KASWESHA APPLICATION

[Timothe Litt]

+1  Looking for an objective test: Number of dots in a domain name (level)
is not a practical test.  Too many rules, always changing.  Modulo privacy
proxies, a whois entry for the domain seems a reasonable test for
membership.  Or a bill for registration of a domain in the name of the
member issued by a registrar.  In either case the member would be one of the
names in the whois - or an appointee tracable to one.  Testing can be an
e-mail to the admin contact e-mail address - this is used today by others
(e.g. for domain-verified SSL certificates).  This can be done securely with
a token and a "confirm membership" url.

If control of a domain is part of the test (I'm inclined to say "yes", as
this also shows that a representative of an organization has its blessing
thu the org's controls), then we could require a TXT record in the domain,
say 'NCSG-Rep:' plus a SHA256 hash of the prospective member's name.  This
could be a one-time check, or the cookie could be verified at membership
renewal (and/or election) time... This is easily automated and doesn't
require a person in the domain to respond to each test.

The hash ensures that someone browsing the domain doesn't get the rep's
name.  We would not publish the domain name in the member records (for
privacy), but it could control the 'active' flag.

The cookie approach is used in the DNS today for demonstrating control.
(Google requires one, so does ISC's DLV [DNSSEC] although their schemes are
different.)

Note that the 'dyndns.org' type of  user could meet the cookie test but not
the whois/bill from a registrar test.  I think (and I was one once) that the
concerns of these tertiary users are quite different from those of direct
registrants.  E.g. ICANN regulation/process is indirect & leases can be
quite short.  If included, expect another constituency split... And another
discussion about gaming the system, as anyone could create subdomains purely
for membership/voting purposes.  (E.g. I could create otherwise unused
subdomains for family members; many organizations provide a vanity subdomain
for employees on request - {mypc,www}.fredsmith.example.org.  These are
indistinguishable from 'dyndns'.)  Which is why I don't favor interpreting
the "exclusive user" clause to include these tertiary users.

This doesn't help with the "purpose" requirement that's caused so much
traffic recently, but it should make the "exclusive user" question
mechanical (objective).

Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.


-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
Tapani Tarvainen
Sent: Friday, November 18, 2011 02:58
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] KASWESHA APPLICATION

On Thu, Nov 17, 2011 at 01:14:35PM -0800, Dan Krimm (dan at MUSICUNBOUND.COM)
wrote:

> As long as any sub-domain (or sub-sub-sub-domain) counts as a "domain"
> that seems to fly.  OTOH, if only first-level 2LDs count, then this
> might not qualify (though perhaps kbo.co.ke might?).

Without arguing about the charter wording, my understanding when I joined
was that this group would be for domain registrants, those who have at least
one domain registered directly to them.

Whether that implies 2nd level domain or not would depend on the policies of
the TLD: in some cases 3rd level domains can be registered directly, e.g.,
.co.uk or anything under .name and apparently .co.ke, and I see no reason to
exclude those.

But where an individual ISP offers subdomains to its customers, the
situation is different, especially considering companies offering subdomains
for free and more or less automatically.
Should we accept anyone who has a .dyndns.org subdomain, for example?
It would change the demographics of potential members and their common
interests rather radically.

As for commercial domains: the domain name doesn't really tell who is in
fact commercial and who isn't. Lots of private individuals and
non-commercial organizations use .com, for example.

> If the web site were located at kbo.co.ke/kaswesha/ then qualification
> might seem to be on shakier ground.  Is this minor technical
> distinction really that important?

I don't see it as particularly significant - and that is exactly why I
consider kaswesha.kbo.co.ke application shaky.
But I appreciate that it other views might be possible, I'm open to
persuasion here.

> Does kaswesha.kbo.co.ke get listed in WHOIS, or only kbo.co.ke?

Only the latter, apparently:

$ whois kaswesha.kbc.co.ke
[...]
Query: kaswesha.kbc.co.ke
Status: This WHOIS server does not have any records for that zone.

Having whois listing as a criteria might actually work, it would match my
understanding of the intent of the charter fairly well.

But: the charter wording "domain for exclusive use" is unclear.
It has to be clarified - if not by actually changing the charter, by an
interpretation decision. Which it seems we are in the process of doing right
now.

My present inclination would be to interpret "domain"
as something registered directly from TLD registrar and "exclusive use" as
right of use granted by a registrar - but not so much on the basis of the
wording but on how I've understood the purpose of the group.
And that would mean rejecting Kaswesha, unless and until the get a "real"
domain of their own.

--
Tapani Tarvainen