> ... by 2018, ISOC was sitting on a pretty large ongoing revenue stream in the form of .org registration fees. However, ISOC management felt that having essentially all of their funding dependent on one revenue source was unwise and that actually running .org was a mismatch with ISOC’s main mission. Instead, they entered into a deal to sell PIR (and hence the .org contract) to a private equity firm called Ethos Capital, which is where things get interesting.
This sounds like a rather shortsighted decision, to give up a very reliable source of recurring revenue because you'd rather only have multiple smaller sources of revenue... why not both?
The current situation results in money ending up in the pockets of ISOC. By doing the deal, the future revenue would go into the pockets of a private equity firm instead, a much better deal for the people running the private equity firm - who incidentally happened to be the same people making the decision!
But also the contract ends in 2029. Trying to sell it now while it's still worth something and user the money to establish multiple streams of income which don't have the risk of abruptly ending in 2029 it's on itself not a bad idea.
Just that the moment you do so in a way which might privatelty profit you massively people stop trusting you anyway.
Its nonsensical. They get almost all of their funding from one source, which they say is a bad idea even though the income stream is very reliable for the foreseeable future.
So their plan is to get rid of it and replace it with...what exactly? Donations? Some other kind of industry that they have not mentioned yet? The plan seemed to start and end with selling off their primary revenue stream.
Assuming it was sold for what it was worth, the selling price could have been used as an endowment to purchase investments with a similar cashflow/risk profile but greater diversification so lesser risk overall. This is pretty basic economics: the value of an investment is the NPV of its future cashflows.
What possible investment could ever match the risk:return of .org and where do I sign up? That is about the most risk free/cash positive investment in the history of mankind. Short of cornering the worldwide market on oxygen you aren't going to find a better investment.
"One interesting fact about these contracts is that they are effectively perpetual: the contracts themselves are for quite long terms and registry agreements typically provide for automatic renewal except under cases of significant misbehavior by the registry. In other words, this is a more or less permanent claim on the revenues for a given TLD."
Or they could have invested a portion of their income for the past 20 years and built an endowment while still having a nice revenue stream. Nobody has explained where all their cash disappeared to.
I don't think anyone cares about ISOC beyond them having control of .org. Really, what do they do? By selling to Ethos, they'd get out of the public's purview. Then they could take the billion dollars and give contracts "to better the internet" to friends, family, and relatives. Free money!
The Handshake project [1] attempts to decentralize the DNS root zone (using a blockchain what else).
If, like me, you're suspicious about anything blockchain, a fun fact about Handshake: the developers took $10 million of VC money and donated it to Free and Open Source foundations [2]. That was actual cash donated, not magical internet money (though magical internet money was also donated).
Some coins were premined. 80% of those were airdropped to GitHub users. If you had more than 15 followers in February 2019, you can still claim your airdrop [3]! (Disclaimer: this is what got me interested in Handshake)
I have the same visceral reaction. Is it possible the "scam mode" label is incorrect in this case? I guess you could say they scammed the VCs to donate their money to various nonprofits...
While I can't vouch for the financial incentive regarding the VC funding. From a pure technical perspective, wouldn't it be better to have a blockchain style of recording keeping instead of having the record to be in one central location?
There are some major practical problems with blockchain based domain management. Mainly because of all kind of local country specific regulations. Like e.g. with regard to trademarks. You know this kind of thinks people like to not bother with when making a technical solution to a not purly technical problem.
While I believe that a good decentralized technical solution is possible and can be a massive improvement I am extremely sceptical about any solution involving any form of coins.
I haven't looked into this particular implementation, but most blockchains have the fundamental problem of being immutable. Storing domain names in an immutable registry seems like a legal disaster waiting to happen.
What if someone registers a domain whose name contains sensitive personally identifiable information? Like www.elon-musks-SSN-is-0123456789.com? Everyone who distributes the DNS records might be in violation of the GDPR and similar laws.
And similarly if the name of a domain is found to be libel.
