ICANN's new rules for domain registrants require you to verify an email address (iwantmyname.com)
91 points by alexbilbie on Jan 3, 2014 | 82 comments



Competitor registrar here. This is actually required by the new 2013 ICANN contract. Not all registrars are on the new contract yet, but those that have already signed are required to start following it as of January.

Link: http://www.icann.org/en/resources/registrars/raa/approved-wi...

You can thank the law enforcement lobby and ICANN wanting to keep them happy. All of us registrars fought hard against it for a number of obvious reasons, but they went forward with it anyway.

Almost all registrars will be on the new contract soon if they already aren't because ICANN made it a requirement to be able to sell the new GTLDs. This is now going to be a normal part of owning a domain name.


Can you clarify what the 'obvious reasons' are, for those who are not domain experts?


Example 1: You are a large company, and registered 200 domain names for various products, spellings, local shops and such.

That is 200 verification emails, which now need to be pressed or whoops, no more working web shop, email!, and internal API will stop working and so on. Remember that broken DNS will cause emails to bounce rather than being resent later by the mail server.

Example 2: A company is changing name/owner, and in the middle of all this needs to register a new domain name. Whoops, forgot to activate in all that?

Example 3: technical contact is on vacation.


Your first example isn't correct. As with the existing WDRP emails that people receive, registrars can batch the verifications. Also, verification doesn't need to be done on a domain-by-domain basis, but on a contact-by-contact basis, thus if all 200 domains use the same one contact in all roles, only one verification needs to be done.

Of course, if your registrar doesn't manage contacts as separate objects from domains (and some don't), then yeah, you'll end up getting a boatload of verification emails.

You'll also start finding a bunch of registrars doing email address checks to ensure deliverability before any registrations or contact updates are performed: this is for the customer's good and the registrar's good.

Registrars have to make a best effort to contact the customer by email. That means that if the email does bounce initially (due to DNS issues, full mailbox, &c.), it's up to the registrar to try again until the grace period expires.

Your second one isn't correct: if your contact has already been verified, there's no need to verify again. It's only if the contact is new or updated that verification needs to be done.

In the third case, you should be using roles, not individuals. Mail aliases were invented for a reason: no one person should be receiving these emails, so it's really your own tough luck if you're a business and you're not ensuring that there's somebody always able to receive and process the emails. Moreover, verification happens when a contact is created or updated, so it should be an address with somebody immediately able to process the verification request.

As far as my ability to write authoritatively on the subject goes, I'm the development lead for a registrar, and implemented most of our domain management system myself.


Not a domain expert, but I think the obvious reason of having your domains get deactivated because you didn't check email to be rather silly.


While I'm personally not a fan, it's not all that silly. If you've registered a domain in the past, your registrar likely invoices you by emailing you the invoice when your domain comes up for renewal (margins are so tight that it's the only cost-effective way). And if you're not checking your mail and you haven't authorised them to automatically charge your credit card, it's possible to miss your payment reminders, which could lead your domain to go into redemption and be deleted for non-payment.

Also, the verification checks only need to be done after you initially submit your contact details or after you attempt to change them, so it shouldn't be too much of an issue.

The big problem that registrars face is that law enforcement want us, the registrars, to verify phone numbers and addresses too, which is going to push up costs quite a bit, even if we find ways of doing so without having to actually phone people.

It's going to suck.


Verifying a phone number should be pretty easy - auto-call, force them to enter a code. Apart from calling cell phones and some countries, it shouldn't cost more than a few pennies.

Verifying addresses sounds like a real pain though. I imagine they'd want a scan of some ID or something else just as silly. Hopefully ICANN can push back on LE.


Less straightforward than you'd think. Ideally, it'd just be a matter of a text or call and having them input a code, but the costs lie in the failure state: we already deal with a large number of ccTLD registries, and many of those, including the IEDR (.ie) who we deal with regularly, require some form of documentation to allow domains to be registered, contacts to be updated, &c. Even with a 30% gross margin on .ie domains, the support costs with a highly automated application documentation submission process are high enough that we don't actually make much money on two-year registrations until the first renewal.

Thankfully, the new requirements for gTLDs aren't quite that onerous: we have to contact them to validate phone numbers and emails (which can mostly be automated), and we only have to ensure that the address provided is valid. That said, the costs involved in address verification aren't small, and we're hedging potential savings in avoiding fraudulent customers against the additional costs involved.

ICANN can't push back against the LEAs though: this stuff is now in the contract, so we're all stuck with it.


Some of us are waiting on ICANN to process waivers so that we can opt out of certain requirements of the 2013 RAA that are contrary to our local law, but ICANN are dragging their heels on processing the waiver requests. That's especially an issue for European registrars like ourselves, as we have stricter data privacy laws than the US does.

The verification and validation requirements the LEAs pushed down our throats are still crazy, even if they're not as bad now as what they were initially looking for.


> You can thank the law enforcement lobby and ICANN wanting to keep them happy.

Yeah, because there's absolutely no way to have an anonymous email address... /s But seriously, what does law enforcement think this will accomplish? I could see ICANN wanting to cut down on squatters or other domain delinquents, but for tracking down criminals this seems pointless. If anyone has theories or info on what they hope to accomplish I'd be interested.


If domains weren't obnoxious enough to deal with, a combination of contact verification and hundreds of new top level domains really is just icing on the cake. I just renewed my domains so that I don't have to bother with verification for a while, and somehow the amount of upselling is just astounding.


Registrar here.

Here are the applicable rules. As nitinag pointed out, this is only for registrars who have signed the 2013 RAA. Registrars still under the 2009 RAA are not bound by this. (At some point they will have to sign the new RAA, and they will right away if they want to sell (as was pointed out) the new gTLDs.)

http://www.icann.org/en/resources/registrars/raa/approved-wi...

While I can't speak for what other registrars will be doing these ICANN policies in the past tend to leave plenty of wiggle room and the ability to game the system (by registrars) if they want to.

Specifically:

"In either case, if Registrar does not receive an affirmative response from the Registered Name Holder, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If Registrar does not receive an affirmative response from the Account Holder, Registrar shall verify the applicable contact information manually, but is not required to suspend any registration."


To quote the source: ====================

Verify: the email address of the Registered Name Holder (and, if different, the Account Holder) by sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar, or

the telephone number of the Registered Name Holder (and, if different, the Account Holder) by either (A) calling or sending an SMS to the Registered Name Holder's telephone number providing a unique code that must be returned in a manner designated by the Registrar, or (B) calling the Registered Name Holder's telephone number and requiring the Registered Name Holder to provide a unique code that was sent to the Registered Name Holder via web, email or postal mail.

In either case, if Registrar does not receive an affirmative response from the Registered Name Holder, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If Registrar does not receive an affirmative response from the Account Holder, Registrar shall verify the applicable contact information manually, but is not required to suspend any registration. ====================

So there are other methods that ICANN outlines in order to verify the account holder information to activate the domain, not _just_ an email address like the article states.
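The flow quoted above (a unique code e-mailed to the contact and returned within a deadline), combined with the per-contact verification described earlier in the thread, sketched as an added example that is not part of the original thread or any registrar's code. The `Contact` class, the function names and the 15-day `GRACE_PERIOD` (the figure mentioned later in the thread) are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumption: the 15-day window mentioned later in the thread.
GRACE_PERIOD = timedelta(days=15)


@dataclass
class Contact:
    """One contact object, shared by every domain that references it."""
    email: str
    is_registrant: bool  # True: Registered Name Holder; False: Account Holder only
    domains: List[str] = field(default_factory=list)
    verified: bool = False
    code_hash: Optional[bytes] = None   # only a hash of the code is stored
    issued_at: Optional[datetime] = None


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


def issue_code(contact: Contact, now: datetime) -> str:
    """Start (or restart) verification; returns the code to e-mail out."""
    code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    contact.code_hash = _digest(code)
    contact.issued_at = now
    contact.verified = False
    return code


def change_email(contact: Contact, new_email: str, now: datetime) -> Optional[str]:
    """Only a new or changed address triggers verification."""
    if new_email == contact.email:
        return None
    contact.email = new_email
    return issue_code(contact, now)


def confirm(contact: Contact, code: str, now: datetime) -> bool:
    """Affirmative response: the code must match and arrive inside the window."""
    if contact.code_hash is None or contact.issued_at is None:
        return False
    if now - contact.issued_at > GRACE_PERIOD:
        return False
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(_digest(code), contact.code_hash):
        return False
    contact.verified = True
    contact.code_hash = None  # single use: a replayed link does nothing
    return True


def enforce(contacts: List[Contact], now: datetime) -> Dict[str, List[str]]:
    """Apply the quoted rule to contacts whose window has lapsed."""
    actions: Dict[str, List[str]] = {"suspend": [], "manual_review": []}
    for c in contacts:
        if c.verified or c.issued_at is None or now - c.issued_at <= GRACE_PERIOD:
            continue
        if c.is_registrant:
            # Registered Name Holder: verify manually or suspend (suspend chosen here).
            actions["suspend"].extend(c.domains)
        else:
            # Account Holder: manual verification, suspension not required.
            actions["manual_review"].append(c.email)
    return actions
```

Because the verification state lives on the contact, 200 domains sharing one contact need a single confirmation, and a lapsed registrant contact affects every domain that references it.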


I already get all sorts of emails sent to the address listed on whois. Most, if not all, are outright scams. So now one of those will actually be genuine?

But which one?


The one from your domain registrar, I would imagine.


I have a separate secret mailbox for them to use.

I get plenty of emails in my whois-listed mailbox that purport to be from my registrar. Guess how many are genuine.


Basically the same way you tell if any email you receive is genuine and not a phishing attempt.

Also, consider using your registrar's WHOIS privacy service, if they provide one: your registrar only has to ensure the details you provided are genuine, and those can be masked in WHOIS.


We need decentralized DNS (like Namecoin) systems. Properly implemented cryptography and decentralization is the only hope for the free internet to remain free.


Namecoin is a good start, but it has scaling issues. We can use it as an authentication back-end for something a bit more scalable.


But do people want a free internet? People are looking for a medium they can profit from. And we are shortsighted by default.


People != People


How will this affect registrars that offer to hide your email address behind a randomly generated and periodically rotated address that forwards to your own?

For example, NameCheap's WhoisGuard service has an option to rotate the email address every 30 days. If I subscribe to a service like that, will I have to verify the randomly generated address every time it is rotated?


Namecheap and their whoisguard have already been sending out annual or bi-annual emails asking you to confirm that the address details are correct, but it sounds like those emails will contain some confirmation link in the future.


All registrars are required to do that currently as part of ICANN's WHOIS Data Reminder Policy: http://www.icann.org/en/resources/registrars/consensus-polic...

Those were basically a way to nudge name holders to ensure the details they provided were correct to minimise the chances of people lodging WHOIS inaccuracy complaints with registrars or directly with ICANN. See here: http://www.icann.org/en/resources/compliance/complaints/regi...

What's changed is that the Law Enforcement Agencies have pushed to make registrars be proactive in checking that any contact information is accurate rather than reactive in response to complaints. It's likely going to push up domain costs quite a bit. Here's what registrars on the 2013 RAA are required to do: http://www.icann.org/en/resources/registrars/raa/approved-wi...


That was not my question.

Right now, they only ask for confirmation once a year regardless of whether there has been any change of contact info. But OP makes it look like I'll have to verify my email address every time it changes, and one of the main features of WhoisGuard is that the email address in my whois changes all the time.

If I tell NameCheap/WhoisGuard to rotate my email every day (probably overkill, but it's possible), will I wake up every morning to find a new confirmation link in my inbox?


You'll only have to confirm any underlying email changes in your example. However, the new ICANN contract also mandates a yet to be defined "Privacy and Proxy Accreditation Program", which will bring changes to the different whois privacy services that registrars currently offer.


I wasn't really trying to answer your question, just adding context.

As far as I know, the address confirmations are for your real address details. Namecheap isn't asking you to confirm the whoisguard details, and presumably the new provisions will function the same way.


This doesn't look like verifying contact details.

It looks like verifying a contact email address, which is nothing new and a routine with most registrars anyways.


The difference is that the registrar is now obligated to shut down any domains where the registrant changes first name, last name or email address and does not verify the email address using the link from the sent email. This is why it's such a big deal.


For GoDaddy this is new as far as I can tell. You now get an email with a verification link. That never happened in the past (at least not by default).


One other has clarified, and it's important: Email is pseudonymous, and that's all that is required. Frustrating, but not quite as speech-quelling as addresses and phone numbers.

Oh, and you bought that domain with a credit card.


> Oh, and you bought that domain with a credit card.

Namecheap actually accepts Bitcoin[0], but yes - the way they are currently implemented and used, TLD domain names are not at all anonymous.

[0] https://www.namecheap.com/support/payment-options/bitcoin.as...


Do registrars not accept pre-paid cards?


I haven't tried personally, but most of the time now one cannot purchase or use a prepaid card without associating it to an address.

You know, for turrursm.


Associating an address is as easy as Googling "1 Main Street" in whatever town you'd like, and grabbing the zip code. There's no real verification to it.


That's not true, at least not in the US. In particular, the Vanilla Visa prepaid cards sold at Walgreens and CVS don't even allow you to register an address, only optional registration of a ZIP code for partial address verification.

Some, but not most, vendors do require more extensive address information on file.


Are these formal ICANN rule-changes, or just how iwantmyname is choosing to enforce the verification aspect of domain ownership? Seems like what they're saying they may do is replace your domain with some lead-generation landing-page similar to what many domain registrars do upon registering a new domain prior to modifying the DNS settings.


I've spoken to Timo and the others on the team at iwantmyname before and they're all pretty laid back so I can't imagine them doing this unless they really had to.

Edit. This seems to be a more legal-like explanation of the relevant rules from a registrar called enom. http://www.comprotex.com/icann.html


As commented above[1] it looks like this is required by a new contract which is required for registrars to sell all of these new (and imo, silly) TLDs such as .cab, .sexy, etc

[1] https://news.ycombinator.com/item?id=7005417


As many others pointed out this is a change in ICANN policies and we are required to do this. The page will be completely neutral without any ads.


It's almost certainly just them. You'll note that you haven't heard of any of the other registrars talking about this.


No, this is incorrect - it is part of the new Registry Registrar Agreement that ICANN ratified earlier this year. It goes into effect 1 January. All accredited registrars will have to agree to it this year to retain their accreditation.



It's only them, the upline we use hasn't said a word to us about it. I just asked support and he seemed shocked I would even ask ha ha.


You should be very concerned about your registrar, then, because they are not paying attention to ICANN policy.


No, it's not. Any registrar on the 2013 RAA has to proactively validate and verify WHOIS data accuracy. Those still on the 2009 RAA only have to reactively validate and verify WHOIS data accuracy in response to complaints.


[deleted]



Yes, I'm sorry.


I blame Google for this. Yes, there were others who pushed "real name policies" before, but it wasn't until Google when they really forced people to do it, and now that they got away with it, others are taking the example from them, and doing the same.


This isn't a "real name" policy.

It states that for certain types of changes/new contact details, there will be a verification email sent, with a link you have to click.

That doesn't involve giving your real identity to anyone.


Real name policies greatly benefit the community as a whole. Of course we all see that there is a rare need for anonymity, but it should be far from the default. I wish the net could be divided into two halves -- "Willing to put my name behind what I write", and "Anonymous Cesspool".


Anglo-American common law tradition allows me to manage my own identity. I am who I say I am, and I publish the name that I will answer to when strangers say it. And I am also free to have multiple nicknames, which might be associated with my public name, or not.

I am very disappointed in the cultural trend over the last few decades that makes a third-party entity, usually a government, the final arbiter over who someone is. If I want to be a certain name in person, and "logfromblammo" on HN, or another pseudonym somewhere else, I question the motives of anyone who wants to undermine that separation. I think it is a fundamental human right to decide who you are, and the ability to separate your social circles by the identity you use is essential to privacy and free discourse.

Several of the positions I hold as an on-line personality--religion, political views, spectator sport preferences--could be used against me in my job or hometown. An atheist anarchist that doesn't even like football is just one step away from social assassination in my physical location. If I cannot establish a separate and distinct identity to discuss such things in another venue, I cannot be free of the social prejudices of my neighbors, ever.

So I believe your assertion is incorrect. Real name policies promote self-censorship for everyone who is not blessed enough to live in a socially tolerant locale. I am content for logfromblammo to have a separate karma rating than my in-person name, and for it to be a discardable on-line identity. That arrangement can certainly be abused, but making that abuse impossible hurts far more than it helps.


Tell a transperson that. Or an abuse survivor. Or someone with HIV trying to get information. There are many, many, many situations where requiring real names is harmful to a community. As a further counterexample, look at news sites which use facebook comments as their backend. People are quite willingly assholes even if their "real" name is behind what they write.


As I said, there is a rare need for anonymity, and it should exist -- on the 'anonymous net'. Anonymity is abused far more often than used.


Or cesspit of trolls who don't care you know their real "Name"


Is there any reason you want everyone on "put my name" part of the Net to be forced to use traditional¹ name format instead of free-form pseudonyms? Is there any difference except for the looks? Or you want services to register accounts only after a notary confirms your identity?

Best regards,

John Doe Jr.

___

P.S. ¹) Some people will likely be unable to use their "real" name with such policies. http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-b...


... so now that YouTube did that, and it didn't help (as the trolls were, in fact, "willing to put my name behind what I write"), we aren't going to adjust our understanding and stop believing in this false dichotomy? :(


This is nothing to do with Google. It's the Law Enforcement Agencies who were pushing this with ICANN, not Google.


Can the registrars send an automatic reply on behalf of their customers?


No. That wouldn't constitute verification and validation of contact details, and registrars are required to verify and validate any contact details provided to them. It's the registrar that's contacting the customer, not some other third party who they deal with.


How will this affect current domain squatters? Will they be required to follow this when they renew these domains? Or is this just for new registrations moving forward?


It doesn't, aside from it being more difficult for them to hide behind invalid contact details, which should make it easier for others to initiate UDRP proceedings against them.

As soon as they register a new domain with a registrar under the 2013 RAA or if they update their contact details, they'll be forced to validate them.


ICANN needs to lower their price per domain. I don't think they originally thought so many people would buy a domain? Or, just got greedy?


If anything, it's the registries who will need to lower their cut. They have the largest margin out of ICANN, the registries, and the registrars. The registrars, however, are the ones who are going to end up hurting because the onus to check all this stuff is on us, and margins for registrars are thin as it stands.


ICANN charges 22 cents per domain. What would you propose the price be lowered to?


But isn't it still possible to use an address at the newly-registered domain? And what's the point then? Or, if not, how broken is that?


[deleted]


No, you don't need to identify yourself - you just need to confirm that there is a valid way to contact you (via email). That mail address can still be a pseudonym.


I'm going to start a cool new service called "iwillclickit.com". You can sign up for youraccount@iwillclickit.com, and then for any email that account receives with a link, I'll click it. And maybe charge $5.


I think Mailinator can already do this (free). Of course, you'd need to make sure you click the confirm link, not the reject links.


Automatically? As if - you specify willclick@mailinator.com and forget it, and when the email'll arrive any links in it will receive a GET request.

I haven't found such an option at Mailinator. Had I missed it?


Hmm, I can't find it now. Maybe I imagined it :\. Or maybe it was part of the Mailinator Pro thing.


So can someone set up a service that auto-replies and we all use that email address?


Is there a way to register a domain name completely anonymously?


No, not any more, and strictly speaking there hasn't been one for quite some time. Your registrar needs to have accurate contact details for you, but you can use their WHOIS privacy service (if they provide one) to ensure the rest of the world doesn't have your contact details. Before the 2013 RAA, you were still required to provide accurate contact information, it's just that the onus was on the registrant, not the registrar, to ensure the contact details were accurate unless the registrar or ICANN received a complaint about the accuracy of the contact details associated with a domain.


Someone else can register it on your behalf, but I'm fairly sure that's as close as you can really get to anonymous. Of course if you do bad things with that domain, people are going to go after that person first.


What would it take to have a p2p DNS?


Check Namecoin and dot-bit http://dot-bit.org/Main_Page


Why are so many of you upset by this?


I'm not--but I don't like what they charge per domain. I can deal (go elsewhere) with Godaddy, but I can't deal with fixed costs.


15 days. I am literally stunned. So if you go on a long holiday you might come back and your site is .. banned. Way to go on free speech.


There's absolutely no reason to be stunned, surprised, or disappointed that not finalizing a transaction within two weeks will result in discontinuation of the service.

These verifications don't show up out of the blue. They're only for when you create or modify a domain registration. If you change your domain records less than an hour before going off-grid for an extended vacation, you deserve the consequences.


Your site isn't "banned" in any sense: you are leasing your domain, and as part of the lease agreement, you are required to provide accurate contact details. That was the case even before ICANN brought in the 2013 RAA.

As wtallis wrote, this only applies when you initially register a domain or modify the contact details associated with a domain. While registrars are required to re-validate contact details, they only need to email you to notify you that you should check that your contact details are still accurate, which they currently have to do already. Of course, if the email bounces... but if that's the case then you've seriously screwed up.



