>> Holly
>> On 08/02/2010, at 10:25 AM, Metalitz, Steven wrote:
>>
>>> Thanks Holly this is helpful! If anyone can summarize what is in SSAC
>>> recommendations re malicious conduct that would further facilitate our call
>>> tomorrow.
>>>
>>> Steve
>>>
>>>
>>> From: Holly Raiche
>>> To: Metalitz, Steven
>>> Cc: Gisella.Gruber-White@xxxxxxxxx ; gnso-raa-b@xxxxxxxxx
>>> Sent: Sun Feb 07 14:58:13 2010
>>> Subject: Re: [gnso-raa-b] Meeting Invitation / RAA Sub Team B / Monday 08
>>> February 2010 @ 1800 UTC
>>>
>>> Hi Steven and Everyone
>>>
>>> I note that there is a list of issues all run together that I raised and
>>> that are in the matrix
>>>
>>> To save a bit of time on discussion, I suggest the following:
>>> the suggestion on redirection is perhaps better discussed under topic 2
>>> steps registrars can take, and the later item on actions registrars can take
>>> on phishing are perhaps better located in topic 3
>>> the abuse point of contact we have already discussed under 3.4
>>> whois data accuracy has already been discussed under topic 6
>>> front running is already covered under 2.1
>>>
>>> So really the only new items are about steps registrars can take to stop
>>> malicious conduct
>>>
>>> That should make the discussion a lot shorter
>>>
>>> Kind regards
>>>
>>> Holly Raiche
>>> Executive Director,
>>> Internet Society of Australia (ISOC-AU)
>>> ed@xxxxxxxxxxxxxx
>>> Mob: 0412 688 544
>>> Ph: (02) 9436 2149
>>>
>>> The Internet is For Everyone
>>>
>>>
>>>
>>>
>>
>> Kind regards
>>
>> Holly Raiche
>> Executive Director,
>> Internet Society of Australia (ISOC-AU)
>> ed@xxxxxxxxxxxxxx
>> Mob: 0412 688 544
>> Ph: (02) 9436 2149
>>
>> The Internet is For Everyone
>>
>>
>>
>>
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 1 4811 763
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
> Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>
>
>