Verisign has been given approval to start restricting who can and cannot register .com and .net domain names in various countries.
Customers of Chinese registrars are the first to be affected by the change to the registry’s back-end system, which was made last year.
ICANN last week gave Verisign a “free to deploy” notice for a new “Verification Code Extension” system that enables the company to stop domains registered via selected registrars from resolving unless the registrant’s identity has been verified and the name is not on China’s banned list.
It appears to be the system Verisign deployed in order to receive its Chinese government license to operate in China.
Under Verification Code Extension, Verisign uses ICANN records to identify which registrars are based in countries that have governmental restrictions. I believe China is currently the only affected country.
Those registrars are able to register domains normally, but Verisign will prevent the names from resolving (placing them in serverHold status and keeping them out of the zone file) unless the registration is accompanied by a verification code.
These codes are distributed to the affected registrars by at least two verification service providers. Verisign, in response to DI questions, declined to name them.
Under its “free to deploy” agreement with ICANN (pdf), Verisign is unable to offer verification services itself. It must use third parties.
The company added the functionality to its .com and .net registry as an option in February 2016, according to ICANN records. It seems to have been implemented last July.
A Verisign spokesperson said the company “has implemented” the system.
The Verification Code Extension — technically, it’s an extension to the EPP protocol pretty much all registries use — was outlined in a Registry Services Evaluation Process request (pdf) last May, and approved by ICANN not long after.
Verisign was approved to operate in China last August in the first wave of gTLD registries to obtain government licenses.
Under Chinese regulations, domain names registered in TLDs not approved by the government may not resolve. Registrars are obliged to verify the identities of their registrants and names containing certain sensitive terms are not permitted.
Other gTLDs, including .vip, .club, .xyz .site and .shop have been granted approval over the last few months.
Some have chosen to work with registration gateway providers in China to comply with the local rules.
Apart from XYZ.com and Verisign, no registry has sought ICANN approval for their particular implementation of Chinese law.
Because Chinese influence over ICANN is a politically sensitive issue right now, it should be pointed out that the Verification Code Extension is not something that ICANN came up with in response to Chinese demands.
Rather, it’s something Verisign came up with in response to Chinese market realities. ICANN has merely rubber-stamped a service requested by Verisign.
This, in other words, is a case of China flexing market muscle, not political muscle. Verisign, like many other gTLD registries, is over-exposed to the Chinese market.
It should also be pointed out for avoidance of doubt that the Chinese restrictions do not apply to customers of non-Chinese registrars.
However, it appears that Verisign now has a mechanism baked into its .com and .net registries that would make it much easier to implement .com restrictions that other governments might choose to put into their own legislation in future.
A British Member of Parliament has been forced to deny he was behind the registration of several domain names promoting him as a future leader of the Labour party.
Clive Lewis, until recently a member of the shadow cabinet, told the Guardian yesterday that he did not register the batch of domains, which included cliveforleader.org.uk, cliveforlabour.org.uk and their matching .org, .uk and .co.uk domains.
“None of this is true: I haven’t done this,” he told the paper, following a Huffington Post article revealing the names had been registered June 29 last year, just a couple of days after he was appointed shadow defence secretary.
Lewis resigned from the shadow cabinet three weeks ago after refusing to vote in favor of triggering the Article 50 process that will take the UK out of the European Union.
The Labour Party has been dogged by stories about potential leadership challenges ever since Jeremy Corbyn — popular among grassroots party members, unpopular with voters — took over.
Questions about Corbyn’s leadership reemerged last week after a disastrous by-election defeat for the party.
The domains were taken as an indication that Lewis had been plotting a coup for many months, which he has denied.
The Whois records do not support a conclusion one way or another.
Under Nominet rules, individuals are allowed to keep their phone number, postal and email addresses out of Whois if the domains are to be used for non-commercial purposes, a right the registrant of the names in question chose to exercise.
Public Whois records show the .uk names registered to “Clive Lewis”, but contain no contact information.
They do contain the intriguing statement “Nominet was able to match the registrant’s name and address against a 3rd party data source on 29-Jun-2016”, a standard notice under Nominet’s Whois validation program.
But Nominet does not validate the identity of registrants, nor does it attempt to link the registrant’s name to their purported address.
The statement in the Whois records translates merely that Nominet was able to discover that a person called Clive Lewis exists somewhere in the world, and that the postal address given is a real address.
The .org and .com domains, registered the same day by the same registrar, use a Whois privacy service and contain no information about the registrant whatsoever.
Lewis himself suspects the batch of names may have been registered by a political opponent in order to force him to deny that he registered them, noting that fellow MP Lisa Nandy had a similar experience last July.
