ICANN Email List Archives



AFNIC/CORE Comment regarding Proposal to Mitigate Name Collision Risks

  • To: comments-name-collision-05aug13@xxxxxxxxx
  • Subject: AFNIC/CORE Comment regarding Proposal to Mitigate Name Collision Risks
  • From: Werner Staub <werner@xxxxxxxx>
  • Date: Tue, 27 Aug 2013 22:11:03 +0200

The Afnic/CORE consortium is the registry service provider for the
.paris TLD. We submit this comment on behalf of the City of Paris,
applicant for the .paris TLD.

In the Interisle study, the .paris TLD was categorized as an
“uncalculated risk” in ICANN’s Proposal to Mitigate Name
Collision Risks. This seems to be based on the following findings:

1) The 2013 DITL data contains 80,000 occurrences of the string
“paris” as a TLD;

2) In the list of internal X.509 certificates issued by well-known
certification authorities involving an applied-for TLD on the top
level, there are three involving “.paris”, two of which expire in
2013 and the remaining one in 2015.

A) Comments on the findings of the Interisle study in the specific
context of .paris

Afnic’s research department has analyzed the information provided
in the Interisle study and compared it with earlier DITL data. Having
done that we find that it is necessary to state - even before any
further analysis of the data is performed – that the label
“uncalculated risk” is unfortunate in that it overstates by
several orders of magnitude any conceivable security risk to any
party. In particular, it must be noted that DITL data for recent
introductions of new TLDs (such as .asia) prior to their launch had
proportionally higher “as-TLD” counts. None of these TLD
introductions have caused any problem.

The threshold below which the Interisle study applies the “low
risk” category is a count of 50,000 “as-TLD” queries in the 2013
DITL data. The .paris TLD has 90,000, whereas applied-for TLDs with a
count of up to 19.8 million – i.e. more than 200 times higher – are
in the same category.

We understand that the point arbitrarily selected to set the threshold
was the one dividing the statistical population between 80% and 20% of
the applied-for TLD strings. A look at the data suggests, however,
that it would have been much more appropriate to put the threshold at
a point where the typical step change in the underlying measurement
value from one rank to the next is more significant.

This would be the case, for instance, with a 95/5 or with a 97/3
split. At that point, the typical step of change in the underlying
measurement value from one rank to the next is in the order of 2%-3%
of the category maximum. The currently proposed 20/80 split occurs at
a point where the typical step of change from one rank to the next is
hardly noticeable as a percentage of the category maximum.

B) Comment on the mitigation proposal

There are many ways to improve the present Mitigation Proposal for the
low-risk category without additional risk. This will avoid pointless
disruption of roll-out plans and further improve preparation. It can
also be used for most TLDs, such as .paris, which currently are
misleadingly labeled as “uncalculated risk”.

One such solution is to allow TLD operators to request more detailed
data from the 2012 and 2013 DITL studies. On this basis, the TLD
operators can make their own studies and contact potentially affected
parties much earlier. The 120-day waiting time after gTLD Registry
Agreement signature can be waived in those cases. Please note that
especially TLDs with a strong and credible governance environment, such
as those supported by government authorities, are subject to possible
delays in contract signature due to stringent contracting rules.

For most of the TLDs, including most of those in the “uncalculated
risk” category, the amount of data involved is quite small if it
simply contains the raw DNS query data where the string appears as a
TLD in the query.

C) Request for detailed DITL data and minimal information on internal
X.509 certificates for .paris (as TLD)

We request to be able to analyze this data and commit to return to
ICANN our findings. Among other things, Afnic/CORE will contact the
administrators of the networks from which the queries originate.

As pointed out under point B) above, and contrary to a false
impression that may have arisen from the original amount of DITL data,
the amount of DITL data where the string appears as TLD is negligible
for most of the applied-for TLDs involved. In the case of .paris, the
full query data of the 90,000 as-TLD DITL queries, even assuming an
average of 300 bytes per query, can comfortably be sent by email.

We furthermore request contact information for the Certification
authority having issued the single .paris internal X.509 certificate
expiring after the end of 2013.

Werner Staub
