The ICANN community is developing guidelines for introducing new top-level domains (TLDs). New TLDs create opportunities for innovation and greater choice for Internet users. Regrettably, they also expand the name space for criminal use. Sensitive to concerns expressed by anti-abuse communities, ICANN has introduced a concept paper for a voluntary high security zone program. The concept paper describes a verification program that distinguishes a TLD registry operator who demonstrates an enhanced level of trust and security over the baseline that gTLD registries are expected to provide when standard contractual provisions are met. The program measures both business and operational criteria and includes verification of Registry operations as well as Registrar operations. Registries will contractually oblige Registrars to implement controls required by the Program to assure that trust and security measures extend from the registry through the registrar to the registrant.
The concept paper identifies controls to reduce the potential for malicious conduct, including fraud and other criminal activities, at the Registry and Registrar levels. While such measures cannot ensure that no domain name registered in the TLD would be exploited for criminal use, the measures assure that the service providers meet best industry business and operational practices to reduce the incidence of malicious or compromised domains and to quickly respond when malicious conduct is reported.
The concept paper identifies an initial set of objectives of the verification program. For example, Registry and Registrar organizations would be vetted to substantiate the identity of the legal entities that operate the Registry and registration services. A third-party security audit would be conducted to determine whether the registry’s IT infrastructure satisfies physical access, logical access and availability security criteria. Checks would be performed to confirm that data integrity, availability, consistency and completeness criteria are satisfied. Registries and registrars would be expected to demonstrate effective controls to reduce malicious conduct, consistent with the recommendations in the Malicious Conduct Explanatory Memorandum for new TLDs.
The concept paper explains that certain registries will voluntarily submit to initial and periodic audits to obtain and remain certified because they see a business value from “being more secure”. Other registries may seek certification because their target market, e.g., a TLD for financial or medical services, is regulated and demands it.
For some, the concept paper is a radical departure from the way gTLD registries operate today. Others have already asked why the program is voluntary rather than mandatory. Some current gTLD registries, however, have asked whether they would be able to volunteer for the program. Diverse opinions will no doubt exist, and that’s not a bad thing. I believe the concept paper provides an excellent point of focus for the community, and I encourage you to review it and make your opinions known through the public comment forum, which remains open until 22 November 2009.