His initial statement to HuffPo, on which he reportedly declined to elaborate, was:
A lesson from LBJ [US President Lyndon B Johnson] in how to smash an opponent. Legend has it that LBJ, in one of his early congressional campaigns, told one of his aides to spread the story that Johnson’s opponent f*cked pigs. The aide responded: ‘Christ, Lyndon, we can’t call the guy a pigf*cker. It isn’t true.’ To which LBJ supposedly replied: ‘Of course it ain’t true, but I want to make the son-of-a-bitch deny it.’
Since then, along with his denial to the Guardian, he’s told his local Norwich newspaper that he’s tasked his lawyers with finding out who registered the names.
“I have instructed a solicitor to go away and look at this. They can try and make sure we find the identity, the IP address and the payment details,” he told the Eastern Daily Press.
Verisign has boosted its reportable .com domain count by almost 750,000 by starting to count expired and suspended names.
The change in methodology, which is a by-product of ICANN’s much more stringent Whois accuracy regime, happened on Friday afternoon.
Before the change, the company reported on its web site that there were 116,788,107 domains in the .com zone file, with another 167,788 names that were registered but not configured.
That’s a total of 116,955,895 domains.
But just a few hours later, the same web page said .com had a total of 117,704,800 names in its “Domain Name Base”.
That’s a leap of 748,905 pretty much instantly; the number of names in the zone file did not move.
.net jumped 111,110 names to 15,143,356.
The reason for the sudden spikes is that Verisign is now including two types of domain in its count that it did not previously. The web page states:
Beginning with the first quarter, 2015, the domain name base on this website and in subsequent filings found in the Investor Relations site includes domains that are in a client or server hold status.
I suspect that the bulk of the 750,000 newly reported names are on clientHold status, which I believe is used much more often than serverHold.
The clientHold EPP code is often applied by registrars to domains that have expired.
However, registrars signed up to the year-old 2013 Registrar Accreditation Agreement are obliged by ICANN to place domains on clientHold status if registrants fail to respond within 15 days to a Whois verification email.
The 2013 RAA reads (my emphasis):
Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.
Last June, registrars claimed that the new policy — which came after pressure from law enforcement — had resulted in over 800,000 domains being suspended.
It’s an ongoing point of contention between ICANN, its registrars, and cops.
Verisign changing its reporting methodology may well be a reaction to this increase in the number of clientHold domains.
While its top-line figure has taken a sharp one-off boost, it will still permit daily apples-to-apples comparisons on an ongoing basis.
My assumption about the link to the 2013 RAA was correct.
Verisign CFO George Kilguss told analysts on February 5.
Over the last several years, the average amount of names in the on-hold status category has been approximately 400,000 names and the net change year-over-year has been very small.
While still immaterial, during 2014, we saw an increase in the amount of names registrars have placed on hold status, which appears to be a result of these registrars complying with the new mandated compliance mechanisms in ICANN’s 2013 Registrar Accreditation Agreement or RAA.
In 2014, we saw an increase in domain names placed on hold status from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.
German registrar Cronon, which retails domains under the Strato brand, has stopped carrying .uk domains due to what it says are onerous Whois validation rules.
In a blog post, company spokesperson Christina Witt said that over one third of all .uk sales the registrar has been making are failing Nominet’s registry-end validation checks, which she said are “buggy”.
With the introduction of direct second-level registration under .uk, Nominet introduced a new requirement that all new domains must have a UK address in the Whois for legal service, even if the registrant is based overseas.
According to its web site, Nominet checks registrant addresses against the Royal Mail Postcode Address file, which contains over 29 million UK addresses, and does a confidence-based match.
If attempts to match the supplied address with a UK address in this file prove fruitless, and after outreach to the registrant, Nominet suspends the domain 30 days after registration and eventually deletes it.
It’s this policy of terminating domains that has caused Strato to despair and stop accepting new .uk registrations.
“Databases of street directories or company registers are often inaccurate and out of date,” Witt wrote (translated from the original German). “The result: addresses that are not wrong, in fact, are be found to be invalid.”
Nominet is throwing back over a third of all .uk names registered via Strato, according to the blog post, creating a customer support nightmare.
Its affected registrants are also confused about the verification emails they receive from Nominet, a foreign company of which they have often never heard, Witt wrote.
I don’t know how many .uk names the registrar has under management, but it’s reasonably large in the gTLD space, with roughly 650,000 domains under management at the last count.
If Strato’s claim that Nominet is rejecting a third of valid addresses (and how Strato could know they’re valid is open to question), that’s quite a scary statistic.
