

Unfortunately, we have renewed our ICANN Accreditation - StuntPope
http://blog.easydns.org/2015/05/20/unfortunately-we-have-renewed-our-icann-accreditation/

======
astrodust
Like "Verified by Visa", these emails look like they were written by a
scammer.

~~~
StuntPope
Yep. It's an attack vector served up on a silver platter. When WDRP came out
(Whois Data Accuracy Program) I said right away it was a phishing vector.

Even the guy who invented WDRP has since come out and said it should die
([http://www.circleid.com/posts/20120719_a_confession_about_ic...](http://www.circleid.com/posts/20120719_a_confession_about_icann_whois_data_reminder_policy/))

WAP is WDRP with the added bonus that you have a gun to your head to comply.
It's just nuts. I was really hoping this would have been overturned by the
time our renewal came around.

------
robalfonso
Fellow domain registrar here. While this does create more effort for us. Its
important to note a couple of things

1) ICANN does have a system in place for development of their policies, being
a registrar you have a voice and even the public gets a say during their
policy comment periods.

2) The intention of the policy was to curb fake information being provided for
domain contacts. This was partially a response to the legal community saying
basically why have the contact info if its not even legitimate

While the process is more work, its also hard to argue with the concept that
if you have to provide information about the registrant of a domain, that
information should be accurate. The policy also helps ensure that the
information stays as up to date as possible.

~~~
StuntPope
Rob, as I understand it, the RRSG was pretty vehemently against this every
step of the way. The RRSG has since repeatedly asked ICANN and LEA for some
data regarding the efficacy of WAP and none has been forthcoming (although
there is now, finally a review of WAP in progress).

To date there has not been one single documented instance of the WAP
fulfilling one objective of LEA or preventing a single instance of cybercrime
since it's inception.

It is patently ridiculous in implementation given that it does nothing to
prevent blatantly fake whois data (see the screen grab from my example where I
successfully verified "Some Guy" as the domain registrant).

It's just a half-assed flawed implementation of a horribly flawed policy that
only accomplishes two things:

1) throwing registrants under a bus, especially since the ones most likely to
burned by this are technically less sophisticated rule followers and

2) utterly screwing registrars, since we end up holding the bag when these
domains go offline.

~~~
robalfonso
Totally agree, it's pretty useless right now especially since the option of
what to verify is pretty loose, though the 2013 raa does specify there can be
some new fields introduced. Now on the customer side we did a implementation
like yours and almost launched it, BUT we thought better and came up with a
less onerous system that still complied with the raa, there has been very
little heart burn on our end with regards to customers or implementation, if
you want to talk about it message me. For us this has been a big deal and we
are a top 50 registrar

