ICANN Email List Archives

[gnso-raa-b]



Re: [gnso-raa-b] Meeting Invitation / RAA Sub Team B / Monday 08 February 2010 @ 1800 UTC

  • To: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Subject: Re: [gnso-raa-b] Meeting Invitation / RAA Sub Team B / Monday 08 February 2010 @ 1800 UTC
  • From: "Michele Neylon :: Blacknight" <michele@xxxxxxxxxxxxx>
  • Date: Mon, 8 Feb 2010 10:13:49 +0000


On 8 Feb 2010, at 03:53, Dave Piscitello wrote:

> I think Michele calls attention to an important element of SAC 040.
> 
> SAC040 identifies many measures. Certain measures would improve overall
> security for registration services and would help mitigate unauthorized
> access and malicious registrations. There are also measures that one could
> classify as "secondary lines of defense". These are most appropriate for
> corporations, savvy small business/power users, and could perhaps be a
> managed service but might challenge non-technical registrants. This second
> type of measure could be part of a targeted service offering or measures you
> "add to your cart".
> 
> Michele also mentions that "normal" registrants wouldn't recognise the value
> in this kind of service (referring to a VSGN package). I think it's
> important to realize that security measures are not just for registrants,
> but parties affected when registration services are misused or compromised.
> We had this discussion in the HSTLD group. The gist of the discussion is
> that we can't only think about "cost", but "cost versus benefit", and not
> only costs and benefits to registrars and registrants, but the broader,
> affected community.

Dave

With all due respect, try explaining that to registrants.

It's all well and good for people to come up with "visions" and "ideals", but 
the reality is that the average registrant won't appreciate it.

Seriously

As things stand we get plenty of headaches, abuse and legal threats from 
registrants because we take security more seriously than some companies.

Regards

Michele

> 
> On 2/7/10 8:30 PM  Feb 7, 2010, "Michele Neylon :: Blacknight"
> <michele@xxxxxxxxxxxxx> wrote:
> 
>> 
>> 
>> 
>> On 8 Feb 2010, at 00:20, Holly Raiche wrote:
>> 
>>> Hi Steven
>>> 
>>> The item on steps registrars can take is in SAC040 - and lists steps
>>> registrars can take - hard to summarise
>> 
>> Domain hijacking etc.,
>> 
>> It's worth reading, but it would be very hard to implement ALL of their
>> suggestions while maintaining reasonable pricing etc. Also, some of their
>> suggestions would render domain management almost unworkable for
>> non-corporate registrants (read the section about DNS changes for example)
>> 
>> Some of it is common sense e.g. using role accounts for company registrations
>> instead of allowing individual employees' email addresses to be used
>> 
>> Verisign has introduced a premium service in recent months which would suit
>> "high value" domains, but I suspect that most "normal" registrants wouldn't
>> recognise the value in this kind of service.
>> 
>> The security level / standard discussion came up a couple of times in recent
>> ICANN meetings, but I don't recall if anyone settled on anything that they
>> could all agree on. PCI compliance, as mentioned in the document, is probably
>> the most appropriate measure, since most registrars process payment by credit
>> card and would have to be PCI compliant at some level.
>> 
>> 
>>> The next is SAC 028 on what registrars can do to deter impersonation
>>> phishing attacks, and gives recommendations on what information should -
>>> and should not - be in email contact with registrants.
>> 
>> SAC028 is mainly common sense, but unfortunately trying to balance security
>> concerns with ease of use causes headaches i.e. from our experience if we
>> don't include account specific info in emails registrants complain
>> 
>>> I'm appreciate Michaela's response to the recommendations as well
>> 
>> 
>> You mean me?? :)
>> 
>> 
>>> 
>>> Holly
>>> On 08/02/2010, at 10:25 AM, Metalitz, Steven wrote:
>>> 
>>>> Thanks Holly this is helpful! If anyone can summarize what is in SSAC
>>>> recommendations re malicious conduct that would further facilitate our call
>>>> tomorrow.
>>>> 
>>>> Steve
>>>> 
>>>> 
>>>> From: Holly Raiche
>>>> To: Metalitz, Steven
>>>> Cc: Gisella.Gruber-White@xxxxxxxxx ; gnso-raa-b@xxxxxxxxx
>>>> Sent: Sun Feb 07 14:58:13 2010
>>>> Subject: Re: [gnso-raa-b] Meeting Invitation / RAA Sub Team B / Monday 08
>>>> February 2010 @ 1800 UTC
>>>> 
>>>> Hi Steven and Everyone
>>>> 
>>>> I note that there is a list of issues all run together that I raised and
>>>> that are in the matrix
>>>> 
>>>> To save a bit of time on discussion, I suggest the following:
>>>> - the suggestion on redirection is perhaps better discussed under topic 2
>>>>   steps registrars can take, and the later item on actions registrars can
>>>>   take on phishing are perhaps better located in topic 3
>>>> - the abuse point of contact we have already discussed under 3.4
>>>> - whois data accuracy has already been discussed under topic 6
>>>> - front running is already covered under 2.1
>>>> 
>>>> So really the only new items are about steps registrars can take to stop
>>>> malicious conduct
>>>> 
>>>> That should make the discussion a lot shorter
>>>> 
>>>> Kind regards
>>>> 
>>>> Holly Raiche
>>>> Executive Director,
>>>> Internet Society of Australia (ISOC-AU)
>>>> ed@xxxxxxxxxxxxxx
>>>> Mob: 0412 688 544
>>>> Ph: (02) 9436 2149
>>>> 
>>>> The Internet is For Everyone
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> Kind regards
>>> 
>>> Holly Raiche
>>> Executive Director,
>>> Internet Society of Australia (ISOC-AU)
>>> ed@xxxxxxxxxxxxxx
>>> Mob: 0412 688 544
>>> Ph: (02) 9436 2149
>>> 
>>> The Internet is For Everyone
>>> 
>>> 
>>> 
>>> 
>> 
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting & Colocation, Brand Protection
>> http://www.blacknight.com/
>> http://blog.blacknight.com/
>> http://mneylon.tel
>> Intl. +353 (0) 59  9183072
>> US: 213-233-1612
>> UK: 0844 484 9361
>> Locall: 1850 929 929
>> Direct Dial: +353 (0)59 9183090
>> Fax. +353 (0) 1 4811 763
>> -------------------------------
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
>> Park,Sleaty
>> Road,Graiguecullen,Carlow,Ireland  Company No.: 370845
>> 
>> 
>> 
>> 
> 

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59  9183072
US: 213-233-1612 
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845