> tl;dr: Censorship resistance is a feature, not a bug. Names are registered for a year at a time. Existing TLDs and the top 100,000 Alexa websites are reserved for existing DNS registrants.
This doesn't make it any less incompatible with many countries law system.
And yes sadly this means that systems compatible with most countries law are also prone to corruption by secret service/government order. Even if you are limiting it to "democratic western" countries.
Through it's at least worth a try as law can be changed and as long as it doesn't come closer to replacing the current system as main solution it likely to be tolerated giving it time to convince people to allow the change.
tl;dr: Censorship resistance is a feature, not a bug. Names are registered for a year at a time. Existing TLDs and the top 100,000 Alexa websites are reserved for existing DNS registrants.
It very much is a bug to design your system incapable of complying with existing laws. Calling it "censorship resistance" doesn't make that noble, just dishonest.
It's also funny how the FAQ explicitly claims better protection of registrants' personal information as a feature, yet according to you a complete inability to protect anyone's personal information that some puts out there is also a feature...
If something is leaked once it is leaked forever. Anyway, would you say the same about projects like tor or freenet? They have censorship resistance too.
That maybe "censorship resistance" isn't the universal good some people make it out as. Maybe the people who benefit the most from it, and who make up the majority of those who actually benefit, are criminals. Maybe it's not a great idea to make tools that make it easier for criminals to commit crimes.
> That maybe "censorship resistance" isn't the universal good some people make it out as
How is it not? Not having it means that certain organisations and governments will be able to remove your ability to see certain things.
> Maybe the people who benefit the most from it, and who make up the majority of those who actually benefit, are criminals
Again, debatable. See all kinds of videos that are removed from youtube because either youtube thinks that they violate their tos or because someone makes a copyright claim on them for example.
But even if the majority of these who did benefit from it were criminals, I will ask again, and?
> Maybe it's not a great idea to make tools that make it easier for criminals to commit crimes.
How so? I would assume that most of these who make such tools have some form of ideology similar to anarchism and who do not think that every action that the government designates as a crime is morally evil. In addition a lot of these people believe that certain elites and government officials are the ones committing the biggest crimes and use such tools to enforce transparency and benefit from censorship resistance and anonimity.
Because it helps criminals commit crimes. Not crimes as in "oh the government doesn't like you doing this", crimes as in theft, fraud, blackmail and child rape.
> You can't steal physical objects via TCP due to censorship resistance.
You can steal money, and passwords. And you can steal things in the physical world and sell them over the internet.
> If anything censorship resistance helps prevent fraud
The entire Bitcoin economy gives a massive counterexample of this.
> I do not see how censorship resistance has anything to do with blackmail.
Censorship-resistant digital currencies like Bitcoin are massively used for ransomware and other forms blackmail.
> I do not see how censorship resistance can help a criminal rape children via TCP.
You are not so stupid that you would think anyone was ever making that argument. Do not feign stupidity, that never makes you look clever or convince anyone of your argument. I am ignoring this one and giving you a second chance to give a good-faith answer.
Censorship resistance somehow helps you steal money and passwords via TCP? How?
(Regardless, I am not buying this whole "stealing numbers" thing)
> And you can steal things in the physical world and sell them over the internet.
Sure, how is censorship resistance relevant to this?
> The entire Bitcoin economy gives a massive counterexample of this.
Do you know of a lot of people who put advertisements of their companies on the blockchain?
Regardless (and I am going on an off-topic tangent here), anyone dealing in bitcoin should be aware of the fraud issue. You are not going around asking people to ban stoves because you decided that it would be a good idea to put your hand on one despite being aware of the potential complications.
> Censorship-resistant digital currencies like Bitcoin are massively used for ransomware and other forms blackmail.
Censorship resistance has again nothing to do with this. There is nothing stopping someone from including some form of "chargeback" command in a censorship-resistant cryptocurrency. I can't say for sure why this has not been done but I presume that most cryptocurrency users would not like to give the ability to a centralised institution to take their money away from them (I know for sure that the freelancers that use paypal are not too happy with this).
