Hi, I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it? A -- Please excuse my clumbsy thums
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it. Other thoughts on this? Richard Merdinger VP, Domains rmerdinger@godaddy.com -----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness Hi, I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it? A -- Please excuse my clumbsy thums
Well, to be clear, the point of the discussion I'm in is around automatic blacklisting of everything in a "shady" TLD. -- Please excuse my clumbsy thums ---------- On April 26, 2018 11:36:44 Richard Merdinger <rmerdinger@godaddy.com> wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
Richard Merdinger VP, Domains rmerdinger@godaddy.com
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
We see the anti-abuse community as part of our target audience 1) They should be aware of all the TLDs, the dynamic nature of the root zone population, and shouldn't be blocking an entire TLD because their systems are not aware of them. 2) If they block an entire TLD because it is a 'shady' TLD, that's NOT a UA Issue. 3) The bulk mail operators in the Anti-Abuse community should be aware of EAI Addresses. Based on a M3WAAG meeting earlier this year, I'm not convinced that's the case. To start addressing this, John Levine will be running a session at the M3WAAG meeting in Munich in June. WE've had discussion about this during our face-to-face meeting in Seattle last year and again on a subsequent conference call. Our role is not to advocate for TLDs to not be blocked at the top level, but to ensure that those blocking entire TLDs are doing so consciously. D -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Andrew Sullivan Sent: Friday, 27 April 2018 6:09 AM To: Richard Merdinger <rmerdinger@godaddy.com>; ua-discuss@icann.org Subject: Re: [UA-discuss] UA and phishiness Well, to be clear, the point of the discussion I'm in is around automatic blacklisting of everything in a "shady" TLD. -- Please excuse my clumbsy thums ---------- On April 26, 2018 11:36:44 Richard Merdinger <rmerdinger@godaddy.com> wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
Richard Merdinger VP, Domains rmerdinger@godaddy.com
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
Thanks Don; was about to reply similarly (but without all the detail). --Rich Richard Merdinger VP, Domains rmerdinger@godaddy.com On 4/26/18, 1:22 PM, "Don Hollander" <don.hollander@icann.org> wrote: We see the anti-abuse community as part of our target audience 1) They should be aware of all the TLDs, the dynamic nature of the root zone population, and shouldn't be blocking an entire TLD because their systems are not aware of them. 2) If they block an entire TLD because it is a 'shady' TLD, that's NOT a UA Issue. 3) The bulk mail operators in the Anti-Abuse community should be aware of EAI Addresses. Based on a M3WAAG meeting earlier this year, I'm not convinced that's the case. To start addressing this, John Levine will be running a session at the M3WAAG meeting in Munich in June. WE've had discussion about this during our face-to-face meeting in Seattle last year and again on a subsequent conference call. Our role is not to advocate for TLDs to not be blocked at the top level, but to ensure that those blocking entire TLDs are doing so consciously. D -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Andrew Sullivan Sent: Friday, 27 April 2018 6:09 AM To: Richard Merdinger <rmerdinger@godaddy.com>; ua-discuss@icann.org Subject: Re: [UA-discuss] UA and phishiness Well, to be clear, the point of the discussion I'm in is around automatic blacklisting of everything in a "shady" TLD. -- Please excuse my clumbsy thums ---------- On April 26, 2018 11:36:44 Richard Merdinger <rmerdinger@godaddy.com> wrote: > Andrew, > I get the connection, but I think that this is adjacent to our remit > as opposed to part of it. > > Other thoughts on this? > > Richard Merdinger > VP, Domains > rmerdinger@godaddy.com > > -----Original Message----- > From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of > Andrew Sullivan > Sent: April 26, 2018 12:34 PM > To: ua-discuss@icann.org > Subject: [UA-discuss] UA and phishiness > > Hi, > > I'm in a meeting about the web PKI and there's a discussion about how > poor the anti-abuse stance is of some new TLDs. Does UASG have a view > about this? Should it? > > A > > -- > Please excuse my clumbsy thums
+1 -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Richard Merdinger Sent: Thursday, April 26, 2018 11:23 AM To: Don Hollander <don.hollander@icann.org>; Andrew Sullivan <ajs@anvilwalrusden.com>; ua-discuss@icann.org Subject: Re: [UA-discuss] UA and phishiness Thanks Don; was about to reply similarly (but without all the detail). --Rich Richard Merdinger VP, Domains rmerdinger@godaddy.com On 4/26/18, 1:22 PM, "Don Hollander" <don.hollander@icann.org> wrote: We see the anti-abuse community as part of our target audience 1) They should be aware of all the TLDs, the dynamic nature of the root zone population, and shouldn't be blocking an entire TLD because their systems are not aware of them. 2) If they block an entire TLD because it is a 'shady' TLD, that's NOT a UA Issue. 