ICANN dumps the “Whois” in new Whois tool

Of all the jargon regularly deployed in the domain name industry and ICANN community, “Whois” is probably the one requiring the least explanation.
It’s self-explanatory, historically doing exactly what it says on the tin. But it’s on its way out, to be replaced by the far less user-friendly “RDAP”.
The latest piece of evidence of this transition: ICANN has pushed its old Whois query tool aside in favor of a new, primarily RDAP-based service that no longer uses the word “Whois”.
RDAP is the Registration Data Access Protocol, the IETF’s standardized Whois replacement to which gTLD registries and registrars are contractually obliged to migrate their registrant data.
Thankfully, ICANN isn’t branding the service on this rather opaque acronym. Rather, it’s using the word “Lookup” instead.
The longstanding whois.icann.org web site has been deprecated, replaced with lookup.icann.org. Visitors to the old page will be bounced to the new one.
The old site looked like this:

The new site looks like this:

It’s pretty much useless for most domains, if you want to find out who actually owns them.
If you query a .com or .net domain, you’ll only receive Verisign’s “thin” output. This does not included any registrant information.
That’s unlike most commercial Whois services, which also ping the relevant registrar for the full thick record.
For non-Verisign gTLDs, ICANN will return the registry’s thick record, but it will be very likely be mostly redacted, as required under ICANN’s post-GDPR privacy policy.
While contracted parties are still transitioning away from Whois to RDAP, the ICANN tool will fail over to the old Whois output if it receives no RDAP data.
Under current ICANN Whois policy, registries and registrars have until August 26 to deploy RDAP services to run alongside their existing Whois services.

Zimbabwe wants to rebuild its domain market from scratch

Zimbabwe has put out a call for feedback on plans to modernize its almost non-existent domain name industry.
The local ccTLD manager, Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), has issued a consultation document discussing plans to essentially architect the .zw market from scratch.
.zw currently has no automated registration process, no Whois, no formal registry-registrar framework, no DNSSEC, no IPv6, and no governing policies.
POTRAZ is proposing to adopt “best practices” from fellow ccTLDs in Africa and elsewhere, by appointing a new registry operator that will work with a registrar channel under policies created by POTRAZ, as sponsoring organization, itself.
It looks rather like the contract to run the ccTLD could soon be up for grabs.
But first, POTRAZ wants to know how much involvement the Zimbabwean government should have in the operations of the TLD, presenting four options ranging from full governmental control to industry self-regulation.
Currently, POTRAZ, a government regulator, has handed off registry operations for .zw to state-owned telecoms company TelOne.
It has a three-level structure, with TelOne looking after .org.zw, the Zimbabwe Internet Service Providers Association looking after .co.zw and the University of Harare managing .ac.zw.
Interestingly, POTRAZ has not yet decided whether .zw domains should be free or paid for, and whether annual renewals should be required.
The consultation is open until August 9.
Zimbabwe has a population of about 16 million and, according to Internet World Stats, 6.8 million internet users.

Airline hit with $230 million GDPR fine

British Airways is to be fined £183.39 million ($230 million) over a customer data breach last year, by far the biggest penalty to be handed out under the General Data Protection Regulation to date.
This story is not directly related to the domain name industry, but it does demonstrate that European data protection authorities are not messing about when it comes to GDPR enforcement.
About 500,000 BA customers had their personal data — including full payment card details — stolen by attackers between June and September last year, the UK Information Commissioner’s Office said today..
It is believed that they obtained the data not by hacking BA’s database, but rather by inserting a script hosted by third-party domain that executed whenever a customer transacted with the site, allowing credentials to be captured in real time.
The ICO said its decision to fine $183.39 million — which amounts to more than 1.5% of BA’s annual revenue — is preliminary and can be appealed by BA.
Under GDPR, which came into effect in May 2018, companies can be fined up to 4% of revenue.
The biggest pre-GDPR fine is reportedly the £500,000 penalty that Facebook was given due to the Cambridge Analytica scandal.
GDPR is of course of concern to the domain industry due to the ongoing attempts to make sure Whois databases are compliant with the laws.

