Protecting the public interest: dot-zip
While my hopes that ALAC will champion this are dim, and ICANN itself is even less likely to act, I draw your attention to a policy goof that is already causing public harm and is likely to cause far more.
Now anyone can buy a dot-zip second-level domain, i.e. evan.zip or naralo.zip.
As anyone who works with computers should know, long before dot-zip was a domain it was a very popular computer-file extension to denote something that contained a file (or collection of files) in compressed form. Such a collection could easily contain malicious data or code.
Is anyone seeing the problem? People could be sent "attachments" that are really URLs and URLs that are really attachments. The potential for end-user confusion and harm is immense.
Here are two videos that explain the situation well:
https://www.youtube.com/watch?v=GCVJsz7EODA
https://www.youtube.com/watch?v=V82lHNsSPww
Is anyone in domain-world looking at this?
Evan Leibovitch, Toronto Canada @evanleibovitch / @el56
Phil Katz has got to be rolling in his grave!
Jonathan Zuck Director, Future of Work Project Innovators Network Foundation www.InnovatorsNetwork.org
________________________________
From: NA-Discuss <na-discuss-bounces@atlarge-lists.icann.org> on behalf of Evan Leibovitch via NA-Discuss <na-discuss@atlarge-lists.icann.org> Sent: Saturday, May 27, 2023 4:18:34 PM To: NARALO Discussion List <na-discuss@atlarge-lists.icann.org> Subject: [NA-Discuss] Protecting the public interest: dot-zip
While my hopes that ALAC will champion this are dim, and ICANN itself is even less likely to act, I draw your attention to a policy goof that is already causing public harm and is likely to cause far more.
Now anyone can buy a dot-zip second-level domain, ie evan.zip or naralo.zip
As anyone who works with computers should know, long before dot-zip was a domain it was a very popular computer-file extension to denote something that contained a file (or collection of files) in compressed form. Such a collection could easily contain malicious data or code.
Is anyone seeing the problem? People could be sent "attachments" that are really URLs and URLs that are really attachments. The potential for end-user confusion and harm is immense.
Here are two videos that explain the situation well: https://www.youtube.com/watch?v=GCVJsz7EODA https://www.youtube.com/watch?v=V82lHNsSPww
Is anyone in domain-world looking at this?
Evan Leibovitch, Toronto Canada @evanleibovitch / @el56
I wonder what sort of risk assessment .ZIP has for the name collision study.
Jonathan Zuck Director, Future of Work Project Innovators Network Foundation www.InnovatorsNetwork.org
Very likely the name collision assessment came up clean -- against other domains. But that's not the issue here. Is there any requirement for applicants to do due diligence regarding collisions with other common non-DNS computer uses of the applied string?
There are some precedents, notably dot-onion being unavailable to reduce collision with the TOR network (which is certainly out of ICANN's jurisdiction). But I don't know if, for instance, there would be any inherent ICANN-based opposition to anyone applying for, say, dot-exe or dot-bat (which, like zip, is also a dictionary word).
Perhaps there is room to develop advice to have a mechanism that measures and evaluates conflict not just with other domains, but also common computer uses that could if implemented cause public confusion or harm. There are a LOT of file extensions and not all need to be protected, but surely the most common file extensions (and perhaps also command-line utilities) need protections. I see that dot-run is delegated, which could affect Linux systems (which run a lot of the Internet's infrastructure). So is dot-mov which is a popular Apple file extension for videos.
Anyway, I leave it with NARALO's ALAC reps to determine if this issue is sufficiently end-user to care about and investigate.
Evan Leibovitch, Toronto Canada @evanleibovitch / @el56
On Sun, May 28, 2023 at 7:35 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
I wonder what sort of risk assessment .ZIP has for the name collision study.
Certainly seems worthwhile to me and outweighs the value of having a .zip domain
Jonathan Zuck Director, Future of Work Project Innovators Network Foundation www.InnovatorsNetwork.org
________________________________
From: Evan Leibovitch <evan@telly.org> Sent: Sunday, May 28, 2023 8:09:11 PM To: Jonathan Zuck <JZuck@innovatorsnetwork.org> Cc: NARALO Discussion List <na-discuss@atlarge-lists.icann.org> Subject: Re: [NA-Discuss] Protecting the public interest: dot-zip
Very likely the name collision assessment came up clean -- against other domains. But that's not the issue here. Is there any requirement for applicants to do due diligence regarding collisions with other common non-DNS computer uses of the applied string?
There are some precedents, notably dot-onion being unavailable to reduce collision with the TOR network (which is certainly out of ICANN's jurisdiction). But I don't know if, for instance, there would be any inherent ICANN-based opposition to anyone applying for, say, dot-exe or dot-bat (which, like zip, is also a dictionary word).
Perhaps there is room to develop advice to have a mechanism that measures and evaluates conflict not just with other domains, but also common computer uses that could if implemented cause public confusion or harm. There are a LOT of file extensions and not all need to be protected, but surely the most common file extensions (and perhaps also command-line utilities) need protections. I see that dot-run is delegated, which could affect Linux systems (which run a lot of the Internet's infrastructure). So is dot-mov which is a popular Apple file extension for videos.
Anyway, I leave it with NARALO's ALAC reps to determine if this issue is sufficiently end-user to care about and investigate.
Evan Leibovitch, Toronto Canada @evanleibovitch / @el56
Indeed. And as Ross pointed out, I can't see the real benefits of such a TLD but I do see the risks it brings!
Louis Houle
On 2023-05-28 at 20:12, Jonathan Zuck via NA-Discuss wrote:
Certainly seems worthwhile to me and outweighs the value of having a .zip domain
------ NA-Discuss mailing list NA-Discuss@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/na-discuss
Visit the NARALO online at http://www.naralo.org ------ _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Evan, Thank you for bringing up the topic of TLD and File Extension namespace collisions. I had not considered this topic before, but I believe it merits attention. The ZIP domain is only one example of the more general problem where TLD and File Extension namespaces. Other examples coming from ccTLD namespace are .PL (Poland vs Perl Script) and .SH (Saint Helena and Shell Script). An interesting detailed discussion on this complexity can be found here <https://news.ycombinator.com/item?id=35930160>. The fact there are already namespace collisions, does not diminish the need for us to pay attention to it when expanding TLD namespace.
From a strictly end user's perspective, I think it's safe to conclude that TLD and File Extension namespace collisions do have the potential to add cognitive load to an end user's ability to safely navigate domain name space.
ICANN's policy development takes into account a number of different stakeholders. It appears that some ICANN stakeholders feel they can make money from an expanded TLD namespace and potentially add value to end users too. As with many things in life, there are tradeoffs to be made. I don't have a strong opinion about ICANN policy at the moment, but it does seem wise for those stakeholders that wish to make money from a new TLD namespace asset (e.g. ZIP), to be aware of end user harms that can result from their new asset. An end user market that does not trust a new domain name because of abuse due to File Extension confusion will diminish the value of the new TLD asset for any business which chooses to purchase this asset. Yes, marketing can cover up DNS abuse problems, but it may be wise for business stakeholders to avoid the use of high risk new domain names to achieve their business goals. This type of feedback is not directly connected to ICANN policy of course, but market forces can be useful. The ICANN End User community can help raise awareness, which you have started with your email, even if we don't have effective policy mechanisms in place to avoid potential future problems.
By the way, is NA-Discuss the right mailing list for this discussion? Would this thread be better in the CPWG mailing list?
Cheers,
David
On Mon, May 29, 2023 at 7:34 AM Louis Houle via NA-Discuss <na-discuss@atlarge-lists.icann.org> wrote:
Indeed. And as Ross pointed out, I can't see the real benefits of such a TLD but I do see the risks it brings!
On Mon, May 29, 2023 at 8:50 AM David Mackey via NA-Discuss <na-discuss@atlarge-lists.icann.org> wrote:
The ZIP domain is only one example of the more general problem where TLD and File Extension namespaces. Other examples coming from ccTLD namespace are .PL (Poland vs Perl Script) and .SH (Saint Helena and Shell Script). An interesting detailed discussion on this complexity can be found here <https://news.ycombinator.com/item?id=35930160>. The fact there are already namespace collisions, does not diminish the need for us to pay attention to it when expanding TLD namespace.
What is different IMO is the scale of use and awareness. Shell and Perl scripts are known to software developers but not generally known to the public, and they contain readable text. OTOH, both the ZIP and MOV extensions are in common use and their files are un-human-readable binary blobs; by definition both are compressed data.
From a strictly end user's perspective,
That's (supposed to be) the only perspective that matters within At-Large, as defined by the ICANN bylaws. Other constituencies have their own voices which they are not shy to use.
I think it's safe to conclude that TLD and File Extension namespace collisions do have the potential to add cognitive load to an end user's ability to safely navigate domain name space.
Funny how nobody has considered this to date. I guess since it's primarily an end-user concern, if ALAC doesn't raise it the issue doesn't get raised. Heaven forbid any other corner of ICANN, with all the resources available to it over the decades, would not consider this (or have considered it when applications for .ZIP and .MOV were evaluated).
By the way, is NA-Discuss the right mailing list for this discussion? Would this thread be better in the CPWG mailing list?
The supposed bottom-up process is that ALSs raise issues here in the RALO, and appropriate committee members (be they ALAC or CPWG) escalate as needed if deemed worthy. In addition to the two elected ALAC reps that are accountable to the ALSs, there are many CPWG members who are in NARALO (including its Chair). Since I am no longer on the CPWG I raise the issue here in the hope that At-Large will see this as an issue worthy of deeper attention. My expectations are low since CPWG members tend to focus on issues with little or no relevance to non-registrant end users (applicant support, closed generics, TLD auctions, registry relationships). Its track record on ICANN issues that actually impact end-users (enforcement against bad actors, PICs, the .ORG transfer, public education, etc) is pretty grim. Let's see if attention to this issue can improve that record. - Evan
" It appears that some ICANN stakeholders feel they can make money from an expanded TLD namespace and potentially add value to end users too." I am struggling to see the potential added value of a TLD like .ZIP. Well, except for someone desiring to propagate some malware, of course. How much money from DNS Abusers there may be to be made, I don't know. But it appears that someone thinks there are enough would-be DNS Abusers out there to make such a TLD profitable. I would say that, if someone wants to register a TLD which duplicates a widely used file extension, the burden should be on them to make a very, very persuasive case for why such a TLD is needed. If ICANN's current procedures do not provide for such a review, well then the procedures are clearly in need of revision. Bill Jouris On Monday, May 29, 2023 at 05:49:44 AM PDT, David Mackey via NA-Discuss <na-discuss@atlarge-lists.icann.org> wrote: Evan, Thank you for bringing up the topic of TLD and File Extension namespace collisions. I had not considered this topic before, but I believe it merits attention. The ZIP domain is only one example of the more general problem where TLD and File Extension namespaces. Other examples coming from ccTLD namespace are .PL (Poland vs Perl Script) and .SH (Saint Helena and Shell Script). An interesting detailed discussion on this complexity can be found here. The fact there are already namespace collisions, does not diminish the need for us to pay attention to it when expanding TLD namespace.
From a strictly end user's perspective, I think it's safe to conclude that TLD and File Extension namespace collisions do have the potential to add cognitive load to an end user's ability to safely navigate domain name space. ICANN's policy development takes into account a number of different stakeholders. It appears that some ICANN stakeholders feel they can make money from an expanded TLD namespace and potentially add value to end users too. As with many things in life, there are tradeoffs to be made. I don't have a strong opinion about ICANN policy at the moment, but it does seem wise for those stakeholders that wish to make money from a new TLD namespace asset (e.g. ZIP), to be aware of end user harms that can result from their new asset. An end user market that does not trust a new domain name because of abuse due to File Extension confusion will diminish the value of the new TLD asset for any business which chooses to purchase this asset. Yes, marketing can cover up DNS abuse problems, but it may be wise for business stakeholders to avoid the use of high risk new domain names to achieve their business goals. This type of feedback is not directly connected to ICANN policy of course, but market forces can be useful. The ICANN End User community can help raise awareness, which you have started with your email, even if we don't have effective policy mechanisms in place to avoid potential future problems. By the way, is NA-Discuss the right mailing list for this discussion? Would this thread be better in the CPWG mailing list? Cheers,David
On Mon, May 29, 2023 at 7:34 AM Louis Houle via NA-Discuss <na-discuss@atlarge-lists.icann.org> wrote: Indeed. And as Ross pointed it, I can't see the real benefits of such a TLD but I do see the risks it brings! Louis Houle Le 2023-05-28 à 20:12, Jonathan Zuck via NA-Discuss a écrit : Certainly seems worthwhile to me and outweighs the value of having a .zip domain Jonathan Zuck Director, Future of Work Project Innovators Network Foundation www.InnovatorsNetwork.org From: Evan Leibovitch <evan@telly.org> Sent: Sunday, May 28, 2023 8:09:11 PM To: Jonathan Zuck <JZuck@innovatorsnetwork.org> Cc: NARALO Discussion List <na-discuss@atlarge-lists.icann.org> Subject: Re: [NA-Discuss] Protecting the public interest: dot-zip Very likely the name collision assessment came up clean -- against other domains. But that's not the issue here. Is there any requirement for applicants to do due diligence regarding collisions with other common non-DNS computer uses of the applied string? There are some precedents, notably dot-onion being unavailable to reduce collision with the TOR network (which is certainly out of ICANN's jurisdiction). But I don't know if, for instance, there would be any inherent ICANN-based opposition to anyone applying for, say, dot-exe or dot-bat (which, like zip, is also a dictionary word). Perhaps there is room to develop advice to have a mechanism that measures evaluates conflict not just with other domains, but also common computer uses that could if implemented cause pubic confusion or harm. There are a LOT of file extensions and not all need to be protected, but surely the most common file extensions (and perhaps also command-line utilities) need protections. I see that dot-run is delegated, which could affect Linux systems (which run a lot of the Internet's infrastructure). So is dot-mov which is a popular Apple file extension for videos. 
Anyway, I leave it with NARALO's ALAC reps to determine if this issue is sufficiently end-user to care about and investigate. Evan Leibovitch, Toronto Canada @evanleibovitch / @el56 On Sun, May 28, 2023 at 7:35 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote: I wonder what sort of risk assessment .ZIP has for the name collision study. Jonathan Zuck Director, Future of Work Project Innovators Network Foundation www.InnovatorsNetwork.org From: NA-Discuss <na-discuss-bounces@atlarge-lists.icann.org> on behalf of Evan Leibovitch via NA-Discuss <na-discuss@atlarge-lists.icann.org> Sent: Saturday, May 27, 2023 4:18:34 PM To: NARALO Discussion List <na-discuss@atlarge-lists.icann.org> Subject: [NA-Discuss] Protecting the public interest: dot-zip While my hopes that ALAC will champion this are dim, and ICANN itself is even less likely to act, I draw your attention to a policy goof that is already causing public harm and is likely to cause far more. Now anyone can buy a dot-zip second-level domain, ie evan.zip or naralo.zip As anyone who works with computers should know, long before dot-zip was a domain it was a very popular computer-file extension to denote something that contained a file (or collection of files) in compressed form. Such a collection could easily contain malicious data or code. Is anyone seeing the problem? People could be sent "attachments" that are really URLs and URLs that are really attachments. The potential for end-user confusion and harm is immense. Here are two videos that explain the situation well: https://www.youtube.com/watch?v=GCVJsz7EODA https://www.youtube.com/watch?v=V82lHNsSPww Is anyone in domain-world looking at this? 
Evan Leibovitch, Toronto Canada @evanleibovitch / @el56 ------ NA-Discuss mailing list NA-Discuss@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/na-discuss Visit the NARALO online at http://www.naralo.org ------ _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. ------ NA-Discuss mailing list NA-Discuss@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/na-discuss Visit the NARALO online at http://www.naralo.org ------ _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. 
Bill,
Many security experts are wondering the same thing. You may want to ask Google for an explanation about their .ZIP business case.
Google pushes .zip and .mov domains onto the Internet, and the Internet pushes back <https://arstechnica.com/information-technology/2023/05/critics-say-googles-n...>
"Two of Google’s new TLDs—.zip and .mov—have sparked scorn in some security circles. While Google marketers say the aim is to designate “tying things together or moving really fast” and “moving pictures and whatever moves you,” respectively, these suffixes are already widely used to designate something altogether different. Specifically, .zip is an extension used in archive files that use a compression format known as zip. The format .mov, meanwhile, appears at the end of video files, usually when they were created in Apple’s QuickTime format.
Many security practitioners are warning that these two TLDs will cause confusion when they’re displayed in emails, on social media, and elsewhere. The reason is that many sites and software automatically convert strings like "arstechnica.com" or "mastodon.social" into a URL that, when clicked, leads a user to the corresponding domain. The worry is that emails and social media posts that refer to a file such as setup.zip or vacation.mov will automatically turn them into clickable links—and that scammers will seize on the ambiguity."
...
"Several engineers who responded opposed the proposal, mainly on the grounds that removing TLDs approved by ICANN would create instability and work against the purpose of the PSL. Eventually, the original poster relented.
“My criticisms lie with Google, which has provided no substantial technical benefits of these new TLDs, so we can only conclude that the incentive is money; and the community has demonstrated several new PoC risks and threats that we must now deal with,” *the engineer wrote, adding: “Honorable mention goes to Google for undoing years of anti-phishing and anti-deception work overnight, and for making computers more confusing and risky to use.* 🏅”"
Cheers, David
On Mon, May 29, 2023 at 5:31 PM Bill Jouris <b_jouris@yahoo.com> wrote:
"It appears that some ICANN stakeholders feel they can make money from an expanded TLD namespace and potentially add value to end users too."
I am struggling to see the potential added value of a TLD like .ZIP. Well, except for someone desiring to propagate some malware, of course. How much money from DNS Abusers there may be to be made, I don't know. But it appears that someone thinks there are enough would-be DNS Abusers out there to make such a TLD profitable.
I would say that, if someone wants to register a TLD which duplicates a widely used file extension, the burden should be on them to make a very, very persuasive case for why such a TLD is needed. If ICANN's current procedures do not provide for such a review, well then the procedures are clearly in need of revision.
Bill Jouris
On Monday, May 29, 2023 at 05:49:44 AM PDT, David Mackey via NA-Discuss < na-discuss@atlarge-lists.icann.org> wrote:
Evan,
Thank you for bringing up the topic of TLD and File Extension namespace collisions. I had not considered this topic before, but I believe it merits attention.
The ZIP domain is only one example of the more general problem where TLD and File Extension namespaces. Other examples coming from ccTLD namespace are .PL (Poland vs Perl Script) and .SH (Saint Helena and Shell Script). An interesting detailed discussion on this complexity can be found here <https://news.ycombinator.com/item?id=35930160>. The fact there are already namespace collisions, does not diminish the need for us to pay attention to it when expanding TLD namespace.
From a strictly end user's perspective, I think it's safe to conclude that TLD and File Extension namespace collisions do have the potential to add cognitive load to an end user's ability to safely navigate domain name space.
ICANN's policy development takes into account a number of different stakeholders. It appears that some ICANN stakeholders feel they can make money from an expanded TLD namespace and potentially add value to end users too. As with many things in life, there are tradeoffs to be made.
I don't have a strong opinion about ICANN policy at the moment, but it does seem wise for those stakeholders that wish to make money from a new TLD namespace asset (e.g. ZIP), to be aware of end user harms that can result from their new asset.
An end user market that does not trust a new domain name because of abuse due to File Extension confusion will diminish the value of the new TLD asset for any business which chooses to purchase this asset. Yes, marketing can cover up DNS abuse problems, but it may be wise for business stakeholders to avoid the use of high risk new domain names to achieve their business goals. This type of feedback is not directly connected to ICANN policy of course, but market forces can be useful. The ICANN End User community can help raise awareness, which you have started with your email, even if we don't have effective policy mechanisms in place to avoid potential future problems.
By the way, is NA-Discuss the right mailing list for this discussion? Would this thread be better in the CPWG mailing list?
Cheers, David
On Mon, May 29, 2023 at 7:34 AM Louis Houle via NA-Discuss < na-discuss@atlarge-lists.icann.org> wrote:
Indeed. And as Ross pointed out, I can't see the real benefits of such a TLD but I do see the risks it brings!
Louis Houle
On 2023-05-28 at 20:12, Jonathan Zuck via NA-Discuss wrote:
Certainly seems worthwhile to me and outweighs the value of having a .zip domain
*Jonathan Zuck* *Director*, Future of Work Project Innovators Network Foundation www.InnovatorsNetwork.org
------------------------------ *From:* Evan Leibovitch <evan@telly.org> <evan@telly.org> *Sent:* Sunday, May 28, 2023 8:09:11 PM *To:* Jonathan Zuck <JZuck@innovatorsnetwork.org> <JZuck@innovatorsnetwork.org> *Cc:* NARALO Discussion List <na-discuss@atlarge-lists.icann.org> <na-discuss@atlarge-lists.icann.org> *Subject:* Re: [NA-Discuss] Protecting the public interest: dot-zip
Very likely the name collision assessment came up clean -- against other domains. But that's not the issue here. Is there any requirement for applicants to do due diligence regarding collisions with other common non-DNS computer uses of the applied string?
There are some precedents, notably dot-onion being unavailable to reduce collision with the TOR network (which is certainly out of ICANN's jurisdiction). But I don't know if, for instance, there would be any inherent ICANN-based opposition to anyone applying for, say, dot-exe or dot-bat (which, like zip, is also a dictionary word).
Perhaps there is room to develop advice to have a mechanism that measures evaluates conflict not just with other domains, but also common computer uses that could if implemented cause public confusion or harm. There are a LOT of file extensions and not all need to be protected, but surely the most common file extensions (and perhaps also command-line utilities) need protections. I see that dot-run is delegated, which could affect Linux systems (which run a lot of the Internet's infrastructure). So is dot-mov which is a popular Apple file extension for videos.
Anyway, I leave it with NARALO's ALAC reps to determine if this issue is sufficiently end-user to care about and investigate.
Evan Leibovitch, Toronto Canada @evanleibovitch / @el56
On Sun, May 28, 2023 at 7:35 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
I wonder what sort of risk assessment .ZIP has for the name collision study.
*Jonathan Zuck* *Director*, Future of Work Project Innovators Network Foundation www.InnovatorsNetwork.org
------------------------------ *From:* NA-Discuss <na-discuss-bounces@atlarge-lists.icann.org> on behalf of Evan Leibovitch via NA-Discuss <na-discuss@atlarge-lists.icann.org> *Sent:* Saturday, May 27, 2023 4:18:34 PM *To:* NARALO Discussion List <na-discuss@atlarge-lists.icann.org> *Subject:* [NA-Discuss] Protecting the public interest: dot-zip
While my hopes that ALAC will champion this are dim, and ICANN itself is even less likely to act, I draw your attention to a policy goof that is already causing public harm and is likely to cause far more.
Now anyone can buy a dot-zip second-level domain, ie evan.zip or naralo.zip
As anyone who works with computers should know, long before dot-zip was a domain it was a very popular computer-file extension to denote something that contained a file (or collection of files) in compressed form. Such a collection could easily contain malicious data or code.
Is anyone seeing the problem? People could be sent "attachments" that are really URLs and URLs that are really attachments. The potential for end-user confusion and harm is immense.
Here are two videos that explain the situation well: https://www.youtube.com/watch?v=GCVJsz7EODA https://www.youtube.com/watch?v=V82lHNsSPww
Is anyone in domain-world looking at this?
Evan Leibovitch, Toronto Canada @evanleibovitch / @el56
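The autolinking behaviour described in the Ars Technica excerpt quoted in the message above, written as a defensive check for a mail or chat renderer. This is an added example, not part of the thread or of any participant's message; the function names, the decision labels and the small KNOWN_TLDS set (a stand-in for the full IANA TLD list) are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Small stand-in for the full IANA TLD list an autolinker would ship (assumption).
KNOWN_TLDS = {"com", "org", "social", "zip", "mov", "pl", "sh", "run"}
# TLDs named in this thread that are also everyday file extensions.
# Which TLDs belong in this set is a local policy choice.
FILE_EXT_TLDS = {"zip", "mov", "pl", "sh", "run"}

# One or more DNS labels followed by an alphabetic final label (captured).
HOSTNAME = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z]{2,63})", re.IGNORECASE
)
STRIP = "\"'()[]<>,;:!?."  # punctuation that hugs a token in running prose


def classify(token):
    """Decide how an autolinker should treat one whitespace-delimited token."""
    tok = token.strip(STRIP)
    if tok.lower().startswith(("http://", "https://")):
        try:
            host = (urlsplit(tok).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            return "text"
        if not host:
            return "text"
        # The sender typed a scheme, so this is a link; flag the risky TLD.
        tld = host.rsplit(".", 1)[-1]
        return "link-flagged" if tld in FILE_EXT_TLDS else "link"
    match = HOSTNAME.fullmatch(tok)
    if not match:
        return "text"
    tld = match.group(1).lower()
    if tld not in KNOWN_TLDS:
        return "text"  # e.g. report.pdf: looks like a host, but is not one
    if tld in FILE_EXT_TLDS:
        # Could be a file name or a domain: render as plain text, never a link.
        return "ambiguous-no-link"
    return "link"


def review(message):
    """Return (token, decision) for every token that is not plain text."""
    findings = []
    for raw in message.split():
        decision = classify(raw)
        if decision != "text":
            findings.append((raw.strip(STRIP), decision))
    return findings


# Constructed sample message. naralo.zip is the thread's own illustrative name.
SAMPLE = (
    "Installer attached as setup.zip and the clip is vacation.mov, "
    "notes in report.pdf. Background at arstechnica.com and "
    "https://naralo.zip/agenda (see mastodon.social)."
)

if __name__ == "__main__":
    for token, decision in review(SAMPLE):
        print(f"{decision:18} {token}")
```

Only a token with an explicit scheme becomes a link under a file-extension TLD, and it is flagged so the renderer can show the real destination; bare names such as setup.zip stay as text.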
I agree with you Bill,
There is no evidence that such a TLD is useful and brings an added value. There is evidence that DNS abusers stand near in the back office of Dot.Zip though.
Louis Houle
On 2023-05-29 at 17:31, Bill Jouris via NA-Discuss wrote:
"It appears that some ICANN stakeholders feel they can make money from an expanded TLD namespace and potentially add value to end users too."
I am struggling to see the potential added value of a TLD like .ZIP. Well, except for someone desiring to propagate some malware, of course. How much money from DNS Abusers there may be to be made, I don't know. But it appears that someone thinks there are enough would-be DNS Abusers out there to make such a TLD profitable.
I would say that, if someone wants to register a TLD which duplicates a widely used file extension, the burden should be on them to make a very, very persuasive case for why such a TLD is needed. If ICANN's current procedures do not provide for such a review, well then the procedures are clearly in need of revision.
Bill Jouris
participants (6): Bill Jouris, David Mackey, Evan Leibovitch, Jonathan Zuck, Louis Houle, Ross Campbell