In addition there are a lot of real life services that do not offer the ability to chargeback yet they do not offer censorship resistance - western union for example.
> You are not so stupid that you would think anyone was ever making that argument
Rather than insulting people because you think that they misunderstood your post why not try to elaborate instead?
Actually, I find that calling it censorship resistance is incredibly honest.
You're absolutely right that there's a complete inability to protect anyone's personal information that someone puts out there at the blockchain level - but that's clearly a different level of "protecting registrants' personal information" than keeping such information for all website names in centralized databases that governments can access with a piece of rubber stamped paper. The two aren't conflatable the way OP mentions it.
As an example - elonmusksssnis012345167 and other such names containing personal information could be blocked by the browsers or other legally liable, centralized points of access that people use to access Handshake names. My example isn't mutually exclusive with having a decentralized, distributed base layer (root zone) for names. If such (legally needed) censorship abilities were built in at the root zone, we'd see it abused as it is in the current system. That's the censorship resistance feature.
tldr; Legal censorship can and should happen at another layer.
It was the same in 2000 with anything internet, and then again some years later with Web 2.0. Simply switching to "scam mode" may sound good in a forum post, but you miss the interesting stuff too.
It's not that unjustifiable if almost every cryptocurrency-related project out there turns out to be a scam.
I'm not saying nothing will ever come out of this technology - just that, at this point in time, it's wise to approach every such project as fraudlent until proven otherwise.
If one believes that the Proof of Work algorithm/behavior itself is a scam at a technological level, then the onus is on you to prove which of the Top 200 coins has a valid business model with a valid sustainable growth model.
Building lots of git commits until you get a commit hash that starts with the right number of zeroes is a fascinating scam that is wasting so much computing power, energy, etc that it almost should be a crime, whether or not you believe that these git commits with lots of zeroes in the hash numbers are used for anything more than nearly criminal Ponzi Schemes beside that.
"Giving out money for free" isn't really something that make me think something is LESS of a scam. Giving out free money is literally what every every cryptocurrency scam does at first.
I'm not an expert on cryptocurrency scams, but if anything, I think they'd generally give away their magical internet tokens rather than US dollars. (Though I suppose magical internet tokens can be exchanged for US dollars so perhaps there isn't that much of a difference?)
In the short history of the Internet so far, domain names originally were free. Many of the early .com(mmercial) names, e.g., bbn.com, dec.com, etc., were registered for free. Some TLDs were non-commercial for a long time, e.g., Educase I think only began charging fees for .edu around 2006.
For me, the question remains why do user have to pay for domain names.
Users once had to pay for SSL certificates but it seems like Let's Encrypt found a way to work around that.
Why can't the same be done for domain names.
One could argue the "legitimacy" of LE certs is directly connected to, or even dependent upon, the "legitimacy" of the applicant's domain name registration. An ICANN-approved domain name registration is required to obtain a LE cert. Wonder why LE does not operate a domain name registry.
> For me, the question remains why do user have to pay for domain names.
Because they're scarce! Should you have `x3blah` or should I have it? If domain names are free, how do we decide who operates which domain?
If I understood it right, one of the goals of Handshake is for names to be almost free. With a near-infinite number of TLDs which you can buy for as little as $0.09 (and renew for $0.02 every two years), less desired names become essentially free.
Furthermore, you can become a registrar! With such a low cost (about $2 over our expected lifetime), you can charge extremely low fees for `domain.x3blah` or even give out the second level domains for free!
What if no one gets "x3blah" and we each get some random string, e.g., an ed25519 public key.
Handshake looks like it wants to create another "gold rush" for "vanity" names. We have already had that. We have already seen how it plays out. It has been a while since I read through the Handshake docs. Are there limits on how many names a single applicant/organisation could register.
I can enter x3blah from memory. I can print it on a poster when promoting my service.