3) The bulk mail operators in the Anti-Abuse community should be aware of EAI Addresses. Based on a M3WAAG meeting earlier this year, I'm not convinced that's the case. To start addressing this, John Levine will be running a session at the M3WAAG meeting in Munich in June. WE've had discussion about this during our face-to-face meeting in Seattle last year and again on a subsequent conference call. Our role is not to advocate for TLDs to not be blocked at the top level, but to ensure that those blocking entire TLDs are doing so consciously. D -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Andrew Sullivan Sent: Friday, 27 April 2018 6:09 AM To: Richard Merdinger <rmerdinger@godaddy.com>; ua-discuss@icann.org Subject: Re: [UA-discuss] UA and phishiness Well, to be clear, the point of the discussion I'm in is around automatic blacklisting of everything in a "shady" TLD. -- Please excuse my clumbsy thums ---------- On April 26, 2018 11:36:44 Richard Merdinger <rmerdinger@godaddy.com> wrote: > Andrew, > I get the connection, but I think that this is adjacent to our remit > as opposed to part of it. > > Other thoughts on this? > > Richard Merdinger > VP, Domains > rmerdinger@godaddy.com > > -----Original Message----- > From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of > Andrew Sullivan > Sent: April 26, 2018 12:34 PM > To: ua-discuss@icann.org > Subject: [UA-discuss] UA and phishiness > > Hi, > > I'm in a meeting about the web PKI and there's a discussion about how > poor the anti-abuse stance is of some new TLDs. Does UASG have a view > about this? Should it? > > A > > -- > Please excuse my clumbsy thums
Hi Don, My CSA Colleagues – who also attend every M3AAWG Meeting – expressed interest in contributing to a paper like this. I will bring them together with John in Munich. Lars -----Ursprüngliche Nachricht----- Von: UA-discuss <ua-discuss-bounces@icann.org> Im Auftrag von Don Hollander Gesendet: Donnerstag, 26. April 2018 20:22 An: Andrew Sullivan <ajs@anvilwalrusden.com>; Richard Merdinger <rmerdinger@godaddy.com>; ua-discuss@icann.org Betreff: Re: [UA-discuss] UA and phishiness We see the anti-abuse community as part of our target audience 1) They should be aware of all the TLDs, the dynamic nature of the root zone population, and shouldn't be blocking an entire TLD because their systems are not aware of them. 2) If they block an entire TLD because it is a 'shady' TLD, that's NOT a UA Issue. 3) The bulk mail operators in the Anti-Abuse community should be aware of EAI Addresses. Based on a M3WAAG meeting earlier this year, I'm not convinced that's the case. To start addressing this, John Levine will be running a session at the M3WAAG meeting in Munich in June. WE've had discussion about this during our face-to-face meeting in Seattle last year and again on a subsequent conference call. Our role is not to advocate for TLDs to not be blocked at the top level, but to ensure that those blocking entire TLDs are doing so consciously. D -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Andrew Sullivan Sent: Friday, 27 April 2018 6:09 AM To: Richard Merdinger <rmerdinger@godaddy.com>; ua-discuss@icann.org Subject: Re: [UA-discuss] UA and phishiness Well, to be clear, the point of the discussion I'm in is around automatic blacklisting of everything in a "shady" TLD. -- Please excuse my clumbsy thums ---------- On April 26, 2018 11:36:44 Richard Merdinger <rmerdinger@godaddy.com> wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
Richard Merdinger VP, Domains rmerdinger@godaddy.com
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
On 4/26/2018 11:08 AM, Andrew Sullivan wrote:
Well, to be clear, the point of the discussion I'm in is around automatic blacklisting of everything in a "shady" TLD.
Draconian, but effectively the only incentive for a shady TLD to clean up its act. A./
-- Please excuse my clumbsy thums ---------- On April 26, 2018 11:36:44 Richard Merdinger <rmerdinger@godaddy.com> wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
Richard Merdinger VP, Domains rmerdinger@godaddy.com
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
I am not sure I understand the issue. Is this about: a. .yellow is blocked by decision of a government that is run by the Blue party, while the Yellow party is banned b. .orange is blocked because of the high level of spam, scam, or whatever other “illegal” activities (with all the caveats that “illegal” means) c. .pink is not recognised as a valid TLD (whatever the algorithm is for deciding what a “valid” TLD is IMHO, only the latter case is relevant for us - although it would be useful to keep an eye on the other two, just to see what the impact is on user experience. After all, the user who cannot access a site or send an email does not necessarily know whether this is due to a. b. c. or other. Cheers, Roberto
On 26.04.2018, at 20:08, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
Well, to be clear, the point of the discussion I'm in is around automatic blacklisting of everything in a "shady" TLD.
-- Please excuse my clumbsy thums ---------- On April 26, 2018 11:36:44 Richard Merdinger <rmerdinger@godaddy.com> wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
Richard Merdinger VP, Domains rmerdinger@godaddy.com
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
I guess I was wondering whether the SG wants to say that b is fine but c is a bad idea. It sounds like the SG _does_ think that, but I can't find it on the site yet :-) -- Please excuse my clumbsy thums ---------- On April 26, 2018 13:08:22 Roberto Gaetano <roberto_gaetano@hotmail.com> wrote:
I am not sure I understand the issue. Is this about: a. .yellow is blocked by decision of a government that is run by the Blue party, while the Yellow party is banned b. .orange is blocked because of the high level of spam, scam, or whatever other “illegal” activities (with all the caveats that “illegal” means) c. .pink is not recognised as a valid TLD (whatever the algorithm is for deciding what a “valid” TLD is IMHO, only the latter case is relevant for us - although it would be useful to keep an eye on the other two, just to see what the impact is on user experience. After all, the user who cannot access a site or send an email does not necessarily know whether this is due to a. b. c. or other. Cheers, Roberto
On 26.04.2018, at 20:08, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
Well, to be clear, the point of the discussion I'm in is around automatic blacklisting of everything in a "shady" TLD.
