Brexit, and the impact on .EU domain names, sound the alarm?

I do not think it is time to sound the alarm yet, but some caution and some thinking ahead of the Brexit might be advised when it comes to .EU domain names and Brittish registrants.

Who will be affected?

Organisations that are established in the United Kingdom but not in the EU and natural persons who reside in the United Kingdom.

Impact

The above-listed persons or organizations will no longer be eligible to register .eu domain names or, if they are .eu registrants, to renew .eu domain names registered before the withdrawal date. Accredited .eu Registrars will not be entitled to process any request for the registration of or for renewing registrations of .eu domain names by those undertakings, organizations, and persons.

Relevant dates

Measures are effective as from 1 January 2021 or, in case that there was no withdrawal agreement in force prior to 30 March 2019, as from 30 March 2019. Negotiations are ongoing with the United Kingdom and the EU to come up a withdrawal agreement.

What to do?

At the moment there is little information to go about. The latest status update can be located here, we urge our customers to check this website often for more information.

If the EC really wants to push through remains to be seen, given the current status between the UK and the EU it looks pretty grim. It is advisable to contact high profile customers (if you have them) who have a .EU domain name and match the criteria mentioned earlier on.

A possible solution for Brittish registrants is to update the domain names via their European (non-UK) address (if available). We highly advise against the use of proxy solutions as they are in violation of Eurid’s terms and conditions. One can expect that after the Brexit, Eurid might monitor affected domain names and enforce their terms and conditions.

Using incorrect registrant information is always ill-advised and a violation of Registrar and Registry terms and conditions.

 

 

 

 

 

 

 

GDPR and SSL

Due to the recent developments regarding the public WHOIS and GDPR, limiting the output of WHOIS Servers it has become somewhat more difficult to order an SSL certificate, as email address validation might in some cases no longer be an option due to such restrictions imposed by the GDPR.

Email Validation for DV (domain validated) SSL certificates can only be approved via the default mail addresses known as:

  • admin@example.com
  • administrator@example.com
  • hostmaster@example.com
  • postmaster@example.com
  • webmaster@example.com

For more information regarding the GDPR and the changes to the WHOIS output can be found:

The ICANN WHOIS system is gone, the process for a GDPR compliant WHOIS has started!

However, there are alternatives that are more in the spirit of Art 25 of the GDPR and do not require the processing of possible personal data through a public WHOIS.

These alternatives are:

  • HTTP(s) validation, also known as File based validation.
  • DNS validation.

Below a screenshot with more information how to validate HTTP(s) or via DNS validation for DV SSL certificates via Realtime Register. Navigate to “SSL certificates” on the left tab. Select “Positive SSL” or the “Positive SSL Wildcard” and click on next.

On the next page, you can provide the CSR and for which server software it concerns.

After filling in the CSR and selecting the server software, you can continue to the next page:

Where you can provide the period, contact-handle, validation method or dcvEmailAddress. For the validation method there is the possibility to choose between:

  • E-mail based verification
  • DNS based verification
  • HTTP(S) based validation (file based validation)

For doing the validation via DNS or File-based validation there is a complete documentation and how-to via https://support.comodo.com/index.php?/Knowledgebase/Article/View/791/0/alternative-methods-of-domain-control-validation-dcv

 

Privacy by default account setting.

Today we introduce a new account setting called:”Default Privacy Protect setting”, which you can access by clicking here.

Setting disabled.

When selected, domain name registrations and transfers will not use our privacy service automatically. This is how it used to work for years.

Setting enabled when free (and available)

When enabled all domain name registrations and transfers will automatically use our privacy service. Regardless if you use WHMCS, our API or the domain name manager.

A list of available TLDs that can be used for this service is located here.

We keep recommending this service as it is unknown if gTLD registries will continue to publish the data in the WHOIS or not. Several large gTLDs will no longer publish the WHOIS, similar to how we will operate our WHOIS server. But some of them most likely will keep publishing registrant data.

Enabled (when available)

Same as above but also will use privacy services that are not free of charge. Please check the price list in your account if that is the case.

Registration

When you register a domain name you can override your account settings if required. Select the desired action from the drop-down menu.

Current Customers.

At the moment the default setting is not active, as mentioned earlier. Due to the new ICANN contractual regulations that have been rushed out of the door on 17-05-2018 this week, we are reviewing the option to turn this on for all customers. I apologize in advance for any inconvenience this may cause.

Post GDPR gTLD Transfers

Update: 25-05-2018

The procedure below is now live as per the ICANN temporary spec. I observe that not every Registrar was aware of the below situation. If you cannot transfer out your domain name(s) advise the gaining registrar to stop parsing WHOIS data and trying to send FOA emails to the registrant or admin contact, this will no longer work.

