CoCCA have published a set of proposals under the title of “Best Practice Recommendations for Minimising Harm ( and increasing trust ) in small ccTLDs”.
While the spirit of the proposals is admirable I find the proposals themselves to be more than a little disturbing from both a registrant and registrar viewpoint.
Since I’m not sure if the comments on the proposal will be published I’m taking the liberty to publish mine below (I submitted them via email):
While I can appreciate the spirit of the proposals I cannot agree with most of its actual content.
While smaller registries may wish to tighten up their policies, the proposals outlined would have the detrimental effect of severely limiting the growth of the namespaces and would render them wholly unattractive for registrars to offer to their clients.
I will deal with each proposal separately.
Recommendation One
Registrants and end users primary point of contact will be their registrar or service provider. They are not going to be conscious of, or particularly interested in either the registry or CoCCA. Sending emails directly to registrants will lead to end user confusion. It will also lead to higher customer service costs for registrars and other service providers, as you are proposing not to allow domains resolve until the registrant is validated.
This proposal from a registrar perspective is unacceptable.
If the registry operator has legitimate concerns about registrants then this should be addressed via the registrars and based on actual evidence.The rationale is flawed. Many ccTLDs and even some gTLDs retain contractual and AUP related obligations etc., with registrants.
Sending emails from an unknown 3rd party will most likely result in the mails being marked as spam by the recipients.
Recommendation Two
This proposal is so flawed it’s hard to construct a reasoned response to it.
If as a registrant I want to setup hundreds of sub-domains either for my own use or that of 3rd parties who I may or may not have a contractual relationship with then that is a matter between me and my users. It is of no concern of the registry.
If a domain (or its subdomains) are used fraudulently then the registry should rely on its abuse policies to suspend the domain or take other actions.Again, from a registrar perspective, this proposal is unacceptable.
Recommendation Three
While I can understand and appreciate the aims of this recommendation I cannot support it.
This recommendation makes the assumption that a registrant switching their DNS more than X times over a period of Y is up to no good. This is a dangerous assumption to make and is far too rigid.
Recommendation Four
This recommendation is prime for gaming. What exact terms are going to trigger this?
In any case most phishing attacks are done via subdirectories not via the domain itself in most cases, so while this might appear to strengthen the policies all it does is weaken them.Recommendation Five.
This is not clear. “Act” how exactly? It also assumes that phishing occurs under sub-domains, which it often doesn’t.Recommendation Six
This makes senseRecommendation Seven
This is quite flawed. I’d recommend you look at the proposals published by Nominet recently, which are not perfect either, but are more complete.
The idea that “critical” domains be excluded makes a very dangerous false assumption as well. It would be helpful to clarify exactly how a domain could be labelled in this manner.Recommendation Eight
Scanning by itself seems pointless. What exactly would happen based on the results of the scans?
It also could lead to a false sense of security.
Related articles
- Minds and Machines vs COCCA – Registry Software Still Open Source (internetnews.me)
