High-security .bank spec published
BITS, the technology arm of the Financial Services Roundtable, has published a set of specifications for new “high-security” generic top-level domains such as .bank and .pay.
The wide-ranging spec covers 31 items such as registration and acceptable use policies, abusive conduct, law enforcement compliance, registrar relations and data security.
It would also ban Whois proxy/privacy services from financial gTLDs and oblige those registries to verify that all Whois records were fully accurate at least once every six months.
The measures could be voluntarily adopted by any new gTLD applicant, but BITS wants them made mandatory for gTLDs related to financial services, which it calls “fTLDs”.
A letter sent by BITS and the American Bankers Association to ICANN management in late December (pdf) is even a bit threatening on this point:
We strongly urge that ICANN accept the [Security Standards Working Group’s] proposed standards and require their use in the evaluation process. We request notification by 31 January 2012 that ICANN commits to use these fTLD standards in the evaluation of the appropriate gTLD applications. BITS, the American Bankers Association (ABA), and the organizations involved in this effort are firmly committed to ensuring fTLDs are operated in a responsible and secure manner and will take all necessary steps to ensure that occurs.
BITS, it should be pointed out, is preparing its own .bank bid (possibly also .invest and .insure) so the new specs give a pretty good indication of what its own gTLD applications will look like.
ICANN’s Applicant Guidebook does not currently mandate any security standard, but it does say that security practices should be commensurate with the level of trust expected from the gTLD string.
Efforts within ICANN to create a formal High Security Zone Top Level Domain (HSTLD) standard basically fizzled out in late 2010 after ICANN’s board said it would not endorse its results.
That said, any applicant that chooses to adopt the new spec and can demonstrate it has the wherewithal to live up to its very strict requirements stands a pretty good chance of scoring maximum points in the security section of the gTLD application.
Declining to implement these new standards, or something very similar, is likely to be a deal-breaker for any company currently thinking about applying for a financial services gTLD.
Even if ICANN does not formally endorse the BITS-led effort, it is virtually guaranteed that the Governmental Advisory Committee will be going through every financial gTLD with a fine-toothed comb when the applications are published May 1.
The US government, via NTIA chief Larry Strickling, said this week that the GAC plans to reopen the new gTLD trademark protection debate after the applications are published.
It’s very likely that any dodgy-looking gTLDs purporting to represent regulated industries will find themselves under the microscope at that time.
The new spec was published by BITS December 20. It is endorsed by 17 companies, mostly banks. Read it in PDF format here.
BITS may apply for six financial gTLDs
BITS, the technology policy wing of the Financial Services Roundtable, may apply to ICANN for as many as six financially-focused new top-level domains.
The organization is pondering bids for .bank, .banking, .insure, .insurance, .invest and .investment, according to Craig Schwartz, who’s heading the project as general manager for registry programs.
(UPDATE: To clarify, these are the six strings BITS is considering. It does not expect to apply for all six. Three is a more likely number.)
Schwartz, until recently ICANN’s chief gTLD registry liaison, told DI that the application(s) will be filed by a yet-to-be-formed LLC, which will have the FSR and the American Bankers Association as its founding members.
It will be a community-designated bid, which means the company may be able to avoid an ICANN auction in the event that its chosen gTLD strings are contested by other applicants.
“We’ve looked at the scoring, and while it may not come into play at all we do believe we can meet the requisite score [for a successful Community Priority Evaluation],” Schwartz said. “But we’re certainly mindful of what’s happening in the space, there’s always the possibility of contention.”
There’s no relationship between BITS and CORE, the Council of European Registrars, which is apparently looking into applying for its own set of financially-oriented gTLDs, Schwartz said.
It’s not a big-money commercial play, but the new venture would be structured as a for-profit entity, he said.
“It’s relatively analogous to what’s happened in the .coop space, where after 10 years they have only about 7,000 registrations,” Schwartz said.
It sounds like pricing might be in the $100+ range. Smaller financial institutions lacking the resources to apply for their own .brand gTLDs would be a likely target customer base.