I can't memorise AAAAC3NzaC1lZDI1NTE5AAAAIFwAU7Q9tccWIyPviJuzAatFIgQZVRr7mExznfbUR9Il. I can't print it on a poster when promoting my service. I can use a QR code, but that's ripe for exploitation. Someone can easily replace the QR code on my poster, and there's no way for anyone viewing the poster to know that it's not the correct QR code.
What's the point of the name at all if it's not memorable?
Or to put it another way, do you really want email address AAAAC3NzaC1lZDI1NTE5AAAAIFwAU7Q9tccWIyPviJuzAatFIgQZVRr7mExznfbUR9Il@gmail.com?
> I can't memorise AAAAC3NzaC1lZDI1NTE5AAAAIFwAU7Q9tccWIyPviJuzAatFIgQZVRr7mExznfbUR9Il. I can't print it on a poster when promoting my service. I can use a QR code, but that's ripe for exploitation. Someone can easily replace the QR code on my poster, and there's no way for anyone viewing the poster to know that it's not the correct QR code.
Which isn't a problem of the qr code, since you can't tell if someone replaced AAAAC3NzaC1lZDI1NTE5AAAAIFwAU7Q9tccWIyPviJuzAatFIgQZVRr7mExznfbUR9Il with AAAAC3NzaC1lZDI17TE5AAAAIFwAU7Q9tccWIyPviJuzAatFIgQZVRr7mExznfbUR9Il.
At least you have a fighting chance of realising something is wrong when they say "x3blah has released a new album. Get it now from x4blah.com". Humans can only understand human understandable things.
If the point of the domain name for you is marketing, then get one you think is "memorable" and use it as a CNAME.
The point for me would be non-marketing uses, e.g., to get an SSL cert so I do not have to use a self-signed one when monitoring encrypted egress traffic from the local network. That name does not need to be memorable. I can get a free cert from Let's Encrypt but I cannot get free domain name. Best I can get for free is a subdomain of someone else's domain name.
As you know, not every domain name is used for the purposes of email addresses or a website. To use a common example, AWS Cloudfront subdomains are not memorable but they are useful to AWS. Like subdomains, domain names can still be useful without being memorable.
> If the point of the domain name for you is marketing, then get one you think is "memorable" and use it as a CNAME. The point for me would be non-marketing uses
This is a very fair and valid point. Thank you for pointing this out.
> to get an SSL cert so I do not have to use a self-signed one when monitoring encrypted egress traffic from the local network
This sounds like you're doing proxying / TLS interception / MITM? If so, you need a signing certificate with authority to sign for any arbitrary name. No vendor provides this for free, and using your own self generated CA is the solution here.
> Best I can get for free is a subdomain of someone else's domain name.
It's unclear what you mean here, as the words you're using are somewhat overloaded, depending on context.
An arbitrary gTLD is not something you can get for free, until we have a better solution for DNS than the current approach.
Anything else is just variations on a subdomain. Heck, technically even a gTLD is a subdomain of the root domain '.', where you don't own anything there either, and are simply getting a subdomain granted to you by the roots.
When you look at it from that perspective, and you're simply looking for something that is unique for you, what's the difference between a subdomain from a dyndns provider, and a subdomain from a registry?
"An arbitrary gTLD is not something you can get from free, until we have a better solution for DNS that the current appraoch."
This implies that there is a better approach. I agree. There are many possibilities. I have been running own root zone at home for several decades. I routinely experiment with different ideas. I am aware of many possibilities.
I do generate a CA pem file using openssl in order to view own traffic. However even with all these hoops we jump through to do such basic things, "Big Tech" seems to actively try to discourage users even more, .e.g., from monitoring their own traffic. For example, subjecting the user to a keylogger in Chrome and forcing them to type some undocumented, opinionated shibboleth such as "badidea" or "thisisunsafe" to proceed.
The subject of the OP is what was originally supposed to be a "non-commercial" TLD, which since abandoned that designation and began charging fees, and, more importantly, the current and future lack of any restrictions on raising those fees. If one is using a TLD in ways that demand transparency, e.g., to represent an entity that is taking money from the public, then involving a third party that accepts personally identifiable information, e.g., a registrar, makes some sense. However, interactions with the public, e.g., commercial uses, are not the only ways the internet can be used and such uses are not the only way domains can be used.
