ICANN has set up a study into whether certain applied-for new gTLD strings pose a security risk to the internet, admitting that some gTLDs may be rejected as a result.
Its board of directors on Saturday approved new research into the risk of new gTLD clashes with “internal name certificates”, saying that the results could kill off some gTLD applications.
In its rationale, the board stated:
it is possible that study might uncover risks that result in the requirement to place special safeguards for gTLDs that have conflicts. It is also possible that some new gTLDs may not be eligible for delegation.
Internal name certificates are the same digital certificates used in secure, web-based SSL transactions, but assigned to domain names in private, non-standard namespaces.
Many companies have long used non-existent TLDs such as .corp, .mail and .home on their private networks and quite often they obtain SSL certs from the usual certificate authorities in order to enable encryption between corporate resources and their internal users.
The problem is that browsers and other applications on laptops and other mobile devices can attempt to access these private namespaces from anywhere, not only from the local network.
If ICANN should set these TLD strings live in the authoritative DNS root, registrants of clashing domain names might be able to hijack traffic intended for secure resources and, for example, steal passwords.
That’s obviously a worry, but it’s one that did not occur to ICANN’s Security and Stability Advisory Committee until late last year, when it immediately sought out the help of the CA/Browser Forum.
It turned out that the CA/Browser Forum, an alliance of certificate authorities and browser makers, was already on the case. It has put in place new rules stating that certificates issued to private TLDs that match new gTLDs will be revoked 120 days after ICANN signs a contract with the new gTLD registry.
But it’s still not entirely clear whether this will sufficiently mitigate risk. Not every CA is a member of the Forum, and some enterprises might find 120-day revocation windows challenging to work with.
Verisign recently highlighted the internal certificate problem, along with many other potential risks, in an open letter to ICANN.
But both ICANN CEO Fadi Chehade and the chair of SSAC, Patrik Fältström, have said that the potential security problems are already being addressed and not a reason to delay new gTLDs.
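For an enterprise holding internal name certificates, the practical first step is an inventory check. The following is an added example, not code from ICANN or the CA/Browser Forum: it flags certificate names whose rightmost label matches an applied-for string and computes the 120-day revocation deadline described above. The TLD sets, certificate inventory and contract date are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data: assumptions for illustration, not authoritative lists.
DELEGATED_TLDS = {"com", "net", "org"}      # stand-in for the current root zone
APPLIED_FOR = {"home", "corp", "mail"}      # applied-for strings named in the article
REVOCATION_WINDOW = timedelta(days=120)     # window stated in the article


def tld_of(name):
    """Return the rightmost label of a certificate name, lower-cased."""
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def classify(name):
    """'public', 'collision' (private name under an applied-for string) or 'internal'."""
    tld = tld_of(name)
    if tld in DELEGATED_TLDS:
        return "public"
    return "collision" if tld in APPLIED_FOR else "internal"


def audit(inventory, contract_dates, today):
    """List certificate names that clash with applied-for gTLDs.

    inventory: {cert_id: [subject names]}; contract_dates: {tld: date the
    registry contract was signed}. Returns (cert_id, name, deadline, days_left)
    tuples; deadline and days_left are None while no contract is signed.
    """
    findings = []
    for cert_id, names in sorted(inventory.items()):
        for name in names:
            if classify(name) != "collision":
                continue
            signed = contract_dates.get(tld_of(name))
            deadline = signed + REVOCATION_WINDOW if signed else None
            days_left = (deadline - today).days if deadline else None
            findings.append((cert_id, name, deadline, days_left))
    return findings


# Constructed inventory, hypothetical contract date for .corp, and audit date.
INVENTORY = {
    "cert-01": ["intranet.example.com", "payroll.hq.corp"],
    "cert-02": ["*.mail", "printer.lab.internal"],
}
CONTRACTS = {"corp": date(2013, 7, 1)}
TODAY = date(2013, 9, 1)

if __name__ == "__main__":
    for row in audit(INVENTORY, CONTRACTS, TODAY):
        print(row)
```

Names classified as "internal" are not affected by this rule but remain candidates for migration to a namespace the organisation actually controls.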
The latest board resolution appears to modify that position.
The board has now asked CEO Fadi Chehade and SSAC to “consider the potential security impacts of applied-for new-gTLD strings in relation to this usage.”
The Root Server Stability Advisory Committee and the CA/Browser Forum will also be tapped for data.
While the study will, one assumes, not be limited to any specific applied-for gTLD strings, it’s well known that some strings are more risky than others.
The root server operators already receive vast amounts of erroneous DNS traffic looking for .home and .corp, for example. If any gTLD applications are at risk, it’s those.
There are 10 remaining applications for .home and five for .corp.
ICANN has approved a new UDRP resolution provider, the first to be based in the Arab region, despite the objections of domainers.
The Arab Center for Dispute Resolution will now be able to service UDRP complaints. But it won’t be bound to an ICANN contract, as had been demanded by the Internet Commerce Association and others.
The ACDR was approved by the ICANN board last week, almost three years after it originally applied for the privilege.
The board said in its rationale that the move would be good for geographic diversity and that its rigorous community review process highlighted community accountability.
On the issue of UDRP provider contracts, it merely noted:
commenters suggested that ICANN develop contracts with each of its UDRP providers as a means to require uniformity among providers. Contracts have never been required of UDRP providers.
the proposal now includes an affirmative recognition that if ICANN imposes further requirements on providers, the ACDR will follow those requirements
The ACDR will come as a knock to the ICA, which recently celebrated the fact that ICANN intends to have formal contracts with providers of Uniform Rapid Suspension services.
ICANN has picked Los Angeles for the third of its three 2014 public meetings.
The decision was approved by its board of directors at its retreat in Amsterdam last week.
As you may know, ICANN’s meeting schedule cycles through its five geographic regions, and North America’s next turn comes next year, raising hopes that it might finally choose Las Vegas.
Alas, we get LA instead.
According to the board’s resolution, the cost of holding a meeting in LA should come in a couple hundred grand below the price of holding it elsewhere, presumably due to reduced travel expenses.
It will be the fourth time ICANN has gathered community members in its home town, but the first time since 2007. Back when ICANN did four meetings a year, LA was the home of its annual general meetings.
Recent North American meetings have been held in Toronto, San Francisco and Puerto Rico. The Mexico City meeting in 2009 counts as Latin America on ICANN’s map of the world.
Singapore and London have already been named as 2014 venues for Asia and Europe respectively.
Did would-be new gTLD registry services provider GMO Registry fail its ICANN technical evaluations?
The Japanese company has made a deal that will see CentralNic take over the back-end operations for all 27 of the applications it was signed up to service, it has emerged.
In a letter, provided by GMO to ICANN last week as part of its sweeping application change requests, CentralNic says:
CentralNic Ltd has entered into a contract with GMO Registry, Inc. (GMO) to provide backend gTLD registry services for their generic top-level domains.
The letter (pdf) goes on to enumerate the 10 critical technical functions — basically everything from EPP to DNSSEC to registrar management — that CentralNic will be taking over.
The letter seems to have been attached last week to change requests for each of the 27 applications for which the DI PRO database lists GMO as the back-end registry provider.
That list includes big dot-brands such as .toshiba, .sharp and .nissan, generics such as .shop and .mail, and city TLDs including .tokyo and .osaka. Even the original dot-brand, .canon, and GMO’s own .gmo are switching back-ends.
The requested changes certainly seem to explain why GMO has yet to pass any of its Initial Evaluations (as we noted on Twitter a couple weeks back) despite having prioritization numbers as low as 111.
GMO parent GMO Internet may not be widely known outside of Japan, but it’s a pretty big deal. The company had 2012 revenue of about JPY 75 billion ($730 million) and it owns a top-ten registrar, Onamae.
Per ICANN rules, the change requests switching the applications to CentralNic back-ends are open for public comment for 30 days.
ICANN has released its weekly batch of new gTLD Initial Evaluation results and it includes the program’s second and third failures.
Two dot-brand applications — .olayangroup and .mckinsey, filed by Olayan Investments and McKinsey Holdings — didn’t get passing scores and are now categorized as “Eligible for Extended Evaluation”.
Both — like the only other failure to date, also filed by Olayan — passed the technical evaluation but failed on question 45, which asks the applicant to provide financial statements.
The strings that have passed IE this week are:
.dog, .pharmacy, .sener, .skydrive, .soy, .sport, .grocery, .rightathome, .scjohnson, .jll, .hosting, .americanexpress, .yamaxun, .analytics, .construction, .land, .management, .systems, .surgery, .news, .data, .reisen, .rugby, .theater, .university, .cba, .ads, .how, .chrome, .vanguard, .meo, .lotte, .hughes, .praxi, .uno, .versicherung, .blog, .bmw, .shangrila, .yandex and .bbc
There are now 341 passing applications and three failures.