[gnso-irtp-pdp-jun08] Cross-posting a recent note -- IRTP topic - "out of band" verification

["Mike O'Connor" <mike@xxxxxxxxxx>]

hi all,

George just posted this to a thread in the Fast Flux working group, 
but i think it's relevant to our conversation as well -- he's 
describing examples of "out of band" verification systems used by 
various folks (registrars and other Internet-based businesses).
i know, i know...  it brings up the dreaded WHOIS discussion 
again...  i'm starting to understand why it keeps coming back 
around.  i wish there was a way to separate the "operational aspects 
of WHOIS" discussion from the "privacy aspects of WHOIS" discussion...
anyway -- i like George's examples a lot.

mikey



> Date: Thu, 18 Sep 2008 11:15:45 -0400
> From: "George Kirikos" <fastflux@xxxxxxxx>
> To: "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
> Subject: [gnso-ff-pdp-may08] Address Verification
> X-Google-Sender-Auth: 8b994fd648738851
> X-Virus-Scanned: ClamAV 0.93.3/8279/Thu Sep 18 05:42:42 2008 on 
> pechora2.lax.icann.org
> X-Virus-Status: Clean
> X-Greylist: IP, sender and recipient auto-whitelisted, not delayed 
> by milter-greylist-4.0 (pechora2.lax.icann.org [208.77.188.37]); 
> Thu, 18 Sep 2008 08:16:07 -0700 (PDT)
> Sender: owner-gnso-ff-pdp-may08@xxxxxxxxx
> List-id: gnso-ff-pdp-may08@xxxxxxxxx
> X-Antivirus: AVG for E-mail 8.0.169 [270.6.21/1678]
>
>
> Hi folks,
>
> Just to followup on the prior discussion, here are some thoughts/links
> that expand on the topic.
>
> Apparently .dk does/did exactly what I was suggesting, namely:
>
> http://www.icannwatch.org/comments.pl?sid=1540&cid=12938
> http://www.dk-hostmaster.dk/index.php?id=140
>
> (not clear from the latter link that it's sent to a postal mail, as
> opposed to an email)
>
> ECash, used by Intercasino and other online casinos, uses a PIN system
> for verification, see the FAQ at:
>
> http://www.ecashdirect.net/faq/faq-pin.html
>
> The Canada Revenue Agency (Canada's equivalent to the IRS) sends a
> security code by postal mail, as part of their online account
> verification:
>
> http://www.cra-arc.gc.ca/esrvc-srvce/tx/psssrvcs/pss_fq_scrty-eng.html#security10
>
> There are at least 3 reasons why one would want WHOIS verification:
>
> 1) provides audit trail for law enforcement or civil litigation
> 2) curbs abuse by linking a finite physical identifier (physical
> address) to a domain's activation, as opposed to an identifier that is
> in infinite supply (i.e. emails).
> 3) using the principles of Signalling (from economics), e.g.
>
> http://en.wikipedia.org/wiki/Signalling_(economics)
>
> it's a lot more costly for a malevolent individual to provide physical
> location verification than for innocent individuals to provide that
> information.
>
> Note, there are people that might be concerned that the physical
> location is published in the WHOIS (e.g. rape crisis centers, etc.).
> This concern can be allayed by keeping the information with the
> registrar (i.e. registrar does the authentication before activation of
> the domain, but can still use Proxy WHOIS for public address
> information). Note, once the registrant has authenticated their
> address with a registrar, they can re-use that PIN (assuming they keep
> their address constant) for multiple registrations (e.g. on the first
> domain, they get authenticated, and then can register 20 more, etc.).
> PINs should probably not be portable between registrars (otherwise
> you'd need a central blacklist of bad addresses, which might be tricky
> to manage; although, through a hash of the address, it might be
> possible to have a hashed central list). It can be portable to
> multiple TLDs within a registrar, though, and ICANN can punish
> registrars that don't properly authenticate before domain activation.
>
> And if we want to do this in relation to Fast Flux, and allay
> registrars concerned about lack of instant activation for customers,
> conceivably a non-authenticated domain (i.e. a customer waiting for
> their PIN code in the mail) could perhaps get activated only on
> special nameservers, i.e. those of the registrar themselves. So,
> example.com registered today by Jane Smith of 100 Main Street,
> Anytown, USA. at GoDaddy can use ns1.domaincontrol.com and
> ns2.domaincontrol.com instantly (which don't flux). But, to have "full
> use" of the domain, i.e. switching to their own nameservers, etc.,
> Jane needs to enter the PIN sent to 100 Main Street. After that, she
> can register example2.com, example3.com, etc.
>
> Sincerely,
>
> George Kirikos
> www.LEAP.com
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com
> Version: 8.0.169 / Virus Database: 270.6.21/1678 - Release Date: 
> 9/18/2008 9:01 AM

voice: 651-647-6109
fax: 866-280-2356

web: www.haven2.com