On 6 March 2024, the ICANN At Large Advisory Committee (ALAC) held a plenary session entitled “Building Trust on the Internet Through Registrant Verification” at the ICANN79 Community Forum in San Juan, Puerto Rico, that Michael Palage and Avri Doria co-moderated. This session was inspired in part by a recent World Economic Forum report entitled “Reimagining Digital ID” that noted “[d]espite a sustained focus on ID, the increasingly widespread use of digital technologies, and the rapid development of AI, the internet lacks an ID layer.” This session focused on innovations by TLD registry operators (both gTLD and ccTLD) that are increasing trust in their respective namespace using enhanced registrant verification, and how this innovation can have an impact beyond the domain name marketplace.
Listed below is a summary of each speaker’s comments, along with a link to their respective presentation in the order they presented:
- Finn Petersen, the Danish Director of International ICT Relations Agency for Digital Government, provided a presentation on the recently enacted European Network and Information Security Directive 2 (NIS 2.0) and its potential impact on domain registration authorities. Finn specifically addressed Article 28 and its requirements regarding the collection, verification, and publication of domain name registrant data. Finn is uniquely qualified to provide insight on Article 28 as he is the Chair of the Work Stream on WHOIS that currently encompasses a Task Force on Verification and Legitimate Access.
- Karla McKenna, Managing Director/Head of Standards at the Global Legal Entity Identifier Foundation (GLEIF), provided a presentation on the establishment of GLIEF in 2011 to create global unique Legal Entity Identifiers (LEIs) to identify parties in financial transactions. Karla explained how GLIEF has used 38 global partners to issue over 2 million LEIs and the recent innovation of verifiable LEIs (vLEIs). vLEIs enable Zero Trust Architecture for Organizational Identifiers through Verifiable Provenance and Instate Revocation State Verification.
- Avri Doria, a research consultant, then spoke on the various standards (some complimentary and some competitive) surrounding digital identity and why it is so hard to find a universal solution. Avri produced a readout of her presentation via a short blog available where she included a compilation of current and evolving standards in various standard bodies to help educate those attempting to navigate the digital identity landscape.
- Lucas Prêtre, Telecommunication Engineer at the Swiss Federal Office of Communications OFCOM provided a presentation about how OFCOM has historically handled registrant verification of legal entities through the use of an UID (Enterprise Identification Number) corresponding to the Swiss corporate identifier. Lucas also spoke about how OFCOM intends to expand registration of .SWISS domains to natural persons through the use of a UPI (Unique Person Identification) in 2024. Another unique aspect of the .SWISS TLD that Lucas discussed is how they have integrated the UID and UPI into the registry via the “publicID” in the WHOIS/RDAP protocol.
- Niamh Lewis, Senior Digital Health & Policy Expert at the National Association of Boards of Pharmacy (NABP), gave a presentation on how a 120 old US-based non-profit organization dedicated to protecting public health has leveraged its skill set in licensing and accreditation to vet registrants in the .pharmacy TLD. Niamh also shared how domain name registrants in .pharmacy can use their registration as a fraud-proof seal that is recognized by third-party stakeholders, such as Google, Bing, TikTok, Twitter/X, Reddit, Visa and Mastercard.
- Craig Schwartz, Managing Director, fTLD Registry Services spoke about the importance of security in the operation of the .Bank and .Insurance domains and the various security innovations they have implemented. Craig also spoke about fTLD’s continued enhancements regarding registrant verification and how 80% of .Bank registrants already have an existing GLEIF LEI.
- Thomas Keller, Executive Board Member DENIC presented on how DENIC has worked in collaboration with its 290 Members to implement appropriate safeguards they believe comply with the requirements of NIS 2.0 before the end of the year. As one of the world’s largest TLDs with over 17 million domain names under management, DENIC was looking for an approach that would not only meet its immediate needs but also provide a future-oriented, scalable, and risk-based approach. The solution presented proposes a Traffic Light Risk Assessment (red, yellow, green) toward domain name registrant verification that relies heavily upon close coordination with its Registrar Members.
- Bruce Tonkin, Chief Operating Officer at .au Domain Administrator (auDA), spoke about auDA has incorporated Registrant verification of natural and legal persons into their normal business operations to comply with Australian nexus requirements. Bruce also spoke to how .au has had low volumes of malicious registrants with those instances generally associated with stolen identities.
- Jaromir Talíř, Technical Fellow at CZ.NIC, provided a historical overview of the pioneering work that CZ.NIC has been engaged in the area of registrant verification over the past 18 years. These innovations include, but are not limited to: the rollout of MojeID (digital identity service) in 2010; participation in RegeID, a joint EU project involving 4 ccTLDs exploring the use of eIDs; and their current active participation in one of the four Large-Scale eIDAS 2.0 pilots involving the European Digital Identity Wallet.
- Timo Võhmar, Head of Business and IT Development at the Estonia Internet Foundation, spoke about .EE’s commitment to registrant verification since 2010 and some of the challenges they have faced with foreign registrants. Timo also shared a new eeID initiative leveraging FIDO and passkeys to promote the use of federated user-centric identifiers and enhanced multi-factor authentication.
- Jacques Latour, Chief Technology & Security Officer at CIRA presented on CIRA’s involvement in various IETF working groups and a recent report that he co-authored entitled A trust Layer for the Internet is Emerging. Jacques also spoke about various CIRA pilots involving verified registrant credentials. Some of the additional work that Jacques and CIRA have been involved in was also discussed during two other ICANN79 sessions: DNS Trust Panel and eID Panel Discussion.
A Zoom recording from this ALAC Plenary session is available from the ICANN website