-- Please excuse my clumbsy thums ---------- On April 26, 2018 11:36:44 Richard Merdinger <rmerdinger@godaddy.com> wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
Richard Merdinger VP, Domains rmerdinger@godaddy.com
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
Il 26 aprile 2018 alle 22.27 Andrew Sullivan <ajs@anvilwalrusden.com> ha scritto:
I guess I was wondering whether the SG wants to say that b is fine but c is a bad idea. It sounds like the SG _does_ think that, but I can't find it on the site yet :-)
I think that system administrators should be aware that many more TLDs than the best known ones exist, including TLDs in non-ASCII characters, and even more will be introduced, and should support and accept all of them except if they think they have reasons to blacklist specific TLDs due to non-technical issues. So, what we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful. This would IMHO be an acceptable stance that does not enter into thorny content-related issues (because it does not tell anyone what to blacklist and when) but still promotes universal acceptance. Regards, -- Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@open-xchange.com Office @ Via Treviso 12, 10144 Torino, Italy
This seems reasonable, are there any objections? we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Vittorio Bertola Sent: Friday, April 27, 2018 01:21 To: Andrew Sullivan <ajs@anvilwalrusden.com>; Roberto Gaetano <roberto_gaetano@hotmail.com> Cc: Universal Acceptance <ua-discuss@icann.org> Subject: Re: [UA-discuss] UA and phishiness
Il 26 aprile 2018 alle 22.27 Andrew Sullivan <ajs@anvilwalrusden.com<mailto:ajs@anvilwalrusden.com>> ha scritto:
I guess I was wondering whether the SG wants to say that b is fine but
c is a bad idea. It sounds like the SG _does_ think that, but I can't
find it on the site yet :-)
I think that system administrators should be aware that many more TLDs than the best known ones exist, including TLDs in non-ASCII characters, and even more will be introduced, and should support and accept all of them except if they think they have reasons to blacklist specific TLDs due to non-technical issues. So, what we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful. This would IMHO be an acceptable stance that does not enter into thorny content-related issues (because it does not tell anyone what to blacklist and when) but still promotes universal acceptance. Regards, -- Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@open-xchange.com<mailto:vittorio.bertola@open-xchange.com> Office @ Via Treviso 12, 10144 Torino, Italy
folks should not block entire TLDs, only subdomains which is what happens in all legacy TLDs. I doubt any admin is blocking ALL of .com, .biz, .uk etc my suggestion: make sure you accept any TLD by default, but feel free to blacklist any domain name that you consider harmful
On Apr 30, 2018, at 9:54 AM, Mark Svancarek via UA-discuss <ua-discuss@icann.org> wrote:
This seems reasonable, are there any objections?
we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful
-----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Vittorio Bertola Sent: Friday, April 27, 2018 01:21 To: Andrew Sullivan <ajs@anvilwalrusden.com>; Roberto Gaetano <roberto_gaetano@hotmail.com> Cc: Universal Acceptance <ua-discuss@icann.org> Subject: Re: [UA-discuss] UA and phishiness
Il 26 aprile 2018 alle 22.27 Andrew Sullivan <ajs@anvilwalrusden.com <mailto:ajs@anvilwalrusden.com>> ha scritto:
I guess I was wondering whether the SG wants to say that b is fine but c is a bad idea. It sounds like the SG _does_ think that, but I can't find it on the site yet :-)
I think that system administrators should be aware that many more TLDs than the best known ones exist, including TLDs in non-ASCII characters, and even more will be introduced, and should support and accept all of them except if they think they have reasons to blacklist specific TLDs due to non-technical issues. So, what we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful. This would IMHO be an acceptable stance that does not enter into thorny content-related issues (because it does not tell anyone what to blacklist and when) but still promotes universal acceptance. Regards, --
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@open-xchange.com <mailto:vittorio.bertola@open-xchange.com> Office @ Via Treviso 12, 10144 Torino, Italy
+1 exactly, the domain name, not the gTLD/ccTLD as is we don't need another reincarnation of the similar SpamHouse approach YK, .укр IDN ccTLD Monday, April 30, 2018, 8:28:15 PM, you wrote:
folks should not block entire TLDs, only subdomains which is what happens in all legacy TLDs. I doubt any admin is blocking ALL of .com, .biz, .uk etc my suggestion:
make sure you accept any TLD by default, but feel free to blacklist any domain name that you consider harmful
On Apr 30, 2018, at 9:54 AM, Mark Svancarek via UA-discuss <ua-discuss@icann.org> wrote:
This seems reasonable, are there any objections?
