'World-first' security standard set for .au

The .au Domain Administration (auDA) is seeking comment from the domain-name industry on proposed changes to how Australian registries operate, including the use of a world-first mandatory security standard.
Written by Michael Lee, Contributor

As part of the changes, auDA's Industry Advisory Panel has developed a draft auDA Information Security Standard (ISS) that it states will "assist registrars to manage and improve the security of their own businesses in a way that also protects the integrity and stability of the .au domain space".

Under the ISS, registrars will be required to adhere to or implement a number of policy and business controls. These include developing an information-security policy; an asset-management plan; a human-resources policy; a physical security plan; documentation on managing malicious code and vulnerabilities; cryptographic controls; and a regulatory-compliance register.

Companies will need to comply with the standard in order to become certified as a registrar. Achieving this certification means undergoing a certification process, and passing with no instances of non-compliance and no more than three "areas of concern". If the registrar passes compliance, but has between one and three areas of concern, then there will be an interim reassessment in three months. A perfect score of zero instances of non-compliance and zero areas of concern will result in auDA setting an interim assessment date within three to 12 months.

Instances of non-compliance will have less leeway than areas of concern. Registrars that have up to two instances of non-compliance will be given a second chance, with three months to fix their issues and reapply — but any more than that, and they'll miss their chance to become certified.

The industry panel has acknowledged that the procedure may be tough, stating that it "is aware that the introduction of a mandatory security standard for registrars would be a 'world first', and would represent a significant change to the industry — not just for existing accredited registrars, but also for prospective applicants for accreditation".

Security issues with domain registrars have been raised in the past. For example, auDA stripped Bottle Domains of its domain registrar accreditation, following security incidents.

To gain the industry's feedback on the ISS, the panel has released an issues paper (which includes the draft ISS), and will go through two rounds of public consultation.

The paper also tackles several other issues relating to the .au domain-name industry, as outlined below.

2LD registry operator selection/appointment post-2014

The panel noted that it needs to decide what company to appoint for the second-level domain (2LD), as AusRegistry's appointment to provide this function expires in 2014. There are several issues surrounding the new appointment, including the fact that AusRegistry itself would have a significant advantage if it applies to become the new operator, due to its existing infrastructure.

Policy and process for registrar accreditation

The panel is examining changes to registrar-accreditation fees, to which organisations can apply for accreditation, and to the experience they must have in order to do so.

Status and regulation of resellers

There is some confusion around the definition of what a reseller is, as well as debate over whether resellers should be listed in Whois Lookups. The panel is seeking comment on how resellers should be defined, and what status they should be given.

Policy and process for registrar transfers

The process of obtaining written permission from, and reconfirming with, customers when they change registrars has been seen as slow and overprotective, and the panel has opened it for discussion. The panel is also seeking consultation on whether bulk transfers of domain names should be allowed.

Status and operation of .au Domain Name Suppliers' Code of Practice

The code is voluntary, and does not go through the same scrutiny as auDA's other regulations. While the panel stated that it would like to keep the code "owned" by the industry, there could be a benefit in having auDA review the code regularly, like it does its own regulatory policies.

Public submissions are being accepted until 20 July.