[everfree]

> So call the registry?

Verisign's phone tree is pretty gnarly last time I checked.

> The difference is that a judgement will actually get you something

It could easily cost tens to hundreds of thousands of dollars to win a lawsuit in the registrar's jurisdiction, which is not feasible for an individual or small business.

As far as large corporations go, they don't have to worry about domain theft anyways. They all just pay tens of thousands of dollars for MarkMonitor to guard their domains with enterprise security, never have their domains stolen, and call it a day. I think where ENS shines is for small businesses and individuals.

The better option than recovery is just to prevent your domain from being stolen in the first place. For ENS or DNS this is fundamentally the same concept - just make sure you trust the company that holds custody of your domain name. For ENS, you have the option but not the obligation to custody your name yourself, or to use an M-of-N signature scheme amongst trusted friends, business partners, and/or third-party companies. It's hard to steal a domain name when you need to fool 3 out of 5 executives plus a third party into approving a transfer.

> the registry can give the domain to whoever they want

Could be a feature, could be a bug.

[cyberax]

> Verisign's phone tree is pretty gnarly last time I checked.

If your name is like `microsoft.com`, then you call the registrar. They have contacts in the .com and .net TLD administrators to file issues. If that fails, there's a formal process: https://www.icann.org/resources/pages/providers-6d-2012-02-2...

Never mind that most registrars have protections against the transfer and will generally spam the hell out of you with notifications.

This makes the domain hijacking a low-value target for crooks. It happens, but not a lot.

> The better option than recovery is just to prevent your domain from being stolen in the first place.

Which will not happen. You still have all the same issues with lost keys, misconfigured settings, etc. Except now with zero recourse.

> For ENS, you have the option but not the obligation to custody your name yourself, or to use an M-of-N signature scheme amongst trusted friends, business partners, and/or third-party companies.

Yeah. Have you actually ever done anything like that in real life?

That's the thing, blockchain astronauts are kinda like PGP enthusiasts. They keep claiming that it solves all the problems, if you attend their groupie, erm, key signing party.

[everfree]

> If your name is like `microsoft.com`, then you call the registrar.

As I said, large companies like Microsoft don't risk their domains being stolen in the first place, since they use enterprise protection services like MarkMonitor.

> there's a formal process

Ultimately every time I discuss ENS, the conversation turns into a discussion about how feasible it is for a layperson to afford, file, and actually win a UDRP dispute to recover a stolen domain name, which doesn't have any provision for theft by the way. UDRP only considers whether the current owner of the domain is using the domain to infringe upon your business trademark (if you have one).

The answer is that UDRP is completely unworkable for the vast majority of people who are at risk of domain theft; it isn't even an anti-theft tool. In terms of theft resolution, it's a justice theater where you can watch it work for very specific types of companies who have very specific trademark issues that the UDRP covers, and imagine that it must work great for every mom and pop who has a domain name nicked because surely we live in a just world.

The individual filing the dispute is on the hook for the UDRP fees which are significant and I believe well into the four figures (completely unaffordable in developing countries, and likely not worth it for small businesses). Typically companies need to hire a specialized lawyer to navigate the UDRP system, at additional expense.

So you're misinformed that there is a formal process for domain theft - the UDRP is only for trademark infringement. UDRP is unnecessary for large companies (who have the resources to safeguard their name from theft) and it's useless to individuals and small companies who can't afford it and/or have theft problems but no trademark infringement problems. UDRP is only useful if you are a medium-sized company with a well-established trademark in a developed country and you didn't do your due diligence in properly securing your domain name.

So I'll give you that - if you're a medium-sized company with a well-established trademark in a developed country and you didn't do your due diligence in properly securing your domain name, then UDRP might be better than nothing. But depending on what kind of company you are, it still might be cheaper and easier to just switch domain names.

> Never mind that most registrars have protections against the transfer and will generally spam the hell out of you with notifications.

A blockchain can be designed to be more reliable because it doesn't "generally" do anything. It always, specifically, does exactly what it's programmed to do. A smart contract's predictability is a function of how well it's understood, and the tooling for creating and auditing bug-free smart contracts is maturing rapidly.

If you want to be spammed with notifications, there's nothing more reliable than multiple audited pieces of open source software that run directly on all your devices and monitor a public blockchain for an action. Add several third-party blockchain monitoring services for good measure.