we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful
-----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Vittorio Bertola Sent: Friday, April 27, 2018 01:21 To: Andrew Sullivan <ajs@anvilwalrusden.com>; Roberto Gaetano <roberto_gaetano@hotmail.com> Cc: Universal Acceptance <ua-discuss@icann.org> Subject: Re: [UA-discuss] UA and phishiness
Il 26 aprile 2018 alle 22.27 Andrew Sullivan <ajs@anvilwalrusden.com <mailto:ajs@anvilwalrusden.com>> ha scritto:
I guess I was wondering whether the SG wants to say that b is fine but c is a bad idea. It sounds like the SG _does_ think that, but I can't find it on the site yet :-)
I think that system administrators should be aware that many more TLDs than the best known ones exist, including TLDs in non-ASCII characters, and even more will be introduced, and should support and accept all of them except if they think they have reasons to blacklist specific TLDs due to non-technical issues. So, what we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful. This would IMHO be an acceptable stance that does not enter into thorny content-related issues (because it does not tell anyone what to blacklist and when) but still promotes universal acceptance. Regards, --
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@open-xchange.com <mailto:vittorio.bertola@open-xchange.com> Office @ Via Treviso 12, 10144 Torino, Italy
+1 Paul I am sure that there might be cases in which whole TLDs are blocked (one could guess that .xxx might be a case) but that should not mean that we “endorse” this radical choice. Cheers, R On 30.04.2018, at 19:28, Paul Stahura <paul@donuts.email<mailto:paul@donuts.email>> wrote: folks should not block entire TLDs, only subdomains which is what happens in all legacy TLDs. I doubt any admin is blocking ALL of .com, .biz, .uk etc my suggestion: make sure you accept any TLD by default, but feel free to blacklist any domain name that you consider harmful On Apr 30, 2018, at 9:54 AM, Mark Svancarek via UA-discuss <ua-discuss@icann.org<mailto:ua-discuss@icann.org>> wrote: This seems reasonable, are there any objections? we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org<mailto:ua-discuss-bounces@icann.org>> On Behalf Of Vittorio Bertola Sent: Friday, April 27, 2018 01:21 To: Andrew Sullivan <ajs@anvilwalrusden.com<mailto:ajs@anvilwalrusden.com>>; Roberto Gaetano <roberto_gaetano@hotmail.com<mailto:roberto_gaetano@hotmail.com>> Cc: Universal Acceptance <ua-discuss@icann.org<mailto:ua-discuss@icann.org>> Subject: Re: [UA-discuss] UA and phishiness
Il 26 aprile 2018 alle 22.27 Andrew Sullivan <ajs@anvilwalrusden.com<mailto:ajs@anvilwalrusden.com>> ha scritto:
I guess I was wondering whether the SG wants to say that b is fine but c is a bad idea. It sounds like the SG _does_ think that, but I can't find it on the site yet :-)
I think that system administrators should be aware that many more TLDs than the best known ones exist, including TLDs in non-ASCII characters, and even more will be introduced, and should support and accept all of them except if they think they have reasons to blacklist specific TLDs due to non-technical issues. So, what we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful. This would IMHO be an acceptable stance that does not enter into thorny content-related issues (because it does not tell anyone what to blacklist and when) but still promotes universal acceptance. Regards, -- Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@open-xchange.com<mailto:vittorio.bertola@open-xchange.com> Office @ Via Treviso 12, 10144 Torino, Italy
On 4/30/2018 10:28 AM, Paul Stahura wrote:
folks should not block entire TLDs, only subdomains
Well, that assumes a public TLD, otherwise the distinction is meaningless. But there are TLDs with badness quotients of well over 50%. I'm all in favor of blacklisting the whole TLD as an "incentive" to come clean. https://www.spamhaus.org/statistics/tlds/ A./
which is what happens in all legacy TLDs. I doubt any admin is blocking ALL of .com, .biz, .uk etc my suggestion: / make sure you accept any TLD by default, but feel free to blacklist any domain name that you consider harmful/
On Apr 30, 2018, at 9:54 AM, Mark Svancarek via UA-discuss <ua-discuss@icann.org <mailto:ua-discuss@icann.org>> wrote:
This seems reasonable, are there any objections? /we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful/ -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org <mailto:ua-discuss-bounces@icann.org>> On Behalf Of Vittorio Bertola Sent: Friday, April 27, 2018 01:21 To: Andrew Sullivan <ajs@anvilwalrusden.com <mailto:ajs@anvilwalrusden.com>>; Roberto Gaetano <roberto_gaetano@hotmail.com <mailto:roberto_gaetano@hotmail.com>> Cc: Universal Acceptance <ua-discuss@icann.org <mailto:ua-discuss@icann.org>> Subject: Re: [UA-discuss] UA and phishiness
Il 26 aprile 2018 alle 22.27 Andrew Sullivan <ajs@anvilwalrusden.com <mailto:ajs@anvilwalrusden.com>> ha scritto:
I guess I was wondering whether the SG wants to say that b is fine but c is a bad idea. It sounds like the SG _does_ think that, but I can't find it on the site yet :-) I think that system administrators should be aware that many more TLDs than the best known ones exist, including TLDs in non-ASCII characters, and even more will be introduced, and should support and accept all of them except if they think they have reasons to blacklist specific TLDs due to non-technical issues. So, what we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful. This would IMHO be an acceptable stance that does not enter into thorny content-related issues (because it does not tell anyone what to blacklist and when) but still promotes universal acceptance. Regards, -- Vittorio Bertola | Head of Policy & Innovation, Open-Xchangevittorio.bertola@open-xchange.com <mailto:vittorio.bertola@open-xchange.com>Office @ Via Treviso 12, 10144 Torino, Italy
+1 Paul. I can understand the need to protect one's clients from incoming spam by blocking an entire TLD. I do get that. However, i would like to point out that NO external report can conclude the exact percentage of abuse activity originating from within a TLD namespace. Rather than blocking, I would encourage engagement with TLD operators to fix the problem. I beleive no operator applied for an nTLD to promote spam/abuse. Final thought, despite having a great registration to abuse ratio, .com is still on top of the most abused TLD list - http://www.surbl.org/tld. It has always been there. *Aman Masjide*Program Manager Anti-Abuse Department T: +91 (22) 6196 6300 Extn: 8653 Skype: amasjide *Google Buys Business.Site for Google My Business <http://bit.ly/2xsTmrn>* On Tue, May 1, 2018 at 12:16 AM, Asmus Freytag <asmusf@ix.netcom.com> wrote:
On 4/30/2018 10:28 AM, Paul Stahura wrote:
folks should not block entire TLDs, only subdomains
Well, that assumes a public TLD, otherwise the distinction is meaningless.