Interestingly, .bank may begin life as a business-to-business play, used primarily for secure inter-bank transactions, before it becomes a consumer-facing proposition, Schwartz said.
He added that it would likely partner with a small number of ICANN-accredited registrars – those that are able to meet its security requirements – to get the domains into the hands of banks.
VeriSign has already signed up to provide the secure back-end registry services for the bid.
Senior ICANN staffer hired by .bank project
Craig Schwartz, ICANN’s chief gTLD registry liaison, has been headhunted by BITS, the tech arm of the Financial Services Roundtable, to head up its .bank top-level domain application.
Schwartz will become BITS’ general manager of registry programs in early July, following the conclusion of the next ICANN meeting in Singapore.
BITS has yet to reveal the TLDs it plans to apply for, but .bank is the no-brainer. I understand it is also considering complementary strings, such as .finance and .insurance.
The organization has already said that it plans to use VeriSign as its back-end registry services provider.
Schwartz is a five-year ICANN veteran, and his experience dealing with registries will no doubt be missed, particularly at a time when the number of gTLDs is set to expand dramatically.
His replacement will have plenty of time to settle into the role, however. The first new gTLDs approved under the program are not likely to go live until late 2012 at the earliest.
VeriSign now front-runner for .bank
VeriSign has signed a deal with two major banking industry organizations to become their exclusive provider of registry services for any new top-level domains designed for financial services companies.
The deal is with the American Bankers Association and BITS, the technology policy arm of the Financial Services Roundtable. Together, they represent the majority of US banks.
While the announcement conspicuously avoids mentioning any specific TLD strings, .bank is the no-brainer. I suspect other announced .bank initiatives will now be reevaluating their plans.
The way ICANN’s new gTLD Applicant Guidebook is constructed, any TLD application claiming to represent the interests of a specific community requires support from that community.
There are also community challenge procedures that would almost certainly kill off any .bank application that did not have the backing of major banking institutions.
BITS has already warned ICANN that it would not tolerate a .bank falling into the wrong hands, a position also held by ICANN’s Governmental Advisory Committee.
In an era of widespread phishing and online fraud, the financial services industry is understandably eager that domains purporting to represent banks are seen to be trustworthy.
Because we all trust bankers, right?
VeriSign is of course the perfect pick for a registry services provider. As well as running the high-volume .com and .net domains, it also carries the prestige .gov and .edu accounts.
“We’re honored to have been chosen by BITS and ABA as their registry operator for any new gTLDs deployed to serve the financial services industry and their customers,” said Pat Kane, VeriSign’s senior VP of Naming Services, in a statement.
Apart from the multilingual versions of .com and .net, I think this may be the first new TLD application VeriSign has publicly associated itself with.
Start-up plans .bank and .secure TLDs
The first applicant for “.bank” and “.secure” top-level domains has revealed itself.
Domain Security Company, a start-up based in Wisconsin, is behind the proposals. It’s currently seeking funding for the applications, according to its web site.
The firm says it will offer security via a mix of “technical innovations, process improvements, and enhanced requirements”.
Its intention to obtain .secure and .bank seems to have first emerged when it filed for a US trademark registration on both TLDs last September.
The company’s domain name – interestingly, it’s a .co – is registered to entrepreneur Mary Iqbal of Asif LLC, a frequent participant in ICANN policy-making.
I think I’m on record as saying I think .secure is an incredibly risky proposition, the equivalent of painting a giant target on your back. Nothing on the internet is truly secure, and a TLD that says otherwise is a bold statement that invites trouble.
I think it’s also fair to say that unless Domain Security Company manages to secure the support of the world’s leading financial institutions, it will face an extremely tough fight to win .bank.
The Financial Services Roundtable’s technology arm, BITS, has taken a strong view on .bank, and is drafting security guidelines it hopes will be used by applicants.
And ICANN’s Governmental Advisory Committee still wants TLDs including .bank to be subject to a higher level of community support before they are approved.
It’s possible that .secure will be contested. Another site seems to have a similar idea.
Banks to write security rules for “.bank”
Financial services firms unhappy with ICANN’s new top-level domains program are to take matters into their own hands by writing security guidelines for TLDs like “.bank”.
