ICANN Email List Archives

[hstld-snapshot-15feb10]



High Security Top-Level Domain (HSTLD) - Draft Program Development Snapshot

  • To: hstld-snapshot-15feb10@xxxxxxxxx
  • Subject: High Security Top-Level Domain (HSTLD) - Draft Program Development Snapshot
  • From: Paul Foody <paulfoody@xxxxxxxxx>
  • Date: Fri, 9 Apr 2010 00:44:03 -0700

Dear Sirs

I thank you for the opportunity to comment on ICANN's Request for comments on the High Security Top-Level Domain (HSTLD) - Draft Program Development Snapshot as posted on 22 February 2010.

As a domain registrant and internet user, the certainty that information, important or not, is being transferred, securely when necessary, to and from my machine and whichever other machine I am attempting to contact is absolutely critical to the functionality and usability of the internet. Accordingly, any attempt by any party genuinely interested in increasing that certainty has to be applauded especially since the goals of the paper appear reasonable and the practices and safeguards being suggested do not appear even as onerous as the sort of standards required to qualify for recognition by the International Organisation for Standardisation (which maintains ISO 9000 & 9001). (Furthermore, whilst there was much resistance when ISO 9001 was introduced into the Commercial Property Market back in the early 90s, the policies and procedures companies were required to follow in order to qualify for the designation are frequently cited as having improved the quality of work being produced and/or the efficiency with which the various organisations produce it.)

I am concerned however that the goals being addressed ("Principle 1: The Registry maintains effective controls to provide reasonable assurance that the security, availability and confidentiality of systems and information assets supporting critical registry IT and business operations are maintained.."; "Principle 2: The Registry maintains effective controls to provide reasonable assurance that the processing of core Registry functions are authorised, accurate, complete and performed in a timely manner.."; Principle 3: The Registry shall ensure its registrars are behaving as they should; Principle 4: Registrants "are expected to maintain current and accurate information, and to commit to refrain from activities designed to confuse or mislead the internet-using public.") are of such fundamental importance to the secure operation of the internet that to permit any registry refusing even to consider such changes where such changes advance those lofty aims, to continue operating as a registry would not be in the public interest.

Accordingly, I believe the HSTLD Review Team should focus on improving the minimum standards of all TLDs, especially existing TLDs such as DotCom, to as far as possible completely eradicate these problems since to demand improved procedures for new TLDs, which cannot have been affected by the problems motivating this study in the first place, would in effect be an abandonment of those existing TLDs, which hardly does anything for the stability of the internet.

I am also a little concerned that this report appears only to consider the security of the end-destination site and does not appear to address any of the compromises that could occur in the journey from origin machine to destination. Whilst a desire for screening processes for Registry employees is entirely understandable, it is unlikely any such employee could cause the sort of problems that a rogue ISP could, yet there does not appear to be any consideration of the role of the ISP in this paper.

Finally on a personal note, having had concerns a while ago that my email and web hosting accounts had been compromised only for my email account host (Yahoo) and my web host (NetSol) to refuse to communicate in writing except by email, I would like to make a suggestion. Could ICANN please encourage registries (and other businesses such as Yahoo, Priceline, Expedia etc) to provide physical contact addresses so that customers writing to those addresses can be provided with written responses, on company letter headed paper, albeit perhaps for a small charge, to confirm, since email is not the most secure of communications, as far as possible, that whatever email correspondence might have been received is genuine and authorised.

Once again I thank you for the opportunity to make these comments and submit a suggestion.

Yours sincerely

Paul Foody

