ICANN chair says new TLD guidebook could be final by December

Peter Dengate Thrush, chairman of the ICANN board, thinks there’s a chance that the Applicant Guidebook for new top-level domains could be ready by ICANN’s next meeting, set for Cartagena in early December.
The board resolved in Brussels on Friday to turn its September two-day retreat into a special meeting focussed on knocking the DAG into shape.
Shortly after the vote, Peter Dengate Thrush spoke at a press conference (emphasis mine).

Soon after the closing of the [DAG v4] public comment period was a regularly scheduled retreat for the board to go and do what boards do at retreats, and what we’ve decided today to do is to use that two-day retreat to see if we can’t make decisions on all the outstanding issues in relation to the new TLD program.
That’s probably reasonably ambitious, there may still be a couple left, but we want to get as many of them out of the way as we can. That means that when we come to the next ICANN meeting in Cartagena in December we hope to be very close if not actually able to hand out the Applicant Guidebook for that new process.

I asked him what outstanding issues needed to be resolved before the DAG can be finalized. Instead of a comprehensive list, he named two: IP protection and the Governmental Advisory Committee’s “morality and public order” concerns.
The IP issue is “close” to being resolved, he said, but “there may still be issues”.
On MOPO, he said there is “a potential conflict emerging” between GAC members who value free speech and those who are more concerned with their own religious and cultural sensitivities.
When I followed up to ask whether it was possible to reconcile these two positions, this is what he said:

What we’ve done is ask the GAC is how they would reconcile it… now they are saying that they can’t see how it can be done. We see that very much as a problem either for the GAC to change its advice, or to provide us with a mechanism whereby that can be reconciled.

The Brussels GAC Communique (pdf), has little to say on MOPO, delaying its advice until its official DAG v4 public comment filing.
MOPO has already created tensions between the GAC and the board. The conversation at their joint meeting on Tuesday went a little like this:

GAC: We don’t like this MOPO stuff. Please get rid of it.
BOARD: Okay. What shall we replace it with?
GAC: Erm…
BOARD: Well?
GAC: It’s not our problem. You think of something.
BOARD: Can you give us a hint?
GAC: No.
BOARD: Please? A little one?
GAC: We’ll think about it.

So can we expect the GAC to get its act together in time for Cartagena? That, too, seems ambitious.

ICANN Brussels – some of my coverage

As you may have noticed from my relatively light posting week, it really is a lot easier to cover ICANN meetings remotely.
The only drawback is, of course, that you don’t get to meet, greet, debate, argue and inevitably get into drunken fist-fights with any of the lovely people who show up to these things.
So, on balance, I think I prefer to be on-site rather than off.
I was not entirely lazy in Brussels this week, however. Here are links to a few pieces I filed with The Register.
Cyber cops want stronger domain rules

International police have called for stricter rules on domain name registration, to help them track down online crooks, warning the industry that if it does not self-regulate, governments could legislate.

.XXX to get ICANN nod

ICANN plans to give conditional approval to .xxx, the controversial top-level internet domain just for porn, 10 years after it was first proposed.

Governments mull net censorship grab

Governments working within ICANN are pondering asking for a right of veto on new internet top-level domains, a move that would almost certainly spell doom for politically or sexually controversial TLDs.

Employ Media asks ICANN for a .jobs landrush

The company behind the .jobs sponsored top-level domain wants to loosen the shackles of sponsorship by vastly liberalizing its namespace.
Employ Media has applied (pdf) to ICANN to get rid of the current restrictions on .jobs domain ownership and open hundreds of thousands of strings to the highest bidder.
The registry wants to amend its contract with ICANN to cut the text that limits .jobs domains to the exact match or abbreviation of a company name, and add:

Domain registrations are permitted for other types of names (e.g., occupational and certain geographic identifiers) in addition to the “company name” designation.