But there are TLDs with badness quotients of well over 50%. I'm all in favor of blacklisting the whole TLD as an "incentive" to come clean.
https://www.spamhaus.org/statistics/tlds/
A./
which is what happens in all legacy TLDs. I doubt any admin is blocking ALL of .com, .biz, .uk etc my suggestion:
* make sure you accept any TLD by default, but feel free to blacklist any domain name that you consider harmful*
On Apr 30, 2018, at 9:54 AM, Mark Svancarek via UA-discuss < ua-discuss@icann.org> wrote:
This seems reasonable, are there any objections?
*we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful*
-----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of Vittorio Bertola Sent: Friday, April 27, 2018 01:21 To: Andrew Sullivan <ajs@anvilwalrusden.com>; Roberto Gaetano < roberto_gaetano@hotmail.com> Cc: Universal Acceptance <ua-discuss@icann.org> Subject: Re: [UA-discuss] UA and phishiness
Il 26 aprile 2018 alle 22.27 Andrew Sullivan <ajs@anvilwalrusden.com> ha scritto:
I guess I was wondering whether the SG wants to say that b is fine but c is a bad idea. It sounds like the SG _does_ think that, but I can't find it on the site yet :-)
I think that system administrators should be aware that many more TLDs than the best known ones exist, including TLDs in non-ASCII characters, and even more will be introduced, and should support and accept all of them except if they think they have reasons to blacklist specific TLDs due to non-technical issues. So, what we could advocate is: make sure you accept any TLD (and any domain name) by default, but feel free to blacklist those that you consider harmful. This would IMHO be an acceptable stance that does not enter into thorny content-related issues (because it does not tell anyone what to blacklist and when) but still promotes universal acceptance. Regards, --
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@open-xchange.com Office @ Via Treviso 12, 10144 Torino, Italy <https://maps.google.com/?q=Via+Treviso+12,+10144+Torino,+Italy&entry=gmail&s...>
--
On Mon, Apr 30, 2018 at 10:28:15AM -0700, Paul Stahura wrote:
folks should not block entire TLDs, only subdomains which is what happens in all legacy TLDs. I doubt any admin is blocking ALL of .com, .biz, .uk etc
I think you are quite incorrect that people are not blocking all of .biz (or all of .info) today. There definitely are people who do that. This is the Internet, of course, so if they want to do that it's their choice. If they're doing it because they think a given TLD is insufficiently aggressive about stepping on sources of abuse, then perhaps that will encourage TLD operators to enforce the T&C. A -- Andrew Sullivan ajs@anvilwalrusden.com
Andrew, I think that there is a major difference between the individual decision of an operator to block a whole TLD (as you rightfully point out, this is the internet so it is their choice) and the endorsement of this approach by bodies as the UASG. If I remember correctly, your initial question was: “Does UASG have a view about this?”. The fact that some operators do block whole TLDs is what it is, a fact. That we endorse is as a policy, is a completely different matter. Or am I missing something? Cheers, R
On 02.05.2018, at 15:56, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
On Mon, Apr 30, 2018 at 10:28:15AM -0700, Paul Stahura wrote:
folks should not block entire TLDs, only subdomains which is what happens in all legacy TLDs. I doubt any admin is blocking ALL of .com, .biz, .uk etc
I think you are quite incorrect that people are not blocking all of .biz (or all of .info) today. There definitely are people who do that. This is the Internet, of course, so if they want to do that it's their choice. If they're doing it because they think a given TLD is insufficiently aggressive about stepping on sources of abuse, then perhaps that will encourage TLD operators to enforce the T&C.
A
-- Andrew Sullivan ajs@anvilwalrusden.com
On Wed, May 02, 2018 at 02:38:43PM +0000, Roberto Gaetano wrote:
Andrew, I think that there is a major difference between the individual decision of an operator to block a whole TLD (as you rightfully point out, this is the internet so it is their choice) and the endorsement of this approach by bodies as the UASG.