PwC wants to be your Whois gatekeeper

PricewaterhouseCoopers has built a Whois access system that may help domain name companies and intellectual property interests call a truce in their ongoing battle over access to private Whois data.
Its new TieredAccess Platform will enable registries and registrars to “outsource the entire process of providing access to non-public domain registration data”.
That’s according to IP lawyer Bart Lieben, partner at the Belgian law firm ARTES, who devised the system and is working with PwC to develop it.
The offering is designed to give trademark lawyers access to the data they lust after, while also reducing costs and mitigating domain name industry liability under the General Data Protection Regulation.
TieredAccess would make PwC essentially the gatekeeper for all requests for private Whois data (at least, in the registries plugged into the platform) coming from the likes of trademark owners, security researchers, lawyers and law enforcement agencies.
At one end, these requestors would be pre-vetted by PwC, after which they’d be able to ask for unredacted Whois records using PwC as an intermediary.
They’d have to pick from one of 43 pre-written request scenarios (such as cybersquatting investigation, criminal probe or spam prevention) and assert that they will only use the data they obtain for the stated purposes.
At the other end, registries and registrars will have adopted a set of rules that specify how such requests should be responded to.
A ruleset could say that cops get more access to data than security researchers, for example, or that a criminal investigation is more important than a UDRP complaint.
PwC has created a bunch of templates, but registrars and registries would be able to adapt these policies to their own tastes.
Once the rules are put in place, and the up-front implementation work has been done to plug PwC into their Whois servers, they wouldn’t have to worry about dealing with Whois requests manually as most are today. The whole lot would be automated.
Not even PwC would have human eyes on the requests. The private data would only be stored temporarily.
One could argue that there’s the potential for abusive or non-compliant requests making it through, which may give liability-nervous companies pause.
But the requests and response metadata would be logged for audit and compliance, so abusive users could be fingered after the act.
Lieben says the whole system has been checked for GDPR compliance, assuming its prefabricated baseline scenarios and templates are adopted unadulterated.
He said that the PwC brand should give clients on both sides “peace of mind” that they’re not breaking privacy law.
If a registrar requires an affidavit before releasing data, the assertions requestors make to PwC should tick that box, he said.
Given that this is probably a harder sell to the domain name industry side of the equation, it’s perhaps not surprising that it’s the requestors that are likely to shoulder most of the cost burden of using the service.
Lieben said a pricing model has not yet been set, but that it could see fees paid by registrars subsidized by the fees paid by requestors.
There’s a chance registries could wind up paying nothing, he said.
The project has been in the works since September and is currently in the testing phase, with PwC trying to entice registries and registrars onto the platform.
Lieben said some companies have already agreed to test the service, but he could not name them yet.
The service was developed against the backdrop of ongoing community discussions within ICANN in the Expedited Policy Development Working group, which is trying to create a GDPR-compliant policy for access to private Whois records.
ICANN Org has also made it known that it is considering making itself the clearinghouse for Whois queries, to allow its contracted parties to offload some liability.
It’s quite possible that once the policies are in place, ICANN may well decide to outsource the gatekeeper function to the likes of PwC.
That appears to be what Lieben has in mind. After all, it’s what he did with the Trademark Clearinghouse almost a decade ago — building it independently with Deloitte while the new gTLD rules were still being written and then selling the service to ICANN when the time came.
The TieredAccess service is described in some detail here.

Major registries posting “fabricated” Whois data

One or more of the major gTLD registries are publishing Whois query data that may be “fabricated”, according to some of ICANN’s top security minds.
The Security and Stability Advisory Committee recently wrote to ICANN’s top brass to complain about inconsistent and possibly outright bogus reporting of Whois port 43 query volumes.
SSAC said (pdf):

it appears that the WHOIS query statistics provided to ICANN by registry operators as part of their monthly reporting obligations are generally not reliable. Some operators are using different methods to count queries, some are interpreting the registry contract differently, and some may be reporting numbers that are fabricated or otherwise not reflective of reality. Reliable reporting is essential to the ICANN community, especially to inform policy-making.