Employ Media is basically asking for the right to open the floodgates to a complete relaunch of the .jobs TLD with very few restrictions on who can register and what strings they can register.
Phase One of the relaunch would be an RFP “to invite interested parties to propose specific plans for registration, use and promotion of domains that are not their company name”.
It sounds a little like the current .co Founders Program, or the marketing initiatives Afilias and Neustar asked for to supplement the auction of their single-character domains.
In practice, I expect that this first phase is when the DirectEmployers Association would expect to grab hundreds of thousands of .jobs domains under its universe.jobs business plan, in which it intends to offer job listings tailored to “city, state, geographic region, country, occupation [and] skill”.
Phase Two would see your basic landrush auction of any premium domains left over.
Phase three would be “A first-come, first-served real-time release of any domains not registered through the RFP or auction processes.”
While I have no strong views on the merits of this particular proposal, I do think that the application and ICANN’s response to it could wind up setting the template for how to operate a bait-and-switch in ICANN’s forthcoming round of new TLD applications.
If you say you want to do one thing with your TLD, and later decide you could make more money doing another, how much will ground will ICANN give when it comes to renegotiating your contract? It will be interesting to find out.
Reactions so far from the HR community have not been positive.
Steven Rothberg of CollegeRecruiter.com wrote that the process by which Employ Media’s sponsor, the Society for Human Resource Management, approved the new proposal “stunk”.
“The only winner here is Employ Media,” he wrote.
Comments posted at ERE.net, which has been on top of this story from the beginning, express what could be easily described as outrage over Employ Media’s plans.
The comment posted by Ted Daywalt of VetJobs.com is especially worth a read.
The Employ Media proposal has been submitted under ICANN’s Registry Services Evaluation Process, which allows comments to be submitted.

ICANN’s Draft Applicant Guidebook v4 – first reactions

As you probably already know, ICANN late yesterday released version 4 of its Draft Applicant Guidebook, the bible for new top-level domain registry wannabes.
Having spent some time today skimming through the novel-length tome, I can’t say I’ve spotted anything especially surprising in there.
IP interests and governments get more of the protections they asked for, a placeholder banning registries and registrars from owning each other makes its first appearance, and ICANN beefs up the text detailing the influence of public comment periods.
There are also clarifications on the kinds of background checks ICANN will run on applicants, and a modified fee structure that gets prospective registries into the system for $5,000.
DNSSEC, security extensions for the DNS protocol, also gets a firmer mandate, with ICANN now making it clearer that new TLDs will be expected to implement DNSSEC from launch.
It’s still early days, but a number of commentators have already given their early reactions.
Perennial first-off-the-block ICANN watcher George Kirikos quickly took issue with the fact that DAG v4 still does not include “hard price caps” for registrations

[The DAG] demonstrates once again that ICANN has no interests in protecting consumers, but is merely in cahoots with registrars and registries, acting against the interests of the public… registry operators would be open to charge $1000/yr per domain or $1 million/yr per domain, for example, to maximize their profits.

Andrew Allemann of Domain Name Wire reckons ICANN should impose a filter on its newly emphasised comment periods in order to reduce the number of form letters, such as those seen during the recent .xxx consultation.
I can’t say I agree. ICANN could save itself a few headaches but it would immediately open itself up to accusations of avoiding its openness and transparency commitments.
The Internet Governance Project’s Milton Mueller noted that the “Draconian” text banning the cross-ownership of registries and registrars is basically a way to force the GNSO to hammer out a consensus policy on the matter.

Everyone knows this is a silly policy. The reason this is being put forward is that the VI Working Group has not succeeded in coming up with a policy toward cross-ownership and vertical integration that most of the parties can agree on.

I basically agree. It’s been clear since Nairobi that this was the case, but I doubt anybody expected the working group to come to any consensus before the new DAG was drafted, so I wouldn’t really count its work as a failure just yet.
That said, the way it’s looking at the moment, with participants still squabbling about basic definitions and terms of reference, I doubt that a fully comprehensive consensus on vertical integration will emerge before Brussels.
Mueller lays the blame squarely with Afilias and Go Daddy for stalling these talks, so I’m guessing he’s basing his views on more information than is available on the public record.
Antony Van Couvering of prospective registry Minds + Machines has the most comprehensive commentary so far, touching on several issues raised by the new DAG.
He’s not happy about the VI issue either, but his review concludes with a generally ambivalent comment:

Overall, this version of the Draft Applicant Guidebook differs from the previous version by adding some incremental changes and extra back doors for fidgety governments and the IP interests who lobby them. None of the changes are unexpected or especially egregious.

