D-Prize to encourage and elevate best practices in Domain Security?

Status
Not open for further replies.

GeorgeK

Given all the domain name thefts of late, I was thinking last night that maybe a group of folks should get together and offer a "D-Prize" (kind of like the X-Prize), for open source development of security tools that all registrars could offer. E.g. one can create a series of best practices and targets, such as (off the top of my head, and not in order):

- emails sent to multiple email addresses whenever an account login occurs
- fax or SMS sent whenever an account login occurs
- fax or SMS sent with a code to permit login to an account (along with normal username/password), as a form of 2-factor security
- RSA SecurID-style 2-factor security for account logins
- "sticky" unlock, where an unlock is allowed only for a certain number of days, and then re-locks automatically (as discussed at http://gnso.icann.org/mailing-lists/archives/ga/msg02020.html ; some registrars have done this)
- "soft" unlock, whereby when unlocked, transfers can only occur to a white-list of registrars
- human confirmation (e.g. through telephone call) of "unusual" domain name changes (e.g. outgoing transfer, or user-specified changes (e.g. a bank like Bank of America might want to verify any nameserver changes whatsoever, even if the domain details otherwise stayed the same))
- public (or "available", either privately or for a small fee) audit trails of all domain changes

Maybe a "D-Prize" wouldn't work, but perhaps a matrix listing domain registrants (perhaps aliased), how many domain names they own, what security they want, and how much extra they'd be willing to pay. This would let registrars get a sense of the economic advantage to them of adding more security, as they could look at the costs (e.g. SMS apparently can be done for 2 or 3 cents each, faxes 4 or 5 cents), versus the benefits.

Would appreciate your thoughts.
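
An added example, not part of the original post and not any registrar's code: a small Python model of the "sticky" unlock (re-locks automatically after a set number of days), the "soft" unlock (transfers only to a white-list of registrars) and the audit trail from the list above. The class, method and registrar names are hypothetical, and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DomainLock:
    """Transfer-lock state for one domain (hypothetical model, not a registrar API)."""
    domain: str
    unlocked_until: Optional[datetime] = None      # None means locked
    allowed_registrars: frozenset = frozenset()    # empty means any registrar
    audit: list = field(default_factory=list)      # append-only trail of changes

    def _log(self, now, event, detail=""):
        self.audit.append((now.isoformat(), self.domain, event, detail))

    def unlock(self, now, days, allowed_registrars=()):
        """Sticky unlock: valid for `days`; soft unlock if a white-list is given."""
        self.unlocked_until = now + timedelta(days=days)
        self.allowed_registrars = frozenset(r.lower() for r in allowed_registrars)
        self._log(now, "unlock", f"days={days} allow={sorted(self.allowed_registrars)}")

    def is_locked(self, now):
        """Re-lock automatically once the unlock window has passed."""
        if self.unlocked_until is not None and now >= self.unlocked_until:
            self.unlocked_until, self.allowed_registrars = None, frozenset()
            self._log(now, "auto-relock")
        return self.unlocked_until is None

    def request_transfer(self, now, gaining_registrar):
        """Return True only if unlocked and the gaining registrar is permitted."""
        if self.is_locked(now):
            self._log(now, "transfer-denied", f"{gaining_registrar}: locked")
            return False
        if self.allowed_registrars and gaining_registrar.lower() not in self.allowed_registrars:
            self._log(now, "transfer-denied", f"{gaining_registrar}: not on white-list")
            return False
        self._log(now, "transfer-approved", gaining_registrar)
        return True


def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamps
    lock = DomainLock("example.com")
    lock.unlock(t0, days=5, allowed_registrars=["registrar-a.example"])
    tries = [(1, "registrar-b.example"), (2, "registrar-a.example"), (6, "registrar-a.example")]
    results = [lock.request_transfer(t0 + timedelta(days=d), r) for d, r in tries]
    return results, [e[2] for e in lock.audit]
```

In `demo()`, the request on day 1 is refused because the gaining registrar is not on the white-list, the one on day 2 is approved, and the one on day 6 is refused because the five-day window has lapsed and the domain has re-locked; each outcome is recorded in the audit trail.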