Comments

Re: The Accountable Net: Who Should Be Accountable? Christopher Ambler  –  Dec 03, 2004 11:48 AM PST

Esther, your .safe proposal seems to be functionally the same as the .Mail proposal in this most recent sTLD round. Presuming ICANN approval in the next year, perhaps it may accomplish many of your goals?

Re: The Accountable Net: Who Should Be Accountable? Tom Cross  –  Dec 05, 2004 4:12 PM PST

Obviously reputation systems need to exist on the Internet. The question at hand is whether those reputation systems ought to be tied into the domain name system. This article does a good job of defending the former point but not the latter.

Why can't reputation systems exist independently of the domain name system? Of course they can, and they already do. It's not at all clear that tying them into the DNS would make them more effective. Phishers are already quite good at appearing to be associated with legitimate businesses that people trust.

What tying reputation systems into the DNS would do is provide a central point of control over which reputation systems are recognized as legitimate. This is as opposed to a more open process in which the general public decides collectively which organizations they choose to trust. It would only be useful to the degree that it made choices which diverged from the ones the general public would have made in an open architecture, and in that respect I regard this proposal with some suspicion.

The way to handle phishing schemes is to provide a way for consumers to be better aware that the website they are dealing with is, in fact, the website that they think they are dealing with. Every reputable request for personal information is going to be SSL encrypted and certified. My present browser (Safari) merely puts a little lock in the corner when running SSL, and I can't even click on it for more details. Most browsers alert to unencrypted information transfers with annoying pop-ups that most users disable.

I'd say we need more fundamental research into the usability of SSL rather than a new DNS architecture. What's more, I'd say that SSL is the appropriate place to plug in new reputation systems, rather than the DNS. The organization that certifies my encryption key could easily say certain things about me in doing so.

Also, with respect to Anonymity, it's not possible for a new proposal to remove something which has already been removed. If I have to provide a valid address for legal service when registering a domain which is available at anything less than a court order, I'm not anonymous.

Re: The Accountable Net: Who Should Be Accountable? Esther Dyson  –  Dec 06, 2004 9:55 AM PST

thanks for the feedback.  Chris, I don't know enough about .mail to comment, but I would assume the answer is partly yes .... It wouldn't be fully yes until there's also TLD competition for .mail - perhaps .post??? and .courier or .fedex.

Tom - more complicated.  perhaps someone should start a TLD that offers only SSL-only-access sites… The challenge is that you can use SSL and get connected to a real, certified site securely...and be securely connected to some sleazeball outfit.  (probably less easy than it is now, but still very possible.)

Does it have a third-party seal?  well, it's pretty easy to copy most seals - well enough to deceive an unwary consumer.  (So this protects famous sites, but not the rest...)

yes, the certifying agent could have its own reputation service; I just think it's easier and simpler for the consumer to connect it to a TLD that would be consistent and embedded in the site's name.  (Blah blah about client-side protection tools, which would also be helpful.) note that the idea is for ICANN to allow almost anyone to set up a TLD; ICANN itself should not be running a reputation service. so it would provide a central (or virtually central, technically distributed) point of registration information, but not centralized control.

IS the DNS the best possible place to do this? I'm not sure, but it seems a good place to start...and if it's not, then the TLDs that use this approach won't be successful and the idea will die a deserved death.  But it would be great to see it tried…

That's what I'm really calling for - a more open approach to new TLDs.  I'm sure .safe/.bank/.secure would not be the only ones. There would also be .mobi, and I hope a profusion of other new TLDs with their own characters. 

Otherwise, let's get rid of all the TLDs, so that companies don't need to register all their trademarks in so many different, and meaninglessly different, TLDs.  (note: this last suggestion is mostly rhetorical.)

re anonymity: I personally have no problem with proxy services and other devices to provide some level of anonymity - which is never absolute anyway.

Re: The Accountable Net: Who Should Be Accountable? Tom Cross  –  Dec 06, 2004 12:16 PM PST

Esther,

Thank you for that clarification. I agree that we ought to have more TLDs, and not just for policy based communities like .safe, but also for identity communities like .geek…

With respect to third party seals, I agree that they are not secure. Cryptography is required to do this right. Of course, anyone can use SSL, and so the use of SSL is not in and of itself an indicator of reputability. Browsers must do a better job of indicating to you who the cryptography says you are submitting information to.

TLDs would suffer from the same user education problems that other solutions suffer from. Phishers typically claim to represent companies the victims know and trust. They simply provide convincing graphics and an IP based URL rather than a domain name. If users don't know that nnn.nnn.nnn.nnn is not the same as paypal.com they may not know that paypal.to is not the same as paypal.safe…

In either case, what it boils down to is how does the user interface indicate to the user who they are dealing with and how well does the user understand those indications. Domain names do offer the advantage that they are directly visible to the user in the current interface, and TLD operators would be responsible for educating users about them.

The care that must be taken here is that certain domain names, like .safe, imply a meaning. ICANN will have to decide who is best to define what that meaning is, to the exclusion of all others. ICANN may not be running a reputation system, but they'll be deciding who gets to decide who is allowed to run a .safe domain, or a .dentist domain, or a .geek domain. It is inevitable that there will be disagreements about these things.

However, I must admit that these problems also exist in the realm of SSL certificates, and are not as well managed. Presently, browser manufacturers get to decide who is allowed to be a certificate authority. I could propose an alternative in which a large icon appears in a browser toolbar which indicates something about the cryptographic certificate on the website, (green for safe, red for uncertified...) but the same problem exists with this proposal. We need a process for determining who gets to certify people.

So I'll concede that I haven't really provided you with a clearly better alternative. The devil is in the details… What UI considerations are most effective, and what processes work best for fairly determining who the gatekeepers get to be…

Re: The Accountable Net: Who Should Be Accountable? Jeffrey A. Williams  –  Dec 09, 2004 12:31 AM PST

Esther,

To answer the question in the title of your article here, ICANN should take responsibility with the oversight of DOC/NTIA and the stakeholders/users of the internet.  Of course you have as the first COB of ICANN slighted or denied taking responsibility of the DNS, IP Address policy, and Protocols, and abrogated those responsibilities without the consent of the stakeholders/users in the MoU and White paper along with the ICANN BoD and subsequent ICANN BoD's to special interest groups.  As such, the mess that the internet has become and most especially the DNS and related Email systems, have been to a very great degree a mess created by ICANN and especially during your tenure as CoB.

Your .SAFE proposal is yet again another example of a hopefully to be created SIG internal to the ICANN skewed structure that does not now, nor has ever had the interests of the stakeholders/users. Yet your .SAFE proposal may indeed be a Good thing in many ways, but is not justified by the means as those means and/or largely unsupported policies that created the means by stakeholders/users, as they had no vote or even a voice in their determination.  Ergo, such means skew the ends such as your .SAFE proposal.

Re: The Accountable Net: Who Should Be Accountable? Matthew Elvey  –  May 03, 2005 12:02 PM PST

Esther, I noticed that the ICANN NomCom is open for recommendations for a bunch of posts*.  Are there any folks here that you'd recommend for the posts?  That you'd like to see in the posts (an interestingly different question!) ICANN's actions are very opaque, so I wonder what it's like taking one of the positions.  I also was surprised that being on ICANN's board is listed as an hour a month position.
*see ICANN's home page.
