Feeds

Verisign and .net: a winner all the way

Deeply flawed

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Both ICANN and VeriSign were informed of the relevant aspects of this story and their responses are given below with additional comments by ourselves.

ICANN's response

"As part of an open and transparent process the GNSO received comments regarding the RFP criteria - the GNSO then Adopted the RFP criteria and presented it to the ICANN Board - and as an additional part of the open and transparent process ICANN took comments on the draft RFP - that was based on the GNSO criteria - and then the ICANN Board (at its open, public Board meeting in Cape Town) approved the GNSO Criteria and the RFP based upon the GNSO criteria and public comments. This all took place in December - in plenty of time to have people voice concern of the process to date - so what you're therefore contending is factually inaccurate."

Our response: Our story refers explicitly to changes made during the period betwen the GNSO's final approved report on 5 August 2004, and ICANN's first draft of the RFP, released on 12 November 2004. In that time, an enormous number of extra criteria, requested by VeriSign were added, without any additional outside consultation. In addition, an entire new section "Security and Stability", requested by VeriSign, was added.

Also, the explicitly stated fact that "competition" should be the primary relative criteria ("1. Relative criteria related to promotion of competition") used to decide the winner in the GNSO report - which came complete with three categories and three sub-categories - was reduced in ICANN's RFP to relative criteria point "7. Additional Relative Criteria" and comprised just three sub-categories.

VeriSign and the GNSO had numerous public arguments over the competition criteria, during which VeriSign made it very clear it felt competition should come far below other relative criteria such as stability and security.

The result of these changes was to name VeriSign as the winner of the contest. If those changes had not been adopted, VeriSign would not have won the contest.

"ICANN didn't go forward with the evaluation process until all the bidders were satisfied that Telcordia could render an unbiased evaluation."

Our response: What happened was ICANN publicly announced it had chosen Telcordia without consulting or informing the bidders. At the same time as the announcement, ICANN published a disclosure statement from Telcordia, which was preceeded with a statement by ICANN's General Counsel stating that in his opinon that was no legitimate reason why Telcordia should not be chosen as the evaluator.

One bidder, Sentan, immediately complained about Telcordia's suitability. ICANN then called each bidder individually and outlined Sentan's concerns. Bidders were not given the option of veto over Telcordia and had no choice but to accept Telcordia is they wished to continue bidding for .net.

"Pursuant to the adopted RFP process, it is the ICANN Board (not ICANN Staff) that will make any decision and who will consider the following at its upcoming meeting:

A. the Telcordia report; B. the Applicants' written comments on the Telcordia report; C. any response from Telcordia to the Applicants' written comments; D. any and all public or Internet Community comments received by ICANN on its website; and E. the proposed .NET Registry Agreement negotiated between ICANN and VeriSign."

Our response: It is our contention that the process was unfairly skewed (by ICANN staff)in favour of VeriSign before Telcordia had even been chosen. As such, the Board will only have the opportunity to decide on the results of what was already a flawed process.

"I don't think ICANN will have the names of the Telcordia team until the process of commenting on the evaluation by all parties is concluded."

In the previous mentioned disclosure statement from Telcordia, approved by ICANN's General Counsel, it stated: "Neither Telcordia Technologies, Inc. nor individual member of the evaluation team has any financial interest in or similar dealings with any of the applicants". How can ICANN agree with that statement if it does not know the identities of the individual members of the evaluation team? ICANN also informed us over two weeks ago that it had requested the names of the evaluation team from Telcordia. Does ICANN have those names, or has Telcordia withheld them? What are the reasons for not making the names public?

VeriSign's response

"VeriSign did not offer any comments to ICANN outside of the approved comment channels for all bidders and all public comment. Nothing was shown to VeriSign prior to it being publicly available or available to all bidders. "VeriSign offered comments, as I believe all bidders did on the RFP and GNSO report. ICANN posted many of the comments. VeriSign did not make any threat of a lawsuit. VeriSign did - in its comments - note how certain aspects of the RFP and GNSO report were contrary to our contract." Our response: On 24 June 2004, VeriSign informed ICANN: "VeriSign objects to the Draft Procedure for designating a subsequent .net Registry Operator... on the grounds that it does not comply with the procedural or substantive requirements of the existing .net Registry Agreement, the Memorandum of Understanding between ICANN and the Department of Commerce, or the Bylaws of ICANN...

"...VeriSign believes that anything less than the true 'adoption of an open and transparent procedure for designating a successor Registry Operator' is a material violation of applicable requirements on ICANN, including as set forth in the current .net Registry Agreement."

ICANN and the GNSO took this threat seriously enough to seek legal advice from its General Counsel. A vote on final approval of the GNSO report was delayed while this legal situation was reviewed.

If VeriSign didn't explicitly state it would launch a lawsuit, it was certainly assumed by ICANN that this was what VeriSign's statement implied. We believe the threat of a further lawsuit was used to add pressure to VeriSign's demands for changes in the report and its criteria. ®

Related stories

VeriSign responds to .net report criticisms
VeriSign wins back .net registry
VeriSign enters MMS market with Lightsurf buy

Secure remote control for conventional and virtual desktops

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Big Content outs piracy hotbeds: São Paulo, Beijing ... TORONTO?
MPAA calls Canadians a bunch of bootlegging movie thieves
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Verizon bankrolls tech news site, bans tech's biggest stories
No agenda here. Just don't ever mention Net neutrality or spying, ok?
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.