To me, one issue seems to be that ICANN dares to demand of the registrar that they must verify the contact information that is REQUIRED to be present in a registration... that's not really a sane stance to have when you sell a subscription to what is basically an identity, so lets put that aside.
One other complains is that this verification procedure is really weak: "just send a mail with a link to the address provided"
Imagine if ICANN changed their rules so that a more substantial verification process of the MANDATORY fields was required? Like if they didn't make it optional to verify the telephone number, what would easyDNS do then? From their post, I presume they would go insane, declare Holy war on the ICANN, and then start assaulting ICANN officers with the sharp edges of their ibook 12"
They also complain that its a huge phishing opportunity because they must send mails with a link for people to click, but according to the ICANN spec they link to the actual requirement is[1]:
"""
[...] sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar
"""
So the mails looking very phish-y is entirely their their own choice, the spec does not mandate that the title is "Look at these funny pictures, friend" or anything.
Finally, they complain this will lead to a lot of big sites going down because they are forced to suspend domains if people don't take certain action within a certain time (although they don't clearly argue that the time is too short or something like that). But big sites already go down because the dns owner has been negligent with their interactions with their registrar, like failing to pay their fees for instance.
So the phisher registers a new domain, gets the real authentication e-mail, alters it to insert a malicious payload of some sort, then mails the altered copies to the marks. The validation e-mail notices may be triggered by events that are not verifiable by the customer, so if one shows up out of the blue, you have no way of knowing whether the registrar got a bounce from temporary network congestion or whether some phisher got your unredacted WHOIS record.
No matter what the registrar does, the phisher can obtain and alter a copy of it.
The only way to stop the phisher is to inconvenience the customer in a much more annoying way. The registrar could remove all hardpoints to which any phisher could attach his payload, such as by omitting phone numbers, clickable links, scripts, or customer-identifying information. That leaves, "Contact your registrar as soon as you are able, or your domain may be disabled within 15 days."
Anything that anyone does to make the validation process easier could be hijacked to put the customer in the phisher's false reality.
What would occur if ICANN, at the behest of law enforcement, changed their rules to require a phone conversation explaining what the domain is for, forms filed in triplicate, a cheek swab, a rectal exam, and 1% ownership in the company?
If ICANN turns into an unacceptably bad actor for whatever reason, where does that leave the Internet, what is its recourse?
I don't blame ICANN for this: this demand came from the law-enforcement agencies. I know that internally, ICANN would've been happy sticking with the existing WDRP process.
What is ICANN's motivation for complying with law-enforcement agency demands? Quite a number of them have proven themselves to be bad actors in the past, and there are provisions in civilized society that restrict them from actually demanding things, absent a specific court order. Which shouldn't really apply to an international regulatory body in a prescriptive manner by most standards - and if it gets such orders it needs to leave for another flag of convenience that doesn't cripple a global infrastructural standard.
"The Net interprets censorship as damage and routes around it" should be the ideal we aspire to. LEA and intelligence-agency intervention in the Internet system is typically damage to our liberty-printing machine, one way or another. Their incentive structure offers no benefits and poses a lot of difficulties in dealing with a free Internet. Pressure from them should be expected as an open adversary to the free Internet, and defended against.
They might've proven themselves to be bad actors, but they're backed by national governments, and that gives them a lot of sway when it comes to these things. LEAs do have a legitimate interest in this kind of thing because domain names can be used for fraudulent and otherwise illegal purposes, which is why they're involved in the process. However, it's up to the other parties to moderate this influence where possible, which is what the registrar constituency fought for in the negotiations.
Actually has value for law enforcement despite what some commenters seem to be saying here. For example if the contact info is not valid then it would be a quick and easy process to take the site offline for a cooperative registrar.
Law enforcement were still the ones who demanded it. ICANN and the registrars didn't particularly want this. In fact, what the LEAs were originally demanding was full verification and validation of all contact details supplied to the registrar.
I know this, because I work for a registrar and was privy to the 2013 RAA negotiations.
I also work for a registrar. Keep in mind that the policy is also an opportunity for registrars to charge for taking a domain back off of hold the same way that they can charge for bringing a domain out of redemption over and above what the cost is for doing so.
Yup, they can, but monetising that kind of thing would be pretty scummy. After all, section five of the spec states that all we need to do is put it on client hold and prevent outgoing transfers, though we can potentially terminate it by putting it in redemption. Unlike redemption, which is pretty costly, there's no real need to charge people to unsuspend the domain.
No doubt, some assholes out there will try it, but I know we won't.
Why do you feel (honest question here) that charging something or anything would be scummy?
"there's no real need to charge people to unsuspend the domain"
By that token there is no need to charge people for many things that businesses charge for that don't cost them any money at all (or a nominal amount) and are pure profit. Or even to charge for bringing a domain out of redemption over and above the actual reimbursed cost for doing so. The fact also that some registrars charge typically or don't charge shouldn't really enter into the picture of "scummy" or "not scummy" by any company that chooses to have a different process.
Not that by what I am saying it should matter but the mere fact that you are putting a name on hold means that your support or customer service costs should in theory increase. If a name is on hold then that means a customer could call or write an email which has to be addressed by a person possibly. And there is a cost to providing that service. It is not zero obviously.
No, I don't feel that charging for something is scummy. I do feel that charging for unsuspending a domain due to WAP is scummy. If some other registrar wasn't to do it, fair enough, but given the cost of unsuspending them approaches zero, unless we need to contact them on the phone, by post, or something else that requires human interaction, I feel the unsuspension fee should be nominal at most.
One other complains is that this verification procedure is really weak: "just send a mail with a link to the address provided"
Imagine if ICANN changed their rules so that a more substantial verification process of the MANDATORY fields was required? Like if they didn't make it optional to verify the telephone number, what would easyDNS do then? From their post, I presume they would go insane, declare Holy war on the ICANN, and then start assaulting ICANN officers with the sharp edges of their ibook 12"
They also complain that its a huge phishing opportunity because they must send mails with a link for people to click, but according to the ICANN spec they link to the actual requirement is[1]: """ [...] sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar """ So the mails looking very phish-y is entirely their their own choice, the spec does not mandate that the title is "Look at these funny pictures, friend" or anything.
Finally, they complain this will lead to a lot of big sites going down because they are forced to suspend domains if people don't take certain action within a certain time (although they don't clearly argue that the time is too short or something like that). But big sites already go down because the dns owner has been negligent with their interactions with their registrar, like failing to pay their fees for instance.
So this is not a new type of problem really, you actually already have good reason to read the mail from your registrar, who knew? (Not Sony online: http://www.pcworld.com/article/2454820/sony-gaming-websites-...)
[1]: https://www.icann.org/resources/pages/approved-with-specs-20...