SSAC says that the inconsistency of the data makes it very difficult to make informed decisions about the future of Whois access and to determine the impact of GPDR.
While the letter does not name names, I’ve replicated some of SSAC’s research and I think I’m in a position to point fingers.
In my opinion, Google, Verisign, Afilias and Donuts appear to be the causes of the greatest concern for SSAC, but several others exhibit behavior SSAC is not happy about.
I reached out to these four registries on Wednesday and have published their responses, if I received any, below.
SSAC’s concerns relate to the monthly data dumps that gTLD registries new and old are contractually obliged to provide ICANN, which publishes the data three months later.
Some of these stats concern billable transactions such as registrations and renewals. Others are used to measure uptime obligations. Others are largely of academic interest.
One such stat is “Whois port 43 queries”, defined in gTLD contracts as “number of WHOIS (port-43) queries responded during the reporting period”.
According to SSAC, and confirmed by my look at the data, there appears to be a wide divergence in how registries and back-end registry services providers calculate this number.
The most obvious example of bogosity is that some registries are reporting identical numbers for each of their TLDs. SSAC chair Rod Rasmussen told DI:

The largest issue we saw at various registries was the reporting of the exact or near exact same number of queries for many or all of their supported TLDs, regardless of how many registered domain names are in those zones. That result is a statistical improbability so vanishingly small that it seems clear that they were reporting some sort of aggregate number for all their TLDs, either as a whole or divided amongst them.

While Rasmussen would not name the registries concerned, my research shows that the main culprit here appears to be Google.
In its December data dumps, it reported exactly 68,031,882 port 43 queries for each of its 45 gTLDs.
If these numbers are to be believed, .app with its 385,000 domains received precisely the same amount of port 43 interest as .gbiz, which has no registrations.
As SSAC points out, this is simply not plausible.
A Google spokesperson has not yet responded to DI’s request for comment.
Similarly, Afilias appears to have reported identical data for a subset of its dot-brand clients’ gTLDs, 16 of which purportedly had exactly 1,071,939 port 43 lookups in December.
Afilias has many more TLDs that did not report identical data.
An Afilias spokesperson told DI: “Afilias has submitted data to ICANN that addresses the anomaly and the update should be posted shortly.”
SSAC’s second beef is that one particular operator may have reported numbers that “were altered or synthesized”. SSAC said in its letter:

In a given month, the number of reported WHOIS queries for each of the operator’s TLDs is different. While some of the TLDs are much larger than others, the WHOIS query totals for them are close to each other. Further statistical analysis on the number of WHOIS queries per TLD revealed that an abnormal distribution. For one month of data for one of the registries, the WHOIS query counts per TLD differed from the mean by about +/- 1%, nearly linearly. This appeared to be highly unusual, especially with TLDs that have different usage patterns and domain counts. There is a chance that the numbers were altered or synthesized.

I think SSAC could be either referring here to Donuts or Verisign
Looking again at December’s data, all but one of Donuts’ gTLDs reported port 43 queries between 99.3% and 100.7% of the mean average of 458,658,327 queries.
Is it plausible that .gripe, with 1,200 registrations, is getting almost as much Whois traffic as .live, with 343,000? Seems unlikely.
Donuts has yet to provide DI with its comments on the SSAC letter. I’ll update this post and tweet the link if I receive any new information.
All of the gTLDs Verisign manages on behalf of dot-brand clients, and some of its own non-.com gTLDs, exhibit the same pattern as Donuts in terms of all queries falling within +/- 1% of the mean, which is around 431 million per month.
So, as I put to Verisign, .realtor (~40k regs) purportedly has roughly the same number of port 43 queries as .comsec (which hasn’t launched).
Verisign explained this by saying that almost all of the port 43 queries it reports come from its own systems. A spokesperson told DI:

The .realtor and .comsec query responses are almost all responses to our own monitoring tools. After explaining to SSAC how Verisign continuously monitors its systems and services (which may be active in tens or even hundreds of locations at any given time) we are confident that the accuracy of the data Verisign reports is not in question. The reporting requirement calls for all query responses to be counted and does not draw a distinction between responses to monitoring and non-monitoring queries. If ICANN would prefer that all registries distinguish between the two, then it is up to ICANN to discuss that with registry operators.

