RE: [gnso-whois-wg] Means of Verification / Consent - (was Draft outcomes report v 1.6)

["Scoville, Adam" <ascoville@xxxxxxxxx>]

Thanks, Ross, your explanation helps. 

 

First, just so I'm sure I understand, when you say "out-of band
verification" and "offline verification" you don't mean offline, as in
paper, right? You mean that we have to be able get that verification
through some kind of interaction other than the person viewing the web
site who is seeking to register the domain, right? 

 

It seems that the underlying goals of sections 2.3 and 2.4 are that if
the registrant's own contact info is removed: a) the functioning of the
OPoC's e-mail address should be checked, so there is some indication
that electronic communications will get passed to the registrant
promptly; and b) it should be checked that the OPoC is aware it is the
OPoC and agrees to its responsibilities. I don't read the report as
limiting the ways that could be obtained by the registrar. Other than
eliminating these goals entirely, are there other ways you would like to
see accommodated as implementation options, and is there language in the
report that (perhaps inadvertently) excludes them?

 

Dan - 

I agree that verification and consent are, in theory, separate. But a) I
see both as necessary, if the registrant's own contact info is to be
removed, and b) in at least some implementations they could probably be
accomplished simultaneously.

For better or worse, "broader support" is what it takes for any change
at ICANN, and there are a lot of people who view safeguards for
accountability and consumer protection--whether they be the precise
measures set out in the report, or similarly robust ones--as essential,
rather than "detritus." So if you're saying change from the status quo
isn't worth what the OPoC system would take, then so be it. Hopefully we
can work on other, perhaps more targeted, mechanisms to improve privacy
in the future.

 

adam

 

-----Original Message-----
From: owner-gnso-whois-wg@xxxxxxxxx
[mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Dan Krimm
Sent: Friday, August 10, 2007 1:06 PM
To: gnso-whois-wg@xxxxxxxxx
Subject: RE: [gnso-whois-wg] Draft outcomes report v 1.6

 

There were two independent issues considered in the report at this
point:

consent and verification, two different things.

 

Auto-verification of a working email address by a registrar (as a
necessary

component of a domain registration process) need not come with a formal

consent agreement with the registrar.  Conflation of these two items is

either mistaken or misleading.

 

If the cost of "broader support" is a system that has too much spurious

detritus in it to support its own weight without collapsing, then it is
too

high a price to pay.

 

I don't see that involving registrars in formal consent processes is at
all

necessary to avoid "disrupt[ing] the operation of the rule of law."
That

analysis is specious, in my view.

 

Dan

 

 

 

 

-----Original Message-----
From: Ross Rader 

Sent: Friday, August 10, 2007 12:24 PM
To: Scoville, Adam
Cc: gnso-whois-wg@xxxxxxxxx
Subject: Re: [gnso-whois-wg] Draft outcomes report v 1.6

 

Scoville, Adam wrote:

> I think it's only fair for the engineers

> to explain your issues in non-technical terms, an not to assert that

> only an engineer is qualified to comment.

 

Thankfully, I'm neither a lawyer nor an engineer - I'm simply pushing 

back on the assertion that implementing out-of-band verification would 

be "easy".

 

There is nothing simple about the domain registration system, the DNS or


its policy and regulatory overlays. In a nutshell, we have built a 

registration system that takes input from a variety of sources - 

telephone, email, fax, API, web, etc. and converts them, through a 

variety of means, to an EPP XML expression which gets transmitted to the


registries. Every superimposition must work within this context. Simply 

picking an implementation (offline verification) and a protocol (email) 

doesn't complete the work. In fact, doing so is the ultimate in bad 

manners when it comes to developing policy & regulation. The 

registration system works because we have settled on a loose collection 

of core standards (EPP and DNS mostly) that are easily coupled with 

non-specified systems that work at the edge. This policy recommendation 

reduces the number of implementation options at the edge, which has the 

implication of drastically increasing the complexity of the
implementation.

 

Imagine if the banking industry were only able to verify account holder 

identity using smoke signals. This is precisely the parallel that has 

been proposed.