-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Patrik: On behalf of the Non-Commercial Stakeholder Group, representing non-commercial Internet registrants and users in the GNSO, I write with some security questions about recent WHOIS proposals in the WHOIS Review Team Final Report and Recommendations [0] and the draft Registrar Accreditation Agreement [1]. Specifically, we are concerned that email or phone validation, whether pre- or post-resolution of a domain name, introduces new risks to the stability of that name and systems that depend upon it. As SSAC is charged with advising the ICANN Community and Board on "matters relating to the security and integrity of the Internet's naming and address allocation systems," [2] we believe its analysis would be valuable here. (We acknowledge that most of the concerns relate to the security and stability of individual domain names, but those stem from a systemic weakness in the proposed domain registration system.) For example, if validation by returning an email were required before a newly-registered domain name were permitted to resolve, as requested by Law Enforcement [3], the potential registrant must find an alternate provider of secure email by which to receive the validation, or risk losing the name because he cannot do so. At any point when such validation is required -- annually, upon registration or renewal, or in response to a third-party complaint of "inaccuracy" -- that could provide an opportunity for an attacker to target a man-in-the-middle or phishing attack on the user's server or client, or a denial of service at the user's mailserver (known, from the email published in WHOIS). If a name is to be put on hold or suspended because of a registrant's failure to respond, these attacks provide a way to destabilize registrant's control of the domain and any further systems that depend upon it. Second, these communications train users in poor security practices. I note that current WHOIS reminder reports (WDPRS) are rarely, if ever, signed, so users are not currently primed or able to verify the authenticity of these communications. Encouraging them to provide sensitive personal and/or systems information in response to such emails harms them. Similar concerns apply to the "accuracy" validation recommendations of the WHOIS Review Team report. I believe that a full threat analysis would be valuable and likely to identify additional risks to domain registrants and the registration system. Please feel free to get in touch if I can provide further information. We at NCSG would be happy to work with you to refine the questions for analysis. Best, - --Wendy [0] http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf [1] http://prague44.icann.org/meetings/prague2012/presentation-draft-2012-raa-03jun12-en.pdf [2] http://www.icann.org/en/groups/ssac/charter [3] https://community.icann.org/download/attachments/30344497/LE_Rec_Validation2012+%282%29.pdf - -- Wendy Seltzer -- [log in to unmask] +1 617.863.0613 Fellow, Yale Law School Information Society Project Fellow, Berkman Center for Internet & Society at Harvard University http://wendy.seltzer.org/ https://www.chillingeffects.org/ https://www.torproject.org/ http://www.freedom-to-tinker.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/yln0ACgkQuuui10VsrVHy9ACfdsuZZASRBTgk8eseHVECJn4q T/sAn15payEjuZu6mVuuKkH3r35J05Af =tawD -----END PGP SIGNATURE-----