Latest news of the domain name industry

Recent Posts

Whois headed for the scrap heap in “paradigm shift”

Kevin Murphy, June 25, 2013, Domain Policy

Whois’ days are numbered.

An “Expert Working Group” assembled by ICANN CEO Fadi Chehade has proposed that the old Whois service we all love to hate be scrapped entirely and replaced with something (possibly) better.

After several months of deliberations the EWG today issued an audacious set of preliminary recommendations that would completely overhaul the current system.

Registrants’ privacy might be better protected under the new model, and parties accessing Whois data would for the first time have obligations to use it responsibly.

There’d also be a greater degree of data validation than we have with today’s Whois, which may appease law enforcement and intellectual property interests.

The new concept may also reduce costs for registries and registrars by eliminating existing Whois service obligations.

The EWG said in its report:

After working through a broad array of use cases, and the myriad of issues they raised, the EWG concluded that today’s WHOIS model—giving every user the same anonymous public access to (too often inaccurate) gTLD registration data—should be abandoned.

Instead, the EWG recommends a paradigm shift whereby gTLD registration data is collected, validated and disclosed for permissible purposes only, with some data elements being accessible only to authenticated requestors that are then held accountable for appropriate use.

The acronym being proposed is ARDS, for Aggregated Registration Data Services.

For the first time, gTLD registrant data would be centralized and maintained by a single authority — likely a company contracted by ICANN — instead of today’s mish-mash of registries and registrars.

The ARDS provider would store frequently cached copies of Whois records provided by registries and registrars, and would be responsible for validating it and handling accuracy complaints.

To do a Whois look-up, you’d need access credentials for the ARDS database. It seems likely that different levels of access would be available depending on the user’s role.

Law enforcement could get no-holds-barred access, for example, while regular internet users might not be able to see home addresses (my example, not the EWG’s).

Credentialing users may go some way to preventing Whois-related spam.

A centralized service would also provide users with a single, more reliable and uniform, source of registrant data.

Registrars and registries would no longer have to provide Whois over port 43 or the web, potentially realizing cost savings as a result, the EWG said.

For those concerned about privacy, the EWG proposes two levels of protection:

  • An Enhanced Protected Registration Service for general personal data privacy needs; and
  • A Maximum Protected Registration Service that offers Secured Protected Credentials Service for At-Risk, Free-Speech uses.

If I understand the latter category correctly, the level privacy protection could even trump requests for registrant data from law enforcement. This could be critical in cases of, for example, anti-governmental speech in repressive regimes.

The proposed model would not necessarily kill off existing privacy/proxy services, but such services would come under a greater degree of ICANN regulation than they are today.

It appears that there’s a lot to like about the EWG’s concepts, regardless of your role.

It is very complex, however. The devil, as always, will be in the details. ARDS is going to need a lot of careful consideration to get right.

But it’s a thought-provoking breakthrough in the age-old Whois debate, all the more remarkable for being thrown together, apparently through a consensus of group members, in such a short space of time.

The EWG’s very existence is somewhat controversial; some say it’s an example of Chehade trying to circumvent standard procedures. But it so far carries no official weight in the ICANN policy-making process.

Its initial report is currently open for public comment either via email direct to the group or planned webinars. After it is finalized it will be submitted to the ICANN board of directors.

The board would then thrown the recommendations at the Generic Names Supporting Organization for a formal Policy Development Process, which would create a consensus policy applicable to all registries and registrars.

With all that in mind, it’s likely to be a few years before (and if) the new model becomes a reality.

New registrar contract could be approved next week

ICANN’s board of directors is set to vote next week on the 2013 Registrar Accreditation agreement, but we hear some last-minute objections have emerged from registrars.

The new RAA has been about two years in the making. It will make registrars verify email addresses and do some rudimentary mailing address validation when new domains are registered.

It will also set in motion a process for ICANN oversight of proxy/privacy services and some aspects of the reseller business. In order to sell domain names in new gTLDs, registrars will have to sign up to the 2013 RAA.

ICANN has put approval of the contract on its board’s June 27 agenda.

But I gather that some registrars are unhappy about some last-minute changes ICANN has made to the draft deal.

For one, some linguistic tweaks to the text have given registrars an “advisory” role in seeking out technical ways to do the aforementioned address validation, which has caused some concern that ICANN may try to mandate expensive commercial solutions without their approval.

There also appears to be some concern that the new contract now requires registrars to make sure their resellers follow the same rules on proxy/privacy services, which wasn’t in previous drafts.

Nominet brings back second-level .uk proposal

Nominet has resurrected Direct.uk, its plan to allow people to register domain names directly under .uk.

But the proposal, which was killed off in February, has been significantly revised in response to complaints from domain investors and others.

The idea is one of a collection being announced by Nominet this afternoon.

It’s also proposing to shake up how it accredits .uk registrars and, borrowing a page from the current ICANN playbook, how .uk registrant Whois information is verified.

Second-level domains make a comeback

If the Direct.uk proposal is approved and you own a .co.uk, .me.uk or .org.uk domain name, you’ll get rights to the matching .uk name, according to Nominet COO Eleanor Bradley.

“The registrant of oldest current domain name at the third level will have first right of refusal to register that name at the second level,” she said.

When a .uk is contested by, for example, the owners of matching .co.uk and .org.uk domains, the older registration would win the name.

The clock on registration period is reset to the date of the current registration if the domain has ever dropped before, but not if it’s been transferred between registrants, she said.

This change may settle some of the concerns emerging from the domain investor community, which was outraged by Nominet’s original plan to give trademark holders first rights to .uk names.

Giving the .uk and .co.uk to different people would stand to confuse internet users, they said, not to mention devaluing their portfolios.