Nominet seems to be using an address database, from the Royal Mail, which is about as close to definitive as it gets. And it’s only verifying addresses from a single country.
I shudder to imagine what the false negative rate would be like for a gTLD registrar compelled to validate addresses across 200-odd countries and territories.
The latest version of the ICANN Registrar Accreditation Agreement requires registrars to partially validate addresses, such as checking whether the street and postal code exist in the given city, but there’s no requirement for domains to be suspended if these checks fail.
[UPDATE: Thanks to Michele Neylon of the Registrars Stakeholder Group for the reminder that this RAA requirement hasn’t actually come into force yet, and won’t until the RrSG and ICANN come to terms on its technical and commercial feasibility.]
Where the 2013 RAA does require suspension is when the registrant fails to verify their email address (or, less commonly, phone number), which as we’ve seen over the last year leads to hundreds of thousands of names being yanked for no good reason.
If Strato’s story about .uk is correct and its experience shared by other registrars, I expect that will become and important data point the next time law enforcement or other interests push for even stricter Whois rules in the ICANN world.
While many members of the community are getting upset about the plan to make it harder for ICANN’s board to overrule GAC advice, today we got a reminder that the board is not the GAC’s lapdog.
The New gTLD Program Committee is standing firm on the way it creatively reinterpreted Governmental Advisory Committee advice to make it less punishing on a few dozen new gTLD registries.
The NGPC passed a resolution on Monday approving an updated scorecard to send to the GAC. ICANN chair Steve Crocker delivered it to GAC chair Heather Dryden yesterday.
A “GAC scorecard” is a table of the GAC’s demands, taken from the formal advice it issues at the end of each public meeting, with the NGPC’s formal responses listed alongside.
The latest scorecard (pdf) addresses issues raised in the last five ICANN meetings, dating back to the Beijing meeting in April 2013.
The issues mainly relate to the GAC’s desire that certain new gTLDs, such as those related to regulated industries, be locked down much tighter than many of the actual applicants want.
One big point of contention has been the GAC’s demand that registrants in gTLDs such as .attorney, .bank and .doctor should be forced to provide a relevant licence or other credentials at point of sale.
The GAC’s exact words, from its Beijing communique (pdf), were:
At the time of registration, the registry operator must verify and validate the registrants’ authorisations, charters, licenses and/or other related credentials for participation in that sector.
However, when the NGPC came up with its first response, in November last year, it had substantially diluted the advice. The creative reinterpretation I mentioned earlier read:
Registry operators will include a provision in their Registry-Registrar Agreements that requires Registrars to include in their Registration Agreements a provision requiring a representation that the Registrant possesses any necessary authorisations, charters, licenses and/or other related credentials for participation in the sector associated with the Registry TLD string.
In other words, rather than presenting your medical licence to a registrar when buying a .doctor domain, registrants would merely assert they have such a licence on the understanding that they could lose their domain if they fail to present it on demand in future.
The GAC, which isn’t entirely stupid, spotted ICANN’s reimagining of the Beijing communique.
At the Singapore meeting this March, it issued a list of passive-aggressive questions (pdf) for the NGPC, noting that its Beijing advice had been “amended” by the board and wondering whether this would lead to “greater risks of fraud and deception” in new gTLDs.
ICANN’s response this week is quite lengthy.
The NGPC said it had “to balance many competing positions” when figuring out how to respond to the Beijing communique, and that it tried “to address all of the completing concerns in a way that respected the spirit and intent of the GAC’s advice.”
The committee gives a number of examples (starting on page 15 of this PDF) explaining why the GAC’s original demands would be unreasonably burdensome not only on registries and registrars but also on registrants.
Here’s one example:
consider a potential registrant that is a multinational insurance company seeking to register a domain name in the .insurance TLD. Suppose the multinational insurance company has locations in over 30 countries, including the United States and Kenya. If the potential registrant insurance company attempts to register a domain name in the .insurance TLD, would that trigger an obligation to verify and validate its credentials, licenses, charters, etc. in the location of its headquarters, or all of the places around the globe where it does business. Is it realistic for a Registry Operator or Registrar to have the knowledge and expertise to determine precisely what credentials or authorizations are required in every country around the world (and in every city, county or other political division if those political subdivisions also require credentials [e.g. in the United States, insurance is primarily regulated at the state level and require a license in each of the 50 states])?
The short version is that the NGPC isn’t budging on this particular issue.
Rather than backpedaling, it’s giving the GAC the reasons it disagreed with its advice and explaining how it attempted to at least comply with the spirit, if not the letter, of Beijing.
As far as I can tell, that seems to be the case in each of the 39 items in the new scorecard — explanation not capitulation. Read the full thing here.