Latest news of the domain name industry

Recent Posts

Banks to write security rules for “.bank”

Kevin Murphy, January 17, 2011, Domain Registries

Financial services firms unhappy with ICANN’s new top-level domains program are to take matters into their own hands by writing security guidelines for TLDs like “.bank”.

BITS, the technology policy arm of the Financial Services Roundtable, said it plans to develop “elevated security standards for financial gTLDs” and wants ICANN to make them mandatory.

The organization, which counts many major world banks as members, is concerned that a “.bank” in the hands of a registry with lax security could increase fraud and reduce confidence in banking online.

BITS said its guidelines would be drafted by a globally diverse working group and submitted to an international standards-setting organization for ratification.

It wants ICANN to include a single sentence in its new TLDs Applicant Guidebook, apparently incorporating the guidelines by reference:

Evaluators will use standards published by the financial services industry to determine if the applicant’s proposed security approach is commensurate with the level of trust necessary for financial services gTLDs.

An ICANN working group is working on the concept of a High Security Zone TLD for precisely this kind of application, but in September the ICANN board abruptly decided that it “will not be certifying or enforcing” the idea, apparently in order to mitigate its own corporate risk.

The BITS project appears to be in direct response to that move.

It certainly seems to be a more productive avenue of engagement than hinting at a lawsuit, which it did in a November letter to ICANN.

I’m attempting to confirm whether the BITS plan, submitted as a response to the Applicant Guidebook public comment period, is being proposed with ICANN’s backing. (UPDATE: it isn’t.)

Beckstrom: ICANN accountable to world, not just US

Kevin Murphy, December 6, 2010, Domain Policy

ICANN chief Rod Beckstrom opened the organization’s 39th public meeting in Cartagena, Colombia, with a speech that touched on many of the organization’s recent controversies and appeared to take a strong stance against US government interference.

Everything from its political tangles with the International Telecommunications Union, to the recent calls for high-security top-level domains for financial services, to Beckstrom’s own controversial pet project, the proposed DNS-CERT, got a mention.

But probably Beckstrom’s strongest statement was the one which indirectly addressed recent moves by the US government to slam the brakes on ICANN’s new top-level domains program:

We are accountable to the world, not to any one country, and everything we do must reflect that.

Beckstrom acknowledged the controversies in the new TLDs policy, given last week’s strongly worded letter from the US Department of Commerce, which was highly critical of the program.

Commerce assistant secretary Lawrence Strickling has called on ICANN to delay the program until it has justified its decision under the Affirmation of Commitments.

But this morning, Beckstrom echoed sentiments expressed on the ICANN blog last week (my emphasis):

As is often the case with policy decisions in that multi-stakeholder model, not everyone is pleased, and this diversity of opinion contributes to the policy process. For example, last week we received a critical letter from the US Department of Commerce. As with all contributions, ICANN will give these comments careful consideration as part of the implementation of the GNSO policy. We welcome the transparent way that Commerce provided their comments through the public comment process.

How ICANN chooses to deal with the demands of its former master, the US government, is one of the Cartagena meeting’s Big Questions.

Another such question is how ICANN plans to deal with ongoing threats to its legitimacy from international bodies such as the International Telecommunications Union.

Addressing ITU secretary general Hamadoun Toure directly, Beckstrom said:

We have always sought to build our relationships based on mutual respect and integrity, taking into account the unique and distinct mandates entrusted to our organizations. The strengthening of communication between us is a personal priority for me.

Security

Security is one of ICANN’s watchwords, and Beckstrom is a security guy by trade. His speeches typically address the topic to a greater or lesser extent and Cartagena was no exception.

Security policies inherently create tensions. Take, for example, controversies about the strength and enforceability of of Whois policies, or Beckstrom’s own call for a DNS-CERT to oversee DNS risk.

This morning, he said:

The staff under my leadership is willing to go as far on security as the community is willing. And whatever security effort this community decides, we will do our utmost to implement and support, given sufficient resources. Because when it comes to security, how can we ever say we’ve done enough?

And now you need to tell us: where do you want us to go?

Of course, I am sure we can agree that when it comes to security, the question is not what do we want to do? Or what is popular or easy? It’s what do we owe the world? Because all of us care about the global public interest.

He took, in my view, a subtle swing at the Governmental Advisory Committee for putting security at the heart of its ongoing policy demands, while largely failing to cooperate with ICANN’s requests for information on security issues in their own jurisdictions. Beckstrom said:

We have asked GAC members to provide information about security activities in their countries. We appreciate the information some have shared but there have been few responses. As governments urge us to remain committed to security efforts, we in turn request that they help us by responding and working with the ICANN community on this vital mission.

