Nominet announced a little while ago a consultation on allowing domains to be registered directly within .uk rather than in .co.uk. So, for instance, you can register example.uk rather than example.co.uk. In itself this is an interesting proposal worthy of consideration; I think the arguments for and against are pretty balanced. But Nominet has mixed it up with so much other stuff in a rather misguided attempt to improve internet security that this probably counts as one of their sillier ideas. My view is that, in their current form, the proposals are seriously flawed.

My full consultation response can be found here. You can reply to the consultation online here (hats off to Nominet for making it easy to do). But hurry hurry hurry! It closes on Monday.

I’ve put a version of the executive summary of my response and my counterproposals below.

Summary

This consultation document is one of the least well thought-out proposals I have yet read from Nominet. Whilst there are a number of problems with the detail of the proposal, there are two significant and overarching problems: conflation of purpose, and naivety as to the proposed mechanisms.

Conflation of purpose

The first problem is that it conflates two entirely separate issues:

  • The question of whether direct registrations should be capable of being made at the .uk level; and
  • The question of whether Nominet should encourage more ‘secure’ registrations (validated contact address details, virus checks, DNSSEC and so on), and if so under what circumstances and under what commercial terms.

Nowhere in the consultation document does Nominet adequately explain why registrants within the existing subdomains should not be able to avail themselves of the ‘high security’ registrations, and why it is thus in the interests of Nominet’s stakeholders to require such registrants to re-register another domain within .uk, at considerable cost to them. As such costs involve not only payments to Nominet and/or the registrar concerned, but also the far larger costs of re-branding, it seems perverse not to provide such ‘high security’ registrations where possible in .uk. A cynic might suggest this was simply a revenue- or empire-building exercise.

Equally, nowhere in the consultation document does Nominet adequately explain why the first-come first-served light-weight registration model which has served Nominet well from inception should not be available within direct registrations in .uk (assuming opening up .uk for third party registrations is a good idea). Nominet proposes that .uk be a domain with enhanced checking of registration details (including the rather quaint idea of sending letters by post). Nominet has already tried this model with (e.g.) ltd.uk and plc.uk. Whilst I cannot find current information on Nominet’s web site, I believe these subdomains are less than 1% of the size of co.uk and considerably smaller than (say) org.uk.

The only purported link is the one set out at the head of the next section, which is in my opinion laughably naïve.

Naivety of mechanism

The only arguable link between the two issues set out in the section above is that consumers will somehow draw a link between the fact that the web site they visit or email they receive has the domain name ‘example.co.uk’ or ‘example.plc.uk’ and conclude that it is insecure (being registered as third level domains within existing SLDs), but also know that ‘example.bt.uk’, ‘example.pcl.uk’ (sic) or ‘exampleplc.uk’ are secure (being registered as second level domains within the .uk subdomain). This seems fantastically unlikely unless Nominet embarks on a worldwide education program of its own domain registration structure.

Nominet appears to be around 15 years out of date in this area. Consumers increasingly do not recognise domain names at all, but rather use search engines. The domain name is becoming increasingly less relevant (despite Nominet’s research) as consumers are educated to ‘look for the green bar’ or ‘padlock’. Whilst SSL certification has many weaknesses in proving security, it is by no means as poor a solution as the solution Nominet proposes to replace it.

Recommendations

I make the following recommendations:

  1. Nominet should abandon its current proposals in their entirety.
  2. Nominet should disaggregate the issue of registrations within .uk and the issue of how to help build trust in .uk in general. Nominet should run a separate consultation for opening up .uk, as a simple open domain with the same rules as co.uk. There are plenty of arguments for and against this, but the current consultation confuses them with issues around consumer trust. Whilst consumer trust and so forth are important, they are orthogonal to this issue.
  3. Nominet should remember that a core constituency of its stakeholders are those who have registered domain names. If new registrations are introduced (permitting registration in .uk for instance), Nominet should be sensitive to the fact that these registrants will feel compelled to reregister if only to protect their intellectual property. Putting such pressure and expense on businesses to reregister is one thing (and a matter on which ICANN received much criticism in the new gTLD debate); pressurising them to reregister and rebrand by marketing their existing co.uk registration as somehow inferior is beyond the pale (for instance marketing it as ‘less secure’ as proposed here). Any revised proposal for opening up .uk should avoid this.
  4. Nominet should recognise that there is no silver bullet (save perhaps one used for shooting oneself in the foot) for the consumer trust problem, and hence it will have to be approached incrementally.
  5. Nominet should be more imaginative and reacquaint itself with developments in technology and the domain marketplace. Nominet’s attempt to associate a particular aspect of consumer trust with a domain name is akin to attempting to reinvent the wheel, but this time with three sides. Rather, Nominet should be looking at how to work with existing technologies. For instance, if Nominet was really interested in providing enhanced security, it could issue wildcard domain-validated SSL certificates for every registration to all registrants; given Nominet already has the technology to comprehensively validate who has a domain name, such certificates could be issued cheaply or for free (and automatically). This might make Nominet instantly the largest certificate issuer in the world. If Nominet wanted to further validate users, it could issue EV certificates. And it could work with emerging technologies such as DANE to free users from the grip of the current overpriced SSL market.