[PC-NCSG] DRAFT: Referral to SSAC on WHOIS impacts on domain security and stability

William Drake
Thu Jun 28 16:51:22 EEST 2012


+1


On Jun 28, 2012, at 3:34 PM, Mary Wong <Mary.Wong at law.unh.edu> wrote:

> I agree. If Wendy is amenable and the PC agrees, we can even send it as a formal NCSG request. Either way, I support it.
> 
> Thanks, Wendy.
> 
> Cheers
> Mary
> 
> Sent from a mobile device; please excuse brevity and any grammatical or typographical errors.
> 
> Avri Doria <avri at acm.org> wrote:
> 
> 
> Good statement
> I recommend NCSG endorsement of this statement.
> 
> avri
> 
> 
> Wendy Seltzer <wendy at seltzer.com> wrote:
> 
>> Here's a proposed referral to SSAC requesting an analysis of security
>> problems in WHOIS validation and data reminders.  I raised the question
>> informally with Patrik and a few other members of SSAC.
>> 
>> Let me know if you have thoughts or questions.
>> --Wendy
>> 
>> Dear Patrik:
>> 
>> On behalf of the Non-Commercial Stakeholder Group, representing
>> non-commercial Internet registrants and users in the GNSO, I write with
>> some security questions about recent WHOIS proposals in the WHOIS
>> Review Team Final Report and Recommendations and the draft Registrar
>> Accreditation Agreement. Specifically, I am concerned that email or
>> phone validation, whether pre- or post-resolution of a domain name,
>> introduces new risks to the stability of that name. As SSAC is charged
>> with advising the ICANN Community and Board on "matters relating to the
>> security and integrity of the Internet's naming and address allocation
>> systems," [0] I believe its analysis would be valuable here. (I
>> acknowledge that most of the concerns relate to the security and
>> stability of individual domain names, but they stem from a systemic
>> weakness in the proposed domain registration system.)
>> 
>> For example, if validation by returning an email were required before a
>> newly-registered domain name is permitted to resolve, as requested by
>> Law Enforcement [1], the potential registrant must find an alternate
>> provider of secure email by which to receive the validation, or risk
>> losing the name because he cannot do so.
>> 
>> At any point when such validation is required -- annually, upon
>> registration or renewal, or in response to a third-party complaint of
>> "inaccuracy" -- that could provide an opportunity for an attacker to
>> target a man-in-the-middle or phishing attack on the user's server or
>> client, or a denial of service at the user's mailserver (known, from the
>> email published in WHOIS). If a name is to be put on hold or suspended
>> because of a registrant's failure to respond, these attacks provide a
>> way to destabilize the registrant's control of the domain and any further
>> systems that depend upon it.
>> 
>> Second, these communications train users in poor security practices. I
>> note that current WHOIS reminder reports (WDPRS) are rarely, if ever,
>> signed, so users are not currently primed or able to verify the
>> authenticity of these communications. Encouraging them to provide
>> sensitive personal and/or systems information in response to such emails
>> harms them.
>> 
>> Similar concerns apply to the "accuracy" recommendations of the WHOIS
>> Review Team report [2]. I believe that a full threat analysis would be
>> valuable and likely to identify additional risks to domain registrants
>> and the registration system.
>> 
>> Please feel free to get in touch if I can provide further information.
>> We would be happy to work with you to refine the questions and analysis.
>> 
>> --Wendy
>> 
>> [0] http://www.icann.org/en/groups/ssac/charter
>> [1] https://community.icann.org/download/attachments/30344497/LE_Rec_Validation2012+%282%29.pdf
>> [2] http://www.icann.org/en/about/aoc-review/whois/final-report-11may12-en.pdf
>> 
>> _______________________________________________
>> PC-NCSG mailing list
>> PC-NCSG at ipjustice.org
>> http://mailman.ipjustice.org/listinfo/pc-ncsg