And, of course, it's easy to write custody code in such a way that transfers are time-locked, so you have time to see the notification before the name changes owners. Write-once, audit-once, use-many.

> Have you actually ever done anything like that in real life?

Yes.

But aside from that, I use cryptographic keys in my life for countless reasons other than cryptocurrency. Git, SSH, E2E messaging apps, web passkeys, object storage, HTTPS server certificates, tapping my credit card at the supermarket, accessing the cell network, unlocking my car, etc. Everyone is already managing cryptographic keys whether they know it or not, and everyone's cell phone has keys already available and quite safe in its secure element, ready to sign messages with.

No need to break out the pocket protectors and meet up in someone's living room. A key signing ceremony for ENS could be easily piggybacked off a standard E2E group chat, like for example a Signal or iMessage chat:

* Someone creates a group chat on their smartphone and invites people (specifying the "M" value, aka the threshold for a valid group signature)

* The invited people join, their devices silently and automatically exchange keys, and the chat displays the group key

* Whoever has the asset transfers it to the group key

* Whenever someone proposes a message to sign, the system messages the group chat showing how many more signatures are needed, with a "sign" button that people can click.

This is pretty similar to what Safe Wallet already does, and it currently secures over $100 billion worth of cryptocurrency for some of the largest companies in the industry. But it's also quite simple to just download the app and use it as an end-user. It's directly compatible with ENS, since they both implement the ERC-721 token standard.

I've thought through all of this extensively, I know quite a lot of details about how both blockchains and the current DNS systems work, I've had numerous conversations with countless people about it, and it all adds up to me.

[cyberax]

Hi, LLM!

The thing is, ENS is strictly _worse_ than regular domains. If your key is stolen, then you are at the total mercy of the thief. With the regular domains, you simply lodge a complaint with the registrar, and they'll roll back the transfer within 90 days.

You can lose a domain if you basically register it, don't use it, and then forget to renew it for a year.

> But aside from that, I use cryptographic keys in my life for countless reasons other than cryptocurrency.

Can you please stop the bullshit? It's downright nauseating.

We're not talking about the general cryptography, which is incredibly useful. We're talking about "code is law" blockchains with proof-of-work/proof-of-stake method of consensus. They are completely useless for anything but paying for illicit drugs and other illegal transactions.

[everfree]

Not an LLM, just someone who has way too much time on my hands and a penchant for jumping into internet comment threads in a way that I end up regretting later. I'm not sure whether I should take it as a compliment that I can apparently type with flawless spelling and grammar just like an LLM (shout outs to my excellent English teachers!) or as an insult that my writing is not particularly compelling.

Yes, I naturally type in walls of text that are usually grammatically sound but tend to meander in structure. I'm pretty sure I repeated myself in places. You're repeating yourself in places, too. But believe what you want to believe. Maybe you're the LLM and the dead internet theory is well underway.

> With the regular domains, you simply lodge a complaint with the registrar, and they'll roll back the transfer within 90 days.

Domain registrars (for DNS) do not do this and they structurally cannot do this.

> You can lose a domain if you basically register it, don't use it, and then forget to renew it for a year.

Equally true of both systems.

> We're not talking about the general cryptography, which is incredibly useful. We're talking about "code is law" blockchains with proof-of-work/proof-of-stake method of consensus. They are completely useless for anything but paying for illicit drugs and other illegal transactions.

When you say that, what I hear is "When you use cryptography to sign messages, it's incredibly useful. When you timestamp messages, that can also be useful. But if you sign and timestamp messages, that makes it a Blockchain and Blockchains are incredibly UnUseful. That's silly.

To be very clear I think "code is law" is a nonsensical idea, almost as incongruous as the term "cryptocurrency" itself. They are definitely not currencies, and their code is definitely not law. But blockchains can be useful without trying to create new currencies, and without their code being law.

I've been seeing where the tides are headed in both the public and private sectors, and everyone wants to use cross-organization attributable append-only timestamped databases as an accounting tool now, in part because they are so easily auditable. From there it makes perfect sense to want to attach expressive internal constraints to these databases, via a scripting language. And I'm not sure what anyone could call that kind of database except "blockchain".