Unfortunately, we have renewed our ICANN Accreditation (easydns.org)
24 points by StuntPope on May 20, 2015 | 7 comments



Like "Verified by Visa", these emails look like they were written by a scammer.


Yep. It's an attack vector served up on a silver platter. When WDRP came out (Whois Data Accuracy Program) I said right away it was a phishing vector.

Even the guy who invented WDRP has since come out and said it should die (http://www.circleid.com/posts/20120719_a_confession_about_ic...)

WAP is WDRP with the added bonus that you have a gun to your head to comply. It's just nuts. I was really hoping this would have been overturned by the time our renewal came around.


Fellow domain registrar here. While this does create more effort for us, it's important to note a couple of things:

1) ICANN does have a system in place for development of their policies, being a registrar you have a voice and even the public gets a say during their policy comment periods.

2) The intention of the policy was to curb fake information being provided for domain contacts. This was partially a response to the legal community saying basically why have the contact info if it's not even legitimate.

While the process is more work, it's also hard to argue with the concept that if you have to provide information about the registrant of a domain, that information should be accurate. The policy also helps ensure that the information stays as up to date as possible.


Rob, as I understand it, the RRSG was pretty vehemently against this every step of the way. The RRSG has since repeatedly asked ICANN and LEA for some data regarding the efficacy of WAP and none has been forthcoming (although there is now, finally, a review of WAP in progress).

To date there has not been one single documented instance of the WAP fulfilling one objective of LEA or preventing a single instance of cybercrime since its inception.

It is patently ridiculous in implementation given that it does nothing to prevent blatantly fake whois data (see the screen grab from my example where I successfully verified "Some Guy" as the domain registrant).

It's just a half-assed flawed implementation of a horribly flawed policy that only accomplishes two things:

1) throwing registrants under a bus, especially since the ones most likely to be burned by this are technically less sophisticated rule followers and

2) utterly screwing registrars, since we end up holding the bag when these domains go offline.


Totally agree, it's pretty useless right now, especially since the option of what to verify is pretty loose, though the 2013 RAA does specify there can be some new fields introduced. Now, on the customer side, we did an implementation like yours and almost launched it, BUT we thought better and came up with a less onerous system that still complied with the RAA. There has been very little heartburn on our end with regards to customers or implementation; if you want to talk about it, message me. For us this has been a big deal and we are a top 50 registrar.


> 2) The intention of the policy was to curb fake information being provided for domain contacts. This was partially a response to the legal community saying basically why have the contact info if it's not even legitimate

How will asking the provider of deliberately fake details to confirm the deliberately fake details magically make the details less fake?


It was to stop information that didn't go anywhere... I'm not saying it was the best idea ever, but it stopped the really stupid stuff like made-up emails. Since before this contact information wasn't verified, they could literally make up gibberish emails.



