Re: [gnso-vi-feb10] SRSU

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

On 7/2/10 10:11 AM, Volker Greimann - Key-Systems GmbH wrote:

[I mention leaking from rfc1918 address space to the globally routed 
address space]
> This may be true for some, but not all dotBrands in the pipeline. The
> switch from intranet to internet will require a large investment into
> the infrastructure and safety for the companies involved, but is not
> something we should worry about with our focus on CO/VI registries.
OK. But you do realize that we're being asked (attempting to get the 
SR couples to get a room of their own has failed) to change complex 
rules to simply DUPLICATE stuff that already exists. It isn't about 
control or users or ... its all about signage.
> > > 2) TLD is non-transferrable (if the business dies, TLD is taken down
> > > in a controlled fashion)
> > The merger, acquisition and divestiture cases, while not "business
> > dies", are real problems to address. In the addressing world these
> > cause renumbering, a major pain for the corporate networking staff.
> > In the public DNS these events would require at least as much public
> > management as changes of iso3166 allocations, such as the changes of
> > the Soviet Union, Yugoslavia and Czechoslavia allocations or the
> > change of name of Burma to Myanmar.
> This will have to be addressed, but I do not see it as unsurmountable.
> In any case, it is a problem with new gTLDs in general, not one
> regarding VI/CO

For real TLDs we have failover and redelegation, and even changes of 
RSP. These don't look useful when thinking about the finite future of 
some working name for a random capitalization.

> > > 3) There could be a limit to number of names if that makes it more
> > > acceptable to some, but my sense is that it doesn’t really matter as
> > > the names are private anyway
> > It does matter to registry operators that the reserved names list,
> > their only tool other than their registration criteria to affect the
> > content of the zone they publish, is finite.
> I agree, as far as you are referring to a reserved names list.
I hope that didn't hurt too much.

> Limiting the availability of names to a predefined list will pretty
> much make the application non-appealing for many dotBrands. No special
> campaigns could be initiated without adapting this list with ICANN
> first, which will of course result in danger of leakage of
> information. However, a limit to the number of names may be workable.

Somewhere, on the Mountains of the Moon, peering through the mists at 
distant Nairobi, and wondering where ICANN came from, and where it 
went, there is a product planner and a marketing planner who are going 
to risk blowing their product launch surprise on the public reserved 
list rather than just slipping a dollar and change, maybe a bit more, 
to an obliging registrar to execute a coordinated just-in-time buy of 
every name the marketing plan for the product calls for.
In bad fiction.

The corporation has already blown a quarter mil just to get here, and 
they are going to risk strategic information disclosure on a registrar 
margin?????
Even NetSol at $35 a pop is a bargain by comparison.

> As long as the total number of currently registered domain names in
> the TLD does not exceed X, a dotBrand could provide itself with names.
> > > 4) I could even live with normal fees attached to every name SRSU TLD
> > > registers
> > Of course, this is a nuisance cost. See below.
> I see no reason why non-SRSUs should indirectly pay the registration
> and ICANN fees of SRSUs. Every new gTLD domain should have the same
> basic ICANN fees attached.

If this were the only form of cross subsidization.


> > > * 1) An amendment to registry agreement would have to be negotiated
> > > with ICANN
> > *If an SRSU TLD fails to comply with any of the above:
> >
> > Willful breech of contract results in renegotiation so that the
> > breech falls within the contract? There has to be a better tool to
> > ensure efficient breech lacks incentive.
> I agree with Eric here. Willful breach should lead to at least
> temporary suspension of services, and substancial financial penalties.
> If they want an exception, they will need to negotiate with ICANN in
> advance, not after the fact.

I hope that didn't hurt too much either.


> > 2) Normal VI rules would start to apply
> >
> > Umm. I see a problem.
> >
> > Having gotten into the root, having launched competitively with all
> > registries, bought a Super Bowl ad or lots of glossy pages in
> > magazines to ensure mindshare, the corporate planner may convert
> > this brand marketing property into a direct sales channel, and when
> > ICANN compliance catches up (which may be a very long time, see
> > .travel), the corporate property has to adopt the costs it has
> > avoided up to this point and, with all this initial advantage, now
> > compete with public facing registry propositions.
> >
> > For a mass market corporation with millions of CRM relations, the
> > conversion from an empty "brand" registry to a very large
> > "subscription" registry appears to be likely, given the lack of
> > compliance and disincentive for intentional breech.
> Lets beef up compliance then and increase the disincentive to a level
> where it hurts. If a SRSU TLD is being distributed against contractual
> obligations, ICANN should be empowered to shut it down and terminate
> or reassign the registry contract.
> Please note however, that this may just as well (you named .Travel)
> happen in a registry with no CO or VI.
>
> > > innovation in internet I have a couple of positive implications.
> > > * 1) Full Vertical integration doesn’t risk consumer protection
> > > because no names are sold
> > *For those of you that think that closed TLDs won’t promote open
> >
> > The parties which have opposed all new gTLDs (I was just looking at
> > http://www.cadna.org/ yesterday afternoon) have been pretty good at
> > ensuring the benefit that there is no risk of consumer protection
> > because no names are sold.
> >
> > Restated, doing nothing also achieves this benefit.
> Well, of course we could go back to ICANN and tell them that we agree
> the only way to prevent any abuse is not to open the root to new TLDs.
> And we would have failed our purpose.

