Re: [gnso-raa-b] Meeting Invitation / RAA Sub Team B / Monday 08 February 2010 @ 1800 UTC

[Dave Piscitello <dave.piscitello@xxxxxxxxx>]

On 2/8/10 8:20 AM  Feb 8, 2010, "Michele Neylon :: Blacknight"
<michele@xxxxxxxxxxxxx> wrote:

> On 8 Feb 2010, at 13:08, Dave Piscitello wrote:
>> 
>> The average user doesn't appreciate antivirus measures... until his PC is
>> infected and he loses time, money and data.
> 
> Nice analogy, though an AV engine just runs in the background and doesn't
> disrupt your workflow ...

Hmmm... Same is true for Zeus and similar browser in the middle malware :-)

>> Average isn't serving the community well, and (my
>> opinion), the community has to take the initiative to improve average or
>> face the possibility of government/regulatory intervention.
> 
> "Average" is what drives the entire internet.

Agree, but "average" has evolved over time. The average user does run AV
(not well, mind you). The average user does employ some form of antispam.
ISPs run AV/antispam gateways in the background. In some cases, it does
disrupt workflows and the average user has adapted to the occasional false
positive.

> Expecting some level of security is one thing, so PCI, for example, would be
> fine. Expecting some of the SSAC recommendations to be adopted by all
> registrars is not.

SAC 040 doesn't say "all registrars must implement all of these measures".
Recommendation (1) says "Registrars are encouraged to offer stronger levels
of protection against domain name registration service exploitation or
misuse for customers who want or need them. Measures enumerated in this
report can be offered as optional services to customers, individually or
bundled."

The community, registrars included, must decide which features are needed by
all customers. I personally believe that *some* of the SSAC recommendations
ought to be adopted by all registrars.

I also think that more differentiation among registrar services is worth
exploring. So registrars can and should identify which of the SAC040
measures are desirable for their existing customers, or for a new
demographic of customers they might want to serve.

> And the governments are more likely to be interested in what registry
> operators are up to - not registrars
> 
> 
>> All that's
>> needed is for the pain threshold to cross a tipping point.
> 
> 
> 
> That's all well and good, but expecting registrants to jump through hoops to
> update nameservers is not an improvement
> 
> If you are managing the DNS for Amazon.com or Microsoft.com then you'd
> probably expect to have to deal with a lot of hurdles to make "simple" changes
> 
> However if you are a personal user or SME you won't have time to deal with
> that kind of stuff and will find it to be more trouble than it's worth.

I'm curious to explore this further. How often do personal users or SMEs
change name server configuration? My admittedly limited insight to this
statistic suggests "not often". If you have better data, please share.