DAG v4 is 312 pages long, 367 pages if you’re reading the redlined version. I expect it will take a few days before we see any more substantial critiques.
One thing is certain: Brussels is going to be fun.

ICANN’s Sword algorithm fails Bulgarian IDN test

ICANN has released version 4 of its new TLD Draft Applicant Guidebook (more on that later) and it still contains references to the controversial “Sword” algorithm.
As I’ve previously reported, this algorithm is designed to compare two strings for visual similarity to help prevent potentially confusing new TLDs being added to the root.
The DAG v4 contains the new text:

The algorithm supports the common characters in Arabic, Chinese, Cyrillic, Devanagari, Greek, Japanese, Korean, and Latin scripts. It can also compare strings in different scripts to each other.

So I thought I’d check how highly the internationalized domain name .бг, the Cyrillic version of Bulgaria’s .bg ccTLD, scores.
As you may recall, .бг was rejected by ICANN two weeks ago due to its visual similarity to .br, Brazil’s ccTLD. As far as I know, it’s the only TLD to date that has been rejected on these grounds.
Plugging “бг” into Sword returns 24 strings that score over 30 out of 100 for similarity. Some, such as “bf” and “bt”, score over 70.
Brazil’s .br is not one of them.
Using the tool to compare “бг” directly to “br” returns a score of 26. That’s a lower score than strings such as “biz” and “org”.
I should note that the Sword web page is ambiguous about whether it is capable of comparing Cyrillic strings to Latin strings, but the new language in the DAG certainly suggests that it is.

Could litigation delay ICANN’s new TLDs?

Intellectual property lawyers are wondering aloud about the possibility of ICANN being sued in order to delay the launch of new top-level domains.
The idea was raised during a panel at the annual meeting of INTA, the International Trademark Association, in Boston yesterday, according to its daily newsletter (pdf).
Kristina Rosette of the law firm Covington & Burling reportedly “suggested litigation is a possibility to slow down the application launch. One source of litigation could be trademark owners, worried about mass cybersquatting”.
That’s reported speech, by the way, not a quote. The article does not make clear the context.
Rosette is Intellectual Property Constituency representative for North America on ICANN’s GNSO Council.
The IP community is worried that the launch of new TLDs will lead to companies splurging more money unnecessarily on defensive registrations.
The current best, arguably most optimistic guess on the new TLD timeline comes from registry hopeful Minds + Machines. M+M has applications opening next April.
A delay in the launch of new TLDs would hurt most the startup companies that intend to apply for them, and the service providers and consultants hoping to facilitate the launches.
Some of these companies make minimal revenue, are dependent on funding, and would prefer applications open sooner rather than later.

E.co up for charity auction at Sedo

Sedo is to host a charity auction for the domain name e.co, under a deal with .CO Internet, manager of the newly relaunched Colombian ccTLD.
The auction will run from June 7 to June 10, with the final hour hosted live at the Internet Week show in New York, simultaneously webcast to the Internet Retailer and TRAFFIC conferences.
The winner of the auction gets to choose which charity the sale price is donated to.
Juan Diego Calle, CEO of the registry, said e.co is “perhaps the shortest, most memorable digital brand in the world”, which is hard to argue with.
You’ve got to hand it to .CO Internet, and to its PR outfit BM, they’re doing a hell of a job keeping the pre-launch .co buzz going. New TLD applicants take note.
Could we see seven figures? It seems quite possible.
Let’s hope the winning bidder throws the money at a worthy cause and doesn’t blow it on a donkey sanctuary or something.

