NOTE: The ICANN comments "ICANN Draft Accreditation Guidelines: Comments" are at http://mcwg.org/mcg-mirror/icannba.txt

-----------------------------------------------------------------------

Arguments for recalling WIPO RFC3

Dr. rer. nat. Ed Gerck *
Coordinator - Meta-Certificate Group
egerck@mcwg

WIPO Meeting in Washington D.C. on March 10th, 1999.

NOTE: The arguments herein represent matters that were publicly discussed by the MCG, an Internet Open Group on Security and Certification that includes participants from 28 countries, and in other fora. However, this presentation is not an MCG document nor should its terms be considered statements by anyone but myself.

INTRODUCTION

The World Intellectual Property Organization (WIPO) is an organization founded through a treaty by States, which has 171 States of the World as members, essentially establishing international frameworks for each of the rights that make up intellectual property, and systems for obtaining international protection of such intellectual property rights.

The National Telecommunications and Information Administration (NTIA), an agency of the United States Department of Commerce, issued on June 5, 1998, its Statement of Policy on the Management of Internet Names and Addresses (the “White Paper”). Based on this document, the U.S. Government called upon WIPO to: (1) develop recommendations for a uniform approach to resolving trademark/domain name disputes involving cyberpiracy, (2) recommend a process for protecting famous trademarks in the generic top level domains, and (3) evaluate the effects, based on studies conducted by independent organizations, of adding new gTLDs and related dispute resolution procedures on trademark and intellectual property holders.

In response, WIPO has produced the document RFC3 [RFC3-98], which is the object of my present comments, below. In summary, I express the opinion that the RFC3 document is basically flawed in eight major areas and should be recalled in totum.
In addition, as I advance in the conclusions, a positive answer to the US's NTIA requests should be possible, but only by taking a quite different approach. Otherwise, I hope to be able to show ahead of time that pursuing the RFC3 recommendations will just lead to harm to worldwide e-commerce, the Internet itself, Internet security, the public trust in business marks -- and, most importantly, users and consumers.

I. CONFLICT WITH WIPO'S JURISDICTIONAL MATTERS

The RFC3 specifically postulates that "Internet Domain Names have come into conflict with the system of business identifiers that existed before the arrival of the Internet and that are protected by intellectual property rights" -- which matters are under the jurisdiction of WIPO.

The question arises whether this WIPO "declaration of conflict" is justified. In other words, even though Internet Domain Names are surely a human friendly form of Internet addresses and they are also used to designate Internet addresses where businesses may be reached, are they also "business identifiers" for the specific purposes of intellectual protection rights?

If they were business identifiers or marks, then in WIPO's RFC3 words, enforcing intellectual property rights would be useful, since: "The exclusive right to the use of the mark enables the owner to prevent others from misleading consumers into wrongly associating products with an enterprise from which they do not originate."

Thus, if Internet Domain Names are business identifiers then they should allow customers to associate products with a business. But they do not.
In fact, Internet Domain Names' highest security threat comes from such association -- which is fully unwarranted and forewarned against by every Internet Certification Authority (CA), browsers' on-screen instructions to users, and security work groups such as the Internet Engineering Task Force (IETF), the Meta-Certificate Group (MCG) and also so handled by Network Solutions, Inc (NSI), the exclusive registrar for the gTLD .com, .org and .net domains as appointed by the United States.

Instead, Internet Domain Names in naming conventions such as e-mail addresses, DNSs and IPs are actually just convenient mirages in the worldwide Internet. For example, it is perfectly possible for a site that ends with .jp (i.e., Japan) to be hosted in the USA -- so, just by the DNS convention one cannot affirm anything about the site's whereabouts, contents, owner or business branch. Further, such names can be diverted to different Internet locations by URL-hijacking, router intervention, malicious JavaScript, etc.

Thus, Internet Domain Names are NOT business identifiers as RFC3 postulates, which negates the very postulated conflict that is stated by WIPO -- to provide a need for RFC3 within WIPO.

II. WIPO ASSUMPTIONS NOT GRANTED EVEN IF ONE-SIDED

On the other hand, notwithstanding what has been explained in item (I) above, if WIPO one-sidedly views or wants Internet Domain Names to be viewed as business identifiers, it should become aware that the basic requirements for a business identifier or mark are directly denied.

Internet Domain Names are not stable references -- the first notion, according to some experts, that defines the possibility of a mark that can serve as a business identifier. I doubt someone could trademark a cloud formation -- which is however a good metaphor for Internet Domain Names.

Further, Internet Domain Names are not even objective as a cloud is -- they are simply references that depend on references, which are again references.
No one can be objectively certain to any degree that they reached the correct Internet address when they type an Internet Domain Name. I doubt someone could understand a mirage on the Sahara desert of a reference of a cloud formation to be a business mark -- which is however and again a good metaphor for Internet Domain Names.

III. UNWARRANTED ASSOCIATION -- SECURITY FLAW

As discussed in Items (I) and (II), Internet Domain Names are address identifiers which may point to any Internet host in the world, to any business and may even be diverted without anyone noticing it.

Thus, it is a basic security flaw to proceed with WIPO's RFC3 and try to associate Internet Domain Names with stable, objective, well defined marks. They are not and never will be, by TCP/IP Internet design.

There is an ongoing education effort on the Internet, to explain to users what Internet Domain Names are -- and what they are not. Even, and especially, when such understanding may increase the user's doubts. Companies, associations, groups, discussion lists and individuals have invested much time and resources in order not to provide unwarranted associations. This can be seen in commercial browsers' on-screen user messages such as this one from Netscape: "...you cannot check the identity of the web site."

However, WIPO's RFC3 goes blatantly against such principles and implies an Internet address assurance which simply does not exist and is even denied by the TCP/IP design.

IV. WRONG TRUST -- DENIES TRUTH IN ADVERTISING

As items (I, II, III) show, Internet Domain Names are on the same trust level as a cloud mirage on the Sahara when used as business identifiers.

However, by using them in RFC3, WIPO will not be able to increase their public trust as business identifiers -- which is one of NTIA's motivations. Why?

As shown in [Ger98], trust is qualified reliance on received information.
The degree of trust is measured by reliance extent, clearly reduced here by denying the very fabric of traditional rules that WIPO's member States must follow when issuing a trademark -- and which consumers need to rely upon.

In this analysis, Internet Domain Names under RFC3 would then become "third-class" business identifiers, one that is not quite a mark, one whose history no one is sure of or can verify. Which negates the very purpose of RFC3 and denies truth -- since an Internet Domain Name cannot possess the basic trust qualities that would qualify it to be a mark under current and tried trademark agreements.

Moreover, lack of trust here will negate trust there, by association [Ger98] -- which will hurt the investments of companies in their good-will and business identification for traditional commerce.

Finally, if an Internet Domain Name is not a mark under WIPO's member States' accepted rules for marks -- as I contend it is not, based on several items here -- why consider it as a mark under WIPO? Is this truth-in-advertising?

V. WRONG MARKET MOTIVATION

What is the message that WIPO RFC3 is sending to the market, with its apparently unreasonable restrictions and imposed leonine clauses [Fro99], coupled with the perceived lack of trust in Internet Domain Names as stable and objective as a "real" mark should be?

Perhaps, it would force the way to a worldwide "generic" movement on Internet names for e-commerce -- for example with non-denominated auction sales sites, where the user places a bid for a good from a non-denominated supplier as we can already see today. Which can have positive sides for e-commerce at the beginning but will, however, glitch on the lack of a mechanism to adequately represent reputation -- one of the prime factors of a valuable mark -- as a deterrent factor against a non-denominated supplier's default.

VI. WRONG CERTIFICATION

As discussed in Item (I), Internet Domain Names are address identifiers.
However, do they authenticate a business site? Do they provide some degree of assurance that the address has been reached? No, on both counts.

First, note that the Internet is an open system, where the identity and origin of the communicating partners are not easy to define. Each user controls only their end of the connection -- and no one controls both ends at the same time. Further, the communication path is non-physical and may include any number of eavesdropping and active interference possibilities. Thus, Internet communication is much like anonymous postcards, which are answered by anonymous recipients. However, these postcards, open for anyone to read -- and even write in them -- must carry messages between specific endpoints in a secure and private way [Ger97].

This means that Internet Domain Names have routing problems which are actually a feature of the Internet TCP/IP packet traffic design and which cannot be avoided -- so, they need to be solved in an additional design layer.

The solution to the routing problem is to use cryptographic authentication by means of digital certificates to assure that communication is happening between the desired endpoints -- for example, also including real-time challenge response authentication to avoid replay attacks.

In this regard, the ITU-T Recommendation X.509 (which has been implemented as a de facto standard) defines a framework for the provision of authentication services, under a central control paradigm represented by a "Directory". It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed by using cryptographic techniques [Ger97].

The WIPO RFC3 however intends to provide a type of "business certification" (i.e., a mark) by means of simple Internet Domain Name unchallenged protocol authentication, without cryptographic challenge response and without even a password.
This is clearly wrong and is a further reason to recall RFC3 -- as it imposes what the Internet denies.

The consequences? The problems that may be caused by false certification or no certification mechanisms can range from a "man-in-the-middle" attack in order to gain knowledge over controlled data, to a completely open situation to gain access to data and resources [Ger97]. It is important to note that these problems do not disappear with encryption or even a secure protocol. If the user is led to connect to a spoofing site, which appears to be what he wants, he may have a secure connection to a thief and that will not make it safer.

To make matters worse, and as already commented, DNS hijacking can make connections to www.good.com go to www.bogus.com -- without anyone noticing it, even if you know that "bogus" is bad. This further invalidates any presumed routing that an Internet Domain Name might have locally acquired by trusted repeated use -- such as www.amazon.com. Each Internet connection is a new one and each connection may go through different routers.

Thus, identity certification, or at least origin authentication, is a must in order to really define a business identifier -- which points out the direction that WIPO could have followed on this matter in order to define stable and objective references.

However, WIPO's RFC3 notion of "business authentication" behind the use of Internet names as marks cannot help but may harm -- by implying a level of security which is simply fictional.

VII. WRONG EXTENT

The "parochial model" of the Internet that is thus at the base of WIPO's RFC3 breaks down easily when we recognize that all machines and addresses are essentially peers in the Internet. The DNS system is only hierarchical to the extent that one branch follows another but there is no imposed relationship whatsoever between machines in different branches or even in the same branch.
For example, the .ml.org domain has several fully unrelated machines in it, in different parts of the world.

Thus, RFC3 confuses the extent of a worldwide Internet, where no one controls both sides of a connection, all Internet Domain Names are peers and any machine (i.e., possibly business site, possibly hacker) can be made to respond to any name (i.e., would-be mark in RFC3) by a variety of techniques [Ger97] which the user cannot distinguish... and eventually learns not to rely upon but for routing purposes only, never as a business identifier per se.

VIII. WRONG THEORY

What is a name? What does it reference? What does a name mean? When I communicate over the Internet with an entity that has an Internet Domain Name, what can I suppose about the entity if I rely on that Name's significance to me?

Perhaps, one's tentative conclusion is that when one exchanges communications with an entity that uses a common name, one generally relies on being able at least to find behind that name either a particular mind or particular assets or a particular business. This thought implies a referential model of meaning, similar to Plato's view of referential forms. This is the model followed by RFC3.

To better investigate this, suppose we express the general concept of a name as a sign or a symbol -- e.g., my name is a symbol for myself. Then, for example, if I see footsteps on the sand (i.e., a symbol, a name) then I generally rely on the existence of someone that walked by (which is the meaning or cause of the footsteps), or, if I see smoke (i.e., a symbol, a name) I rely on the existence of fire, and so on. Or, as in the above question, I expect to find a particular mind or particular assets, or particular business that would have a causal relationship to the name and which provides meaning to my communication.

However, this model breaks down, as I exemplify in [Ger98] and as Frege [see Ger98] showed around 1910.
Paraphrasing one of Frege's examples, if I tell you "I will photograph the Morning Star" or if I tell you "I will photograph the Evening Star" then, clearly, the two phrases have the same reference (i.e., the planet Venus) but one describes it as the last celestial body to disappear at dawn and the other as the first one to appear at dusk -- thus, they have different senses or meanings.

The same can happen with Internet Domain Names. If I see a site with a Domain Name "www.gifts.com" -- what do they sell? Presents -- as the English word "gift"? No, perhaps they distribute poison as the German word for it (and pronunciation) is the same. Or perhaps, they simply count all visitors' URLs (which they can automatically collect upon entry) as the "General Insurrection on Free-Trade Support" movement -- whatever that name may mean to them. As another example, if an Internet Domain Name is www.amazon.com -- do they sell trips to the Amazon?

CONCLUSIONS

We must recognize that Internet Domain Names can contain reference information in varying degrees of completeness and human reading, but not at all the corresponding sense or meaning. Further, they inherently lack, by their DNS/IP free floating assignment rules and by the TCP/IP design of the Internet, any objective and stable information qualities.

That is why Internet Domain Names are simply -- names. Any extent added to them is not warranted by the supporting Internet infrastructure and protocols. So, their use as a mark would deny the minimal properties that WIPO member States have agreed upon to define what a mark is -- as a mark is not simply a name. And, WIPO would need to affirm what Internet security protocols need to deny.

These points, discussed in eight items in the text, cannot allow such references to be meaningful in a trademark system -- which would be essential to support a least agenda of WIPO's objectives in RFC3.

Thus, I suggest that RFC3 should be recalled in totum.
Its application will more probably cause more difficulties to Internet users and to trademark owners than the few pathological cases it may avoid -- and which have other solutions in public and open Internet discussions within the jurisdiction of each country's domain name registrar, according to local uses, rules and laws. As they have had in the recent past -- but the Internet is a learning experience and certainly the WIPO consultation has served and will serve that purpose.

On the other hand, identity certification, or at least origin authentication, is considered a must in order to really define a business identifier on the Internet. This points out the direction that WIPO could follow on this matter in order to help provide stable and objective references that would have business significance. In this approach, Internet Domain Names may also be less susceptible to parasitical appropriation -- for example, if the corresponding certification would need to link the Internet address to a company's legal name.

This approach can, in my opinion, be carried out both in the extrinsic certification mode (X.509, CAs, PGP) as well as with intrinsic certification (Meta-Certificates) [Ger97], offering flexibility and technologically-neutral options both to users as well as to businesses.

----------------------------

REFERENCES:

[Fro99] Froomkin, M. "A critique of RFC3" in http://www.law.miami.edu/~amf/critique.htm - 1999.

[Ger97] Gerck, E., Overview of Certification Systems: X.509, CA, PGP and SKIP. MCG, http://mcwg.org/mcg-mirror/cert.htm - 1997.

[Ger98] Gerck, E., "Towards real-World Models of Trust: Reliance on Received Information", in http://mcwg.org/mcg-mirror/trustdef.htm - 1998.

[RFC3-98] WIPO, "THE MANAGEMENT OF INTERNET NAMES AND ADDRESSES: INTELLECTUAL PROPERTY ISSUES", in http://wipo2.wipo.int - 1998.

------------------------------------------------------------------------

* Copyright © 1999 by E. Gerck.
All rights reserved, free copying and citation allowed with source and author reference.
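
Added example, not part of the original paper: a minimal sketch of the distinction drawn in Section VI between accepting a host because it answers to a name and requiring a fresh challenge-response proof of origin. The host names and key are constructed, and a shared HMAC key stands in for the certificate-bound key pair the paper refers to.

```python
import hashlib
import hmac
import secrets

# Constructed sample data. The key stands in for the private key behind a
# certificate; using a shared HMAC key is a simplification for this example.
GOOD_KEY = b"constructed-demo-key-for-www.good.example"


def prove(key, name, challenge):
    """Response that binds the key to the claimed name and to this challenge."""
    msg = name.encode() + b"\x00" + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class Host:
    """A machine that answers to a domain name; it may or may not hold the key."""

    def __init__(self, name, key=None, recorded=None):
        self.name = name
        self.key = key            # None: this host does not hold the key
        self.recorded = recorded  # response captured from an earlier exchange

    def respond(self, challenge):
        if self.key is not None:
            return prove(self.key, self.name, challenge)
        if self.recorded is not None:
            return self.recorded  # all it can do is replay old traffic
        return b"\x00" * 32


def name_only_check(host, wanted_name):
    """What a domain name alone gives: the host answers to the name."""
    return host.name == wanted_name


def challenge_response_check(host, wanted_name, key):
    """Origin authentication: a fresh random challenge per connection."""
    challenge = secrets.token_bytes(16)
    expected = prove(key, wanted_name, challenge)
    return hmac.compare_digest(host.respond(challenge), expected)


def demo():
    name = "www.good.example"
    genuine = Host(name, key=GOOD_KEY)
    # One earlier exchange is observed on the path; the name is later
    # diverted to a host that holds only that recording.
    captured = genuine.respond(secrets.token_bytes(16))
    diverted = Host(name, recorded=captured)
    return {
        "name_only_genuine": name_only_check(genuine, name),
        "name_only_diverted": name_only_check(diverted, name),
        "cr_genuine": challenge_response_check(genuine, name, GOOD_KEY),
        "cr_diverted": challenge_response_check(diverted, name, GOOD_KEY),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```

The name-only check accepts both hosts, while the challenge-response check accepts only the host that holds the key, because the replayed response was computed over a different challenge.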