Re: what registrars need to do with no incentive [was: Re: On-going ..]

[Robert Bonomi <bonomi () mail r-bonomi com>]

> Date: Mon, 2 Apr 2007 21:09:24 -0500 (CDT)
> From: Gadi Evron <ge () linuxbox org>
> Subject: what registrars need to do with no incentive [was: Re: On-going ..]
>
> On Mon, 2 Apr 2007, Robert Bonomi wrote:
> > > From: David Conrad <drc () virtualized org>
> > > Subject: Re: On-going Internet Emergency and Domain Names
> > > Date: Mon, 2 Apr 2007 17:33:08 -0700
> > >
> > >
> > > On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
> > > > The recommendation was for registries to provide a preview of the  
> > > > next day's zone.
> > >
> > > I think this might be a bit in conflict with efforts registries have  
> > > to reduce the turnaround in zone modification to the order of tens of  
> > > minutes.
> >
> > This is getting far afield from 'network operations', but the underlying
> > issue is really quite simple:  There are *NO*PENALTIES* for registering
> > 'bogus' domains.  The registry operator has -no- (financial) incentive
> > to investigate, nor remove, a 'falsified' entry.  Once a name is in the 
> > database, _anything_ affecting it is an 'un-necessary expense' to the
> > registry operator.  
> >
> > Similarly, there is no dis-incentive to a registrar wih regard to _filing_
> > a bogus registration with a registry.
>
> Or policy.

Yes, there _is_ policy against it.  In the case of ICANN-controlled domains, 
it is a breach of the registrar's contract with the registry operator.  It 
is also a breach of the registrant's contract with the operator.

Those things provide a 'cause' for which the registrar can cancel the 
registration of the domain. *IF*THEY*CHOOSE*TO*.   But, they, -currently- have
little-to-no incentive _to_ do so.  Handling complaints, and cancelling domains
is, unfortunately, and 'added expense' to a registrar.  If that expense can be
avoided, the "bottom line" looks better.

The registry operator has no financial incentive to penalize those from whom
it derives its revenues (i.e. the registrars).  The truth of -that- statement
should be self-evident.  Nor, at the current price-point, the resources to
verify the data presented.

The registrar suffers no penalties for the 'occasional' breach.  And has
no compelling financial reason to 'throw good time/effort after bad' by 
taking punitive action 'after the fact' --  by doing nothing, it is an
'avoidable expense' that improves bottom-line results.

Change the 'environment' -- so that it *IS* in the financial interest of
the registrars and registry operators to run a 'clean house', and the 
issues of 'dirty operations' will disappear.  One doesn't _have_ to worry
about 'how' to make it happen -- the 'interested parties' *will* figure that
out for themselves.

Registrars, and registry operators, are *NOT* 'altruistic' entities, however
much we might 'wish' that is the case.  They are commercial entities, and,
as such, their own 'self-interest' is their _primary_ interest.

The current 'problem' is that what is 'best for those operators' is _not_
what is 'best for the community'.

The fix *IS* to 'change the rules' so that the 'self-interest' of those
'core players' _is_  aligned with what is 'best for the community'. The
simplest way to accomplish that is to make it 'more expensive' to "do it
wrong", than it is to "do it right".

This is stuff that one _should_ be able to 'sell' to ICANN, and get 
incorporated (at the very worst) in the next round of registry-operator 
renewal contracts, with 'pass through' to registrar contracts taking
effect in an additional 30 days, or so.

Structured right, making 'cleaning house' a _revenue_source_ for the
registry operator, and they will _very_likely_ "agree" to modification
of the existing contracts to spport the additional revenues.  Meaning
that one would -not- have to wait for contract renewals to implement.

Not to belabor the obvious, but the Internet is a _co-operative_ venture. 
There is *no* 'strong central authority' that can 'dictate' terms that
everyone must follow.  What 'control' there is exists _only_ because 
almost all the players _voluntarily_ agree to play by the same rules.
If enough players become 'dis-satisfied' with what the 'control' does,
then that authority will disappear, and be replaced by 'something else'.
"Comes the Revolution, things will be different -- not necessarily better,
but different" will apply.  And there will be -no- going back, even if
people decide they -don't- like te revolutionary world better.

Reconize that what you are dealing with is a 'political' problem -- it's
roots are in the way _people_ behave. 'Technical' fixes to 'people' problems
are doomed -- the world will invent a more efficient fool.

> > Address _these_ issues, and the domain names "problem" will effectively 
> > disappear.
> >
> > One _possible_ approach to dealing with the problem:
> >    1) registry includes in it's contract with registrars a (non-trivial) $$ 
> >       penalty for any registration filed that is found to contain invalid 
> >       information.
>
> And work a bit harder to make sure the information is valid. This can mean
> higher costs, of course.

You cannot mandate how hard somebody must work. It doesn't work.  Make it 
'expensive enough' to be wrong, and *then*  they will make the necessary effort
to be 'right'.

