ICANN Set To Review Accreditation Policy

tinkertim writes "ICANN is re-evaluating the scope and purpose of its accreditations, apparently sparked by the recent collapse of garage domain name registrar Registerfly. In a press release dated March 21, 2007, President and CEO of ICANN, Dr Paul Twomey is quoted as saying : 'What has happened to registrants with RegisterFly.com has made it clear there must be comprehensive review of the registrar accreditation process and the content of the RAA.' Dr. Twomey is blaming (in part) 'weaknesses in the RAA' for severe and undue hardships that many registrants encountered when trying to transfer names away from the failing registrar, Registerfly. Many new points to be discussed include allowing registrants to view the performance of registrars in an 'independent comparative way', as well as new language to allow ICANN to forcibly intercede in the face of wide spread, persistent and consistent complaints. 10 good points for discussion are listed by Dr. Twomey in the release, who invites all ICANN stakeholders to participate in re-evaluating the RAA. Registerfly, the catalyst for this re-write does not officially lose their accredited status until March 31, 2007, and continues to display the ICANN seal on their web site."

70Gs

[mastershake_phd]

You already need $70,000 just to become a registrar, is making the requirements any higher going to help?

Harumph.

[Creepy Crawler]

The more and more I hear about Registrars and ICANT, the more I hate them.

I wonder what it'd take to develop a new registry for domain names. Just something to get us away from the current set of registrars and their ilk. .edu and .gov can handle things rather well. Why not .com? That's right... That commerical aspect.

Re:

[cswiger]

The more and more I hear about Registrars and ICANT, the more I hate them.

I hear that, although my reaction is more one of contempt: if you're going to claim responsibility the way ICANN has, then do the job you agreed to do.

I wonder what it'd take to develop a new registry for domain names.

Not too much, from the technical side: ISC's BIND is fully capable of operating as a root nameserver...the issue of being a registrar involves convincing people to use you, to accept the domains you provide NS records for as "legit", and to provide WHOIS services. Most people like to have some web-based tool to manage their domains.

Re:

[stry_cat]

I wonder what it'd take to develop a new registry for domain names. Just something to get us away from the current set of registrars and their ilk.

Check out OpenNIC [unrated.net]. They've got a whole scheme of new TLD's and a system to register names within their TLD's.

They're not perfect. Instead of fighting when ICANN usurped their .biz TLD, the basically rolled over. However the fact that they're still around means there is support for a non-ICANN system. They just need to learn to stand up to ICANN and we'

Proxy registrations

[Baricom]

Personally, my biggest concern about the proposed agenda is discussions about proxy registrations. I hold proxy registrations on three domains, and I feel it's important to me -- important enough that I would seriously consider dropping my domains if they were done away with.

Proxy registrations are necessary because of what I consider a flaw with domain name registration as it exists today. You should NOT require personal domain owners to broadcast their street address, home phone number, and e-mail address to the world via WHOIS. It's an extreme privacy breach.

Instead, I would suggest that individuals (not businesses) be permitted to hide their registrations but remain the legal owners. This would be analogous to the way PO boxes are rented - businesses must consent to the release of their street address when renting, while individuals need not.

Re:Proxy registrations

[mandelbr0t]

Except that hosting an Internet domain could be construed as having broadcast equipment. Personally, I can't see how you have any honest intentions in hiding the fact that you are domain owner. Where do abuse reports get sent when someone starts sending spam using your domain name? What about take-down notices when someone posts copyrighted material on a website with your domain name? An Internet domain isn't a passive entity: it can be the source of a broadcast as well as the end-point. If you want to have an anonymous webspace, then use one of the many options that are available to you. The Internet is already too anonymous without domain owners being willing to take responsibility for their own domain.

Strong need for confidentiality

[davidwr]

While you should be required to publish an email address and an address where you can receive legal documents, you shouldn't have to publish your own. The whole "proxy" system needs to be formalized and standardized, so if someone needs to reach you for technical or legal reasons or they need your real address so they can subpoena you, they can get it.

There are many reasons for privacy. Some of the more obvious ones are:

• your site hosts content that upsets people, and you want to avoid physical confrontat

Privacy

[HomelessInLaJolla]

The primary opposing argument to privacy is when people begin registering domain names as "George Ballcup" and then using those domains to host trojans [slashdot.org].

If people think they're secure enough to be able to maintain a domain name then they should provide some reliable contact information.

Some of the more obvious ones are

While I agree, in principle, I still feel that people with such problems obviously have much larger concerns than registering a domain name. It's a matter of priorities.

confidentiality vs anonymity

[davidwr]

I'm not advocating total anonymity, only confidentiality.

Confidentiality can be broken with good cause, such as when legal action is required.

I'm also not advocating hiding behind a pseudonym to avoid answering technical queries. Anyone registering a domain name should register a valid administrative and technical contact email. In many cases, this will be a forwarding address provided by a registration-proxy service.

