Hello Jothan,
Yes, a lot of thought by the entire team.
Thank you for your comments. We look forward to discussion on your points within the Accreditation Models document and during the upcoming IRT session.
We hope to see you at this Thursday’s meeting.
Best,
Jason
Jason Kean
Sr. Manager, Reviews and Stakeholder Support
Internet Corporation for Assigned Names and Numbers (ICANN)
From: Jothan Frakes <jothan@jothan.com>
Date: Monday, May 12, 2025 at 5:30 PM
To: "PPSAI IRT members, including observers" <gdd-gnso-ppsai-impl@icann.org>
Cc: Karen Lentz <karen.lentz@icann.org>, Leon Grundmann <leon.grundmann@icann.org>, Jessica Puccio <jessica.puccio@icann.org>, Jason Kean <jason.kean@icann.org>
Subject: [Ext] Re: [Gdd-gnso-ppsai-impl] IRT Session Thur 15 May @15:30UTC **Please attend for Introduction of Accreditation Models and IRT Task Review**
Hi Jason-
This looks like there was a lot of thought put into the three paths of potential solution. This is a slow-simmer stew problem that has had a lot of new ingredients and dietary requirements and allergies added, so I envy you, chef.
We're still trying to microwave our way out of it. In the three options, they are leaving largely unaddressed the realm of unaffiliated third parties, known or not. This is still a number of fundamental gaps.
"How does the registrar provide data they don't have?"
"How does the registrar fulfill their obligations of notice, disruption of service, or other areas that require communication with an end registrant?"
Subjectivity: "What constitutes 'Known'?"
Let's also look at subjectivity regions that are going to need better definitions. There are disconnects related to interpretation of 'known' that will plague us, where one could have conflicting perspectives
on if a registrar did or did not know a domain name registrant was providing proxy service to a third party.
The proposals around use of regular expressions or pattern matching the org or registrant first name or last name fields are not an adequate remedy for demonstration of 'known' or enough to act with an appropriate level of elegance as a
registrar.
When I listen closely to requesters from law enforcement, security practitioners and intellectual property interests and hear their pain points about the particularly problematic situations like 'nested proxy layers' or that drove the concept of accreditation
of Privacy Proxy (P2 because I am tired of typing those) providers, it was to get at the information of the beneficial owner, for research or enforcement.
There is a narrative that suggests that by volume, the majority of P2 are affiliated with the registrar. While this is true, it is the last mile of those which are not affiliated represent the largest challenges, with the least solutions.
I have been presented examples of P2 layered 3-4 operators deep - which are a challenge to get ultimately to the responsible party.
the $64,000 question here : Was that a description of a law enforcement agent attempting to get to a perpetrator, or I was describing a legitimate corporate tactic of obfuscating the identity of a real domain owner? Should the corporation have a different
set of rules?
Ultimately, I suspect there is an interest in trying to salvage something that was developed over a decade ago out of respect for the time investments made back then and since, but we really have a lot of gaps that should be considered.
Jothan Frakes
This email and any attachments may contain confidential and/or privileged information intended solely for the use of the individual or entity to whom it is addressed. If you are not the intended recipient,
please notify the sender immediately and delete this message. Any unauthorized use, disclosure, or distribution is prohibited.
On Mon, May 12, 2025 at 10:28 AM Jason Kean via Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl@icann.org> wrote: