.UK Announced

[Hazel Pegg]

SSL certificates have this. It does not circumvent wrong doing.

Nothing is going to entirely circumvent wrongdoing. Edwin could probably write a paper on how to circumvent the proposed 'security' features for .uk (and quite possibly already has!).

I am not an expert on internet security but as a 'layperson' feel that a Trustmark with some avenues to verify it is real is better than a blanket assurance that all .uk domains can be trusted. With the associated implication that all third level .uk extensions can't.

 

[monaghan]

Another thought, if we release everything under .uk, where do we go once the "good names" have gone? Opening a few more 2nd levels would allow sharing of the conflicting domains, a few well chosen generics like sport.uk, food.uk and so on would give a good selection of new spaces that are obvious to consumers and would give the potential to open further classifications as the UK internet grows.

Yes there would be some casualties in portfolios, but if the objective is to simplify and add trust there will have to be some losses, however, with wider scope you can then sell competing names many times in different categories, business are happy as they will have less competition from people in other sectors.

 

[crazihos]

I am not an expert on internet security but as a 'layperson' feel that a Trustmark with some avenues to verify it is real is better than a blanket assurance that all .uk domains can be trusted. With the associated implication that all third level .uk extensions can't.

This is what worries me the most. The implication for finance company owners who run their business on .co.uk domains is huge.

It's also a nightmare in the real world.

If I was a shop buying 100 bikes and a rep from both bikes.co.uk and bikes.uk visited me to pitch.

Both have the same price and service but the the sales rep from bikes.uk tells me this:

Bikes.uk Rep: "bikes.co.uk aren't a very secure company. That's why the government had to form .uk companies, because .co.uk have loads of hacking and security problems."

Meeting ends. I go to google and a quick search reveals that .uk really has been set up for security reasons.

Bikes.uk get my business and I tell my business friends about this dodgy company called bikes.co.uk.

Nightmare.

 

[websaway]

If those multiple online businesses are PPC sites then you are a domainer.

If those multiple domain names are parked with SEDO (or similar) then you are a domainer.

If those multiple online businesses are listed as For Sale with SEDO (or similar) then you are a domainer.

If you sell domain names with no associated website at more than cost price plus a bit extra for your time then you are a domainer.

If you registered a fairly good.tv domain because it was available and may fit in with your plans at some time in the future and found only days later after being approached by a tv company that your name was exactly what they were after for a new media show,you would just hand it over to them at reg fee.
Is that what you are saying, and so in the event you sought to profit from your good fortune, you would then label yourself a domainer.

 

[Hazel Pegg]

If you registered a fairly good.tv domain because it was available and may fit in with your plans at some time in the future and found only days later after being approached by a tv company that your name was exactly what they were after for a new media show,you would just hand it over to them at reg fee.
Is that what you are saying, and so in the event you sought to profit from your good fortune, you would then label yourself a domainer.

If I only had only one .tv domain I'd call myself lucky to get the offer. If I had 100+ .tv domain names I'd call myself a domainer. There are only so many plans I can have for some time in the future!

PS - I have received several offers for glastonbury.co.uk and turned them all down

 

[Edwin]

Nothing is going to entirely circumvent wrongdoing. Edwin could probably write a paper on how to circumvent the proposed 'security' features for .uk (and quite possibly already has!).

I could, but I won't. Laying out an A) B) C) list of how to get around security features is probably a no-no, liability wise.

I've already explained the gaping flaws to Nominet's security team face to face at the Open House. Spent nearly an hour and a half doing so. At the end I got the same "That's interesting. We'll note your OPINION for consideration" as I did with any other comments I made during the 3 days of meetings.

Having said the above, in the broadest strokes I think the following is "safe" to say since none of the points will be "new" to any criminal:
- Real criminals will go to all sorts of measures to have their scams succeed
- There are MANY different ways to get something posted to "an address" either actioned or forwarded (possibly via several intermediate remailing services). It doesn't take a genius to think of half a dozen ways to accomplish this
- The major scams are done and dusted in hours. Any solution that works to a daily schedule or slower will do nothing to stop the DETERMINED criminal
- Criminals will be using stolen CC numbers and registering thousands of "burner" domains that they know will last minutes or hours. They don't care. Costs them literally NOTHING to register more.
- It is beyond trivial to validate something sent to an email address. It is also beyond trivial to chain together a string of email remailers completely free-of-charge (thanks to the thousands of free email providers out there) or to use one of the many one-time shot email addresses (dozens of companies offer "disposable email accounts")
- Nominet's "security" only proves that [x email address] and [y physical address] are capable of receiving at least a one-time communication from Nominet. NOTHING else is learned from the process.

At the same time, launching .uk WILL create more phishing opportunities, increase the probability of a phish succeeding, and lead to more misdirected emails (with privacy, security and business secrecy implications). This is implicit in the CONCEPT of .uk and its confusing similarity to .co.uk, and has nothing whatsoever to do with Nominet's specific proposal. Nor can anything Nominet suggests in an amended proposal mitigate these new risks - so long as .uk launches, they WILL occur.

 

[Edwin]

It is strongly worth taking the time to read and digest Paul Keating's comment to the article at the following link:
http://www.computerweekly.com/blogs...cs/2012/11/i-have-seen-the-online-future.html

 

[Stephen]

Securing uk namespace

That's what I proposed in both round tables I was in: decouple the security "package" from .uk and offer it as an extra to ANY business under ANY domain extension that Nominet manages.
Those who applied for it (and passed the criteria for verification, etc.) would receive a trustmark.
I also made some suggestions about how Nominet could proactively promote that trustmark through partners in a win-win relationship, but I won't repeat them here since AFAIK nobody's doing what I proposed to them yet and I don't want to take that opportunity off the table for Nominet. If you happened to be in the room at the time I'd be grateful if you could do likewise. Thanks.

Agree totally, Security should be decoupled.

Nominet really did take note of your comments in this area during the 3 days of meetings and I believe they are seriously considering it.

When they tried to defend their position, it was very weak and the answer about why it was not done for .co.uk, .org.uk etc. was that it was too difficult due the terms and conditions of those registrants.

They offered no defence or alternative solutions to the problem that .co.uk; .org.uk would be seen as inferior and unsecure.

It was also revealed in answers to questions that DNSSEC is available now for .co.uk but only 2,500 registrants have taken it up despite an awareness campaign by Nominet to get it adopted, so their solution was to make it compulsory.

……
Benefits:
- Genuinely helps improve security across the entire UK web space (If it takes off and becomes popular, more and more businesses will need to get it to maintain parity with their competitors. If not, well that's very telling...)
- Keeps the .uk price on parity with other extensions
- Greatly simplifies the rollout of .uk and its implementation for registrars (just a case of "who gets what" but no extra hurdles to jump through)
- Doesn't penalise smaller registrars, who will still be able to sell .uk (to date, Nominet has treated registrars of all sizes as equals)
- Trustmark would be more meaningful (because businesses requested it, it shows which ones are taking security considerations most seriously)
- Doesn't give consumers a false sense of security about .uk
- Lends itself to being improved over time (more restrictions, more types of scan, more features etc.) whereas changes to a compulsory system would just annoy the 99% of businesses that don't care about it.
- Can be priced higher than £20 (Symantec Safe Site for instance costs US$29/month or US$299/year)
- Registrars have a new, premium product to sell to ALL their client base

I would like to see a real debate here on what should behind this Trustmark?.

As I have heard so many arguments against Malware protection at the registrar level and the ineffectiveness and undue cost of Address verification all having so many problems. Plus on their other area security solution area there are alternative DNSSEC solutions that are available that could implemented easier and cheaper.

Although it would be radical, I would like to see if the UK can introduce a better, cheaper solution than SSL certificates that would cover the whole site and give website users real confidence in the uk namespace with genuine financial protection.

What level of security do you think the uk namespace should have?

Downside:
- Less of a windfall for Nominet from .uk
- Registrars no longer have a "premium" domain extension to mark up
- May not see much if any take-up

There may be a case for a super secure, encrypted, guaranteed, all bells and whistles extension used and needed by only a few thousand websites such as Banks etc. This could be a real premium tld costing £1,000 pa.

But wait, if Nominet sell all the 2nd level tld’s they will not be able to launch such a new tld as .secure.uk? (as pointed out by Invincible and others)

 

[Stephen]

..... At the same time, launching .uk WILL create more phishing opportunities, increase the probability of a phish succeeding, and lead to more misdirected emails (with privacy, security and business secrecy implications). This is implicit in the CONCEPT of .uk and its confusing similarity to .co.uk, and has nothing whatsoever to do with Nominet's specific proposal. Nor can anything Nominet suggests in an amended proposal mitigate these new risks - so long as .uk launches, they WILL occur.

The only 2 solutions available to stop this real problem are;
1. Don't launch .uk EVER
2. Or pair .co.uk and .uk ownership fully

 

[websaway]

If I only had only one .tv domain I'd call myself lucky to get the offer. If I had 100+ .tv domain names I'd call myself a domainer. There are only so many plans I can have for some time in the future!

PS - I have received several offers for glastonbury.co.uk and turned them all down

But the tv company that wanted your .tv domain were so anxious to get this domain which suited their purpose and they had been searching for something similar for some time so they payed you a no quibble £25000. The fact that you may just be able to do the same thing again would not tempt you to try.

Don't forget this is not robbing a bank, this is perfectly legal, you have used your imagination to produce something and somebody else is prepared to pay you for the use of your product, it was not a domain name until you invented it.
Once invented, if successful, demand will ensue for it's use.

I think a more accurate name for a person that done this in 1996 should be a visionary, I personally don't envy them I applaud them for their ingenuity.
And remember for every name that is successful there have been hundreds or maybe thousands that have bombed out.

Looking back I could have written white christmas or jingle bells or happy birthday, after all they are all so obviously simplistic.

 

[foz]

It is strongly worth taking the time to read and digest Paul Keating's comment to the article at the following link:
http://www.computerweekly.com/blogs...cs/2012/11/i-have-seen-the-online-future.html

Interesting read. Surprised Philip Virgo allowed the comment(s).

This same proposal was rejected 11-0 by the board in 2005

 

[Hazel Pegg]

But the tv company that wanted your .tv domain were so anxious to get this domain which suited their purpose and they had been searching for something similar for some time so they payed you a no quibble £25000. The fact that you may just be able to do the same thing again would not tempt you to try.

Possibly. At which point I would become a domainer. We were asked to give a definition of a domainer, not to make a value judgement.

 

[Hazel Pegg]

Quote:
This same proposal was rejected 11-0 by the board in 2005

I know. I was one of the 11. It was the Policy Advisory Board BTW and not the Nominet Board.

 

[foz]

I know. I was one of the 11. It was the Policy Advisory Board BTW and not the Nominet Board.

Was it just discussed in the PAB environment or was outside feedback requested?

 

[Hazel Pegg]

Was it just discussed in the PAB environment or was outside feedback requested?

A paper was presented to the PAB and was discussed on nom-steer (the membership mail-list) prior to the meeting. But there was no consultation outside of the PAB and the membership that I can recall. The PAB at the time consisted of a couple of Nominet Execs, four elected bods (of which I was one) and various reps from Govt and Industry. I have no idea how much consultation the outside bodies conducted with their stakeholders.

 

[foz]

A paper was presented to the PAB and was discussed on nom-steer (the membership mail-list) prior to the meeting. But there was no consultation outside of the PAB and the membership that I can recall. The PAB at the time consisted of a couple of Nominet Execs, four elected bods (of which I was one) and various reps from Govt and Industry. I have no idea how much consultation the outside bodies conducted with their stakeholders.

Thanks. I assume the PAB is no more?

Would it have been the Policy Stakeholder Committee (PSC) sole decision to put direct.uk out to consultation or would it have needed the green light from the board?

 

[Hazel Pegg]

Thanks. I assume the PAB is no more?

Would it have been the Policy Stakeholder Committee (PSC) sole decision to put direct.uk out to consultation or would it have needed the green light from the board?

The PAB is no more and I can't remember when it was disbanded. I also have no idea who makes decisions now as I've been ignoring Nominet for years as things just seemed to be working so I had no need to get involved. The direct.uk announcement took me by surprise and woke me up. Andrew Bennett can probably answer your question.

 

[Edwin]

The PAB was disbanded after its meeting on May 12, 2010.

Here's the last PAB meeting report. It's worth a read, as there's some very interesting info about the ".uk brand". You can also see the final signoff of the PAB under "AOB".
http://www.mydomainnames.co.uk/43242_PABmeetingreport-may2010.pdf

(NOTE: I wish I didn't have to host that sort of document, but Nominet took them all off their site on... 1 October 2012)

 

[grantw]

This new process was intended as a replacement to the PAB I believe:

http://www.nominet.org.uk/how-participate/policy-development/how-uk-policy-process-works

Grant

 

[websaway]

It is strongly worth taking the time to read and digest Paul Keating's comment to the article at the following link:
http://www.computerweekly.com/blogs...cs/2012/11/i-have-seen-the-online-future.html

WOW! He's certainly put it all together in an easy to read easy to understand format.
Thanks for the heads up, as they say.