ICANN Email List Archives

[registryservice]



Go Daddy Comments on VeriSign Two-Factor Authentication and Who Was Services

  • To: registryservice@xxxxxxxxx
  • Subject: Go Daddy Comments on VeriSign Two-Factor Authentication and Who Was Services
  • From: "Tim Ruiz" <tim@xxxxxxxxxxx>
  • Date: Fri, 10 Jul 2009 15:12:35 -0700

Our comments below are specifically related to the VeriSign
Registry-Registrar Two-Factor Authentication Service. However, we would
like to make clear that Go Daddy was not consulted on either this
service or the Who Was Service. The Registrar Constituency also has
concerns regarding the lack of a more formal process to ensure that such
consultations take place and has submitted comments in that regard. We
fully support those comments.

The VeriSign Registry-Registrar Two-Factor Authentication Service
describes two phases of the service. The first phase involves
communications between the Registrar and the Registry. The second phase
involves communications between the Registrar and the Registrant. Our
concerns involve the second phase.

VeriSign's request goes on to state: "Both phases of thee[sic]
Registry-Registrar Two-Factor Authentication Service would initially be
an optional service for registrars who elect to use it. Once the service
becomes widely adopted, two-factor authentication credentials will
become a requirement for Registry-Registrar transactions."

After reading the above we contacted VeriSign regarding their intent to
eventually require Registrars to provide the service. VeriSign confirmed
that their desire was indeed to eventually make both phases of the
service a requirement. We expressed our concerns regarding requirement
of phase II. VeriSign understood our concerns, agreed to take them into
account, and suggested we also submit comments to ICANN.

As we expressed to VeriSign, we do not believe phase II should ever be
required. It assumes that two-factor authentication is the best option
and dictates that registrars use it with their customers. We do not
believe there is any evidence to support two-factor authentication as
the best or only solution, nor to suggest that a non-OATH proprietary
model (perhaps our own) may not be better or as secure. Requiring phase
II removes the Registrar and consumer choice to decide how/what/when we
want to market/sell/promote/purchase security type services. For
example, Go Daddy offers security products such as Protected
Registrations and SSL Certificates. Numerous other Registrars offer
similar services of their own or through arrangements with third party
providers. Without the opportunity for consultation with VeriSign, it is
difficult to determine the impact of their service on these potentially
competing products, or with products/services that we may have under
development.

Phase II also implies a more direct relationship between Registrants
(our customers) and the Registry, a relationship which is not fully
described or understood at this stage. Again, further consultations with
VeriSign are essential to understand the impact on customer relationship
management, customer support and service, and the costs and impact of
implementation.

We believe ICANN should ask VeriSign to engage Registrars more fully in
consultation on this service before considering the request complete and
actionable. Failing that, phase II should be removed from this request
until such consultations have taken place. In no event should the
service be approved in a way that would allow VeriSign to later require
phase II of Registrars without fully consulting with Registrars and
Registrants.

Tim Ruiz
Vice President
Corporate Development & Policy
GoDaddy.com, Inc.




