About Intellectual Property IP Training IP Outreach IP for… IP and... IP in... Patent & Technology Information Trademark Information Industrial Design Information Geographical Indication Information Plant Variety Information (UPOV) IP Laws, Treaties & Judgements IP Resources IP Reports Patent Protection Trademark Protection Industrial Design Protection Geographical Indication Protection Plant Variety Protection (UPOV) IP Dispute Resolution IP Office Business Solutions Paying for IP Services Negotiation & Decision-Making Development Cooperation Innovation Support Public-Private Partnerships The Organization Working with WIPO Accountability Patents Trademarks Industrial Designs Geographical Indications Copyright Trade Secrets WIPO Academy Workshops & Seminars World IP Day WIPO Magazine Raising Awareness Case Studies & Success Stories IP News WIPO Awards Business Universities Indigenous Peoples Judiciaries Genetic Resources, Traditional Knowledge and Traditional Cultural Expressions Economics Gender Equality Global Health Climate Change Competition Policy Sustainable Development Goals Enforcement Frontier Technologies Mobile Applications Sports Tourism PATENTSCOPE Patent Analytics International Patent Classification ARDI – Research for Innovation ASPI – Specialized Patent Information Global Brand Database Madrid Monitor Article 6ter Express Database Nice Classification Vienna Classification Global Design Database International Designs Bulletin Hague Express Database Locarno Classification Lisbon Express Database Global Brand Database for GIs PLUTO Plant Variety Database GENIE Database WIPO-Administered Treaties WIPO Lex - IP Laws, Treaties & Judgments WIPO Standards IP Statistics WIPO Pearl (Terminology) WIPO Publications Country IP Profiles WIPO Knowledge Center WIPO Technology Trends Global Innovation Index World Intellectual Property Report PCT – The International Patent System ePCT Budapest – The International Microorganism Deposit System Madrid – The International Trademark System eMadrid Article 6ter (armorial bearings, flags, state emblems) Hague – The International Design System eHague Lisbon – The International System of Appellations of Origin and Geographical Indications eLisbon UPOV PRISMA Mediation Arbitration Expert Determination Domain Name Disputes Centralized Access to Search and Examination (CASE) Digital Access Service (DAS) WIPO Pay Current Account at WIPO WIPO Assemblies Standing Committees Calendar of Meetings WIPO Official Documents Development Agenda Technical Assistance IP Training Institutions COVID-19 Support National IP Strategies Policy & Legislative Advice Cooperation Hub Technology and Innovation Support Centers (TISC) Technology Transfer Inventor Assistance Program WIPO GREEN WIPO's Pat-INFORMED Accessible Books Consortium WIPO for Creators WIPO ALERT Member States Observers Director General Activities by Unit External Offices Job Vacancies Procurement Results & Budget Financial Reporting Oversight

browse comments: WIPO RFC-3

WIPO RFC-3
egerck@mcg.org.br
Wed, 3 Mar 1999 04:21:22 -0500

Browse by: [ date ][ subject ][ author ]
Next message: John Cody: "Suggestion to consider"
Previous message: john@annapolis.net: "WIPO RFC-3"

From: egerck@mcg.org.br
Subject: WIPO RFC-3

Sirs:

The following comment is scheduled for presentation at the WIPO Meeting in Washington D.C. on March 10th, with my registration for the Meeting. I submmit it for publication in your web site, section of RFCs & Comments, which I hereby authorize.

Best regards,

Ed Gerck
-----------------------------------------------------------------------

Arguments for recalling WIPO RFC3

Dr. rer. nat. Ed Gerck *
Coordinator - Meta-Certificate Group
egerck@mcg.org.br

NOTE: The arguments herein represent matters that were publicly
discussed by the MCG, an Internet Open Group on Security and
Certification that includes participants from 28 countries,
and in other fora. However, this presentation is not a MCG
document nor should its terms be considered statements by
anyone but myself.

