Monday, 7 January 2013

Response to nominet .uk namespace consultation

Now I have the proposal in front of me this is my response to Nominet which I am emailing today.

F. About You: Nominet know exactly who I am and that I represent Andrews & Arnold Ltd in my reply as a nominet member, ISP and small business.

The proposals appear to deliberately confuse several aspects :-

1. Better quality of registrant details to make domain owners more accountable
2. Requirement for a UK service address for registrants
3. Use of DNSSEC
4. Malware scanning websites

I think that lumping these issues together in one consultation and making them all an aspect of a new area of domain space is misleading. These are mostly orthogonal issues which may want to be applied to .uk domains in various ways if they are sensible. As such I think the consultation itself is flawed.

The objectives are to make a more trusted domain space - this sounds good, but means you are making all existing .uk domain space less trusted! That is bad, very bad.

As the registrant of .net.uk, .co.uk, and .ltd.uk domains I am opposed to Nominet telling the general public that my domains are no longer to be trusted and forcing me to pay to register a .uk domains to regain that confidence.

G. Security: Offering a web site owner a malware scanning service is indeed a useful thing for many web site owners. I am sure many such services exist and will have their own "trust" mark of some sort shown on the sites in question. However, linking this to the working operation of the domain is very bad.

1. It confuses the remit of a domain registrar and virus scanning companies.
2. It makes the rather odd assumption that domains have to even have a web site and seems to ignore the many ways a domain can be used in connection with malware (e.g. as an email target).
3. It is unworkable as the website may have malware on secure areas of the site which cannot be "scanned"
4. It is unworkable as the website may host end user content for which the domain owner is not responsible, and result in a usable vector for taking a domain down but posting malware
5. It does not help user confidence as a website could easily contain links to external malware, which consumers would not realise are not part of the scanning process. Making them part of the scanning process makes things even more unworkable.

G. Security. DNSSEC. I think making DNSSEC mandatory is a good idea. This is, however, a separate issue and could be consulted on. One idea is that any new domain space under .uk should have DNSSEC mandatory, that a deadline be set for all new domain registrations in all .uk space to have DNSSEC mandatory, and a deadline for mandatory DNSSEC on existing domains with chasing of domain owners. One idea would be to make some of the existing space more trusted, e.g. mandate a deadline for all net.uk domains to have DNSSEC sooner.

H. Verification: This looks a long winded and costly and confusing process which will not actually add any extra security.

1. I am not entirely sure myself if I prefer to ensure a UK presence. This seems like a good idea though, and perhaps should be something considered for direct .uk registrations. Again, this is a separate issue, and making one part of .uk space more trusted than other parts is bad. Requiring a UK address could easily be something phased in for existing .uk domains.

2. A postal process of verification seems excessive. For a start, as you expect this to be companies, why not make it so the company registered office is always a "trusted" address and allow immediate registration to any company. Link in to Companies House to check company name and address. That is simple, automated, and passes the buck on address checking to someone else (Companies House). Indeed, why not make the company registered address part of whois for all domains registered to a company, not just the new direct .uk space?

3. Verification of an email contact would be useful and again, can be automated.

4. However, all of this is pretty academic. There are many "service address" services already and they will simply start offering service address services for UK domains for non UK domain owners, and for people not wishing to publish usable addresses. So is there really a point?

I. Third level sub-domains. Restricting sub domains is totally wrong and unworkable.

1. The whole idea of "owning" a domain is that it belongs to the person that bought it. If they then have restrictions on what they do with the domain then that means they don't really own it. None of the existing domains have restrictions on what can be done, either at a DNS level, or at the level of content on web sites or use of email addresses. This is a fundamental change to the way domains are used and inconsistent with the whole worldwide domain system.

2. I cannot see how the restrictions would work in practice. The idea is preventing "sale" of sub-domains. But what is "sale". I could sell web space on a sub-domain, which is not selling the sub-domain. I could sell DNS services on a sub-domain - not selling the sub-domain as such, and not even delegating by NS record, but to all practical purposes the same and clearly the same from a consumer point of view. I could "rent" a sub domain not "sell" it (which is what happens anyway). I could simple sell paths under the domain on a web site, which to a consumer would carry the same trust as the main domain but be someone else's web site.

3. Basically, if the "rules" allow any use of the domain by third parties which are not directly under registrant control, then you have the scope to have the uk.com type scenario and lack of consumer understanding. If you restrict so all use has to be under registrant control you stop a variety of "legitimate" use of a domain and make it a lemon.

J. Reserved and protected names: I do not quite understand what the hell you are saying here.

1. This seems to be suggesting restrictions on third level names within the new second level domains. This makes no sense. Again, owning a domain means doing what I like with it. How exactly will Nominet stop me putting "co" in my DNS? And why would they. There is nothing stopping me have com.aa.net.uk now as a fourth level domain, so why would there be a restriction on com.aa.uk ?

2. If this is in fact talking about the restrictions on second level domains, e.g. not allowing com.uk, then that is consistent with existing policies in top level domains, and not actually needed as most restricted domains of relevance already exist under .uk. This almost does not need to be a rule - nominet could simply register these restricted domains themselves first.