Yep.
If I remember correctly, your initial question was: “Does UASG have a view about this?”. The fact that some operators do block whole TLDs is what it is, a fact. That we endorse is as a policy, is a completely different matter. Or am I missing something?
No, and it sounds like UASG does in fact have a view about it, from a meeting where I was not :) But I haven't found it written down anywhere so I can point people at it. A -- Andrew Sullivan ajs@anvilwalrusden.com
+1 Roberto My opinion is that we should proactively endorse not blocking entire TLDs, and not be silent about it. Blocking an entire TLD does not get the TLD operator to change behavior (which is having extremely low pricing for new registrations) and harms the good registrants in that TLD. Blocking specific names works because it effects the bad guys no matter what the TLD pricing is. Abuse is extremely correlated in TLDs with very low (near zero) prices who therefore have to spend more on abuse/enforcement that their icann contracts require, but that tradeoff makes economic sense for them. Those (low price and hence high % bad zone file TLDs) are then highlighted in the press as bad actors. When a large zone file TLD has low new registration pricing the bad registrations are less of a percent of the zone so they are not highlighted in the press. This is their (typically not new tld operators) competitive advantage which they totally utilize. It lets them sometimes go to very low prices (such as what .com did in china a year+ ago) without the backlash in the press. And they have another use for that advantage... What happens is competitive/economic forces (among TLD operators) kicks in and some TLD operators create and amplify FUD and negative perception which spills over to get IDN and other new TLDs indiscriminately blocked. That harms the internet and is why i agree with Roberto - our policy should not be to endorse blocking entire tlds. Nor should we remain silent about it either because it effects UA. Sent from my iPhone
On May 2, 2018, at 8:00 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
On Wed, May 02, 2018 at 02:38:43PM +0000, Roberto Gaetano wrote: Andrew, I think that there is a major difference between the individual decision of an operator to block a whole TLD (as you rightfully point out, this is the internet so it is their choice) and the endorsement of this approach by bodies as the UASG.
Yep.
If I remember correctly, your initial question was: “Does UASG have a view about this?”. The fact that some operators do block whole TLDs is what it is, a fact. That we endorse is as a policy, is a completely different matter. Or am I missing something?
No, and it sounds like UASG does in fact have a view about it, from a meeting where I was not :) But I haven't found it written down anywhere so I can point people at it.
A
-- Andrew Sullivan ajs@anvilwalrusden.com
UASG-007 says: " The following are considered to be poor practice.....Setting spam blockers to automatically block entire TLDs." This may be the only explicit statement of UASG position on this issue. -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org> On Behalf Of paul@donuts.email Sent: Wednesday, May 2, 2018 09:59 To: Andrew Sullivan <ajs@anvilwalrusden.com> Cc: ua-discuss@icann.org Subject: Re: [UA-discuss] UA and phishiness +1 Roberto My opinion is that we should proactively endorse not blocking entire TLDs, and not be silent about it. Blocking an entire TLD does not get the TLD operator to change behavior (which is having extremely low pricing for new registrations) and harms the good registrants in that TLD. Blocking specific names works because it effects the bad guys no matter what the TLD pricing is. Abuse is extremely correlated in TLDs with very low (near zero) prices who therefore have to spend more on abuse/enforcement that their icann contracts require, but that tradeoff makes economic sense for them. Those (low price and hence high % bad zone file TLDs) are then highlighted in the press as bad actors. When a large zone file TLD has low new registration pricing the bad registrations are less of a percent of the zone so they are not highlighted in the press. This is their (typically not new tld operators) competitive advantage which they totally utilize. It lets them sometimes go to very low prices (such as what .com did in china a year+ ago) without the backlash in the press. And they have another use for that advantage... What happens is competitive/economic forces (among TLD operators) kicks in and some TLD operators create and amplify FUD and negative perception which spills over to get IDN and other new TLDs indiscriminately blocked. That harms the internet and is why i agree with Roberto - our policy should not be to endorse blocking entire tlds. Nor should we remain silent about it either because it effects UA. Sent from my iPhone
On May 2, 2018, at 8:00 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
On Wed, May 02, 2018 at 02:38:43PM +0000, Roberto Gaetano wrote: Andrew, I think that there is a major difference between the individual decision of an operator to block a whole TLD (as you rightfully point out, this is the internet so it is their choice) and the endorsement of this approach by bodies as the UASG.
Yep.
If I remember correctly, your initial question was: “Does UASG have a view about this?”. The fact that some operators do block whole TLDs is what it is, a fact. That we endorse is as a policy, is a completely different matter. Or am I missing something?
No, and it sounds like UASG does in fact have a view about it, from a meeting where I was not :) But I haven't found it written down anywhere so I can point people at it.
A
-- Andrew Sullivan ajs@anvilwalrusden.com
On Wed, May 02, 2018 at 07:24:33PM +0000, Mark Svancarek wrote:
UASG-007 says: " The following are considered to be poor practice.....Setting spam blockers to automatically block entire TLDs."
This may be the only explicit statement of UASG position on this issue.
