[ISN] Security Concerns Boosted VeriSign's Dot-Net Bid

[InfoSec News]

http://www.washingtonpost.com/wp-dyn/articles/A62302-2005Apr18.html

By David McGuire
washingtonpost.com Staff Writer
April 18, 2005

When the nonprofit organization that oversees the Internet's domain 
name system announced last month that the world's fourth largest 
domain would remain in the hands of VeriSign Inc., technology workers 
and Internet policy wonks around the world were incredulous, wondering 
aloud how the company had managed to navigate a process that was, in 
many ways, designed to reduce its hold on key pieces of Internet real 
estate. 

Online message boards lit up with rants and conspiracy theories about 
how VeriSign had managed to keep dot-net -- a vital piece of the 
Internet's infrastructure, particularly in the United States where 
major Internet service providers like Verizon and Comcast have 
assigned millions of dot-net e-mail accounts to their customers. 

"I would give the job to Microsoft before I'd willingly let VeriSign 
have another crack at it, and that's not something I'd say lightly. If 
they built cars, people would have died in the VerisSgn Pinto," one 
angry poster wrote on Slashdot.org, a message board and news site that 
caters to the technology audience. 

Other message boards swelled with accusations that VeriSign had 
inappropriate connections with the technical team that evaluated the 
company's proposal to continue managing dot-net, or that VeriSign had 
somehow bullied Internet authorities into compliance. 

But experts who closely follow VeriSign and the Internet domain market 
say the Mountain View, Calif.-based company owes its latest coup to a 
savvy lobbying effort in which VeriSign worked through the press and 
with its industry allies to play up already heightened concerns about 
the stability and security of the Internet. 

"Competition isn't the only parameter of concern. Security and 
stability are also issues of concern," said Vinton Cerf, chairman of 
the Internet Corporation for Assigned Names and Numbers (ICANN), the 
Marina Del Rey, Calif.-based group that was commissioned by the U.S. 
government in 1998 to oversee the domain name system. "It's not clear 
to me anymore that competition comes from binding a top-level domain 
to a particular operator," Cerf told reporters at an ICANN meeting 
earlier this month, a few days after the dot-net decision was 
announced. 

Cerf's comments were surprising to some observers, as he heads a group 
that was created with the express mission of breaking up the near 
monopoly on domain name management maintained at that time by Network 
Solutions, a company VeriSign bought in 2000. 

"It's shocking because ICANN and VeriSign basically hate each other 
and have hated each other since [ICANN's] inception," said Milton 
Mueller, an information studies professor at Syracuse University and 
author of a book about Internet governance. "VeriSign basically had to 
be bludgeoned into accepting ICANN as the administrator of the domain 
name system, and ICANN has always been run by people fundamentally 
hostile to VeriSign." 

ICANN and VeriSign have locked horns in courtrooms, at negotiating 
tables and even before Congress, as the company has sought to protect 
its valuable domain name business. The bad blood between the two sides 
boiled over last year when VeriSign sued ICANN after ICANN officials 
forced the company to jettison a controversial search service called 
Site Finder. That suit is still pending in California. 

But in the post-Sept. 11 world, VeriSign found itself in a strong 
position to play on ICANN's realigned focus on protecting the 
stability of the global Internet infrastructure. When ICANN put out 
its request for dot-net bids last December, the group made security 
and technical competence two of its top requirements for the next 
dot-net operator. Telcordia, the company chosen by ICANN to review the 
dot-net bids, ranked the criteria it used to judge bidders by 
importance -- high, medium or low. The ability to run a secure and 
stable registry was ranked "high," while promoting greater competition 
ranked "medium." 

Prior to the January deadline for submitting dot-net bids, VeriSign 
began pleading its case to reporters, touting the importance of the 
domain and warning of the disruptions that could occur if the domain 
were ever to go down for any substantial length of time -- something 
that hasn't occurred under VeriSign's stewardship. 

"During the period we've been operating dot-net, we've run it at the 
highest level," Mark McLaughlin, the general manager of naming and 
directory services for VeriSign said in January. "By definition, 
changing [the] operator would create the possibility for adding a 
great deal of instability to the system." 

"We believed this was a big decision on ICANN's part, and we certainly 
wanted people to focus on that decision. We wanted people to 
scrutinize our bid. We wanted people to scrutinize other bids, and we 
wanted people to scrutinize the process that ICANN used," said Tom 
Galvin, who was VeriSign's vice president of government relations when 
the bids were submitted and now works as an outside consultant for the 
firm. 

VeriSign also garnered support from some of the nation's largest 
high-tech companies, including Microsoft, Sun Microsystems and MCI, 
each of which sent letters to ICANN backing VeriSign's track record on 
security. Galvin said ICANN didn't do any formal briefings with those 
companies, but rather had informal conversations about the issue. In 
some cases, Galvin said the companies offered to write letters 
support, and in others VeriSign asked for them. 

"For the .net registry operator to be less than dependable would harm 
business growth and could endanger the commerce that runs across the 
Internet Infrastructure," Microsoft Chief Technical Officer Craig 
Mundie wrote in a letter to ICANN last July. "We endorse VeriSign's 
performance to date and we hope they will continue to operate the .net 
registry." 