I know there are some European ccTLD registries a bit miffed that ICANN has in recent months gone over their heads, direct to their governments, for this information, highlighting what a tricky political situation it is.

The speech also touched on internationalized domain names, with a shout-out to the recent launch of Russia’s Cyrillic ccTLD, and general global inclusion activities. I expect the text and audio to be published on the ICANN web site to be published shortly.

“Beware of Hookers”, ICANN attendees told

Kevin Murphy, October 6, 2010, Domain Policy

ICANN has published a security guide for delegates planning to attend its meeting in Cartagena, Colombia, this December, which makes quite entertaining reading.

A highlight of the report (pdf), prepared by outside consultants Control Risks, warns attendees to steer clear of bar prostitutes who plan to take advantage of them.

All travelers should avoid bars which have public touts (or “spruikers”) standing outside encouraging them to enter. Many of these bars attract high levels of local prostitutes, some who intend to rob tourists by drugging them in the bar or in their hotel rooms.

Sage advice.

The report also recommends staying off the streets after 11pm, using official taxis, keeping your wallets clean of identifying information, and not resisting muggers/abductors.

Fight for your life, but not your possessions.

I’m cherry-picking the scary stuff here, obviously. In general, the report says Cartagena is fairly safe. Last year, there were only two kidnappings in the city.

Cartagena enjoys a mostly deserved reputation as one of the safe destinations for foreign travelers in Colombia. Certainly, violent crime rarely affects foreign visitors to the city.

ICANN has said that it will commission such reports when there is a concern that security at its chosen meeting locations may not be up to scratch.

I believe the new meetings security plan was introduced in response to the vague terrorism threats that clouded the Nairobi meeting earlier this year, keeping many flighty Americans at home.

eNom to crack down on fake pharma sites

Kevin Murphy, September 17, 2010, Domain Registrars

Demand Media is to tighten security at its domain registrar arm, eNom, after bad press blighted its recent IPO announcement.

The company has signed a deal with fake pharmacy watchdog LegitScript, following allegations that eNom sometimes turns a blind eye to illegal activity on its customers’ domains.

The news emerged in the company’s amended S-1 registration statement (large HTML file), filed with the US Securities and Exchange Commission yesterday. New text reads:

We recently entered into an agreement with LegitScript, LLC, an Internet pharmacy verification and monitoring service recognized by the National Association of Boards of Pharmacy, to assist us in identifying customers who are violating our terms of service by operating online pharmacies in violation of U.S. state or federal law.

LegitScript will provide eNom with a regularly updated list of domain names selling fake pharma, so the registrar can more efficiently turn them off. The companies have also agreed to work together on research into illegal online pharmacies.

Surrounding text has also been modified to clarify that eNom is not required, under ICANN rules, to turn off domains that are being used to conduct illegal activity.

This is a bit of a PR win for the small security outfits KnuJon and HostExploit, firms which had used the occasion of Demand’s S-1 filing to give eNom a good kicking in the tech and financial press.

HostExploit reported last month that eNom was statistically the “worst” registrar as far as illegal content goes.

ICANN executives are reportedly going to be hauled to Washington DC at the end of the month to explain the problem of fake pharma to the White House.

Registries and registrars have also been invited, and I’d be surprised if eNom is not among them.

IPv4 pool to dry up in 2011

Kevin Murphy, September 14, 2010, Domain Tech

ICANN has confirmed that it will run out of unassigned IPv4 address space some time next year.

In an update to its Plan for Enhancing Internet Security, Stability and Resiliency, published yesterday, ICANN said it “expects to make the last allocations of IPv4 unicast space to the Regional Internet Registries (RIRs) during the calendar year 2011.”

While this means ICANN will largely be out of the IPv4 business, it does not of course mean that there will be no IPv4 address space left to be allocated to ISPs and businesses.

ICANN points out that the RIRs will still have their pools of unallocated addresses, and that they’ve been drawing up plans to hand out smaller blocks to new ISPs as well as allowing the transfer of IPv4 addresses between networks.

The confirmation that 2011 is the year that IPv4 dries up is not unanticipated. ICANN has been flagging it up as the likely timeframe for a few years now.

The solution to the problem is IPv6, which is large enough to never run out of addresses. The trick is making sure the new protocol is universally supported, so IPv6 networks can talk to IPv4 networks and vice versa.

The updated security plan document contains a few other nibbles of interest.

For instance, the security budget for the next year is down slightly on the last, $11.52 million versus $12.8 million, largely due to a requirement last year to build out a secure data center.

There’s also the admission that ICANN has developed an as-yet unpublished “Meetings Security Plan”, presumably in response to the terrorism fears that kept many constituents at home for the Nairobi meeting in March.