> >    2) 'formal complaints' to registrar about invalid information must 
> >       include a 'filing fee' forthe complaint.  If the complaint is 
> >       in-accurate, the filer loses their filing fee. HOWEVER, if the 
> >       complaint _is_ valid, the _original_ filer gets back _more_ than 
> >       their fee (paid out of the 'fine', see item 1, above, assessed 
> >       against the registrar) while any additional complainants get all 
> >       their original money returned.  Possible variation: the size of 
> >       the fine assessed against the registrar for a 'confirmed' complaint
> >       depends on the number of complaints recieved within some 
> >       'reasonable' time of the first complaint -- and all complaints 
> >       within that 'window' get the 'bounty' for a valid compliant.
> >    3) Registrars are charged a _sliding-scale_ of fees, with higher fees 
>         based on the numbers and/or percentages of 'bogus' registrations 
> >       submitted recently. (This is similar to the way 'unemployment 
> >       taxes' are assessed in the U.S.  If there are more claims against 
> >       your company, you pay a higher rate than similar firms with lower 
> >       claims.)
> >    4) Registrars with higher rates of 'invalid' submissions are _rate-
> >       limited_ as to how fast they can submit registrations.


> Bulk registration should be limited, or at the very least regulated.

Impossible to make effective.  Too many big operations have legitimate basis 
for registrering large numbers of domains.  Usually on behalf of clients. You 
cannot differentiate, _at_the_registry_operator_level_ between a submission of 
10,000 names on behalf of 10,000 legitimate clients, and a submission of 
10,000 names on behalf of 10,000 forged client-names, all controlled by the 
same criminal entity.

You cannot rely on the 'good intentions' of registrars -- it is well known
that several registrars are controlled by 'bad guys'.

> Suspending domains registered with a stolen CC (as mentioned) seems
> natural, doesn't it?

Honest answer, "no".  Does it accomplish anything?  If a credit card has 
-already- been reported stolen, and the registrar is doing real-time charge 
authorization (and I don't know of any incompetent enough -not- to be so 
doing), the domain registration fails.

OTOH, If the card has *not* been reported stolen, it is *weeks* before 
the fact of the stolen card is _discovered_.  With the 'professional bad 
guys' only expecting to get a few days, to maybe one week, before  the name 
is widely blocked,  cancelling the name weeks -later- will have no 
significant effect.

So, just what 'benefit' does this "natural" idea buy?

The registry operator doesn't know (and doesn't care) how the registrant
paide the registrar.  They don't have the information to investigate, or
act.  And, they "don't care" -- they _have_ been paid, by the registrar, 
whether or not the registrar got 'stiffed' by the registrant.

The registrar is _already_ out the registry fee for the domain, with no 
possible further revenues from that customer account.  _WHY_  should they 
go to the 'extra expense' of spending the time/effort to cancel the domain 
that is probably not even being used any more?

Something as 'trivial' as closed-loop e-mail confirmation (a la 'best
practice' for mailing-list sign-up) would likely have a much bigger impact
on fraudulent registrations.  Especially if 'freemail', and 'anonymous'
accounts are not allowed to be used for 'confirmation'.  An additional
requirement that the IP address from which the registration submission
originates have rDNS that is in the same domain as the confirmation address.
would go a *LONG* way towards providing some 'accoutability' in the domain
registration process.

One other alternative is to require a 'certificate' of identity (a la X.509) 
to register a domain name.  With a certificate "revocation" resulting in 
automatic cancellation of all domains registered under it.  This provides
a degree of tracability/accountability to the registration process, _and_ 
'raises the bar' for fraudulent operators, by tieing their operations 
together, _or_ greatly increasing the lead-time _and_ cost of setting up
false-front domains.


> > Underlying assumptions:
> >    A) The 'filing fee' approximates the registry operator cost of 
> >       performing a  basic investigation.
> >    B) The 'fine' assessed against a registrar is signficantly higher than 
> >       the actual 'cost' of the investigation.
> >    C) A registrar that has higher per-registration costs is at a 
> >       competitive disadvantage to those who can provide equivalent service 
> >       at a lower price.
> >    D) A registrar who has to say "We'll take your application now, but we 
> >       can't tell you for xx hours (or days) if your application for that 
> >       name was successful" is  at a competitive disadvantage to one who 
> >       can tell you _now_ 'your application was successful'.
> >
> > *THIS* gives the registry operator an incentive to 'clean house' -- finding
> > and eliminating 'problem listings' is a REVENUE SOURCE.
> >
> > Similarly, registrars have an incentive to ensure that their _own_ house is
> > clean.  Lack of diligence costs them extra money, -and- places them at a
> > disadvantage relative to their competition.
> >
> >
> > 'White-hat' registrars can do something similar with regard to registrants.
> > Registrants fall into three broad categories;  (a) those who have never
> > filed before, (b) those who _do_ have a history of problem-free filings,
> > and (c) those who have a history of filings where there have been some 
> > problems.  
> >
> > Those with a 'no problems' history are processed in an expedited manner,
> > suject to checks for 'abnormal' behavior -- e.g. a radical increase in
> > the number/rate of submissions.
> >
> > Those with no histories are subjected to additional cross-checking/
> > verification, and, possibly, higher 'new user' charges.
> >
> > Those with 'problematic' histories get deferred, surcharged, and/or rate-
> > limited processing.
> >
> > One can 'tune' the rate schedules for 'new users', and 'problematic' 
> > filers, to reflect the "risk level" that the registrar is willing to 
> > incur, -with- the recogition that registrar-level penalties imposed by a 
> > registry operator will affect _all_ registrations through that registrar,
> > not just 'problematic' ones.