Hmm, it turns out that I’m actually wrong. I’d see domain registrars offer really cheap domains before, but they’re actually one or two year offers that then bump up to $10/year or $20/year.
We need a tld that offers domains for really cheap with the understanding that it’s mainly for people owning shdkshfkskfjslfjsk.sometldname.
I'm checking Gandi.net, and .site, .website and .space seems to be around 1 USD per year. They are marketing it as 95% off, but that doesn't change the fact that it's that price.
> What if no one gets "x3blah" and we each get some random string, e.g., an ed25519 public key.
I think you end up with TOR!
Names are just nicer, more convenient, easier to remember.
> Handshake looks like it wants to create another "gold rush" for "vanity" names.
I don't think that was the goal, but yes, this gold rush is already happening, even though it's not clear whether Handshake will ever receive any meaningful adoption. And I can understand why you find it distasteful.
> Are there limits on how many names a single applicant/organisation could register.
There aren't, and if there were, they would be easy to bypass.
Haha great point re: tor! You can even generate a vanity address using scallion. Of course, it’s subject to impersonation by a similar address if someone else wants it badly enough and has the hashpower to generate it.
Personally I’m interested to see where Handshake goes. Thanks for your constructive comments on this article.
This is what tor/i2p do. It is honestly much better (it gets rid of CAs!) but you will get people screaming for "convenience", despite never typing a domain name themselves.
As of late 2019, there were about 3,6×10⁹ domain names registered it seems[11].
Taking "ycombinator.com" and keeping just the 11 ycombinator letters, and supposing you would allow only the 26 letters of alphabet, that's about 3.6×10¹⁶. That is 7 order of magnitude bellow the number of registered entries.
> For me, the question remains why do user have to pay for domain names.
Payment acts as a kind of proof of life and continuing intrerest. And some sort of contact information for the holder.
There are, of course, actual costs of running the registries, registrars and the root and tld servers. They're low per domain, but large in aggregate.
Many countrie code TLDs have lower cost (or free) domains avaiable for users who are connected with that country, but they may not always be easy to find, and they may not look cool.
If they're free, I could instantly have all of them (in theory). A token price sets an easily-perceivable rate-limit to how many things you can acquire
A limit on acquirable token by person would do the trick just as well, if not better.
Those that feels like it is of worth can always create new moral entities to get new attached tokens, but will already have to pass the existing bureaucratic process required to do so.
But then where do we draw the limit on that? Should then a person who might start a lot of companies be capped at a certain point?
Seems like it's slipperly territory to tread onto.
In the early days the demand for domain names was much lower. I'm not sure that there's a more fair way to distribute right now than putting a price tag on it.
> Additionally, in the summer of 2019, PIR’s ten year agreement with ICANN renewed, but under new terms: looser contractual conditions to mirror those for the new gTLDs (yes, including .wtf), including the removal of a price cap and certain other provisions.
It's seems like something got hugely screwed up in PIR's bylaws. I mean, with a name like "Public Interest Registry", you'd think that serving the public interest would be its top priority.
It’s not hard to see why .ORG rattled so many cages. It seems like there’s a lot of passive anger of old school vs new money, even now in 2020. Thinking about domains, it doesn’t take too long to get into the politics of property.
How do you think domain names should work?
Should you just be able to buy them openly? If one person has all the money, then should they be allowed to buy all the domain names?
Should they be limited to some sensible amount per person? Is a company a person? Should companies be limited in the same way?
If there is a limit, should the price be capped as well, or left open to the market? Those with the most money get to control the best domains?
Personally: I am grateful that we still have a system that works for all and I’m very motivated to not see it go the way of rampant commercialism. Mozilla’s post helps me proselytize.
Hopefully this is indicative of where Mozilla stands on this.
It would be great if there could be a net wide push to relieve ISOC of their .org duties, preferably before 2029. It feels strange to say this, because ISOC is a legitimate organization with more than 50k members world wide.
