ietf

Re: Registrant identity, was Using DNS system as a Global Root Certificate Authority - possible ?

2015-12-27 14:21:49
It seems like you're talking past each other here.

> The registry does keep track of which ones of the registrars can make changes,
> so not every registrar (i.e. intermediary) can become "trusted".

That's certainly true, and auth codes make it fairly hard to move a
domain from one registrar to another without inside help from whoever
reads the registrant's e-mail.  On the other hand, there are over 2100
registrars in ICANN's list, and even after accounting for 300 that are
Namebright and another 300 that are Netsol, and so forth, there's
probably close to a thousand of them, some of which take security more
seriously than others.

There are certainly registrars who will accept names that are obvious
phishes, there are registrars that can be socially engineered to reset
accounts (I did that once, but it was for a virtuous reason), and so
forth.

Making life even more confusing, while most registries and registrars
strictly limit registrations to anyone whose credit card isn't
rejected, there are a few that make more or less credible attempts to
validate that registrants are who they claim to be.  The sTLDs like
.aero, .travel, .coop and .jobs make some effort to verify that
registrants are members of the relevant community, although the checks
have gotten pretty perfunctory as the money failed to roll in.  (I can
tell you about .aero and .travel.)  The .pro domain was supposed to be
for licensed professional doctors, lawyers, accountants, and
engineers, but a combination of financial problems and registrar
gimmickry made the checks ever feebler until last month they gave up
and now it's purely generic.  The .coop domain checks that you're a
co-op when you register, but never checks again.  One time I noticed
that the registrant for chicken.coop had sold out and wasn't a co-op
any more.  I told the .coop registry, and its head personally thanked
me and asked me to tell her about any other misregistrations I
noticed.  Uh, OK.

In the latest round, .ngo/.ong is making a reasonable attempt to
verify that applicants really are NGOs and that the domain name is
related to the organization name.  I have talked to someone from
Encirca who is working with .bank to do something similar.  It's too
early to find out whether they'll stick with it as their business
models fail, but even if they do persist, there's no DANE version of a
green bar certificate so it's not clear how much good it will really
do.

R's,
John