Re:

[HomelessInLaJolla]

such as when legal action is required

Legal action is required [slashdot.org] but no attorney has responded to my inquiry.

I still think that the internet medium is anonymous enough for legitimate use. The valid information for registration rules should be preserved.

"need for confidentiality" irrelevant

[lamber45]

You actually can register a domain with a PO box and an e-mail address at the same domain. If you have a good relationship with your hosting-company, you can list their phone number as the tech-contact phone. What really annoyed me when I used to try finding the sources of fraudulent spam on a regular basis was the domains that had been registered with an unrelated third party's address--- possibly just randomly pulled off the 'net. You don't even need a valid postal address to register a domain; you c

Re:

[BlueCollarCamel]

Where do abuse reports get sent when someone starts sending spam using your domain name? What about take-down notices when someone posts copyrighted material on a website with your domain name?

Yeah!
Where do police go to hunt down political dissidents?
Where do people who disagree with your political beliefs go to threaten you and your family?
Granted, there are alternatives such as free hosting and what not.

Re:

[wytcld]

Where do abuse reports get sent when someone starts sending spam using your domain name?

Even the most obscure domain names get used for forged from addresses on spam. And, guess what, there's nothing the domain owner can do about that (well, SPF records may help a little - but I can tell you not much). So those abuse reports do nobody, nowhere, any good at all.

As for takedown notices, it's easy to see, if I can't see who the domain owner is, who the service provider is. So if you haven't been good enough to

Re:

[tinkertim]

Except that hosting an Internet domain could be construed as having broadcast equipment.

You are correct, and much like any other broadcast equipment, yours should not interfere with the functionality of anyone elses.

Where do abuse reports get sent when someone starts sending spam using your domain name?

People usually just circumvent the middle man and send these types of things directly to the abuse desk of whoever owns your web site's IP address (typically the data center that hosts your host). From there

Re:

[Tim C]

Where do abuse reports get sent when someone starts sending spam using your domain name?

What precisely do you expect me to do about that? My domain name is in use in forged From: headers in spam, and has been for a year or two now. There is nothing that I can do about it. Believe me, I'd love to shut the low life scum down, I'm sick to death of the 2000+ spams, errors, bounces and abusive replies I get every single day because of it. Send me all the abuse complaints you want, but the emails aren't from me o

Re:

[stonecypher]

Personally, I can't see how you have any honest intentions in hiding the fact that you are domain owner.

Almost half of all domains are registered privately. All but one of mine are; I don't want people to be able to look up my home address or phone number just because they know one of my domains.

Where do abuse reports get sent when someone starts sending spam using your domain name?

Uh, abuse@domain, just like before.

What about take-down notices when someone posts copyrighted material on a website with

Re:Proxy registrations

[packeteer]

Could you perhaps just get a personal PO box? Wouldn't that shield you from giving away your home address while still letting you receive official mail about your domain?

Re:

[Dan541]

I use a POBox for all my domain registrations and a skypein phone number. The advantage of this is that if my email goes down (its hosted at one of my domains) I can still verify myself as the owner by phone call or snailmail.

The UK already do this

[a16]

The UK already have a similar system, registrants who declare themselves to be "individuals" can opt-out of the whois database, and just have their name shown on lookups. .eu domains have something similar, except you still need a valid technical contact I believe.

Re:

[cswiger]

Personally, my biggest concern about the proposed agenda is discussions about proxy registrations. I hold proxy registrations on three domains, and I feel it's important to me -- important enough that I would seriously consider dropping my domains if they were done away with.

You've got a point, but note that you can set up as many private domains for yourself and your company or clients as you like, without ever publicizing anything to anyone else. However, if you want your domains to be part of the world-wide consensus view of the DNS namespace, these domains have to be publicly available in order to function. If a domain is publically available, then there has to be some way to contact the domain's owner in order to deal with spam and other forms of network abuse.

Important issues to consider

[davidwr]

• Will there be "provisional accreditation" for registrars who are either very new or who have failed to meet all the requirements for full accreditation but are improving? Will these registrars be required to identify themselves as less-than-fully-accredited?
• Will every registrar have an "involuntary end-of-life" plan, and is funding backed by a bond or insurance policy?
• Will every registrar have a disaster-recovery plan if its data center or a substantial number of employees become unavailable, say, due to

accredited registrars in unstable countries

[davidwr]

Actually, I was thinking of accredited registrars that set up shop in countries at risk of war or revolution.

Speaking of LA, remember the LA riots in the '80s or '90s? If my registrar's data center got burned down due to a street protest, I'd hope he had a contingency plan.

prohibiting registrar to...

[wikes82]

suspend domain name because myspace ask them to do so.... http://seclists.org/nmap-hackers/2007/0000.html [seclists.org]