ION: decentralized identity on Bitcoin


The digital identity of tomorrow

Identity is an integral part of the digital world in which we live. Any individual, organization or computer is represented virtually by one or more identifiers, closely or distantly linked to different data. Digital identity makes the link between a real entity and its virtual representation.

Whether it is to authenticate, communicate or use a service on the Web, we use unique identifiers, which are associated with several pieces of personal information (email addresses, pseudonyms, random ids, etc.). These identifiers are usually managed by organizations that have control over our data. This data can be analyzed, altered, sold or stolen without the users’ consent, which represents a threat to their privacy. We must not forget that the data business is worth billions of euros; users do not always realize that their data has a real value.

It is from this observation that the concept of decentralized identity, also called self-sovereign identity (SSI), was born.

Decentralized identity, which is at the core of Web3, aims to give users back control over their data. It is based on decentralized identifiers (DID), deployed on a distributed registry. Users are the only ones who can manage their DID and the data linked to them. They can associate only the information they wish to share.

Several actors are developing solutions to build decentralized identity systems. Today we are going to take a look at one of them: ION (Identity Overlay Network). It is a decentralized identity management network, based on Bitcoin.

Source : https://identity.foundation/ion/

SideTree: an identifier management protocol

In 2017, members of the Decentralized Identity Foundation (DIF) began working on a solution to manage decentralized identifiers, particularly using blockchains as registries. The idea is to register credentials on a blockchain, so that they can be verified and self-monitored by their holders. Because of their decentralized registry properties, blockchains are particularly well suited to this need. Several projects around decentralized identity have used this type of technology to manage DID.

One of the problems of blockchains is scalability: the difficulty of scaling up. For example, on Ethereum the network is often saturated, which slows down transaction processing and increases costs. Other blockchains offer better performance, but compromise on security or on the decentralization of the system. This is known as the blockchain trilemma.

For an identity system to work on a global scale, it must be scalable. For this, there are solutions called Layer 2. These are solutions built “on top” of an existing blockchain, in order to aggregate several operations into a single transaction. This significantly increases the number of transactions per second that can be processed, and thus decreases the costs. This mechanism is used in particular by the Lightning Network on Bitcoin, and by various applications on Ethereum.

The members of the DIF then developed a Layer 2 protocol to manage decentralized identities: SideTree. This protocol allows the creation of a network in which the different nodes are connected peer-to-peer. The protocol can be adapted to different underlying blockchains, to offer some interoperability. It is also important to underline that it follows the recommendations of the W3C regarding DID and Verifiable Credentials.

SideTree is built with several software components:

REST API: an interface to allow users to interact with the system.

SideTree Core: this is the “logical” part of the system, which manages the various operations on the identifiers.

Content Addressable Storage: manages the storage of identifiers and their metadata. SideTree uses IPFS, a protocol for storing and distributing data in a decentralized way. A MongoDB database is also used for local storage.

Blockchain Adapter: communicates with an underlying blockchain, in order to record “states”.

ION: SideTree protocol coupled with Bitcoin

Bitcoin as layer 1

ION (Identity Overlay Network) is an implementation of the SideTree protocol based on Bitcoin and developed by members of the DIF. Thus it is a public, decentralized identity management system that is not controlled by any organization. It is able to handle several thousand transactions per second.

SideTree also has other implementations, including Element, which is based on the Ethereum blockchain.

ION has chosen Bitcoin for:

Its decentralization:

  • The network is open to all
  • The nodes are numerous and decentralized
  • Transactions are transparent, checkable and unchangeable

Its security:

  • Bitcoin has proven its resistance for over 10 years
  • Participants are encouraged to maintain and operate the network
  • The cost of a 50% attack is extremely high, and considered impossible

DID and documents

Concretely, an identifier on ION looks like a unique and complex sequence of characters: did:ion:EiD3DIbDgBCajj2zCkE48x74FKTV9_Dcu1u_imzZddDKfg

This DID is linked to a JSON document that contains several properties.

The user can also add any properties they want. It is possible to obtain the document from the identifier, by performing a resolution. This can be done using the REST API of an ION node, or by using a dedicated explorer. The idea is to be able to retrieve the information associated with a DID, in the same way as IP addresses are retrieved for domain names (DNS).

How does it work?

To generate a DID, a user must either use their own node or use one available on the network. The node operator must have a wallet with Bitcoin, as the operation requires a transaction. Managing identifiers is a multi-step process, on the command line and through a REST API; it is not trivial.

Each identifier is linked to 3 pairs of cryptographic keys:

  • Update keys
  • Recovery keys
  • Signature keys

The operations carried out during creation are recorded in a file. This instruction file is distributed on IPFS, and its unique identifier is recorded in a Bitcoin transaction. Simultaneous operations on multiple identifiers are grouped together, so that a single Bitcoin transaction is executed. SideTree uses Merkle trees to structure the states of the different identifiers, and to allow the management of a large number of operations per transaction.

All other nodes in the ION network observe Bitcoin transactions and extract those that match the ION protocol. They retrieve the instruction file from IPFS, thanks to the unique identifier contained in the transaction. Then they execute the instructions in order to update themselves and contain the latest created identifiers. Thus, the new identifier is distributed throughout the network. The synchronization time may vary; we have not found any measurements of this time.

By definition, DID are not transferable; the user at the origin of an operation on a DID is thus necessarily the “owner” and the only one to have control over it with their private key. This property makes it possible, in particular, to do without a consensus mechanism during operations on DID, because double spending is not possible.
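As an added illustration (not code from the ION or SideTree projects), the following Python models the mechanism described above: operations are batched into one instruction file, its content address is anchored in a transaction, observer nodes filter and replay it, and an update is accepted only if it reveals the secret matching the commitment stored for that DID. The file layout, the hashing and the `ion:` anchor string are simplified stand-ins assumed here, not the real SideTree encoding.

```python
import hashlib
import json
import secrets

ION_PREFIX = "ion:"  # constructed marker; the real SideTree encoding differs

def content_address(data: bytes) -> str:
    """Stand-in for an IPFS CID: the hex SHA-256 of the content."""
    return hashlib.sha256(data).hexdigest()

def commitment(secret: str) -> str:
    """Commit/reveal: the DID state stores only the hash of the next update secret."""
    return hashlib.sha256(secret.encode()).hexdigest()

def did_for_create(op: dict) -> str:
    """Derive the DID from the initial state, so every node computes the same value."""
    return "did:ion:" + content_address(json.dumps(op, sort_keys=True).encode())

class Ipfs:
    def __init__(self):
        self.blobs = {}  # in-memory stand-in for content-addressable storage

    def add(self, data: bytes) -> str:
        cid = content_address(data)
        self.blobs[cid] = data
        return cid

    def get(self, cid: str) -> bytes:
        return self.blobs[cid]

def build_anchor(operations: list, ipfs: Ipfs) -> str:
    """Group many DID operations into one instruction file on IPFS and return
    the short string a single Bitcoin transaction would carry."""
    payload = json.dumps({"operations": operations}, sort_keys=True).encode()
    return f"{ION_PREFIX}{len(operations)}.{ipfs.add(payload)}"

class ObserverNode:
    """Any ION node: filter transactions for the marker, fetch the file by its
    content address and replay the operations to update local state."""

    def __init__(self, ipfs: Ipfs):
        self.ipfs = ipfs
        self.state = {}  # did -> {"document": ..., "update_commitment": ...}

    def process_transactions(self, tx_outputs: list) -> int:
        applied = 0
        for out in tx_outputs:
            if not out.startswith(ION_PREFIX):
                continue  # ordinary Bitcoin transaction, not an ION anchor
            count, cid = out[len(ION_PREFIX):].split(".", 1)
            batch = json.loads(self.ipfs.get(cid))["operations"]
            if len(batch) != int(count):
                continue  # anchor and file disagree: drop the whole batch
            applied += sum(self.apply(op) for op in batch)
        return applied

    def apply(self, op: dict) -> bool:
        if op["type"] == "create":
            did = did_for_create(op)
            if did in self.state:
                return False  # a replayed create is ignored
            self.state[did] = {"document": op["document"],
                               "update_commitment": op["update_commitment"]}
            return True
        if op["type"] == "update":
            current = self.state.get(op["did"])
            # Only the holder of the committed secret can alter the document, which
            # is why no consensus step is needed: there is nothing to double-spend.
            if current is None or commitment(op["reveal"]) != current["update_commitment"]:
                return False
            current["document"] = op["document"]
            current["update_commitment"] = op["next_update_commitment"]
            return True
        return False

def demo() -> dict:
    """Anchor two creates in one transaction, then a valid and a forged update."""
    ipfs = Ipfs()
    node = ObserverNode(ipfs)
    secret_a, next_secret = secrets.token_hex(16), secrets.token_hex(16)
    create_a = {"type": "create", "document": {"service": "https://a.example"},
                "update_commitment": commitment(secret_a)}
    create_b = {"type": "create", "document": {"service": "https://b.example"},
                "update_commitment": commitment("secret-of-b")}
    did_a = did_for_create(create_a)
    first = node.process_transactions(["unrelated", build_anchor([create_a, create_b], ipfs)])
    good = {"type": "update", "did": did_a, "reveal": secret_a,
            "document": {"service": "https://new.example"},
            "next_update_commitment": commitment(next_secret)}
    forged = {"type": "update", "did": did_a, "reveal": "wrong-secret",
              "document": {"service": "https://forged.example"},
              "next_update_commitment": commitment("x")}
    second = node.process_transactions([build_anchor([good, forged], ipfs)])
    return {"first_batch": first, "second_batch": second, "dids": len(node.state),
            "document_a": node.state[did_a]["document"]}
```

Running `demo()` applies both creates from the first anchor and only the legitimate update from the second; the forged update is rejected because its reveal value does not match the stored commitment.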

Which future?

Several use cases

The ION project is developed by members of the DIF, and actively supported by Microsoft. The American company wants to exploit this protocol to offer new services based on decentralized identity.

Several use cases are possible:

  • Users can create their DID and use the OpenID authentication system. Thus, it would be possible to authenticate on various applications, sites and web services with a unique and decentralized identifier. Passwordless authentication is possible.
  • Users could choose the data they want to associate with their DID and revoke their access at any time. Business models could be developed to pay users directly for their data.
  • Users can manage different identities with multiple DID, through their digital wallets.
  • Companies, schools or organizations can generate verifiable digital certificates associated with DID. (Verifiable Credentials).
  • DID can be associated with domain names, in order to use readable names rather than complex addresses.

Services to be developed

ION’s ambition is to become a standard for tomorrow’s decentralized identity. The ingenuity of the protocol is interesting, and it could stand out from competing solutions in particular thanks to its use of the Bitcoin protocol. Layer 2 solutions are promising for many use cases, and can significantly increase the scalability of decentralized registries.

However, today the protocol remains complex to use; tools and applications to facilitate its use will have to be developed. Microsoft will certainly offer services using ION, but it is to be hoped that other players will follow this path, especially with non-proprietary “end solutions”.

Furthermore, the recommended technical specifications for deploying a node are quite demanding; this can represent a significant cost in terms of hosting. The cost of registering a DID is also the responsibility of the node operator, who will submit the transaction on the network. Thus, there is no economic incentive to deploy a node, other than to create a business model by selling DID registration to other users. At first glance, these elements may be barriers to decentralization and adoption of ION, but it is still too early to tell.

Many competitors

Competition is tough in the world of digital identity. On the one hand, there are the identity solutions proposed by the big players (Google, Facebook, Thales, etc.), which today dominate the market, and on the other hand, there are the sovereign identity solutions pushed by governments (France Connect, Essif, etc.). Alongside these more or less centralized systems, there are also many self-sovereign identity protocols. Apart from ION, there is also Ethereum Name Service based on Ethereum, Evernym, Sovrin and countless projects under development.

The realization of concrete applications and the adoption by the general public are essential points in the success of a project; time will show us which ones will make the difference and become indispensable to tomorrow’s Web.

Are you interested in blockchains and crypto-assets? Do not hesitate to visit the website of our expert Steve Despres: https://cryptoms.fr/

Image source : TheDigitalArtist via Pixabay

BIMI and VMC: display your logo with emails


BIMI (Brand Indicators for Message Identification) allows you to authenticate your emails and reinforce the trust of your customers by displaying your logo in their inbox. VMC (Verified Mark Certificate) is a certificate associated with BIMI, which ensures the authenticity of the logo displayed.


What is BIMI?

BIMI is an industry initiative aimed at standardizing the use and display of brand logos in email clients. By placing a brand or company logo next to an email, it is more easily identifiable by customers and users, builds a sense of legitimacy and trust, significantly impacts open rates, and increases consumer protection against fraudulent emails.

Technically speaking, BIMI is an emerging security technology that works alongside DKIM, SPF and DMARC protocols to protect your domain name from being used by malicious actors to send fraudulent emails.

Before BIMI, the steps to get your logo next to an email were specific to each email service your message was sent to. Sometimes the process was entirely manual or relied on other applications to aggregate your brand information and share it across participating platforms.

The AuthIndicators group, which includes email service providers such as Google, Verizon Media, IONOS by 1&1 and Fastmail, is working to implement BIMI in the most common email clients. Many players have already adopted BIMI and others are in the process; Microsoft’s and Apple’s positions are expected to drive final adoption of the standard.

Why is BIMI important?

BIMI matters for several reasons:

  • To complete the arsenal of a brand’s protection on the Internet, more specifically against hijacking attempts through fraudulent spoofing emails whose goal is to deceive users and lead them to phishing sites. 306 billion emails circulated worldwide in 2020, with an ever-increasing proportion of fraudulent emails hijacking brands.
  • To increase the desirability of emails, particularly in marketing campaigns. The implementation of BIMI, and more widely of security protocols and certificates on the domain name associated with a brand, is essential today and has a major impact on online reputation.
  • Because it is becoming a market standard that is easy to implement, unlike many existing anti-fraud email solutions that are often difficult to test and deploy.

How does BIMI work?

BIMI uses a process of several steps to validate emails by ensuring that they are actually associated with the sender’s domain name. Senders must add a TXT DNS record dedicated to BIMI.

For BIMI to work, domain names must also have several other fraud protections, including:

  • SPF (Sender Policy Framework): authenticates emails by identifying the mail servers authorized to send from specific domain names;
  • DKIM (DomainKeys Identified Mail): adds a digital signature to each email to verify that it was sent from an authorized domain name;
  • DMARC (Domain-Based Message Authentication, Reporting, and Conformance): confirms SPF and DKIM records and specifies how non-compliant emails should be handled.

When emails are sent using BIMI, the receiving mail server will first perform the standard DMARC/DKIM authentication and SPF validation. If the email passes these checks, the mail server will verify that the sending domain has a valid BIMI record and display the brand logo.

How does BIMI interact with DMARC, DKIM and SPF?

The first step towards using BIMI to display a logo is to implement DMARC. This policy is stored as a TXT record in the domain name’s DNS zone. For DMARC to work with BIMI, the policy tag in this record must be p=quarantine or p=reject for all emails sent from your domain.

BIMI requires DMARC, and DMARC requires your domain name to have DKIM records to work. While DMARC only requires SPF or DKIM to pass, it is best to also publish SPF records for more security when using BIMI. These two security tools are also stored as TXT DNS records in the domain name zone.
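The following Python is an added example, not Nameshield’s tooling, that checks the prerequisites listed in this section against DNS TXT data: SPF, a DKIM key, an enforcing DMARC policy and a well-formed BIMI record. The zone data is constructed (no live lookups), `example.com` and its selectors are placeholders, and the `pct`/`sp` conditions follow the published BIMI draft rather than this article.

```python
import re

# Constructed zone data for a placeholder domain; no live DNS lookups are made.
ZONE_GOOD = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "default._bimi.example.com": [
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"],
}
# The same domain with the weak settings the article warns against.
ZONE_WEAK = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "default._bimi.example.com": ["v=BIMI1; l=http://example.com/logo.svg"],
}

def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' TXT records (DMARC, DKIM, BIMI) into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def txt(zone: dict, name: str) -> list:
    return zone.get(name, [])

def check_bimi(zone: dict, domain: str, selector: str = "default") -> tuple:
    """Return (ready, findings): ready is True only when every hard requirement
    holds; findings lists each failure ('fail:') or recommendation ('recommend:')."""
    findings = []

    # SPF is recommended alongside DKIM when using BIMI.
    spf = [r for r in txt(zone, domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("recommend: no SPF record")
    elif "-all" not in spf[0]:
        findings.append("recommend: SPF does not end with -all")

    # DKIM: at least one selector published under _domainkey.
    dkim_names = [n for n in zone if n.endswith("._domainkey." + domain)]
    if not any(txt(zone, n)[0].lower().startswith("v=dkim1") for n in dkim_names):
        findings.append("fail: no DKIM key published")

    # DMARC: exactly one record with an enforcing policy.
    dmarc = [r for r in txt(zone, "_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("fail: exactly one DMARC record required")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append("fail: DMARC policy must be p=quarantine or p=reject")
        # The BIMI draft also rejects partial enforcement (pct < 100) and sp=none.
        if tags.get("pct", "100") != "100":
            findings.append("fail: DMARC pct must be 100")
        if tags.get("sp") == "none":
            findings.append("fail: DMARC sp=none is not allowed")

    # BIMI: one record, v=BIMI1, an https logo URL (l=) and an optional https VMC (a=).
    bimi = txt(zone, f"{selector}._bimi.{domain}")
    if len(bimi) != 1:
        findings.append("fail: exactly one BIMI record required")
    else:
        tags = parse_tags(bimi[0])
        if tags.get("v") != "BIMI1":
            findings.append("fail: BIMI record must start with v=BIMI1")
        if not re.match(r"^https://\S+\.svg$", tags.get("l", ""), re.I):  # file-name heuristic
            findings.append("fail: l= must be an https URL to an SVG logo")
        if tags.get("a") and not tags["a"].lower().startswith("https://"):
            findings.append("fail: a= (VMC) must be an https URL")
        if not tags.get("a"):
            findings.append("recommend: no VMC (a=) published")

    ready = not any(f.startswith("fail") for f in findings)
    return ready, findings
```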

VMC, the final link in the chain

A Verified Mark Certificate is a digital certificate that authenticates the ownership of a logo, and completes the use of BIMI in email clients such as Gmail.

The VMC certificate guarantees the authenticity of the logo displayed, which is necessarily owned by the domain name holder sending the email. It is the last link in the chain to guarantee the authenticity of the email received.

When you send an email to a contact, the receiving mail server that manages their inbox reads the URL from the BIMI record tag indicating where the logo is hosted. It then checks the VMC certificate to ensure that the correct logo is used. Once the logo is verified by the VMC, BIMI displays it next to the email in the inbox.

To obtain a VMC certificate, the implementation of DMARC on the domain name is a prerequisite. Then follows a reinforced authentication process with a Certification Authority that will validate the identity of the Organization, the registration of the logo with a certified body and will issue the certificate after a one to one meeting with a notary.

Depending on the country, the intellectual property offices for logo registrations may vary, as may the acceptance rules for issuing the certificate. Keep in mind that the authorized trademarks can be:

  • Design trademarks: consist exclusively of a design;
  • Verbal trademarks: contain words, letters and/or numbers, without any particular font, size, color or style;
  • Combination trademarks: include a combination of words with a design, stylized letters or numbers.

While this is not a requirement for implementing BIMI on your domain name at this time, VMC should be part of the standard in the future.

Entrust Datacard and DigiCert are the first two companies to issue VMC certificates for the BIMI standard. Nameshield is a partner of both companies and will assist you in obtaining VMC certificates. You can contact our certificates department directly for any question on the subject.

BIMI + VMC = Guarantee of authenticity

BIMI, VMC… and Nameshield

Nameshield now assists its customers in all aspects of the implementation of the DMARC, SPF, DKIM and BIMI protocols, and in obtaining the associated VMC certificates. The domain name is at the core of the implementation of these different protocols. Our historical business as a registrar and DNS zone manager allows us today to assist our customers on these major subjects: the fight against online fraud and the increase of email desirability.

New document : 5 minutes to understand monitoring solutions


A domain name is not static; it evolves. It can be inactive, or associated with a website or a messaging service. The website can be operated, deactivated, or its content can change. These constant modifications require particular follow-up, in the form of monitoring of domain names that may infringe your brand.

Find in this “5 minutes to understand” document, available for download on Nameshield’s website, the different monitoring solutions that provide you with information to protect your domain names and brands from possible infringements.

To understand all about Metaverse and alternative domain names


The word “Metaverse” refers to everything related to virtual worlds (3D, augmented reality, virtual reality), and designates a “future” vision of the Internet, with fictional spaces such as stores, rooms or even games. It’s a bit of a buzzword of the moment, which was put forward by Facebook in October 2021, when it announced the creation of a metaverse (Meta). There is of course a trend effect; however, several major brands seem to be working on the subject.

Many projects have used the term “Metaverse” around their services and products. There are projects related to digital assets, such as cryptocurrencies and NFTs, which allow the representation and exchange of value on the Internet. But also alternative domain names, like .eth, .crypto, .metaverse, etc. It’s also related to the concept of “web3”, which is a vision of a more decentralized web.

Regarding alternative domain names, you have to know that they are extensions that are not regulated by ICANN, so they are not official. This explains why it is not possible to obtain WHOIS information. Furthermore, most alternative domain name systems do not work with the DNS protocol, but are built on a blockchain infrastructure.

Here are some examples:

ENS (Ethereum Name Service): .ETH

ENS is one of the most used alternative domain name systems, with .ETH. It is built on the Ethereum blockchain, through smart contracts, and allows domain names to be registered in order to link them to crypto wallet addresses, websites or any other type of record. A domain name can be registered for several years, and there are no domain name recovery procedures for trademark holders, as it is a decentralized project: the holder of an .ETH domain name is the only one who can control it.

The registration procedure is done through the use of an Ethereum wallet, and the payment with the ether cryptocurrency ($ETH).

ENS also allows traditional domain name holders to register their domain names on its system.

Unstoppable Domains: .CRYPTO, .ZIL, .COIN, .WALLET, .BITCOIN, .X, .888, .NFT, .DAO, .BLOCKCHAIN

This is also a domain name system developed on the Ethereum blockchain. Like ENS, it allows domain names to be registered with different extensions. Unstoppable Domains do not expire and do not need to be renewed. There is, however, a procedure for trademark holders.

Namebase

This is a project that allows the creation of all kinds of top-level extensions. It is built on the HNS blockchain.

Namecoin: .BIT

One of the first alternative domain name projects on a blockchain.

Touchcast: .METAVERSE

This is a recent project that offers .METAVERSE domain names for sale. There is not much technical information about their system, and their community seems to be quite limited compared to their number of followers on social networks.

Other alternative domain names projects have also emerged. It is important to know that anyone can create an extension not regulated by ICANN.

For users, it is necessary to use another means than a classic DNS resolver to use these extensions (browser extensions, dedicated applications, etc.).

As expected, there is a lot of speculation and cybersquatting related to this type of domain names.

Image source : xresch via Pixabay

Changes in the administration of Turkish extensions


It is a new change that has been in preparation for a few years in the digital world of Turkey.

Indeed, the administration of extensions in Turkey (.com.tr, .net.tr and .org.tr…) has been entrusted to .TR Network Information Systems (“TRABİS”) which will be incorporated under the Information and Communication Technologies Authority (“BTK”).

With TRABIS, changes will therefore occur in the process of assigning domain names.

Under this new system, the allocation of domain names under the extensions com.tr, net.tr and org.tr will be liberalized and will follow the principle of “first come, first served” (without required supporting documents).

As a reminder, under the management of NIC.TR, it was necessary to justify a trademark or the name of the company with an official document to register a .com.tr (the most used extension).

It will be easier to register a domain name in Turkey in a few weeks.

This change of rules was initially planned for January 2022 but has not happened yet.

BTK will announce soon the official dates and we hope to be able to confirm this liberalization of .com.tr, .net.tr and .org.tr during February 2022.

Do not hesitate to prepare your orders and contact your consultants and account managers to check your .com.tr domain names portfolio.

Image source : RiZeLLi via Pixabay

New document : 5 minutes to understand DNS cache poisoning


The DNS (Domain Name System) is a key service of the Internet. It is a giant, hierarchical and distributed directory that associates IP addresses with domain names, which are easier to identify, remember and transmit. It is the cornerstone of the Internet, and its infrastructure has flaws by its very design, making it an ideal target for attacks.

On one hand, the DNS service is based on authoritative DNS servers, which hold the information, and on the other hand, on DNS resolvers, which carry out the resolution for web users. The DNS cache poisoning attack targets DNS resolvers.

Find in this “5 minutes to understand” document, available for download on Nameshield’s website, what this DNS cache poisoning attack is and how to protect against it.

ICANN72, between prioritisation needs and fragmentation risks


At the end of October, the 72nd ICANN summit was held, devoted to the development of policies that impact the domain name system (DNS) and the global Internet community. As already announced during the past summer, this latest annual meeting was to be held by videoconference in the time zone of Seattle in the United States. “Sleepless” were therefore not in Seattle but rather in Europe.


The thorn in the side of the next round of new generic extensions

A month before this summit, ICANN announced the schedule for the Operational Design Phase (ODP) for one of the topics most anticipated by the contracting parties: the organisation of a future round of applications for new generic extensions. The ODP is a new mechanism now linked to the policy development process (PDP). It is similar to a project scoping exercise, as it aims to identify the steps, risks, costs and resources to be allocated to implement a project, in this case a new round of generic extensions. The PDP was conducted between 2015 and 2020, with the submission of a final recommendations report to the ICANN Board in March of this year. However, it is not until February 2023, almost two years later, that the Board should consider these recommendations, the time needed to conduct the ODP. Indeed, ICANN confirmed before the opening of ICANN72 that this scoping phase should last sixteen months in its entirety: ten months for the conduct of the ODP, three months upstream to initiate it, in particular to constitute the teams that will conduct it, and three months downstream to conclude the work.

This timetable surprised many of the contracting parties and gave rise to much discontent, expressed in particular through the Brand Registry Group, which represents and promotes the interests of its members, the dotBrand owners. For most members, things are not moving fast enough, and the ODP would even be partly useless since some aspects overlap with the work already conducted during the previous PDP. Another aspect pointed out was the cost of the ODP, estimated at $9 million, which is not a small amount.

The clouds are gathering as are the processes underway

As the other sessions scheduled during the week-long summit progressed, it was clear that the clouds continued to gather over ICANN’s policies. For example, the announcement of the launch of an expedited policy development process (ePDP) to review the Uniform Domain-Name Dispute Resolution Policy (UDRP), which allows for the recovery of disputed domain names, caused a great deal of misunderstanding, given that a review of all rights protection mechanisms (RPMs) had already been conducted between 2016 and 2020 and its final recommendations have not yet been examined by the ICANN Board. That review to validate the recommendations is now scheduled to take place at best in the summer of 2022, by which time the aforementioned ePDP should be finalised. This example illustrated the gap that is being created between the community’s expectations for decisions and ICANN’s decision-making bodies, which seem to be overwhelmed by the policy negotiation processes that are piling up and stretching out over time, at the risk of rendering decisions obsolete if they are made too late. According to some participants, this even affects ICANN’s ability to continue to carry out its mission as set out in its founding documents: to preserve and enhance the operational stability, reliability, security and global interoperability of the Internet.

“Prioritisation”, the word is out

On the first day of the sessions, ICANN CEO Goran Marby defended himself against the idea that the Board was slow to make decisions. He pointed out that the Board had recently examined 228 recommendations from the Competition, Consumer Trust and Consumer Choice (CCT) review team, which had just conducted a review to assess the extent to which the expansion of generic TLDs (gTLDs) had promoted competition, consumer confidence and consumer choice. 166 have been approved to date, 44 placed on hold and 18 rejected. Many of these measures are correlated with research and data collection to better understand market trends for new gTLDs.

Goran Marby also justified the delays in decision-making by the large number of ongoing and overlapping issues and by the fact that ICANN sometimes needs additional expertise to make decisions. In response to the criticisms, he also indicated that ICANN is now working on some form of prioritisation, a wish expressed by NAMESHIELD that seems to have been heard. However, Maarten Botterman of the Board nuanced this by specifying that prioritisation is not the Board’s responsibility, as it must ensure that the multi-stakeholder model is respected and must therefore maintain a certain neutrality on the subjects submitted to it.

A risk of fragmentation

From an organisation that has difficulty making decisions to one whose legitimacy is questioned, there is only one step. From the first day of the sessions, Goran Marby, who was particularly involved in the exchanges, spoke of “threats to ICANN”. ICANN is working on a risk management framework for the organisation. He also spoke of the need to talk more closely with governments, as the current governance model is being challenged. Indeed, one only has to look at Russia to see that in November 2019, the Russian government introduced new regulations that create a legal framework for centralised state management of the Internet within Russia’s borders. Russia has also proposed to hand over the management of the root servers to BRICS (Brazil, Russia, India, China and South Africa) member states. As further proof that states are going on the offensive through legislation, recent European directives also have an impact on the governance model, such as the General Data Protection Regulation (GDPR) and the forthcoming NIS2 (Network and Information Systems) directive, subjects which were also recalled at the summit. In China, for example, a law strengthening controls on digital services operated in China has just been adopted.

The failure of the ICANN governance model, if confirmed, could lead to a fragmentation of the DNS as we know it today, a fragmentation which takes shape as ICANN becomes bogged down in sterile debates. This summit has highlighted that the community and ICANN leadership have identified this major risk. The challenge for the future is to address it. We will watch the next ICANN summit scheduled in March 2022.

The observation that DNS regulation policies are bogged down, particularly at ICANN72, was widely shared by NAMESHIELD well before this summit. In particular, NAMESHIELD had expressed the need to prioritise topics in agreement with the community during the ICANN72 preparatory sessions. NAMESHIELD, which participates in working groups producing recommendations in the context of the periodic reviews conducted by ICANN, also advocated for making voluntary work attractive again and for diversifying the representatives in these working groups, in particular from small structures. Indeed, many volunteers are now overwhelmed by the increasing volume of topics to be considered as the processes accumulate and decisions do not follow. New participants are discouraged from taking an interest in these topics by lengthy and cumbersome processes.

Image source : David Mark via Pixabay

New document : 5 minutes to understand domain names extensions (TLD)


The “Top Level Domains”, also called TLD or extensions, are defined by the IANA (Internet Assigned Numbers Authority), which has depended on ICANN since 1998.

ICANN and IANA are in charge of allocating Internet Protocol (IP) address space, assigning protocol identifiers and managing the top level domain name system, i.e. the “Top Level Domains”.

Find out in this “5 minutes to understand” document, available for download on Nameshield’s website, the different types of top level domains.

New document : 5 minutes to understand who manages the Internet


There is a multitude of players involved in the management of the network of networks! Its management is the responsibility of a decentralized and international multiparty network of independent groups from civil society, the private sector, governments, academic and scientific communities, and national and international organizations.

This “5 minutes to understand” document, available for download on Nameshield’s website, explains who manages the Internet and what the respective roles of ICANN, registries and registrars are.

Data escrow no longer escapes the concentration of the domain names industry


There is a lot of talk about the concentration taking place among registries and registrars, two of the key actors in the domain name ecosystem. The two companies that have been in the news the most over the last two years are Ethos Capital and Clearlake Capital, two private equity firms that specialise in acquisitions in this sector.

Ethos Capital, founded in 2019, had proposed in November 2019, in a $1.135 billion deal, to acquire Public Interest Registry, the registry in charge of the historical .ORG extension, which then claimed some 10.5 million registrations. Although that deal fell through after a surprise veto by ICANN, under a provision of the Registry Agreement that requires ICANN approval for each change of control or major subcontracting arrangement, Ethos Capital was quickly consoled by the confirmed acquisition, on March 31, 2021, of the registry Donuts, which had itself concluded in December 2020 the acquisition of Afilias, the registry operator of .INFO and .MOBI, among other gTLDs. Donuts currently claims 270 generic extensions out of a total of 1,268, i.e. 21% of them! It recently acquired the .watches extension from the luxury goods group Richemont.

As for Clearlake Capital Group, founded in 2006, it acquired Endurance International in a $3 billion deal and recently took a significant stake in Web.com; the two entities were merged to form a new company called Newfold Digital. Newfold’s portfolio includes registrars such as Register.com, Network Solutions, Domain.com, BuyDomains, BigRock, PublicDomainRegistry and CrazyDomains, as well as BlueHost and HostGator, two major web hosting companies. The group claims approximately 16.5 million domain names.

Another well-known player, the American registrar GoDaddy, announced in February 2021 that it was raising $800 million to fund acquisitions, and has since gone on the offensive. The world’s largest registrar by volume is currently finalising the acquisition of Minds & Machines, a registry of new generic extensions (27 in all), in a deal worth $120 million. Europe is of course not immune to the concentration phenomenon, even if the deals taking place there are not as large as those mentioned above.

These are just a few examples of a concentration that seems to be accelerating unstoppably in the domain name sector. Yet another key category of players in domain name management, the escrow agents, seemed less exposed to the phenomenon until now. Their critical mission is to hold and safeguard the registration data deposited by registrars and registries, rather like a bank: ICANN’s Registrar Accreditation Agreement and Registry Agreement require these deposits so that the data can be released and domain names kept operational if a registrar or registry fails. However, looking at the list of ICANN-designated escrow agents, we recently noticed that one of them, namely Iron Mountain, has disappeared. This is not an error: its data escrow business has been absorbed by its competitor NCC Group, in a deal concluded in June and estimated to be worth $165 million.

Across the concentration now taking place in every area essential to the management of domain name portfolios, questions arise about the range of services on offer, which keeps shrinking as a few major players take over the market; about prices (PIR had obtained from ICANN the lifting of the price cap on .ORG just before Ethos Capital made its takeover offer); and about control of domain name data, which is hard to maintain in a globalised market. It should be remembered that NAMESHIELD remains an independent French company for which all these issues are at the heart of its concerns.

Image source : Geralt via Pixabay