INTRODUCTION

The World Intellectual Property Organization (WIPO) is an organization
founded through a treaty by States, which has 171 States of the World as
members, essentially establishing international frameworks for each of
the rights that make up intellectual property, and systems for obtaining
international protection of such intellectual property rights.

The National Telecommunications and Information Administration (NTIA),
an agency of the United States Department of Commerce, issued on June 5,
1998, its Statement of Policy on the Management of Internet Names and
Addresses (the “White Paper”). Based on this document, the U.S.
Government called upon WIPO to: (1) develop recommendations for a
uniform approach to resolving trademark/domain name disputes involving
cyberpiracy, (2) recommend a process for protecting famous trademarks in
the generic top level domains, and (3) evaluate the effects, based on
studies conducted by independent organizations, of adding new gTLDs and
related dispute resolution procedures on trademark and intellectual
property holders.

In response, WIPO has produced the document RFC3 [RFC3-98], which is the
object of my present comments, below. In summary, I express the opinion
that the RFC3 document is basically flawed in eight major areas and
should be recalled in totum.

In addition, as I advance in the conclusions, a positive answer to the
US's NTIA requests should be possible. However, only by taking a quite
different approach.

Otherwise, I hope to be able to show ahead of time that pursuing the
RFC3 recommendations will just lead to harm worldwide e-commerce, the
Internet itself, Internet security, the public trust on business marks
-- and, most importantly, users and consumers.

I. CONFLICT WITH WIPO'S JURISDICTIONAL MATTERS

The RFC3 specifically postulates that "Internet Domain Names have come
into conflict with the system of business identifiers that existed
before the arrival of the Internet and that are protected by
intellectual property rights" -- which matters are under the
jurisdiction of WIPO.

The question arises whether this WIPO "declaration of conflict" is
justified.

In other words, even though Internet Domain Names are surely a human
friendly form of Internet addresses and they are also used to designate
Internet addresses where businesses may be reached, are they also
"business identifiers" for the specific purposes of intellectual
protection rights?

If they would be business identifiers or marks, then in WIPO's RFC3
words, enforcing intellectual property rights would be useful, since:
"The exclusive right to the use of the mark enables the owner to prevent
others from misleading consumers into wrongly associating products with
an enterprise from which they do not originate."

Thus, if Internet Domain Names are business identifiers then they should
allow customers to associate products with a business. But, they do not.

In fact, Internet Domain Names highest security threat comes from such
association -- which is fully unwarranted and forewarned against by
every Internet Certification Authority (CA), browser's on-screen
instructions to users, and security work groups such as the Internet
Engineering Task Force (IETF), the Meta-Certificate Group (MCG) and also
so handled by Network Solutions, Inc (NSI), the exclusive registrar for
the gTLD .com, .org and .net domains as appointed by the United States.

Instead, Internet Domain Names in naming conventions such as e-mail
addresses, DNSs and IPs are actually just convenient mirages in the
worldwide Internet. For example, it is perfectly possible for a site
that ends with .jp (i.e., Japan) to be hosted in the USA -- so, just by
the DNS convention one cannot affirm anything about the site's
whereabouts, contents, owner or business branch. Further, such names can
be diverted to different Internet locations by URL-hijacking, router
intervention, malicious JavaScript, etc.

Thus, Internet Domain Names are NOT business identifiers as RFC3
postulates, which negates the very postulated conflict that is stated by
WIPO -- to provide a need for RFC3 within WIPO.

II. WIPO ASSUMPTIONS NOT GRANTED EVEN IF ONE-SIDED

On the other hand, notwithstanding what has been explained in item (I)
above, if WIPO one-sidedly views or wants Internet Domain Names to be
viewed as business identifiers, it should become aware that the basic
requirements for a business identifier or mark are directly denied.

Internet Domain Names are not stable references -- the first notion,
according to some experts, that define the possibility of a mark that
can serve as a business identifier. I doubt someone could trademark a
cloud formation -- which is however a good metaphor for Internet Domain
Names.

Further, Internet Domain Names are not even objective as a cloud is --
they are simply references that depend on references, which are again
references. No one can be objectify certain to any degree that they
reached the correct Internet address when they type an Internet Domain
Name. I doubt someone could understand a mirage on the Sahara desert of
a reference of a cloud formation to be a business mark -- which is
however and again a good metaphor for Internet Domain Names.

III. UNWARRANTED ASSOCIATION -- SECURITY FLAW

As discussed in Items (I) and (II), Internet Domain Names are address
identifiers which may point to any Internet host in the world, to any
business and may even be diverted without anyone noticing it. Thus, it
is a basic security flaw to proceed with WIPO's RFC3 and try to
associate Internet Domain Names with stable, objective, well defined
marks. They are not and never will be, by TCP/IP Internet design.

There is an ongoing education effort on the Internet, to explain to
users what Internet Domain Names are -- and what they are not. Even, and
specially, when such understanding may increase the user's doubts.
Companies, associations, groups, discussion lists and individuals have
invested much time and resources in order not to provide unwarranted
associations. This can be seen in commercial browser's on-screen user
messages such as this one from Netscape: "...you cannot check the
identity of the web site."

However, WIPO's RFC3 goes blatantly against such principles and implies
an Internet address assurance which simply does not exist and is even
denied by the TCP/IP design.

IV. WRONG TRUST -- DENIES TRUTH IN ADVERTISING

As item (III) shows, Internet Domain Names are on the same trust level
as a cloud mirage on the Sahara when used as business identifiers.

However, by using them in RFC3, WIPO will not be able to increase their
public trust as business identifiers -- which is one of NTIA's
motivations.

Why? As shown in [Ger98], trust is qualified reliance on received
information. The degree of trust is measured by reliance extent, clearly
reduced here by denying the very fabric of traditional rules that WIPO's
member States must follow when issuing a trademark -- and which
consumers need to rely upon.

In this analysis, Internet Domain Names under RFC3 would then become
"third-class" business identifiers, one that is not quite a mark, one
which history no one is sure of or can verify.

Which negates the very purpose of RFC3 and denies truth -- since an
Internet Domain Name cannot possess the basic trust qualities that would
qualify it to be a mark under current and tried trademark agreements.

Moreover, lack of trust here will negate trust there, by association
[Ger98] -- which will hurt the investments of companies in their
good-will and business identification for traditional commerce.

Finally, if an Internet Domain Name is not a mark under WIPO's member
States accepted rules for marks -- as I contest it is not, based on
several items here -- why consider it as a mark under WIPO? Is this
truth-in-advertising?

V. WRONG MARKET MOTIVATION

What is the message that WIPO RFC3 is sending to the market, with its
apparently unreasonable restrictions and imposed leonine clauses
[Fro99], coupled with the perceived lack of trust on Internet Domain
Names as stable and objective as a "real" mark should be?

Perhaps, it would force the way to a worldwide "generic" movement on
Internet names for e-commerce -- for example with non-denominated
auction sales sites, where the user places a bid for a good from a
non-denominated supplier as we can already see today.

Which can have positive sides for e-commerce at the beginning but will,
however, glitch on the lack of a mechanism to adequately represent
reputation -- one of the prime factors of a valuable mark -- as a
deterrent factor against a non-denominated supplier's default.

VI. WRONG CERTIFICATION

As discussed in Item (I), Internet Domain Names are address identifiers.
However, do they authenticate a business site? Do they provide some
degree of assurance that the address has been reached?

No, on both counts.

First, note that the Internet is an open system, where the identity and
origin of the communicating partners is not easy to define. Each user
controls only their end of the connection -- and no one controls both
ends at the same time. Further, the communication path is non-physical
and may include any number of eavesdropping and active interference
possibilities. Thus, Internet communication is much like anonymous
postcards, which are answered by anonymous recipients. However, these
postcards, open for anyone to read -- and even write in them -- must
carry messages between specific endpoints in a secure and private way
[Ger97].

This means that Internet Domain Names have routing problems which are
actually a feature of the Internet TCP/IP packet traffic design and
which cannot be avoided -- so, they need to be solved in an additional
design layer.

