Nominet consultation


Consultation on a new .uk domain name service

In October 2012 Nominet opened a consultation on proposals for a new domain service, including proposals to offer features designed to offer reassurance for end users:

verification to check a registrant has a UK address, daily monitoring for malicious software and viruses, and a digital signature which minimises the risks of a domain name being hijacked. These measures would be supported by a trustmark to give consumers a clear sign that it was a verified domain name.

Our full response is available below, however in summary: we consider that Nominet fails to demonstrate understanding of risk, is over confident in its claims for consumer protection and that the proposal has the potential to undermine the market for services based on open source software.

This proposal seems to be based on the assumption it is possible to reduce risk (aka “predict the future”) rather than simply move it around.

Dilution of caveat emptor is not necessarily a good thing. There is always a need to think about what one is doing before doing it particularly with something as important as security.

A new belief in levels of security by consumers/users of these websites prevents differentiation by signalling of reputation and intent – I take care of this website = I take care of you (a version of “never knowingly undersold”).

If the service is universally offered by Nominet then it removes the obligation/ability to signal and potentially moves the risk of “bad things happening” to somewhere else but does nothing diminish it – perversely it could create a new opportunity for bad things to happen until consumers/users wise-up.

Such a measure also provides a level of obscuration and causes differentiation reduction between proprietary/closed source and open source software.

While badly configured software is rubbish whatever its provenance open source software remains the option for offering best levels of security as suggested by e.g., the examples cited in these articles:

If there has to be a provision that the domain is suspended on Nominet’s assessment of the existence of malware then the website owner needs as much opportunity as possible to recover from any errors that Nominet has made.

Nominet’s plan to offer a trust mark is a shibboleth. A trust mark is only as good as the person offering it and is only as good as the protection it offers at the point at which the problem occurs not at the time the badge is being offered – it is not a infinite shield of invincibility.

Registration of the website owners details is not authentication of the website owner. This replicated the original claims of the “government gateway” that used to claim that it offered authentication whereas it only offered a registration service – ask any bank what authentication actually means.

Nominet ask about the frequency with which registrants should be required to validate their contact details by going through the process described in the consultation. Nominet erroneously describe the registration process as authentication – it is only registration – between registrations there is no information about the authenticity of the website owner. To describe this as authentication would over-egg whatever value the trust mark does or doesn’t have.

At an epistemological level it unclear why with a “black box” PC (proprietary software/OS) vulnerable to bad things but inaccessible to fundamental improvement (because of licensing or other restrictions) then if I put another “black box” in front of it (proprietary firewall or virus protection) which is equally inaccessible, then how this doesn’t increase risk rather than reduce it – two links in the chain over which the user has no control rather than one increases systemic risk.

This proposal represents yet another black box in the signal line.

The proposal to restrict sub-domain licensing is internally inconsistent – either the top domain is authenticated and secure “with a trust mark” and “added DNSSEC” or it isn’t – if it is why should it not sub-license – if it isn’t why is Nominet wasting all this time and effort?

The question on restrictions on domain names exposes the nature of the authentication problem that Nominet skate over elsewhere in this consultation. If one were unwise enough to use the term Champagne out of context then retribution would be swift and certain as the owners of the word Champagne are hawkish in preserving the authenticity of its meaning and value.

What would Nominet propose to ensure authenticity?

The whole discussion of the problem of release mechanisms for new domain names exposes the underlying authentication problem that Nominet skate over in other parts of the consultation exercise.

Nominet ask whether that the sale of a new service should be made only through registrars who can meet a certain level of service and verification of data quality. However they do not define what these criteria are. It seems strange that they cannot offer a template since they will subsequently be claiming competence. Since we don’t know what these criteria are we would need to know what governance scheme would be in place before we could answer – including whether it included meaningful sanctions for all offenders c.f., data protection sanctions and the public sector.

It is not for us to suggest that Nominet should or should not provide this service. We have expressed our reservations as to its usefulness and effectiveness.

A market assessment should be undertaken to avoid anti-competitive effects. For example, the service should be offered proportionately and you should not use your position as holder-of-the-ring to market it as a panacea potentially disrupting other markets including the market for services based on open source software.

However it is clear that the costs of this service should be ring fenced and apportioned appropriately rather than being amortised across the entire domain so creating potential cross-subsidies.

7 January 2013

Leave a Reply