[gtld-tech] gtld-tech URS technical requeriments

Rubens Kuhl rubensk at nic.br
Wed Jul 10 14:46:18 UTC 2013

DNSSEC is already a foundation for PKI and it's a mandated requirement for new gTLDs. While DANE for SMTP is not ready for prime time, we could provisionally have only URS provider sign e-mail with S/MIME and include a random token in the subject there needs to be in the answer for recognition:

From: URS Provider
Subject: Suspension of xxxx.gtld , token 1234567890
Signed: URS Provider (S/MIME)

From: Registry:
Subject: Re: Suspension of xxxx.gtld , token 1234567890
(not required to be signed)

18 months from now, signing with DANE will likely be feasible to be a requirement to both URS Provider and registry. This way we also keeps authentication inside the DNS system and foster the roll-out of security measures. 


On Jul 10, 2013, at 11:37 AM, "Matthias Pfeifer" <info at freshmail.de> wrote:

> John,
>> Betreff: Re: [gtld-tech] gtld-tech URS technical requeriments
>>> ICANN should not be mandating that any of this be done in an automated
>>> fashion, nor should it mandate things like "all e-mails sent by
>>> Registry Operator to the URD Provider MUST be cryptographically signed
>>> using a S/MIME certificate....."
>> What are you going to do when sleazy domainers start phishing you with
> fake
>> messages from URS providers saying to turn their domains back on?
>> While I agree that it's silly to try and define all of the low level
> details, I don't
>> think it's silly to give some thought to security issues like how the URS
>> providers and registries recognize each other.
> almost a serious question.
> What about a PKI/Web-Of-Trust, managed by the URS provider instead of
> But at least I think it is too complex to manage and may delay the URS
> implementation/process.
> Matthias Pfeifer - dotVersicherung 

More information about the gtld-tech mailing list