BITS, the technology policy arm of the Financial Services Roundtable, said it plans to develop “elevated security standards for financial gTLDs” and wants ICANN to make them mandatory.
The organization, which counts many major world banks as members, is concerned that a “.bank” in the hands of a registry with lax security could increase fraud and reduce confidence in banking online.
BITS said its guidelines would be drafted by a globally diverse working group and submitted to an international standards-setting organization for ratification.
It wants ICANN to include a single sentence in its new TLDs Applicant Guidebook, apparently incorporating the guidelines by reference:
Evaluators will use standards published by the financial services industry to determine if the applicant’s proposed security approach is commensurate with the level of trust necessary for financial services gTLDs.
An ICANN working group is working on the concept of a High Security Zone TLD for precisely this kind of application, but in September the ICANN board abruptly decided that it “will not be certifying or enforcing” the idea, apparently in order to mitigate its own corporate risk.
The BITS project appears to be in direct response to that move.
It certainly seems to be a more productive avenue of engagement than hinting at a lawsuit, which it did in a November letter to ICANN.
I’m attempting to confirm whether the BITS plan, submitted as a response to the Applicant Guidebook public comment period, is being proposed with ICANN’s backing. (UPDATE: it isn’t.)
ICANN told to ban .bank or get sued
A major financial services lobby group has threatened to sue ICANN unless it puts strict limitations on “.bank” top-level domains.
BITS, the technology policy arm of the Financial Services Roundtable, said financial domains should be banned from the first round of new TLDs, until rules governing security are developed.
In a November 4 letter to ICANN chief executive Rod Beckstrom, BITS said:
If these critical issues are not fully resolved and ICANN chooses not to defer financial TLD delegation, BITS, its members and its partners are prepared to employ all available legislative, regulatory, administrative and judicial mechanisms.
BITS counts all the major US banks among its membership, as well as many large insurance companies and share-trading services.
The organization is concerned that TLDs such as .bank could lead to consumer confusion and an increase in fraud online if delegated into the wrong hands.
While BITS said that it “prefer[s] a prudent solution”, it has threatened to file “legal complaints in one or more jurisdictions” and to lobby the US Congress for legislation.
It noted that ICANN’s IANA contract, which gives it the power to create new TLDs, expires next August, and said that it may lobby Congress for legislation mandating better security as a condition of the renewal.
BITS and other financial groups have already written to members of Congress, in September, expressing disappointment with the absence of a high-security TLD policy from ICANN and adding:
In recognition of the need for higher levels of security and stability in financial services gTLDs than in gTLDs generally, we urge you to support inclusion of language in cyber security legislation language that prevents ICANN from adding financial services gTLDs to the root zone unless the IANA contract specifies higher levels of security for such gTLDs.
The Federal Deposit Insurance Corporation, the US government body responsible for insuring banks, has also written to the Department of Commerce, expressing its concerns about the possible introduction of a .bank TLD.
Currently, I’m not aware of any public initiative to apply for .bank, but it’s possible that restrictions on financial services TLDs could capture the recently launched German “.insurance” project.
The BITS correspondence was published (pdf) as an attachment to an ongoing Reconsideration Request lodged by Michael Palage, chair of the High Security Top Level Domain Verification Program Advisory Group.
The HSTLD group has been working on a set of technological policy specifications for registries managing high-security TLDs.
Palage is annoyed that ICANN’s board seems to have distanced itself from the HSTLD concept before the group has even finished its work, by resolving in September that:
ICANN will not endorse or govern the program, and does not wish to be liable for issues arising from the use or non-use of the standard.
The HSTLD group, by contrast, has a “clear majority in support of ICANN retaining a continued oversight role”, according to Palage. He wrote:
The ICANN Board’s unilateral actions also have a chilling effect on future bottom up consensus efforts because participants have no basis to know when the ICANN Board will take such unilateral actions in the future.
He’s not alone in worrying about recent top-level ICANN decisions that appear to put corporate legal liability ahead of the wishes of the community. I reported on the issue last week.