ICANN has announced that they are expanding the scope of contractual waivers for security issues to include registrars. That’s a bit of a mouthful, so I’ll try to unpack it a bit.
Under normal circumstances both registrars and registries are bound by ICANN policies and contractual obligations. In simple terms this means that they only register and manage domain names when they’re requested to do so by registrants. But in order to deal with issues impacting the security of the internet registrars and registries sometimes need to go outside the normal boundaries. With some security threats the most effective method of blocking them could be to register thousands of names based on an algorithm, for example. It’s happened in the past.
So ICANN cooked up a policy that lets both registrars and registries have their actions “blessed” by ICANN. The process is meant to be fairly nimble by ICANN standards with the organisation committing to responding to waiver requests within 15 calendar days.
It all sounds a little odd, as the waivers will often end up being granted after the fact and the policy also references court orders that would naturally trump any ICANN contract or policy:
A registrar may request this service when one or more of the following incidents occur:
A malicious activity involving the DNS of such scale and severity that it threatens systematic security, stability, and resiliency of a gTLD or the DNS;
An occurrence with the potential to cause a temporary or long-term threat impacting the registration of domain names at an ICANN-accredited registrar;
A court order from a law enforcement agency with jurisdiction over the registrar which requires the registrar to take action due to a specific security threat.
There’s also a provision for a degree of transparency around these kind of incidents, though with some security issues it’s unlikely that there will be full public disclosure until a long time after the event.
It’s very ICANNesque in that it’s been drafted by lawyers for lawyers, so it’ll be interesting to see “real world” examples of the waiver in use.