The solution to the routing problem is to use cryptographic
authentication by means of digital certificates to assure that
communication is happening between the desired endpoints -- for example,
also including real-time challenge response authentication to avoid
replay attacks.

In this regard, the ITU-T Recommendation X.509 (which has been
implemented as a de facto standard) defines a framework for the
provision of authentication services, under a central control paradigm
represented by a "Directory". It describes two levels of authentication:
simple authentication, using a password as a verification of claimed
identity; and strong authentication, involving credentials formed by
using cryptographic techniques [Ger97].

The WIPO RFC3 however intends to provide a type of "business
certification" (i.e., a mark) by means of simple Internet Domain Name
unchallenged protocol authentication, without cryptographic
challenge response and without even a password. This is clearly wrong
and is a further reason to recall RFC3 -- as it imposes what the
Internet denies.

The consequences?

The problems that may be caused by false certification or no
certification mechanisms can range from a "man-in-the-middle" attack in
order to gain knowledge over controlled data, to a completely open
situation to gain access to data and resources [Ger97]. It is important
to note that these problems do not disappear with encryption or even a
secure protocol. If the user is led to connect to a spoofing site, which
appears to be what he wants, he may have a secure connection to a thief
and that will not make it safer.

To make matters worse, and as already commented, DNS hijacking can make
connections to www.good.com go to www.bogus.com -- without anyone
noticing it, even if you know that "bogus" is bad. Further invalidating
any presumed routing that an Internet Domain Name might have locally
acquired by trusted repeated use -- such as www.amazon.com. Each
Internet connection is a new one and each connection may go through
different routers.

Thus, identity certification, or at least origin authentication, is a
must in order to really define a business identifier -- which points out
the direction that WIPO could have followed on this matter in order to
define stable and objective references.

However, WIPO's RFC3 notion of "business authentication" behind the use
of Internet names as marks cannot help but may harm -- by implying a
level of security which is simply fictional.

VII. WRONG EXTENT

The "parochial model" of the Internet that is thus at the base of WIPO's
RFC3 breaks down easily when we recognize that all machines and
addresses are essentially peers in the Internet. The DNS system is only
hierarchical to the extent that one branch follows another but there is
no imposed relationship whatsoever between machines in different
branches or even in the same branch. For example, the .ml.org domain has
several fully unrelated machines in it, in different parts of the world.

Thus, RFC3 confuses the extent of a worldwide Internet, where no one
controls both sides of a connection, all Internet Domain Names are peers
and any machine (i.e., possibly business site, possibly hacker) can be
made to respond to any name (i.e., would-be mark in RFC3) by a variety
of techniques [Ger97] which the user cannot distinguish... and
eventually learns not to rely upon but for routing purposes only, never
as a business identifier per se.

VIII. WRONG THEORY

What is a name? What does it reference? What does a name mean? When I
communicate over the Internet with an entity that has an Internet Domain
Name, what can I suppose about the entity if I rely on that Name's
significance to me?

Perhaps, one's tentative conclusion is that when one exchanges
communications with an entity that uses a common name, one generally
relies on being able at least to find behind that name either a
particular mind or particular assets or, a particular business. This
thought implies a referential model of meaning, similar to Plato's view
of referential forms. This is the model followed by RFC3.

To better investigate this, suppose we express the general concept of a
name, as a sign or a symbol -- e.g., my name is a symbol for myself.
Then, for example, if I see footsteps on the sand (i.e., a symbol, a
name) then I generally rely on the existence of someone that walked by
(which is the meaning or cause of the footsteps), or, if I see smoke
(i.e., a symbol, a name) I rely on the existence of fire, and so on. Or,
as in the above question, I expect to find a particular mind or
particular assets, or particular business that would have a causal
relationship to the name and which provides meaning to my communication.

However, this model breaks down as I exemplify in [Ger98] and Frege [see
Ger98] has shown around 1910.