3. Restricting other second level domains - not sure why this is needed.

K. Phased Release: The way sunrise has been handled in other areas of .uk space worked reasonably well and I don't see a reason not to do the same. What I would say is that only UK registered trade marks should be considered, or considered with higher preference to non UK trademarks as this is, after all, .uk namespace. This also makes the process of validating a trademark simpler and ideally cheaper as the UK patent office has a web site that can be easily checked.

1. There is also a consideration that maybe existing .co.uk, .net.uk, .ltd.uk, .plc.uk holders should have some preference in a sunrise period. Obviously only on long standing domains predating the consultation. This would seem sensible if Nominet are forcing existing domain owners to get new domains in order to maintain any trust in the domain.

L. Channel to Market. Nominet seem to be saying that as a Nominet registrar, you don't already trust me to correctly register domains and you want me to jump through new hoops to somehow prove I am worthy. That is silly.

M. Existing domains. Obviously don't take away any existing sub domains. Some of them already have (or should have) higher trust such as .ltd.uk, .plc.uk and .net.uk.

N. General views.

1. The consultation is a confusing mix of different ideas which should be considered independently including considering how they apply to existing domains. Some of the ideas are good (DNSSEC). Direct .uk domain registration itself does not seem like a bad idea. Mixing it with other ideas, and making it have restrictions on DNS records allowed within the domain is crazy, and virus scanning web sites is not Nominet's job at all.

2. The objectives of the proposal appear to be to devalue trust in existing domains, which seems like a stunningly bad idea.


5 comments:

  1. Agreed, completely. Also, don't forget that SSL certificates already go to mental lengths to perform validation of companies trading with a particular domain name. There is no good reason for Nominet to try and duplicate that and it could even lead to the assumption by viewers that a website is "trustworthy" without the use of an SSL cert.

    ReplyDelete
  2. I'm glad there are people like you putting a careful eye onto these proposals.

    ReplyDelete
    Replies
    1. I'd be willing to wager that the proposal has had pointless things (verification, malware scanning etc.) added deliberately so they can be stripped of as a concession so the originally intended plan goes through. But then I'm just a cynic.

      Delete
  3. Nominet Delay .UK Decision until 2015

    The strongest argument against is CO.UK in the medium term is likely to become a legacy product because both Scotland and Wales now aim for separate TLDs. Under ICANN's new gTLD applications in 2012 Dot Scot Registry Limited (http://www.dot-scot.org) applied for .SCOT & Nominet.UK itself applied for .CYMRU . If awarded, .SCOT rejects Nominet's authority outright.

    It is not Nominet's task to hold together the United Kingdom. But neither should it be to stick the boot in. The bets are on that Scotland votes for independency in a 2014 referendum. That will leave CO.UK in the long term as a legacy product, especially since .CYMRU could also quickly become the de facto TLD in Wales because of their language politics. It would only be a matter of time before Nominet would be forced by popular opinion to create .ENG or some other TLD to appease English sentiments.

    None of the above is a problem for CO.UK holders, provided .UK never exists (beyond the odd police.UK!) Significant number of Welsh, and especially Scottish companies, could choose to stick with CO.UK to exploit consumer brand awareness internationally or simply to show their dislike of independency arguments. The same could apply even should .ENG or the like be created. However all such bets are off should .UK be created & if successfully adopted.

    I say "if". Nominet is reacting to external events to exploit a very small window of opportunity for financial gain. It will fail. The Scots referendum of 2014 & ICANN's new gTLD applications of 2012 are calling the shots. Unless the 2014 referendum is rejected, which seems unlikely, there is not enough for .UK to be established before it becomes outdated & irrelevant. Should Nominet pursue this course of action proposed, it is unlikely Nominet itself would survive the fallout.

    In addition there is a strong argument eventual global economic recovery will depend on part on TLD reformation. For instance there is a potential role in the Greek currency reversion idea, as outlined on http://www.eurodrachma.de/domain-name-reform.html . More importantly, opponents to ICANN's global monopoly question their lack of thought over classification & taxation etc. Domain name reform is only just beginning to be understood as the primary vehicle for future economic prosperity rather than a cash cow to be milked willy-nilly by legislative tinkers.

    Nominet must hold steadfast with CO.UK against a background of political & economic uncertainty at home & abroad. As a legacy product, post 2014, CO.UK will serve communities as a unifying force to be trusted as a choice to stick with as .SCOT & other future TLDs are bandied about. Create .UK and you destroy all that, both the long term legacy value of CO.UK & eventually Nominet itself. Now is the time for Nominet to declare that it has properly consulted on this issue and forever consigned it to the dustbin, at least until 2015!

    ReplyDelete
  4. In our response to the proposal, I actually forgot to mention the ease with which someone could register lloydstsbco.uk, aaispco.uk, hmrcgov.uk, etc, etc.

    This could be a phishers' paradise if it goes through!

    ReplyDelete