It appears from the reported numbers that Verisign polls its own Whois servers more than 160 times per second. Donuts’ numbers are even larger.
I would guess, based on the huge volumes of queries being reported by other registries, that this is common (but not universal) practice.
SSAC said that it approves of the practice of monitoring port 43 responses, but it does not think that registries should aggregate their own internal queries with those that come from real Whois consumers when reporting traffic to ICANN.
Either way, it thinks that all registries should calculate their totals in the same way, to make apples-to-apples comparisons possible.
Afilias’ spokesperson said: “Afilias agrees that everyone should report the data the same way.”
As far as ICANN goes, its standard registry contract is open to interpretation. It doesn’t really say why registries are expected to collect and supply this data, merely that they are obliged to do so.
The contracts do not specify whether registries are supposed to report these numbers to show off the load their servers are bearing, or to quantify demand for Whois services.
SSAC thinks it should be the latter.
You may be thinking that the fact that it’s taken a decade or more for anyone to notice that the data is basically useless means that it’s probably not all that important.
But SSAC thinks the poor data quality interferes with research on important policy and practical issues.
It’s rendered SSAC’s attempt to figure out whether GDPR and ICANN’s Temp Spec have had an effect on Whois queries pretty much futile, for example.
The meaningful research in question also includes work leading to the replacement of Whois with RDAP, the Registration Data Access Protocol.
Finally, there’s the looming possibility that ICANN may before long start acting as a clearinghouse for access to unredacted Whois records. If it has no idea how often Whois is actually used, that’s going to make planning its infrastructure very difficult, which in turn could lead to downtime.
Rasmussen told DI: “Our impression is that all involved want to get the numbers right, but there are inconsistent approaches to reporting between registry operators that lead to data that cannot be utilized for meaningful research.”

Court rules domain name list should stay secret

Publishing a list of every domain name in their zone is something that most TLD registries do automatically on a daily basis, but a court in Chile has ruled that doing so is a cybersecurity risk.
NIC Chile, which runs .cl, said last week that it has won an appeal against a Transparency Council ruling that would have forced it to publish a list of the domains it manages.
The Court of Appeals ruled that the registry was within its rights to refuse to hand over an Excel spreadsheet listing the 575,430 domains in .cl to the person who requested it.
The request was just for the list of domains, with none of the other data you’d find in a zone file and no Whois information about the registrants.
Nevertheless, the court unanimously ruled that to hand over the list would present “cybersecurity risks”, according to NIC Chile attorney Margarita Valdés Cortés.
NIC Chile said in a statement:

In this particular case, it was considered that the bulk delivery of domain names to a private individual could generate risks of cybersecurity of various kinds, both in access to information as a result of those domain names as well as the possibility that, by having such a list, attacks on servers, phishing, spam or others could be made easier. Similarly, the ruling of the Court of Appeals understood that the delivery of the data affects commercial and economic rights of the holders of these .CL domains, and considered that there is a legal cause that justifies NIC Chile´s refusal to turn over the list of all registered names.

Cortés said that the case will now go to the nation’s Supreme Court for a final decision, after the Transparency Council appealed.
Access to zone files is considered by many security researchers to be an invaluable tool in the fight against cybercrime.
NIC Chile has published the ruling, in Spanish, here (pdf).

WordPress-linked .blog dumps Nominet for CentralNic

Knock Knock Whois There, the .blog registry, has announced its decision to switch back-end registry providers.
The company, which is owned by WordPress.com owner Automattic, said that it has dropped Nominet in favor of fellow British rival CentralNic.
It announced the news in a blog post tonight.
The migration is expected to happen in late August or early September, pending ICANN approval (which is likely just a formality).
KKWT said in a blog post:

Deciding to change backend providers was a difficult decision and not one that we take lightly. We understand the time and effort it takes during the migration process, both on behalf of registrars, as well as everyone else involved. We strongly believe that this new partnership will enhance the .blog experience for our registrar, reseller partners, and registrants. We’re fortunate to have Nominet’s continued support to make this transition as smooth as possible.

It’s bad news for Nominet, because .blog is a quite high-profile TLD, at least in terms of new gTLDs.
.blog had just shy of 200,000 domains under management at the last count. Not much on the grand scheme of things, but enough to put it in the top 25 gTLDs from the 2012 round.
Nominet recently got some good news when Amazon switched the large majority of its largely unused gTLDs from Neustar.

