[NA-Discuss] Board Resolutions Special Meeting of the ICANN Board, 25 August 2011

ebw at abenaki.wabanaki.net ebw at abenaki.wabanaki.net
Tue Aug 30 12:35:35 UTC 2011


Colleague, and observers,

A link to the corporation board meeting minutes:

http://www.icann.org/en/minutes/resolutions-25aug11-en.htm

Of some personal relevance is item 1.2, Approval of Recommendation of
GNSO Council on IRTP Part B.

This policy, which I first encountered advocated by Mike Rodenbaugh in
the Fast Flux Hosting PDP, imposes a 240 minute response duty, at any
date or time, on all registrars, to arbitrary third-parties.

A significant motivational rationale offered by its advocates was the
2003 panix.com transfer. I was involved, having learned of the xfr
from Steve Bellovin, a panix (oldest still operating dialup ISP in
NYC) subscriber, hours after the xfr, and then calling Marty Hannigan,
then a Verisign employee, to brief him on the problem, hours before it
was discovered by Melbourne IT, at the start of their business day.

No similar event involving the compromise of critical network infrastructure
through an unauthorized transfer of registrar is known to me. Therefore
this rationale is not sufficient for this, or any, policy development.

I wrote a draft recommendation advising that this policy not be adopted
as it would not be effective in preventing a non-recurring problem.

I was also critical of the assumption that all registrants share the
vulnerability of targeted loss to third-party actors, and observed the
proposed policy could only benefit registrants with "valuable" domains,
which is less than 2/3rds of all registrations, when the minimum return
for ad word motivated registrations (domain tasting epoch) is assumed
as a useful maximal definition of "valuable", or some small multiple of
re-registration costs. The actual pool of third-party targeted domains
could be much smaller than 30m of the roughly 90m legacy domains, and
very few of those in post-ICANN registry registered inventories.

I also observed that the 240 minute required response time could become
an attack vector on registrars, and on ICANN's compliance function,
through the creation of a well-defined breach condition, for which no
associated well-defined harm to registrants necessarily exists.

The coordination body which solicited the draft declined to use it, a
comment, one of few I'm aware of, was that it used the word "stupid"
to describe the 240 minute universal obligation and the obvious net
effect of driving small, and not necessarily transfer abusive, actors
out of the registrar market, that is, more likely to affect registrars
whose primary revenue is from hosting and other stable customer-facing
relations, than registrars whose primary revenue is from registrations,
and for whom transfers, by any means not barred by contract or law, is
"good business".

Where one assumes that consolidation of the registrar market -- shell
registrars ignored as managed properties of large registrars with 24x7x365
staffing -- is in the public interest, or causes no harm -- harm to those
fee paying and contract-to-date conformant businesses necessarily ignored
-- then the 240 minute universal obligation is not <insert polite word
choice alternative to "stupid" here>.

A personal observation:

I don't like doing the BC's dirty work. I don't think the issue of using
the correct policy tools to address the actual policy problem should be
abandoned to using any tool in all situations because "it might work in
some".

Eric


