ICANN’s WHOIS ACCURACY PROGRAM SPECIFICATION, a closer look.

Dissecting the Registrar Accreditation Agreement 2013 part 1

Now that the RAA 2013 is up for public comments on ICANN’s website I decided to zoom in on some parts of this new agreement.

It’s a been long road, 18 months of negotiations between the domain name Registrars and ICANN is now over. As written many times before on this site, one of the most controversial and debated part of the entire RAA.

What the FBI and other law enforcement agencies wanted

Under ideal circumstances the law enforcement agencies would have loved a domain name registration system, where you as the domain name registrant would have to visit the domain name Registrars office, and after handing over a boatload of documentation you wouldbe on your way home while your domain name Registrar would run several background checks, and perhaps in a month or two your domain name would be registered or perhaps if the background check did not produce enough information. you would have to visit the Registrar again so the Registrar could take some DNA samples CSI style.

What the rest of world wanted

The Registrars and other stake holders didn’t embrace the above vision and wanted less intrusive methods of registrant verification. So after 18 months we have something called :”WHOIS ACCURACY PROGRAM SPECIFICATION”. An end result that did not make the LEA‘s jump for joy.

Let’s zoom in on this verification system and theorise about the implementation and the implications for you as a registrant.

Registrar shall validate:

  • Validate the presence of data for all fields required under Subsection 3.3.1 of the Agreement in a proper format for the applicable country or territory.
  • Validate that all email addresses are in the proper format according to RFC 5322 (or its successors).
  • Validate that telephone numbers are in the proper format according to the ITU-T E.164 notation for international telephone numbers (or its equivalents or successors).
  • Validate that postal addresses are in a proper format for the applicable country or territory as defined in UPU Postal addressing format templates, the S42 address templates (as they may be updated) or other standard formats.
  • Validate that all postal address fields are consistent across fields (for example: street exists in city, city exists in state/province, city matches postal code) where such information is made available to Registrars.
  • With the above in mind we can conclude that the WHOIS will have less odd elements as we know it today. Telephone numbers will have one and the same format. The last validation bullet (matching data) is one that is very intresting Not all countries use postal codes and that is just for starters.

Registrar shall verify :

  • The email address of the Registered Name Holder (and, if different, the account holder paying for the Registered Name) by sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar, or
  • The telephone number of the Registered Name Holder (and, if different, the account holder paying for the Registered Name) by either (A) calling or sending an SMS to the Registered Name Holder’s telephone number providing a unique code that must be returned in a manner designated by the Registrar, or (B) calling the Registered Name Holder’s telephone number and requiring the Registered Name Holder to provide a unique code that was sent to the Registered Name Holder via web, email or postal mail.

What the Registrar has to verify is pretty straight forward, and as you can read no DNA samples require verification to have your domain name registered, just your email address.

Return to sender.

What if the verification does not happen ? A registry like DK Hostmaster has an email verification system in place for many years now. One is an email that contains your login to activate the domain name and if your email is down for some reason you will receive a letter from the registry that also contains your login details. If you do not activate your domain name the domain name will simply not resolve and stays reserved for 30 days and then the registration will be undone.
A simple system, yet 10% of all the registrations fail when it comes to the ccTLD .DK. That is a massive amount of domain names when you would apply such a system for .com or .net. However ICANN has come up with a different solution.

In either case, if Registrar does not receive an affirmative response from the Registered Name Holder, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If Registrar does not receive an affirmative response from the account holder paying for the Registered Name (when that information is different from the Registered Name Holder), Registrar shall verify the applicable contact information manually, but is not required to suspend any registration.

So here we have it and let’s see how that one works in the real world.
Lets assume the Registrar works with a reseller model, the flow would go like this:

Domain name gets registered and an email is send to the registrant and the reseller.
Registrant does the verification and also the Reseller and both have been verified.
Much rejoicement and happy people everywhere.

In the scenario where the registered domain name holder/registrant does not go through the verification process the domain name gets suspended after 15 days. If the reseller does not respond the Registrar will verify the data manually, but the domain names does not get suspended.

More fun.

If the Registrar discovers that the information is incorrect then the Registrar is required to re-verify the data.
Sounds simple, in reallity however this is going to be alot of fun. Registrars currently need to send a so called WDRP email to either the registrant or the admin contact. Currently it is only required to send the email regardless if the email bounces back or not. With this provision if it bounces back or the email does not get delivered the re-verification process kicks in. The ICANN text is as follows :

Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If, within fifteen (15) calendar days after receiving any such information, Registrar does not receive an affirmative response from the customer paying for the Registered Name, if applicable, providing the required verification, Registrar shall verify the applicable contact information manually, but is not required to suspend any registration.

Here it says the Registrar does not have to suspend the domain name. However the next section says :

Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.

Willful, what can be considered willful and not willful ? There is the obvious part where a registrant tells the Registrar to take a hike, and then there is the not so obvious part when you have to deal with a company with multiple departments and decision makers. Needless to say this could use some clarification.

So it is time to get your email addresses up to date, together with your other information and check for yourself if you would pass the verification. Afterall it would be a shame if one or perhaps all of your domain names will get suspended due to a bounced email.

All Registrars who wish to sell all the new gTLD domain names are required to sign the RAA 2013 and i expect the new RAA 2013 to go live within a few months from now if not earlier.