Five more gTLD deadbeats fingered by ICANN

The company that tried unsuccessfully to get the .islam new gTLD has been slammed by ICANN for failing to pay its dues on five different gTLDs.
Asia Green IT System, based in Turkey, has been considered “past due” on its registry fees since at least January, according to an ICANN breach notice sent yesterday.
The company runs .nowruz (Iranian New Year), .pars (refers to Persia/Iran), .shia (a branch of Islam), .tci (a closed dot-brand) and .همراه (.xn--mgbt3dhd, appears to mean something like “comrade” in Persian).
The only one of these to actually launch is .nowruz. It came to market March last year — bizarrely, it didn’t leave sunrise until a week after Nowruz was over — and has scraped just over 40 registrations. It does not appear to have any active web sites.
With little to no revenue, one can imagine why it might have difficulty paying ICANN’s $25,000 annual per-TLD registry fee, which it will have been paying for almost four years before lapsing.
None of its mandatory “nic.example” sites resolve for me today, though its “whois.nic.example” sites can be reached once you click through an SSL security warning.
The primary registry web site for AGIT, agitsys.com, also does not resolve for me.
ICANN’s breach notice claims that it has been unable to contact anyone at the registry, despite many outreach attempts, since January. It believes it has outdated contact data for the company.
AGIT is perhaps best-known to DI readers for its unsuccessful attempts to apply for .islam and .halal.
ICANN rejected these applications last October after an outcry from governments of Muslim-majority nations and the Organization for Islamic Cooperation.
Given AGIT’s apparent difficulties, perhaps that was a good call.
If the registry doesn’t cough up by June 13, ICANN may start termination proceedings.
It’s the 19th published breach notice ICANN has sent to a gTLD registry. In most cases, even the handful of cases that have escalated to termination, the registry has managed to resolve the issue before losing their contracts.
The only gTLD to actually get terminated to date I believe is .wed, which is currently being wound down by Nominet in its role as Emergency Back-End Registry Operator.
The most-recent registry breach notice, filed against .whoswho in January, is still “under review” by ICANN.

Governments demand Whois reopened within a year

ICANN’s government advisers wants cops, trademark owners and others to get access to private Whois data in under a year from now.
The Governmental Advisory Committee wants to see “considerable and demonstrable progress, if not completion” of the so-called “unified access model” for Whois by ICANN66 in Montreal, a meeting due to kick off November 4 this year.
The demand came in a letter (pdf) last week from GAC chair Manal Ismail to her ICANN board counterpart Cherine Chalaby.
She wrote that the GAC wants “phase 2” of the ongoing Expedited Policy Development Process on Whois not only concluded but also implemented “within 12 months or less” of now.
It’s a more specific version of the generic “hurry up” advice delivered formally in last month’s Kobe GAC communique.
It strikes me as a ludicrously ambitious deadline.
Phase 2 of the EPDP’s work involves deciding what “legitimate interests” should be able to request access to unredacted private Whois data, and how such requests should be handled.
The GAC believes “legitimate interests include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection”.
IP interests including Facebook want to be able to vacuum up as much data as they want more or less on demand, but they face resistance from privacy advocates in the non-commercial sector (which want to make access as restrictive as possible) and to a lesser extent registries and registrars (which want something as cheap and easy as possible to implement and operate that does not open them up to legal liability).
Ismail’s letter suggests that work could be sped up by starting the implementation of stuff the EPDP group agrees to as it agrees to it, rather than waiting for its full workload to be complete.
Given the likelihood that there will be a great many dependencies between the various recommendations the group will come up with, this suggestion also comes across as ambitious.
The EPDP group is currently in a bit of a lull, following the delivery of its phase 1 report to ICANN, which is expected to approve its recommendations next month.
Since the phase 1 work finished in late February, there’s been a change of leadership of the group, and bunch of its volunteer members have been swapped out.
Volunteers have also complained about burnout, and there’s been some pressure for the pace of work — which included four to five hours of teleconferences per week for six months — to be scaled back for the second phase.
The group’s leadership has discussed 12 to 18 months as a “realistic and desirable” timeframe for it to reach its Initial Report stage on the phase 2 work.
For comparison, it published its Initial Report for phase 1 after only six stressful months on the job, and not only have its recommendations not been implemented, they’ve not even been approved by ICANN’s board of directors yet. That’s expected to happen this Friday, at the board’s retreat in Istanbul.
With this previous experience in mind, the chances of the GAC getting a unified Whois access service implemented within a year seem very remote.