ICANN's doing a pretty good job of that already, helped by no small 
number of brand holders who don't want any new gTLDs ... except 
theirs. See the IPC's contribution on this subject.

> > 2) Consumers could have tangible benefits with .brand TLDs.
> >
> > Things consumers could have tangible benefits from is rather vague.
> Banks could: Increase consumer safety, reduce phishing, educate the
> public on safety, build consumer trust.
> Transportation companies could: Provide easy access to relevant
> information, build consumer trust, increase safety.
> We could probably name dozens of tangible benefits, criticizing that
> we generalize does not help.

Unless I'm mistaken, you've just made SRSU into one for every bank and 
every trucking company. Are there any other sectors you'd like to 
place every corporate entity -- as a "single user" -- in the root?

> > > with .brand. This would work extremely well with an entity like Red
> > > Cross, which is struggling with all the scam donation sites every time
> > > there’s a major catastrophy. Internet users would know that it is
> > > genuine Red Cross site, if the name ends with .redcross.
> > *Example:* a brand could educate that all their legimite web pages end
> >
> > Part of the ICRC uses "redcross.org", so I'll use .org here. The
> > .org zone is now signed. The root will be signed before anything the
> > VI PDP WG does is reflected in changes to the root.
> Does everyone know the Red Cross uses .org? Does its use of .org
> prevent registrations of reddcross.org or red-cross.org? If the
> consumer knows that he can go to charity.redcross and risk no
> potential misdirection, is that not a benefit?
> > Why is an unsigned ".charity" a better public policy choice than a
> > signed "charity.org"?
> Who knows .charity will be unsigned? Maybe it will. Consumers will
> judge TLDs on their safety features and surf accordingly.
> > Would the same security claim mean an unsigned ".bank" is a better
> > public policy choice than a signed "bank.tld", where "tld" is a
> > signed zone?
> Likewise, why should .bank not be signed. If makes perfect sense to
> have zones like this signed.

I think you've missed the point. Jaarko said ".redcross" reduces the 
American Red Cross' losses from misrepresentation. He didn't say it 
was signed, just that it exists. In the time it takes to get anything 
new into the root (other than ccTLD IDN FT adds), as .org is signed, 
redcross.org could be signed.
Jaarko's claim, and it is his choice to use a humanitarian relief 
agency to motivate a corporate loophole, is that .redcross is 
necessary. Therefore signed redcross.org, easier to obtain, is being 
offered as less effective to obtain the loss reduction goal of the ARC.
This reduces to the assertion that DNSSEC's value proposition is less 
than ease of use of the DNS as a search, rather than lookup 
technology, as users don't have to "search" for ".redcross" -- it is 
auto-found by being in the root, and this offsets the value of DNSSEC.
I disagree. I don't like the example, knowing the purpose, and parties 
making financial transactions, whether contributory or depository, 
deserve better than unsigned transactions.
What would be nice here is if someone wrote "Oops! Signed 
redcross.org. Didn't think of that. Yup. Faster and more secure. Will 
think of another motivating SRSU use case soonest. Best. s/Someone"

> > Since this organization is offered as an example of a "single user",
> > here is a portion of para 2 of section 7.1 of the ByLaws of the ARC:
> >
> > "Membership is open to all people of the United States and its
> > territories and its possessions. Any individual shall be a member of
> > the Corporation if he or she (a) makes a monetary contribution to
> > the Corporation, including a monetary contribution made directly to
> > a Chartered Unit, (b) performs volunteer services for the
> > Corporation, including volunteer services performed directly for a
> > Chartered Unit, or (c) donates blood to the Corporation."
> You are raising a concern of mine here, namely abuse of SRSU policies
> for circumvention of equal registrar access. The poilcy we propose for
> SRSU will have to exclude registrations for such membership structures.
Just so long as you don't wave a magic wand and change the ByLaws of 
the Red Cross and turn all those nice people into brainless corporate 
zombies.
Eric