The four other groups that submitted bids for dot-net responded that 
VeriSign was fear mongering. "There's no question that dot-net helps 
underpin the Internet. The one [assertion] that strikes me as 
incongruous is that if you touch dot-net, everything will fall apart," 
Ram Mohan, chief technical officer of Afilias, said last October. 
Based in Dublin, Afilias finished third in the five-way dot-net race. 


A Valuable Line of Business

The domain name market is lucrative for the largest Internet 
registries and registrars, the companies that sell and catalog 
Internet addresses. Starting in 1999 when ICANN began the process of 
breaking up Network Solutions's monopoly, it focused on the retail 
side of the business. At the time Network Solutions was sole 
wholesaler (registry) and the sole retailer (registrar) for Internet 
addresses ending in dot-com, dot-net and dot-org. 

In order to give consumers more choices and spur price competition for 
Internet addresses, ICANN created several new registrars, requiring 
Network Solutions to offer the new companies a fixed wholesale rate of 
$6 per domain per year. The move opened the domain name market to 
hundreds of companies (ICANN has now accredited more than 400 
registrars), helping drive the annual price of an Internet address 
down from a fixed $35 to less than $10 in many cases. VeriSign left 
the retail business altogether in 2003 when it spun off its Network 
Solutions business. 

VeriSign's share price climbed $1.40 to close at $27.40 the day after 
ICANN announced that dot-net would remain where it is, reflecting the 
importance some investors placed on the company maintaining a leading 
role the domain name market. "It's meaningful in terms of the bragging 
rights. It's not meaningful in terms of stand-alone revenue, but 
losing it would puncture a hole in VeriSign's story about how unique 
they are," Merrill Lynch analyst Ed Maguire said. 

The dot-net operation generates about $30 million in revenue a year 
for VeriSign -- not a vast sum compared with the nearly $1.2 billion 
in revenues and $186 million in profits the company reported in 2004. 

Scott Sutherland, an analyst at Wedbush Morgan, said losing the domain 
could have panicked some investors, who may have taken it as a sign 
that VeriSign would eventually lose dot-com as well. That's unlikely, 
since VeriSign's contract to run dot-com presumes that the company 
will retain control of the domain indefinitely unless it does 
something to warrant having it taken away, but Sutherland said winning 
the dot-net contract is likely to quell investors' concerns on that 
front. The dot-com registry generates more than $150 million a year 
for VeriSign. 

Also, while dot-net may not contribute a large revenue stream, Maguire 
and Sutherland noted it is an extremely profitable line of business 
because the technology required to run the registry is already in 
place. The two analysts don't own stock in VeriSign and their firms 
don't provide investment-banking services for the company. 


Unfair Advantage?

While it was stressing security in its dot-net bid, VeriSign also 
argued that competition at the consumer level wouldn't necessarily be 
served by moving the domain to another operator -- saying that from a 
consumer standpoint it's more important to bolster competition at the 
retail level. 

"I don't think this was a choice between security and competition, 
security and stability are important, but Telcordia gave VeriSign its 
highest score for competition," McLaughlin said. 

But even the choice of Telcordia as the evaluator has raised some 
hackles among VeriSign and ICANN critics. 

Telcordia is owned by Science Applications International Corporation, 
a company that once owned a piece of Network Solutions. Although 
Telcordia fully disclosed its historic ties before the dot-net 
evaluation began, the company couldn't help but view VeriSign in a 
favorable light, said Paul Vixie, president of the Redwood City, 
Calif.-based Internet Systems Consortium, a company that publishes a 
key piece of Internet software. 

"Telcordia shares a lot of corporate DNA with VeriSign. They're the 
same type of people, and they do things in the same general way, and 
these evaluations are really smell tests. ... [ICANN] picked someone 
who would recognize VeriSign as someone who was like themselves," 
Vixie said. 

ICANN spokesman Kieran Baker said ICANN didn't go forward with the 
evaluation process until all the bidders were satisfied that Telcordia 
could render an unbiased evaluation. 

But in the wake of the decision in VeriSign's favor, at least three of 
the four losing bidders have filed formal complaints about some 
portion of the evaluation process, and all five bidders told ICANN 
that they'd be submitting written comments on the evaluation process. 
DeNic, the company that operates Germany's sovereign dot-de, the 
world's second-largest Internet domain behind dot-com, has been vocal 
about its unhappiness with the process. 

"We will comment on these issues, but I'm not sure we'll do further 
complaints, because we don't think it will change the results. But 
we're disappointed that ICANN and Telcordia did not take the 
opportunity to run this process more properly," DeNic director Sabine 
Dolderer said. DeNic complained that Telcordia misstated information 
about DeNic's in-house technology in the first draft of the report. 
Telcordia issued an amended report that did not change DeNic's 
ranking, which was fourth out of five. 

Sentan, the joint venture between Sterling Va.-based NeuStar and Japan 
Registry Services, which runs Japan's sovereign dot-jp domain, placed 
second in the dot-net bidding process. Sentan wrote a letter to ICANN 
voicing concerns about the selection process, but other than that has 
remained fairly silent. 

VeriSign's current contract to run dot-net expires June 30, and ICANN 
expects to complete negotiations in the next couple weeks. The ICANN 
board of directors must approve the final deal, and the U.S. 
Department of Commerce will then have the final say, but in recent 
years, the department has gone along with every major decision by the 
ICANN board. The agency declined to comment on the dot-net issue.