Latest news of the domain name industry

Recent Posts

.secure applicant claims NCC stole her idea

Domain Security Company CEO Mary Iqbal claims that NCC Group took many of her ideas for a high-security .secure top-level domain following unproductive investment talks.

Iqbal is also hinting at “potential future litigation” over the issue.

The surprising claims, made in emails to DI today, follow the announcement last week that a new NCC subsidiary, Artemis Internet, will also apply to ICANN for .secure.

“NCC Group has taken many of the security measures outlined in the Domain Security Company LLC security plan and incorporated them into the NCC Group’s proposed security measures,” Iqbal said.

Artemis chief technology officer Alex Stamos, a veteran security industry technologist, has dismissed the allegations as “completely ridiculous”.

“The only reason I know she is applying is because we did some Google searches when we were putting together our announcement,” he said.

Iqbal claims she was first contacted by NCC in January this year to talk about signing up for data escrow services – one of the technical services all new gTLD applicants need.

However, she says these talks escalated into discussions about a possible NCC investment in Domain Security Company, during which she shared the company’s security and business plans.

She said in an email:

These disclosures were made based on assurances from the NCC Group that the NCC Group was not then involved with any other applications for a secure Top Level Domain. Specific assurances were also given that the NCC Group was not involved with any other potential application for a .SECURE Top Level Domain.

But Stamos said that he’s been working on .secure at NCC since late last year, and he has no knowledge of any talks about investing in Iqbal’s company.

“All I know is that she talked to one of our salespeople about escrow,” he said. “I’ve never seen a business plan or security plan.”

Emails from an NCC executive sent to Iqbal in January and forwarded to DI by Iqbal today appear to be completely consistent with a sales call.

Iqbal said she has emails demonstrating that the talks went further, but she declined to provide them “since I may have to use it in any potential future litigation”.

Stamos pointed out that if NCC was in the habit with competing with its escrow clients, it would have applied for considerably more gTLDs than just .secure.

Artemis is proposing a significant technology development as part of its .secure bid, he said: the Domain Policy Framework, which he outlines on his personal blog here.

He added that Artemis is happy to compete with other .secure applicants – he evidently expects more to emerge – but on the merits of the application rather than “spurious claims”.

Domain Security Company “already has a very troubling history of using the legal process to overcome problems that should be based on merit”, he said.

That’s a reference to the company’s almost-successful attempt to secure US trademarks on .secure and .bank, in spite of the US trademark office’s rules against granting trademarks on TLDs.

Expect more stories like this to emerge about other gTLDs after ICANN’s Big Reveal of the applicant list next month.

Whether her claims have any merit or not, Iqbal’s not the first to claim that another applicant stole her idea, and she certainly won’t be the last.

How NCC plans to revolutionize domain name security with .secure gTLD

The proposed .secure generic top-level domain is now officially contested, after NCC Group, best known in the domain industry for its data escrow services, announced a bid.

Newly formed NCC subsidiary Artemis Internet Inc, based in San Francisco, is the official applicant.

According to Artemis chief technology officer Alex Stamos, who co-founded security testing firm iSEC Partners and sold it to NCC for $22.8 million two years ago, this is a hard security play.

The .secure gTLD would be all about enforcing strict security policies on registrants, he said.

“Right now there are a lot of interesting security technologies out there, but they’re generally not very effective because they’re optional,” he said.

As well as premium pricing and a manual registrant verification process expected to take about two weeks – complete with mailing address confirmation and two-factor authentication tokens – Artemis plans to force registrants to adhere to certain baseline security policies.

For example, all .secure web sites would have to be completely HTTPS, Stamos said. The only permissible use of a standard port 80 URL would be to redirect to the encrypted site.

The same would go for mail servers – they’d all have to use TLS to encrypt email as standard.

“When you go to bank.secure you’ll know that the software and servers at the other end are going to make the most secure decisions possible,” Stamos said.

Artemis would scan its registrants’ sites for compliance with these baseline rules, looking out for things such as botched SSL implementations.

But Artmeis wants to take it a step further. It is also proposing a new protocol, Domain Policy Framework, which would let registrants publish their security policies in the DNS.

Stamos said the company has set up a Domain Policy Working Group to develop the spec, which it plans to submit to the IETF for standardization before the end of the year.

The other members of the working group, which promise to include some “influential” names in financial services, software and social media, will be announced in July.

DPF would work alongside the existing DNSSEC and DANE protocols to enable registrants to specify, for example, which Certificate Authorities browsers should trust when accessing their .secure domain, preventing certain types of attacks, Stamos said.

Obviously, this system is not going to work without support from browser software, but Stamos said he’s hopeful that the big vendors will embrace the DPF spec.

“The most innovative and forward-leaning browsers will support it first,” he said.

Domains in .secure would still be accessible by non-compliant browsers, he said.

ARI Registry Services has been hired to manage the back-end registry, but Artemis is also building a secondary registry system for storing the DPF records, which it plans to offer to other TLD registries.

NCC plans to invest up to £6 million ($9.7 million) in Artmeis over the next 15 months, according to a press release.

Another firm, Domain Security Company, also plans to apply for .secure.

  • Page 2 of 2
  • <
  • 1
  • 2