Paraphrasing one of Frege's examples, if I tell you "I will photograph
the Morning Star" or if I tell you "I will photograph the Evening Star"
then, clearly, the two phrases have the same reference (i.e., the planet
Venus) but one describes it as the last celestial body to disappear at
dawn and the other as the first one to appear at dusk -- thus, they have
different senses or meanings. The same can happen with Internet Domain
Names.

If I see a site with a Domain Name "www.gifts.com" -- what do they
sell?

Presents -- as the English word "gift"? No, perhaps they distribute
poison as the German word for it (and pronunciation) is the same. Or
perhaps, they simply count all visitor's URLs (which they can
automatically collect upon entry) as the "General Insurrection on
Free-Trade Support" movement -- whatever that name may mean to them. As
another example, if an Internet Domain Name is www.amazon.com -- do they
sell trips to the Amazon?

CONCLUSIONS

We must recognize that Internet Domain Names can contain reference
information in varying degrees of completeness and human reading, but
not at all the corresponding sense or meaning. Further, they inherently
lack by their DNS/IP free floating assignment rules and by the TCP/IP
design of the Internet, any objective and stable information qualities.

That is why Internet Domain Names are simply ... names. Any extent added
to them is not warranted by the supporting Internet infrastructure and
protocols. So, their use as a mark would deny the minimal properties
that WIPO member States have agreed upon to define what a mark is -- as
a mark is not simply a name. And, WIPO would need to affirm what
Internet security protocols need to deny.

These points, discussed in eigth items in the text, cannot allow such
references to be meaningful in a trademark system -- which would be
essential to support a least agenda of WIPO's objectives in RFC3.

Thus, I suggest that RFC3 should be recalled in totum. Its application
will more probably cause more difficulties to Internet users and to
trademark owners than the few pathological cases it may avoid -- and
which have other solutions in public and open Internet discussions
within the jurisdiction of each country's domain name registrar,
according to local uses, rules and laws. As they have had in the recent
past -- but the Internet is a learning experience and certainly the WIPO
consultation has served and will serve that purpose.

On the other hand, identity certification, or at least origin
authentication, is considered a must in order to really define a
business identifier on the Internet. This points out the direction that
WIPO could follow on this matter in order to help provide stable and
objective references that would have business significance. In this
approach, Internet Domain Names may also be less susceptible to
parasitical appropriation -- for example, if the corresponding
certification would need to link the Internet address to a company's
legal name. This approach can, in my opinion, be carried out both in the
extrinsic certification mode (X.509, CAs, PGP) as well as with intrinsic
certification (Meta-Certificates) [Ger97], offering flexibility and
technologically-neutral options both to users as well as to businesses.

----------------------------
REFERENCES:

[Fro99] Froomkin, M. "A critique of RFC3" in
http://www.law.miami.edu/~amf/critique.htm - 1999.

[Ger97] Gerck, E., Overview of Certification Systems: X.509, CA, PGP
and SKIP. MCG, http://www.mcg.org.br/cert.htm - 1997.

[Ger98] Gerck, E., "Towards real-World Models of Trust: Reliance on
Received Information", in http://www.mcg.org.br/trustdef.htm - 1998.

[RFC3-98] WIPO, "THE MANAGEMENT OF INTERNET NAMES AND ADDRESSES:
INTELLECTUAL PROPERTY ISSUES", in http://wipo2.wipo.int - 1998.

------------------------------------------------------------------------

* Copyright © 1999 by E. Gerck. All rights reserved, free copying and
citation allowed with source and author reference.

 -- Posted automatically from Process Web site
Next message: John Cody: "Suggestion to consider"
Previous message: john@annapolis.net: "WIPO RFC-3"
https://www3.wipo.int/contact/en/area.jsp?area=arbitration https://www.wipo.int/pressroom/en/ https://www.wipo.int/tools/en/disclaim.html https://www.wipo.int/en/web/privacy-policy/ https://www.wipo.int/en/web/accessibility/ https://www.wipo.int/tools/en/sitemap.html https://www3.wipo.int/newsletters/en/ https://www.wipo.int/podcasts/en/ https://www.wipo.int/news/en/