by antonp 4042 days ago
Disclaimer: I work on a WAL-related project for a TLD

Let's not throw the baby out with the bathwater.

Projects like the WAL actually do help prevent the spread of malicious sites. Some TLD registries go to great lengths to ensure that the identity of their registrants is valid (address, phone, email).

Valid whois data is a necessity when processing some of these cases (from a legal point of view). I see this in practice every day.

The potential burden for the majority of domain owners (those who don't plan to do anything illegal with their little piece of internet real estate) is undeniably an issue, but projects like WAL have very real merit for the internet as a whole.

4 comments

But if all it takes is an email confirmation, how on earth does this prevent bad actors from faking their data? Or using a straw man?

This looks exactly like security theater to me.

Disclaimer: I may or may not have a domain registered in the name of my cat.

It's true. There's honestly no way for these companies to know that "Walter P. Fluffington" isn't a real person.

Sure there is. Outsource that verification to someone who already needs to do it, like the local government. South Korea has a pretty poor implementation of this already, but things will only get better over time.

Do you honestly think it's feasible to maintain a database of contacts for every country and quasi-political entity in the world?

Secondly, I'm not even sure how you'd reasonably do this in a country like the United States where there's a functioning government if only because there's 50 states plus other territories to deal with. How would you go about verifying that "Walter P. Fluffington" exists and lives at some arbitrary address in Puerto Rico? It seems extremely time-consuming unless you are going to exclude people who have driver's licenses or some kind of government ID issued to them, or are foreign citizens living and working there under a visa of some sort.

This also doesn't even come close to addressing what happens when you register a domain with someone else's name.

The whole thing is completely pointless. If South Korea can't do it, nobody can.

The whole point is you don't verify it. You accept their government-issued identification and verify the validity of that. Currently this is done stupidly by comparing their face to a photograph, but if the demand is there, the process will improve.

Compare to how we verify certificates. Trusted CAs issue certs and we verify the chain of trust.

If you're depending on "government-issued identification" you've already failed.

A) What does that even mean? What's considered valid? There's got to be at least 100 different forms of this in the United States alone. How can anyone be familiar enough with all of these forms to verify them? Then consider there are several hundred countries around the world, each with equally quirky identification systems.

B) So the "face to photograph" method of identification depends on someone supplying a photograph of themselves? Since when is this part of the process for applying for a domain name? Secondly, it's impossible to verify that the photograph is of the applicant. Are we applying for domains at the DMV now? What about people who have identification where their face is concealed, or is a woman no longer allowed to register a domain in places like Saudi Arabia?

C) Why should having government-issued identification be a prerequisite for owning a domain name? What if you're 10 and want "billyslemonadestand.com", paid by Bitcoin?

This isn't a trust issue. Owning a domain name shouldn't be terribly difficult. This isn't like an EV SSL certificate where a notary is going to be involved. Their entire process is complete bullshit and does nothing to improve the security of anything.

>Projects like the WAL actually do help prevent the spread of malicious sites.

Outlawing encryption helps catch terrorists. Ruling that the use of Tor is justification for a full search of all of one's electronics helps catch child abusers. Forcing every email to be tied to a real life identity helps stop spam.

None of that is justified.

There may exist some TLDs which indeed go to "great lengths" to verify contact information. I don't know if it's true, but if it is then that's an effective policy which has absolutely nothing to do with WAL.

No doubt valid WHOIS data is helpful when wanting to know the identity of a domain administrator, but again the point is WAL does absolutely nothing to ensure that in any case where the owner doesn't actually want to be identified.

Not only do the ends not justify the means but the means are in no way a path to the end.

This is laughably implemented.