ICANN RAA Consultation

[TOUCHE Julien <Julien.Touche@xxxxxxxxxx>]

Hi

Some feedback concerning consultation as exposed in
http://www.icann.org/announcements/announcement-27jul07.htm

(comments on existing proposition are marked with a '=>')

Main suggestions seems very positive.
    *   Incorporating provisions to govern the terms under which a
registrar can be sold and continue to retain its ICANN accreditation.
=> need ICANN validation (and maybe some other unrelated registrar) to
keep it or pass again all controls

    * Including additional contract enforcement tools offering more
options than the current one option - terminating accreditation.
=> i think SLA must be included with penalties for registrar to
registrant and eventually ICANN. Points could be long interruption of
service, bad domain name transfer, important unresponse to registrant,
...

    * Addressing the responsibilities of a parent owner/manager when one
or more of a "family" of registrars fails to comply with ICANN
requirements.
=> with 3 or more registrars in a group, it would be better to mark RAA
to become mandatory at the group level, so means could be mutualized and
penalties too.

    * Requiring registrars to escrow contact information for customers
who register domain names using Whois privacy and Whois proxy services.
=> contact information is very important for CERT as investigation mean.
So a quick way to contact registrant must be kept. (mail, uniq dedicated
mail address or web form; firms could be encouraged to put a generic
contact@ dnsmaster@ e-mail address)

    * Augmenting the responsibilities placed on registrars with regard
to their relationships with resellers.
=> forbid use of spam to get record name, same for abuse. Also forbid
auction of domain name.

    * Requiring operator skills training and testing for all
ICANN-accredited Registrars.


Big point, as member of a CERT-like, it would great to include
statements and help means to avoid cybercriminality and fraud.
Few more suggestions, 
* discourage typosquatting, misuse of branding. On a given threshold,
penalties could be inflicted to registrar
A registrar-shared database to avoid recording a domain name by a
registrar which was made invalid by a another one or the ones an udrp
has been done (in the same tld). Better but harder because of
country-linked brand, to do the same between gTLD and ccTLD.

* another usage for this kind of database would be to avoid too much
domain tasting. We observe regularly a given domain to be in tasting for
months by switching between multiple registrar with the same registrant
(sometimes different, but same behind). Would really be best to block
this continous tasting ...

* impose a way to contact registrant when a proxy/anonymizing service is
used, if possible a way to contact them quickly and somthing which could
be recognize by law.

* try to get the same evolution with all NIC for others TLD, so this
kind of RAA be the standard. One thing also to bring together is which
data are displayed by whois service.
For example, .com gives plenty of details and nearly nothing for some
.de.
I think Registrar Name, Registrant One, Creation Date, Last
Modification, and E-mail/Phone would be the minimal mandatory set.

* to improve security, registrar could be required:
to offer an option to support DNSSec, 
to _block fast flux_ as default option (can't change dns servers of
domain, more than 5 times a week for example). 
confirmation for some modifications by phone or letter for contact
change (to avoid a phisher take control of your domain)

* another solution would be a code of conduct: previous aspect, don't
try to abuse/force to record a ns, and so on ...


Thanks for consultation
Regards

        Julien Touche


=======================================================

Ce message et toutes les pieces jointes (ci-apres le "message") 
sont confidentiels et etablis a l'intention exclusive de ses destinataires.
Toute utilisation ou diffusion non autorisee est interdite. 
Tout message electronique est susceptible d'alteration. 
La SOCIETE GENERALE et ses filiales declinent toute responsabilite
au titre de ce message s'il a ete altere, deforme ou falsifie.
                                 
=======================================================

This message and any attachments (the "message") are confidential
and intended solely for the addressees.
Any unauthorized use or dissemination is prohibited. 
E-mails are susceptible to alteration.   
Neither SOCIETE GENERALE nor any of its subsidiaries or affiliates
shall be liable for the message if altered, changed or falsified. 

=======================================================