- Joined
- Nov 4, 2005
- Posts
- 199
- Reaction score
- 8
I’ve been giving some thought to how an owner verification process could be integrated into the .uk name space. This is to address what I believe to be the single most significant, and beneficial, security concern that both Nominet and the UK government currently share.
My thinking is that it isn’t Nominet that’s key to the success of this, rather it’s our friends at the HMRC. My knowledge of internet systems and security can be written on the edge of a postage stamp, so I may be way-off here (be gentle
, but I’m keen to start this thread to get opinions from those with more insight. I came up with the following proposal; does it have any merit?
1) Any .uk site that wants to offer owner verification displays a button called “owner.uk” which opens a popup or similar. The button is linked via https to owner.uk (and/or owner.co.uk) and passes a unique encrypted ID, along with the referrer domain. The owner.uk domain is controlled by Nominet.
2) owner.uk displays a “verification in progress” page and the first prompt is to ask the visitor to confirm that owner.uk is visible in the address bar above; if not, get the hell out of there and let us know. [can the address bar be easily hi-jacked?]
3) owner.uk then makes a request of hmrc.gov.uk and passes the unique ID along with the referrer domain. If there’s a match at hmrc.gov.uk for both entities then company owner details are returned to owner.uk. [How secure is domain referrer data within https?]
4) owner.uk also goes to the Nominet WHOIS and then compares registrant data to tax data for relevant matches. [I’m not convinced that this stage actually adds anything to the process, but it “feels” like it does]
5) Results are displayed to the visitor, ie. “The website where you are now is xyz.uk and is owned by ****, registered office in..”.
The ID’s for each business are accessed via their online HMRC account, which I assume to be secure. These codes could be re-issued for each new tax year, if necessary. You would also need to register any referrer domains within this account.
This proposal would be a bit harsh on the current registrant of owner.co.uk, but it currently returns a 404 so I don’t see any existing rights in place, and therefore compensation or compulsory purchase could put that one right.
My thinking here is simply, if you don’t have a UK tax presence then you aint a legitimate UK business. What I also like is the data returned on the business owner could include not only business name and address, but also type of business, number of years trading, directors names and, oh yes, how much tax have they paid in the last 5 years – how topical is that!!
Consumers could not only shop with greater confidence, but also be much more informed about where they may, or may not, want to spend their money.
My thinking is that it isn’t Nominet that’s key to the success of this, rather it’s our friends at the HMRC. My knowledge of internet systems and security can be written on the edge of a postage stamp, so I may be way-off here (be gentle
, but I’m keen to start this thread to get opinions from those with more insight. I came up with the following proposal; does it have any merit? 1) Any .uk site that wants to offer owner verification displays a button called “owner.uk” which opens a popup or similar. The button is linked via https to owner.uk (and/or owner.co.uk) and passes a unique encrypted ID, along with the referrer domain. The owner.uk domain is controlled by Nominet.
2) owner.uk displays a “verification in progress” page and the first prompt is to ask the visitor to confirm that owner.uk is visible in the address bar above; if not, get the hell out of there and let us know. [can the address bar be easily hi-jacked?]
3) owner.uk then makes a request of hmrc.gov.uk and passes the unique ID along with the referrer domain. If there’s a match at hmrc.gov.uk for both entities then company owner details are returned to owner.uk. [How secure is domain referrer data within https?]
4) owner.uk also goes to the Nominet WHOIS and then compares registrant data to tax data for relevant matches. [I’m not convinced that this stage actually adds anything to the process, but it “feels” like it does]
5) Results are displayed to the visitor, ie. “The website where you are now is xyz.uk and is owned by ****, registered office in..”.
The ID’s for each business are accessed via their online HMRC account, which I assume to be secure. These codes could be re-issued for each new tax year, if necessary. You would also need to register any referrer domains within this account.
This proposal would be a bit harsh on the current registrant of owner.co.uk, but it currently returns a 404 so I don’t see any existing rights in place, and therefore compensation or compulsory purchase could put that one right.
My thinking here is simply, if you don’t have a UK tax presence then you aint a legitimate UK business. What I also like is the data returned on the business owner could include not only business name and address, but also type of business, number of years trading, directors names and, oh yes, how much tax have they paid in the last 5 years – how topical is that!!
Consumers could not only shop with greater confidence, but also be much more informed about where they may, or may not, want to spend their money.