Four of the top 100 brands have insecure domain names

Some of the world’s most famous global brands have domain names that are still vulnerable to the Kaminsky exploit and could be hijacked by others.
Earlier today, I ran all of the brands on Deloitte’s list of the top 100 brands through a vulnerability testing tool provided by IANA.
The results show that four of these brands – all household names – have domains classed as “highly vulnerable” to the Kaminsky exploit.
If the IANA test is reliable, this means that false data could be injected into their name servers, potentially redirecting users to a web site belonging to the attacker.
Another eight brands had domains that the IANA tool reported might be “vulnerable” to attacks, but which had measures in place to mitigate the risk.
The Kaminsky bug has been public for almost two years. It’s a cache poisoning attack in which a recursive name server is tricked into providing false data about a domain.
It becomes particularly scary when a domain’s authoritative name servers also have their recursive functions turned on. A successful attack could redirect all traffic to a compromised domain to a server managed by the attacker.
The surest way to avoid vulnerability is to turn off recursion. IANA says: “Authoritative name servers should never be configured to provide recursive name service.”
Alternatively, a method known as source port randomization can make the risk of being compromised by the Kaminsky exploit so small it’s barely a threat at all.
The IANA tool reports that four of the top 100 brands have at least one “highly vulnerable” authoritative name server that has recursion enabled and no source port randomization.
The other eight “vulnerable” domains were identified as running on at least one authoritative server that had recursion turned on and source port randomization enabled.
I’m not an expert, but I don’t believe this second category of companies has a great deal to worry about in terms of Kaminsky.
I picked the Deloitte brand list for this experiment because it is the list of brands Deloitte believes require the most trademark protection under ICANN’s new TLD process.
.CO Internet is already using the list during its sunrise period for the .co domain.
Michele Neylon of Blacknight has found some more vulnerable servers over here.

dotSport complains to ICANN about other .sports

One of the companies that intends to apply for the .sport top-level domain has written to ICANN, begging that it does not approve any TLDs for individual sports.
dotSport’s Policy Advisory Committee, which appears to think it already has rights in the .sport string, said ICANN should respect “sport solidarity”.
In other words, please don’t allow .tennis or .golf to be approved.
The company wrote:

The PAC members reiterate our concern that ICANN may be prematurely entertaining a process that will allow proliferation of names in sub-categories or individual sports, which will lead to a number of detrimental effects

The detrimental effects, referenced in this letter last August, basically boil down to the potential for user confusion and the need for defensive registrations by sports teams and personalities.
You could apply the same arguments to pretty much any potential new TLD – what would .music mean for the .hiphop community?
The dotSport PAC is filled with high-level appointees from more than half a dozen sports federations, representing sports from basketball to rugby to archery, so its views are far from irrelevant.
Its position appears to be that the DNS hierarchy should be used for taxonomic purposes, at least when it comes to sports.
It’s an argument that was floated all the way back in the 2000 round of TLD applications, and probably before.
Purely from a marketing point of view, it seems like a self-defeating objective to mandate the use of www.example.hockey.sport when www.example.hockey is an option.
The main example of such a mandatory multi-level taxonomy, the old-style .us ccTLD, was a spectacular commercial failure.
Could it be that dotSport wants to be the registry for all .sports for the price of one? It certainly appears that way.

UrbanBrain proposes first properly generic new gTLD

Japanese registry wannabe UrbanBrain will apply for .site under ICANN’s first round of new top-level domain applications.
Of all the registries to so far show their hands for the new TLD round, .site is probably the first that could properly be described as both new and “generic”.
UrbanBrain said the namespace will be targeted at “Internet users, hobbyists, and business owners”. A pretty generic constituency.
Also, the dotSiTE launch page currently contains a bullet-pointed list of three reasons why .site will indeed be as generic as they come.

The dotSiTE internet extension is full of possibilities.
* Optimize your SiTE with great keywords
* Some other text
* Another reason

All the other 100-odd new TLD applications to have been publicly disclosed to date address specific geographical, cultural or niche interest markets.
There are also two (for now) applications for .web, which I’m not counting as “new” gTLD applications because they’ve been on the table for over a decade.
UrbanBrain is affiliated with Japanese ISP Interlink, and registry-in-a-box venture RegistryASP.