ICA rallies the troops to defeat .org price hikes. It won’t work

Over 100 letters have been sent to ICANN opposing the proposed lifting of price caps in .org, after the Internet Commerce Association reached out to rally its supporters.
This is an atypically large response to an ICANN public comment period, and there are four days left on the clock for more submissions to be made, but I doubt it will change ICANN’s mind.
Almost all of the 131 comments filed so far this month were submitted in the 24 hours after ICA published its comment submission form earlier this week.
About a third of the comments comprise simply the unedited ICA text. Others appeared to have been inspired by the campaign to write their own complaints about the proposal, which would scrap the 10%-a-year .org price increase cap Public Interest Registry currently has in place.
Zak Muscovitch, ICA’s general counsel, told DI that as of this morning the form generates different template text dynamically. I’ve spotted at least four completely different versions of the letter just by refreshing the page. This may make some comments appear to be the original thoughts of their senders.
This is the original text, as it relates to price caps:

I believe that legacy gTLDs are fundamentally different from for-profit new gTLDs. Legacy TLDs are essentially a public trust, unlike new gTLDs which were created, bought and paid for by private interests. Registrants of legacy TLDs are entitled to price stability and predictability, and should not be subject to price increases with no maximums. Unlike new gTLDs, registrants of legacy TLDs registered their names and made their online presence on legacy TLDs on the basis that price caps would continue to exist.
Unrestrained price increases on the millions of .org registrants who are not-for-profits or non-profits would be unfair to them. Unchecked price increases have the potential to result in hundreds of millions of dollars being transferred from these organizations to one non-profit, the Internet Society, with .org registrants receiving no benefit in return. ICANN should not allow one non-profit nearly unlimited access to the funds of other non-profits.

The gist of the other texts is the same — it’s not fair to lift price caps on domains largely used by non-profits that may have budget struggles and which have built their online presences on the old, predictable pricing rules.
The issues raised are probably fair, to a point.
Should the true “legacy” gTLDs — .com, .net and .org — which date from the 1980s and pose very little commercial risk to their registries, be treated the same as the exceptionally risky gTLD businesses that have been launched since?
Does changing the pricing rules amount to unfairly moving the goal posts for millions of registrants who have built their business on the legacy rules?
These are good, valid questions.
But I think it’s unlikely that the ICA’s campaign will get ICANN to change its mind. The opposition would have to be broader than from a single interest group.
First, the message about non-profits rings a bit hollow coming from an explicitly commercial organization whose members’ business model entails flipping domain names for large multiples.
If a non-profit can’t afford an extra 10 bucks a year for a .org renewal, can it afford the hundreds or thousands of dollars a domainer would charge for a transfer?
Even if PIR goes nuts, abandons its “public interest” mantra, and immediately significantly increases its prices, the retail price of a .org (currently around $20 at GoDaddy, which has about a third of all .orgs) would be unlikely to rise to above the price of PIR-owned .ong and .ngo domains, which sell for $32 to $50 retail.
Such an increase might adversely affect a small number of very low-budget registrants, but the biggest impact will be felt by the big for-profit portfolio owners: domainers.
Second, letter-writing campaigns don’t have a strong track record of persuading ICANN to change course.
The largest such campaign to date was organized by registrars in 2015 in response to proposals, made by members of the Privacy and Proxy Services Accreditation Issues working group, that would have would have essentially banned Whois privacy for commercial web sites.
Over 20,000 people signed petitions or sent semi-automated comments opposing that recommendation, and ICANN ended up not approving that specific proposal.
But the commercial web site privacy ban was a minority position written by IP lawyers, included as an addendum to the group’s recommendations, and it did not receive the consensus of the PPSAI working group.
In other words, ICANN almost certainly would not have implemented it anyway, due to lack of consensus, even if the public comment period had been silent.
The second-largest public comment period concerned the possible approval of .xxx in 2010, which attracted almost 14,000 semi-automated comments from members of American Christian-right groups and pornographers.
.xxx was nevertheless approved less than a year later.
ICANN also has a track record of not acceding to ICA’s demands when it comes to changes in registry agreements for pre-2012 gTLDs.
ICA, under former GC Phil Corwin, has also strongly objected to similar changes in .mobi, .jobs, .cat, .xxx and .travel over the last few years, and had no impact.
ICANN seems hell-bent on normalizing its gTLD contracts to the greatest extent possible. It’s also currently proposing to lift the price caps on .biz and .info.
This, through force of precedent codified in the contracts, could lead to the price caps one day, many years from now, being lifted on .com.
Which, let’s face it, is what most people really care about.
Info on the .org contract renewal public comment period can be found here.