Mozilla and EFF have shown themselves to be very good Internet citizens with Let's Encrypt and are likely more than capable of running a top domain operation too.
Ideally, you would address the underlying issues that caused this attempt to cash in on the .org domain at the same time. Or you would just be making whichever organization you choose a target for the underhanded types that infiltrated ISOC.
Perhaps the key would be to signal that for the next contract, priority would be given to bidders that are owned by multiple organizations. Also require the owners to be non-profit. So a new XYZ co-owned by Mozilla, EFF and ISOC might work.
You'd want at least three non-profit owners and for the new company to have by-laws prohibiting any one company from accumulating more than 50% control.
> .web in my view is the only possible challenger to .com
Is .biz not in the running? Or .site? Why not .hot? The true challenger to .com is clearly .wtf.
Using .web doesn't even make sense, because it's a protocol. If you're example.web, your website is www.example.web? Kind of redundant. And then is your mail server mail.example.web? But it's an SMTP server, not a web server.
What you really want to replace .com isn't some other general purpose TLD of the same kind anyway, it's the domain-specific ones. Let Ford Motor Company have ford.car and the Ford Foundation have ford.org and the Ford Theatre have ford.theatre and the Ford Cup have ford.tennis etc.
Stephen Fry once suggested pronouncing 'www' as 'wuh wuh wuh', taking around a third the time to say as the usual pronunciation. A pity it didn't catch on.
I typically drop the middle syllable to get "dub-yew dub-yew dub-yew"; not as fast but no one seems to realize what I did and they just hear the full name.
.net was/is supposed to be for people/orgs/companies that are on the net. Initially its purpose was for ISPs and other infra orgs, but it's more general now.
.web is about one particular technology on the .net :)
What are the implications for consumers, orgs, or businesses who register .org domains going forward, compared to registering a .com, .net, or other top-level domains?
There are no implications for now since the status quo will remain. But it sounds like ISOC will continue to look for a way to restructure their finances so there's likely to be future discussion about doing something with .org.
So if ".org" is supposed to be for non-profits (and not-for-profits?) and ISOC/PIR are supposed to be running the .org registry for two reasons:
1. To provide a gTLD for non-profits at an affordable price
2. To provide an ongoing income stream for ISOC
Given that those are the professed reasons, then ISOC's management and diversification of its revenue stream is ISOC's problem to solve, however, selling its revenue stream should/must not interfere with the other purpose of the ".org" gTLD.
A stable revenue stream like ".org" is a valuable thing in its own right. ISOC could sell the rights to that stream now, receiving a fixed amount for endowment and other investments, or it can plan around that revenue stream.
Either way, the other primary purpose of the gTLD has equal weight to ISOC/IETF etc need for income.
>So if ".org" is supposed to be for non-profits (and not-for-profits?)
Where I live what English generally name a "non-profit" have a single important juridical difference: the assets of the organization belongs to the organization, and can not be transferred directly to founders or whoever has control of its board.
Also a non-profit can benefit from some advantages on fiscal side that a for-profit can not, but the latter will far more likely "optimize" their contribution to public services.
I remember those days when a single person -- usually working for free -- made the domain decisions. Specifically I remember Hungary. Registering under the .hu domain was free for a while (it started in '91 Oct) and the rules were made up by the person registering because, well, who else? and in '96 an organization not fitting those rules laid immense pressure to get the domain they wanted so said person resigned. And then the Council of Hungarian Internet Providers was established and the free domains were gone...
Amusingly this made me go check if cthul.hu was registered. The domain name has been claimed since 2000 (according to Whois.net). Hope I didn’t trigger the awakening...
When the US allowed commercial activity seems like they forgot to make a carve-out set of rules for non-profits. Are the .edu domain restrictions set by laws established back then or by ICANN and can therefore theoretically be changed without any input by governments?
This sounds like a rather shortsighted decision, to give up a very reliable source of recurring revenue because you'd rather only have multiple smaller sources of revenue... why not both?