Thanks, that helps. FWIW, this was actually a meeting about the PKI, and some people were talking about (1) refusing certificates or (2) refusing OV or EV certificates to people in known-to-be-troublesome TLDs unless the TLD had a clear and working anti-abuse and takedown mechanism in place. Given the ICANN contractual environment, that is difficult. But as whois/RDS gets harder to use for outside parties, I predict that more and more anti-abuse measures will be taken at the entire TLD level. A -- Andrew Sullivan ajs@anvilwalrusden.com
My thoughts on this issue includes:- There may well be events which do warrant blocking TLD(s): ① a declaration of (cyber) war ② an exceptionally severe cyber attack that threatens to break the internet infrastructure I am ok with the blocking being done automatically by some monitoring software but the monitoring software should have limited authority and should only be able to block TLD(s) for a limited time, say 10 minutes. Any decision to continue the blocking should be made by people. Spam is not a good enough reason to block a TLD. André Schappo On 2 May 2018, at 20:24, Mark Svancarek via UA-discuss <ua-discuss@icann.org<mailto:ua-discuss@icann.org>> wrote: UASG-007 says: " The following are considered to be poor practice.....Setting spam blockers to automatically block entire TLDs." This may be the only explicit statement of UASG position on this issue. -----Original Message----- From: UA-discuss <ua-discuss-bounces@icann.org<mailto:ua-discuss-bounces@icann.org>> On Behalf Of paul@donuts.email<mailto:paul@donuts.email> Sent: Wednesday, May 2, 2018 09:59 To: Andrew Sullivan <ajs@anvilwalrusden.com<mailto:ajs@anvilwalrusden.com>> Cc: ua-discuss@icann.org<mailto:ua-discuss@icann.org> Subject: Re: [UA-discuss] UA and phishiness +1 Roberto My opinion is that we should proactively endorse not blocking entire TLDs, and not be silent about it. Blocking an entire TLD does not get the TLD operator to change behavior (which is having extremely low pricing for new registrations) and harms the good registrants in that TLD. Blocking specific names works because it effects the bad guys no matter what the TLD pricing is. Abuse is extremely correlated in TLDs with very low (near zero) prices who therefore have to spend more on abuse/enforcement that their icann contracts require, but that tradeoff makes economic sense for them. Those (low price and hence high % bad zone file TLDs) are then highlighted in the press as bad actors. When a large zone file TLD has low new registration pricing the bad registrations are less of a percent of the zone so they are not highlighted in the press. This is their (typically not new tld operators) competitive advantage which they totally utilize. It lets them sometimes go to very low prices (such as what .com did in china a year+ ago) without the backlash in the press. And they have another use for that advantage... What happens is competitive/economic forces (among TLD operators) kicks in and some TLD operators create and amplify FUD and negative perception which spills over to get IDN and other new TLDs indiscriminately blocked. That harms the internet and is why i agree with Roberto - our policy should not be to endorse blocking entire tlds. Nor should we remain silent about it either because it effects UA. Sent from my iPhone On May 2, 2018, at 8:00 AM, Andrew Sullivan <ajs@anvilwalrusden.com<mailto:ajs@anvilwalrusden.com>> wrote: On Wed, May 02, 2018 at 02:38:43PM +0000, Roberto Gaetano wrote: Andrew, I think that there is a major difference between the individual decision of an operator to block a whole TLD (as you rightfully point out, this is the internet so it is their choice) and the endorsement of this approach by bodies as the UASG. Yep. If I remember correctly, your initial question was: “Does UASG have a view about this?”. The fact that some operators do block whole TLDs is what it is, a fact. That we endorse is as a policy, is a completely different matter. Or am I missing something? No, and it sounds like UASG does in fact have a view about it, from a meeting where I was not :) But I haven't found it written down anywhere so I can point people at it. A -- Andrew Sullivan ajs@anvilwalrusden.com<mailto:ajs@anvilwalrusden.com> 🌏 🌍 🌎 André Schappo 小山@电邮.在线?Subject=你好小山😜<mailto:%E5%B0%8F%E5%B1%B1@%E7%94%B5%E9%82%AE.%E5%9C%A8%E7%BA%BF?Subject=%E4%BD%A0%E5%A5%BD%E5%B0%8F%E5%B1%B1%F0%9F%98%9C> schappo.blogspot.co.uk<https://schappo.blogspot.co.uk> twitter.com/andreschappo<https://twitter.com/andreschappo> weibo.com/andreschappo?is_all=1<https://weibo.com/andreschappo?is_all=1> groups.google.com/forum/#!forum/computer-science-curriculum-internationalization<https://groups.google.com/forum/#!forum/computer-science-curriculum-internat...>
While in principle this may sound like a sensible argument, I stop buying it for TLDs that are reported to have bad domains in the (mid to high) double-digit percentage level. Also, wearing my hat as a site admin, I don't care whether a TLD exceeds the contractual obligations with ICANN... A./ On 5/2/2018 9:59 AM, paul@donuts.email wrote:
+1 Roberto My opinion is that we should proactively endorse not blocking entire TLDs, and not be silent about it.