It wasn’t just domainers that stood to lose out under the old plan, however.

British domainer Edwin Hayward compiled a some examples of big brands that have invested in generic .co.uk domains but do not own matching trademarks, meaning they would not necessary get the second-level.

Barclays owns bank.co.uk and Kellogg owns breakfast.co.uk, for examples. Under the new Nominet proposal, it looks like these companies would get first dibs on the matching .uk addresses.

“We feel we’re responding to the feedback we heard, but it’s also our strong view that registrations at the second level are really important for what we do to maintain the relevance of .uk going forward,” Bradley said.

Plans to ramp up Whois verification

The revamped plan will also see Nominet drop its demands for mandatory extra security features under second-level .uk names.

Some critics had said that this would ghettoize .co.uk by suggesting it’s not secure.

Instead, the company is proposing blanket Whois verification for the whole of .uk — second and third-level — and a suite of optional security services to be provided in-house and via partners.

The Whois checks will take the form of email verification, in much the same way as ICANN has proposed for gTLDs in its new Registrar Accreditation agreement.

Nominet also plans to check physical mailing addresses against public databases to make sure they’re genuine. This apparently already happens to an extent.

Three tiers of registrar

The company today also unveiled plans for three types of registrar: Self-Managed, Channel Partner and Accredited Channel Partner.

Self-Managed would be domainers and big corporate users that manage their own portfolios. Channel Partners would be the vanilla registrars we know today, and Accredited would have been certified as having a certain level of security and Whois quality, among other things.

Existing registrars could do nothing and become Channel Partners, or migrate to one of the other two tiers, Bradley said.

Those in the Self-Managed and Accredited tiers would get free inter-registrant transfers, she said. Accredited registrars would also be trusted to handle their own Whois verification.

The proposals are still currently proposals, but it sounds like Nominet is determined to get it right this time.

The Direct.uk consultation is not expected to be over until November, so we’re not likely to see any movement until next year.

Cops say new gTLDs shouldn’t launch without a Big Brother RAA

Law enforcement agencies are not happy with the proposed 2013 Registrar Accreditation Agreement, saying it doesn’t go far enough to help them catch online bad guys.

Europol and the FBI told ICANN’s Governmental Advisory Committee yesterday that people need to have their full identities verified before they’re allowed to register domain names.

They added that new gTLDs shouldn’t be allowed to launch until a tougher RAA is agreed to and signed by registrars.

The draft 2013 RAA would force registrars to validate their customers’ email addresses or phone numbers after selling them a domain, but law enforcement thinks this is not enough.

“We need a bit more in this area,” Troels Oerting, head of Europol’s European Cybercrime Centre, told the GAC during a Sunday session. “We need a bit more to be verified in addition to the phone or email.”

“It’s very, very important that we are able to identify perpetrators able, to identify the originators, and it’s not enough that you just put in the email or phone,” he said.

He added that there should also be re-verification procedures and ongoing compliance monitoring from ICANN, and said that only registrars signing the 2013 RAA should be allowed to sell new gTLD domains.

Europol has sent a letter to ICANN (not yet published, it seems) outlining four areas it wants to see the RAA “improved”, Oerting said.

Given that many GAC members, including the US, seem to support this position, it’s yet another threat to ICANN’s new gTLD launch timetable, not to mention privacy and anonymous speech in general.

The law enforcement recommendations are not new, of course. They’ve been in play and GAC-endorsed for many years, but were watered down during ICANN’s RAA talks with registrars.

Another deadline missed in registrar contract talks

Kevin Murphy, December 16, 2012, Domain Registrars

ICANN and domain name registrars will fail to agree on a new Registrar Accreditation Agreement by the end of the year, ICANN has admitted.

In a statement Friday, ICANN said that it will likely miss its end-of-year target for completing the RAA talks:

While the registrars and ICANN explored potential dates for negotiation in December 2012, both sides have agreed that between holidays, difficult travel schedules and the ICANN Prioritization Draw for New gTLDs, a December meeting is not feasible. Therefore, negotiations will resume in January 2013, and the anticipated date for publication of a draft RAA for community comment will be announced in January as well.

The sticking point appears to still be the recommendations for strengthening registrars’ Whois accuracy commitments, as requested by law enforcement agencies and governments.

At the Toronto meeting in October, progress appeared to have been made on all 12 of the LEA recommendations, but the nitty-gritty of the Whois verification asks had yet to be ironed out.

Potentially confusing matters, ICANN has launched a parallel root-and-branch Whois policy reform initiative, a community process which may come to starkly different conclusions to the RAA talks.

Before the LEA issues are settled, ICANN doesn’t want to start dealing with requests for RAA changes from the registrars themselves, which include items such as dumping their “burdensome” port 43 Whois obligations for gTLD registries that have thick Whois databases.

ICANN said Friday:

Both ICANN and the registrars have additional proposed changes which have not yet been negotiated. As previously discussed, it has been ICANN’s position that the negotiations on key topics within the law enforcement recommendations need to come to resolution prior to concluding negotiations on these additional areas.

Registrars agreed under duress to start renegotiating the RAA following a public berating from the Governmental Advisory Committee at the ICANN Dakar meeting October 2011.

At the time, the law enforcement demands had already been in play for two years with no substantial progress. Following Dakar, ICANN and the registrars said they planned to have a new RAA ready by March 2012.

Judging by the latest update, it seems quite likely that the new RAA will be a full year late.

ICANN has targeted the Beijing meeting in April next year for approval of the RAA. It’s one of the 12 targets Chehade set himself following Toronto.

Given that the draft agreement will need a 42-day public comment period first, talks are going to have to conclude before the end of February if there’s any hope of hitting that deadline.