 

The new procedure has been communicated last week by ICANN to all registrars. To view this communication click here,

 

 

As mentioned in a previous blog the WHOIS will change drastically over the next few weeks.

At the moment when you start a transfer through the API or domain manager, our system sends an FOA to the registrant or the admin contact based on our contractual ICANN requirements. Once the FOA has been approved by one of the above contacts the transfer is requested at the registry,

 

Transfer solution post-GDPR

We will no longer send the incoming FOA, the auth code is sufficient to request the transfer on a registry level.

The losing registrar will still be required to send the outgoing FOA, the registrant can agree or decline the request. If there is no response from the registrant the transfer will be processed automatically after 5-7 days unless the losing registrar not acknowledges the transfer and cancel the transfer on their side.

Domain names that are set to transfer prohibited will not be transferred, if your customer wishes to transfer in or out, the transfer lock needs to be removed prior to the transfer. We recommend setting your domain names to transfer prohibited and regularly change the auth-codes for the domain names under your management for security reasons.

The above-described transfer process should not be to complex for most resellers, as it works somewhat similar how the larger ccTLD registries operate.

Recommended domain name security reading

A Registrant’s Guide to Protecting Domain Name Registration Accounts a report from the ICANN Security and Stability Advisory Committee (SSAC)

SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle

Domain theft?

Though at first glance it seems the above changes might lead to more domain theft. This is counter mitigated due to the fact that the WHOIS info will no longer contain registrant data and email addresses. This info is usually an attack vector for hackers who steal domain names, with this attack factor no longer in play we expect to see fewer cases of domain theft.

Key transfer changes post GDPR summary.

  • Transfers will continue to require a valid authorization code; just like EU ccTLDs
  • The gaining registrar will no longer be required to send a Form of Authorisation (FOA) to the registrant, again most likely there is no WHOIS info to create one.
  • The losing registrar will continue to send an FOA (aka outgoing FOA) that allows the registrant or admin contact to ACK (acknowledge) or NACK (not acknowledge) the transfer;
  • If there is no action/response, the transfer will auto-ACK by the registry after five days from initiation of transfer;
  • Registration information will not be transferred as part of the IRTP-C, registrants will independently re-enter transfer information with the gaining registrar. This will include entering into a registration agreement with the new registrar as it is now.

 

 

The ICANN WHOIS system is gone, the process for a GDPR compliant WHOIS has started!

 

After twelve months of endless discussions and a looming deadline, ICANN received information from the Art 29 Working Party. 

The EU Data Protection Authorities will not grant ICANN forbearance regarding the May 25th deadline when it comes to the WHOIS. Again the DPA’s re-confirmed their advise towards ICANN and does not deviate much from the advice they have provided ICANN since 2000.

The full press release from ICANN and the Article 29 WP letter can be read here.

Now that it is official there will be no forbearance regarding WHOIS, which was a silly request to begin with, registrars must shift into gear to get the WHOIS GDPR compliant.

Our solution will look like the screenshot below, though the below is subject to future change, I do not expect our GDPR solution will change drastically.

 

We will continue to display the country code and state field (if provided), due to the fact that it might be relevant for trademark lawyers.

The solution mentioned above is a mix of what ICANN has sent to the Art 29 WP, there is some advice incorporated from the ECO playbook. Last but not least we cherry-picked some elements from the WHOIS output solution by the Dutch Registry SIDN.

SIDN does not publish personal data of the registrants for many years now, so we have a great deal of experience with such WHOIS output and as a result, we have many operational procedures and solutions in place.

 

Reseller lookup tool
Our Reseller lookup tool is available here. We will also mention the link to this tool in the WHOIS output of the Realtime Register WHOIS server.
This tool allows people to look up the domain and the relevant reseller contact information.

As a data processor, we are limited in our role due to data protection laws, and we must refer to the data controller (our reseller) when it comes to domain name inquiries.
I think our lookup tool will be of great assistance for Law Enforcement Agencies, Trademark Lawyers, etc.

Most of our Dutch resellers will be very familiar with the above concept, as reseller data plays a significant role in the WHOIS for .NL domain names.

I expect that the WHOIS will become less relevant on May 25th and will have an effect on transfers.
Expect a blog post about the transfer details within a week.

Also, this blog describes the WHOIS server of Realtime Register, not the WHOIS servers operated by thick registries all over the world. It is possible that while we at a registrar level do not display personal data, a Thick WHOIS registry continues to show the data of your customers in their available public WHOIS…