Blocking an entire TLD does not get the TLD operator to change behavior (which is having extremely low pricing for new registrations) and harms the good registrants in that TLD. Blocking specific names works because it effects the bad guys no matter what the TLD pricing is. Abuse is extremely correlated in TLDs with very low (near zero) prices who therefore have to spend more on abuse/enforcement that their icann contracts require, but that tradeoff makes economic sense for them. Those (low price and hence high % bad zone file TLDs) are then highlighted in the press as bad actors. When a large zone file TLD has low new registration pricing the bad registrations are less of a percent of the zone so they are not highlighted in the press. This is their (typically not new tld operators) competitive advantage which they totally utilize. It lets them sometimes go to very low prices (such as what .com did in china a year+ ago) without the backlash in the press. And they have another use for that advantage... What happens is competitive/economic forces (among TLD operators) kicks in and some TLD operators create and amplify FUD and negative perception which spills over to get IDN and other new TLDs indiscriminately blocked. That harms the internet and is why i agree with Roberto - our policy should not be to endorse blocking entire tlds. Nor should we remain silent about it either because it effects UA.
Sent from my iPhone
On May 2, 2018, at 8:00 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
On Wed, May 02, 2018 at 02:38:43PM +0000, Roberto Gaetano wrote: Andrew, I think that there is a major difference between the individual decision of an operator to block a whole TLD (as you rightfully point out, this is the internet so it is their choice) and the endorsement of this approach by bodies as the UASG. Yep.
If I remember correctly, your initial question was: “Does UASG have a view about this?”. The fact that some operators do block whole TLDs is what it is, a fact. That we endorse is as a policy, is a completely different matter. Or am I missing something? No, and it sounds like UASG does in fact have a view about it, from a meeting where I was not :) But I haven't found it written down anywhere so I can point people at it.
A
-- Andrew Sullivan ajs@anvilwalrusden.com
Personally I have always believed these two areas to be deeply connected - and many new TLDs like Club and others have pretty strong anti-abuse standards. Asking system administrators to bake in acceptance for new TLDs but then not being able to address the abuse issue - rings hollow for a lot of admins. I would certainly be in favour of expanding the mandate to include a view on abuse etc. -- Dirk Bhagat CoFounder, CTO .CLUB DOMAINS LLC. 100 SE 3rd Ave, Suite 1310 Fort Lauderdale, Fl, 33394 o: 954.530.2580 m: 416.839.4945 Get.club <http://www.get.club> On Thu, Apr 26, 2018 at 1:36 PM, Richard Merdinger <rmerdinger@godaddy.com> wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
Richard Merdinger VP, Domains rmerdinger@godaddy.com
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
On 4/26/2018 11:29 AM, Dirk Bhagat wrote:
Personally I have always believed these two areas to be deeply connected - and many new TLDs like Club and others have pretty strong anti-abuse standards. Asking system administrators to bake in acceptance for new TLDs but then not being able to address the abuse issue - rings hollow for a lot of admins.
^^That.
I would certainly be in favour of expanding the mandate to include a view on abuse etc.
-- Dirk Bhagat
CoFounder, CTO .CLUB DOMAINS LLC. 100 SE 3rd Ave, Suite 1310 Fort Lauderdale, Fl, 33394 o: 954.530.2580 m: 416.839.4945 Get.club <http://www.get.club>
On Thu, Apr 26, 2018 at 1:36 PM, Richard Merdinger <rmerdinger@godaddy.com <mailto:rmerdinger@godaddy.com>> wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
Richard Merdinger VP, Domains rmerdinger@godaddy.com <mailto:rmerdinger@godaddy.com>
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org <mailto:ua-discuss-bounces@icann.org>] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org <mailto:ua-discuss@icann.org> Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
On 4/26/2018 10:36 AM, Richard Merdinger wrote:
Andrew, I get the connection, but I think that this is adjacent to our remit as opposed to part of it.
Other thoughts on this?
My take is that you cannot separate a charter to get everyone to support all domains equally from getting all domains to be equally worthy of support. At some point, you'll just replace "structural" barriers to acceptance by black and gray lists. In my personal life, I run a small forum, and there I cheerfully ban access from any TLDs and IP addresses not based in the US and a small number of selected countries. Spam magically goes to zero and my (local) audience is not affected. Pretty draconian black list (or white list, actually), but I don't have the time to waste on accepting and cleaning up after garbage. Extreme, perhaps, but I think this group ignores the potential costs/risks of universal acceptance at its peril. "Poor anti-abuse stance" should not be rewarded with acceptance. A./
Richard Merdinger VP, Domains rmerdinger@godaddy.com
-----Original Message----- From: UA-discuss [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrew Sullivan Sent: April 26, 2018 12:34 PM To: ua-discuss@icann.org Subject: [UA-discuss] UA and phishiness
Hi,
I'm in a meeting about the web PKI and there's a discussion about how poor the anti-abuse stance is of some new TLDs. Does UASG have a view about this? Should it?
A
-- Please excuse my clumbsy thums
participants (14)
-
Aman Masjide -
Andre Schappo -
Andrew Sullivan -
Asmus Freytag -
Dirk Bhagat -
Don Hollander -
Lars Steffen -
Mark Svancarek -
Paul Stahura -
paul@donuts.email
-
Richard Merdinger -
Roberto Gaetano -
Vittorio Bertola -
Yuriy Kargapolov