ICANN New gTLD Application

New gTLD Application Submitted to ICANN by: MTR Corporation Limited

String: MTR

Originally Posted: 13 June 2012

Application ID: 1-2028-44295


Applicant Information


1. Full legal name

MTR Corporation Limited

2. Address of the principal place of business

MTR Headquarters Building, Telford Plaza,
33 Wai Yip Street, Kowloon Bay
Hong Kong N/A
HK

3. Phone number

+852 29932111

4. Fax number

+852 2795 9991

5. If applicable, website or URL

http://www.mtr.com.hk

Primary Contact


6(a). Name

Mr. Chun Hang Henry Chan

6(b). Title

Manager, Business Development

6(c). Address


6(d). Phone Number

+852 9034 0174

6(e). Fax Number


6(f). Email Address

henry.chan@hkirc.hk

Secondary Contact


7(a). Name

Mr. Tat On Jonathan Shea

7(b). Title

CEO

7(c). Address


7(d). Phone Number

+852 6038 6838

7(e). Fax Number


7(f). Email Address

jonathan.shea@hkirc.hk

Proof of Legal Establishment


8(a). Legal form of the Applicant

Corporation

8(b). State the specific national or other jurisdiction that defines the type of entity identified in 8(a).

Hong Kong

8(c). Attach evidence of the applicant's establishment.

Attachments are not displayed on this form.

9(a). If applying company is publicly traded, provide the exchange and symbol.

Hong Kong Stock Exchange; 66

9(b). If the applying entity is a subsidiary, provide the parent company.

Not applicable

9(c). If the applying entity is a joint venture, list all joint venture partners.

Not applicable

Applicant Background


11(a). Name(s) and position(s) of all directors

Chew Tai Chong, Projects Director
David Tang Chi-fai, Property Director
Gillian Elizabeth Meller, Legal Director & Secretary
Jacob Kam Chak-pui, Operations Director
Jay Herbert Walder, CEO
Jeny Yeung Mei-chun, Commercial Director
Lincoln Leong Kwok-kuen, Finance & Business Development Director
William Chan Fu-keung, Human Resources Director

11(b). Name(s) and position(s) of all officers and partners

Jay Herbert Walder, CEO

11(c). Name(s) and position(s) of all shareholders holding at least 15% of shares

The Financial Secretary Incorporated (in trust on behalf of the Government of HKSAR)

11(d). For an applying entity that does not have directors, officers, partners, or shareholders: Name(s) and position(s) of all individuals having legal or executive responsibility


Applied-for gTLD string


13. Provide the applied-for gTLD string. If an IDN, provide the U-label.

MTR

14(a). If an IDN, provide the A-label (beginning with "xn--").


14(b). If an IDN, provide the meaning or restatement of the string in English, that is, a description of the literal meaning of the string in the opinion of the applicant.


14(c). If an IDN, provide the language of the label (in English).


14(c). If an IDN, provide the language of the label (as referenced by ISO-639-1).


14(d). If an IDN, provide the script of the label (in English).


14(d). If an IDN, provide the script of the label (as referenced by ISO 15924).


14(e). If an IDN, list all code points contained in the U-label according to Unicode form.


15(a). If an IDN, Attach IDN Tables for the proposed registry.

Attachments are not displayed on this form.

15(b). Describe the process used for development of the IDN tables submitted, including consultations and sources used.


15(c). List any variant strings to the applied-for gTLD string according to the relevant IDN tables.


16. Describe the applicant's efforts to ensure that there are no known operational or rendering problems concerning the applied-for gTLD string. If such issues are known, describe steps that will be taken to mitigate these issues in software and other applications.

The gTLD string applied for is MTR. Its A-label is MTR. It is not an IDN.
The A-label is a valid label as specified in RFC 1035 and RFC 2181.
The A-label is no more than 63 characters long, and upper- and lower-case characters are treated as identical.
The A-label is a valid hostname as specified in RFC 952, RFC 1123, RFC 3696 and RFC 5890-5894.
The A-label consists entirely of letters. It is composed of three visually distinct characters.
As a result, we do not see any operational or rendering problems.
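Added example (not part of the application): the checks listed above, written as a small validator. It applies the 63-octet label limit of RFC 1035, the LDH hostname syntax of RFC 952/1123, case-insensitive label comparison, and the all-letters and not-an-IDN conditions the answer relies on. The function names and the problem messages are this example's own wording.

```python
import re

# Label rules the answer relies on: RFC 1035 / RFC 2181 (63-octet limit,
# case-insensitive labels) and the LDH hostname syntax of RFC 952 / RFC 1123.
MAX_LABEL_OCTETS = 63
# LDH: starts and ends with a letter or digit; interior may contain hyphens.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_label(label: str) -> list:
    """Return the list of problems found with a candidate ASCII TLD label.

    An empty list means the label passes every check. The message texts are
    this example's own, not quoted from any RFC.
    """
    problems = []
    if not label:
        return ["label is empty"]
    if not label.isascii():
        # A non-ASCII string must be applied for as an IDN with its xn-- A-label.
        return ["label contains non-ASCII characters; an IDN must be given as its A-label"]
    if len(label) > MAX_LABEL_OCTETS:
        problems.append(f"label is {len(label)} octets, above the RFC 1035 limit of {MAX_LABEL_OCTETS}")
    if not LDH_LABEL.match(label):
        problems.append("label is not valid LDH hostname syntax (RFC 952/1123)")
    if label.lower().startswith("xn--"):
        problems.append("label is an IDN A-label; the IDN questions of the form apply")
    if not label.isalpha():
        problems.append("label is not composed entirely of letters")
    return problems


def same_label(a: str, b: str) -> bool:
    """DNS labels compare case-insensitively (RFC 1035 / RFC 4343), so
    'MTR', 'mtr' and 'Mtr' all name the same TLD."""
    return a.lower() == b.lower()


def visually_distinct_letters(label: str) -> int:
    """Number of distinct characters after case folding; the answer notes
    that MTR consists of three visually distinct characters."""
    return len(set(label.lower()))


if __name__ == "__main__":
    # Constructed candidates: the applied-for string plus a few that fail a check.
    for candidate in ("MTR", "mtr", "xn--fiqs8s", "-mtr", "a" * 64, "m1tr"):
        print(candidate, "->", check_label(candidate) or "ok")
```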

17. (OPTIONAL) Provide a representation of the label according to the International Phonetic Alphabet (http://www.langsci.ucl.ac.uk/ipa/).


Mission/Purpose


18(a). Describe the mission/purpose of your proposed gTLD.

MTR Corporation Limited intends to apply for the TLD .MTR for the purpose of branding and exclusive internal use. Nevertheless, understanding that operating a TLD means operating a critical part of the Internet, MTR Corporation Limited is committed to promoting competition, consumer trust and consumer choice. While contemplating applying for our own TLD, MTR Corporation Limited and its consultant Hong Kong Internet Registration Corporation Limited (HKIRC) identified a number of issues related to these commitments, including consumer protection, security, stability and resilience, malicious abuse, sovereignty concerns and rights protection. MTR Corporation Limited is also committed to enforcing the existing policy relating to WHOIS, subject to the laws of the Hong Kong Special Administrative Region.

In view of these commitments, MTR Corporation Limited has adopted the mission of operating a world-class, trusted, resilient, robust, stable and secure domain name space that is an integral part of the Internet.

In our subsequent responses in this application, we will demonstrate how our proposed operational, technical, and financial plans for .MTR will address the issues pertaining to our commitments.

18(b). How do you expect that your proposed gTLD will benefit registrants, Internet users, and others?

.MTR, our proposed TLD, shall be operated with the aim of promoting the brand of MTR Corporation Limited. Content under the TLD shall include all the trusted information and online services related to the different businesses of MTR Corporation Limited worldwide. With a TLD used exclusively for the Corporation's online content, Internet users will find it easier and more secure to access the information they need about our businesses and railway services.

In view of the above goals, domain names under the .MTR TLD will not be opened to public registration. Domain names created at the second and lower levels will be for the use of the different subsidiaries of MTR and their various products and services. Adequate internal controls shall be adopted within MTR Corporation Limited to ensure that domain names registered internally comply with the registry agreement to be signed with ICANN.

Furthermore, MTR Corporation Limited shall comply with the Personal Data (Privacy) Ordinance of the Hong Kong Special Administrative Region in our dealings related to the .MTR TLD.

18(c). What operating rules will you adopt to eliminate or minimize social costs?

As mentioned above, even though .MTR shall be used exclusively within MTR Corporation Limited, we shall adopt appropriate policies and internal controls for domain name registrations under the TLD.

Community-based Designation


19. Is the application for a community-based TLD?

No

20(a). Provide the name and full description of the community that the applicant is committing to serve.


20(b). Explain the applicant's relationship to the community identified in 20(a).


20(c). Provide a description of the community-based purpose of the applied-for gTLD.


20(d). Explain the relationship between the applied-for gTLD string and the community identified in 20(a).


20(e). Provide a description of the applicant's intended registration policies in support of the community-based purpose of the applied-for gTLD.


20(f). Attach any written endorsements from institutions/groups representative of the community identified in 20(a).

Attachments are not displayed on this form.

Geographic Names


21(a). Is the application for a geographic name?

No

Protection of Geographic Names


22. Describe proposed measures for protection of geographic names at the second and other levels in the applied-for gTLD.

.MTR, the proposed TLD, shall be reserved for exclusive internal use within MTR Corporation Limited. We acknowledge the GAC Principles regarding New gTLDs (http://archive.icann.org/en/topics/new-gtlds/gac-principles-regarding-new-gtlds-28mar07-en.pdf) and shall adopt, before .MTR is introduced, appropriate procedures for reserving from public registration, at no cost and upon demand of governments, public authorities or IGOs, names with national or geographic significance at the second and other levels.

The detailed procedures and measures shall be as follows:

All geographic and geopolitical names contained in the ISO 3166-1 list from time to time shall initially be reserved at both the second level and at all other levels from public registrations. All names shall be reserved in English and in all related official languages.

In addition, we shall reserve names of territories, distinct economies, and other geographic and geopolitical names as ICANN may direct from time to time. Such names shall be reserved from public registration during any sunrise period. MTR Corporation Limited shall post and maintain an updated list of all such names on the registry operator's website, including updates necessary to implement changes at ICANN's direction. Upon determination by ICANN of appropriate standards and qualifications for registration following input from interested parties in the Internet community, such names may be approved for registration to the appropriate authoritative body.

Registry Services


23. Provide name and full description of all the Registry Services to be provided.

The following registry services are offered by the .MTR registry:

A. Receipt of data from registrars concerning registration of domain names and name servers.
The registry will use a Shared Registration System (SRS) that provides two interfaces through which registrars submit data concerning the registration of domain names and name servers: a web application and EPP. This service will be provided over both IPv4 and IPv6 networks.


B. Dissemination of TLD zone files.
The registry will provide the DNS by operating the domain name servers, which host the TLD zone files. Records for registered domain names will be provisioned into the TLD zone files. Updates to the TLD zone files on the primary name servers will be propagated to the TLD zone files on the secondary and anycast name servers according to the schedules and time intervals applicable to different types of transactions. The domain name servers will be accessible to Internet users for domain name resolution. This service will be provided over both IPv4 and IPv6 networks.

C. Dissemination of contact or other information concerning domain names.
Both a command-line (port 43) and a web-based WHOIS service will be provided by the registry. Internet users can submit WHOIS queries to these WHOIS servers and obtain the results. This service will be provided over both IPv4 and IPv6 networks.


D. DNS Security Extensions (DNSSEC).
The registry will sign the .MTR zone in accordance with the DNSSEC standards. Internet users will be able to authenticate .MTR DNS resolution results and verify their integrity. This service will be provided over both IPv4 and IPv6 networks.

The .MTR registry does not plan to offer Internationalised Domain Name registration initially.


No unique or special services

MTR Corporation Limited does not provide any special or unique service that is not commonly provided by other TLDs.


Security

Security will be taken into serious consideration in the architectural design and operation of the registry. Both MTR Corporation Limited and our registry operator HKIRC have security policies in place (refer to the answer to question 30 for details). Measures will be taken to prevent the unauthorised disclosure, alteration, insertion or deletion of registry data, as well as unauthorised access to, or disclosure of, information or resources on the Internet by the registry systems.


Stability

All services provided will comply with the applicable standards, such as the RFCs published by the IETF. The services will not adversely affect the throughput, response time, consistency or coherence of responses to Internet servers or end systems.


Demonstration of Technical & Operational Capability


24. Shared Registration System (SRS) Performance

MTR Corporation Limited will engage HKIRC as the registry operator. HKIRC is the registry for the .hk ccTLD and the .香港 IDN ccTLD.

Leveraging its success in running the .hk registry and registrar since 2002, and .香港 since 2011, HKIRC will provide a comprehensive, robust and reliable SRS service.

HKIRC provides registration services through its registrars for domain names ending with .com.hk, .org.hk, .gov.hk, .edu.hk, .net.hk, .idv.hk, .公司.香港, .組織.香港, .政府.香港, .教育.香港, .網絡.香港, .個人.香港, .hk and .香港.

A high-level SRS system description; representative network diagram

HKIRC currently manages approximately 230,000 domain registrations and provides a full Shared Registration System (SRS) with the following services:

1. DNS IPv4/v6 service for .hk and .香港: ns1.hkirc.net.hk and ns2.hkirc.net.hk in Hong Kong, plus two anycast DNS providers located around the world.
2. WHOIS IPv4/v6 service for .hk and .香港: whois.hkirc.hk
3. Web-based WHOIS IPv4/v6 service: https://www.hkdnr.hk/whois/whois.jsp
4. IPv4/v6 registration system for the registration of the above-mentioned first- and second-level domains: https://www.hkdnr.hk/
5. IPv4/v6 EPP: epp.hkirc.hk and epp2.hkirc.hk

A high-level system diagram for the SRS (Appendix A, SRS system high level system diagram) and a network diagram (Appendix B, High Level Network Diagram) are included.

The frequency of synchronisation between servers is described in Appendix C.

Performance

HKIRC is currently handling:

New domain registrations: 4,000 per month
Domain renewals: 8,403 per month
DNS queries: 2,588,520,824 per month
WHOIS transactions: 1,346,000 per month
Web pages served: 1,121,000 per month

Operational Statistics:

DNS Availability (in 2011): 100%
Average Query Time (ns1.hkirc.net.hk and ns2.hkirc.net.hk): 128ms
Average WHOIS Response Time: 380ms
Web Site Availability (in 2011): 99.92%

HKIRC already provides services in compliance with Specification 6 and Specification 10 of the New gTLD Agreement Specification.

Appendix D shows the detailed performance figures of HKIRC's SRS:
- NS query
- WHOIS command line
- WHOIS web
- EPP
- Web panel

As for .MTR, since the purpose of the gTLD is branding, the following describes its performance expectations:

1) There will be a very limited number of delegations within this domain, on the order of single to double digits.
2) Registration of domain names will be limited to internal use, i.e. a high volume of domain transactions is not expected.
3) Limited registrations hence a low number of queries to the TLD.
4) Since there will not be a large number of domain transactions and there will only be a small number (possibly one) of registrars, there will be no need for a dedicated EPP system. In order to satisfy Specification 6 of the New gTLD Agreement Specification, however, an EPP system can be provided by HKIRC's existing infrastructure and EPP system.

HKIRC will provide the following to fulfil the requirements of Specifications 6 and 10 of the New gTLD Agreement Specification:

1. BIND 9.8 for the DNS servers (Specification 6, 1.1).
2. Two DNS servers located in two different geographic locations (Specification 6, 3.1, 3.2, 3.3).
3. Full DNSSEC infrastructure for zone signing, key management, etc., compliant with Specification 6, 1.3.
4. Full IPv6 and IPv4 network access to the Internet (Specification 6, 1.5).
5. Two WHOIS servers, and WHOIS with web interfaces, located in two different geographic locations (Specification 6, 3.1, 3.2, 3.3).
6. Two registration system servers located in two different geographic locations (Specification 6, 2.1, 3.1, 3.2, 3.3).
7. A high-availability database system (Oracle RAC cluster pair at the primary site) with additional near-real-time data synchronisation to a hot-standby database server at the secondary site (Specification 6, 2.1, 3.1, 3.2, 3.3).
8. An EPP system will be provided, if needed, through HKIRC's EPP infrastructure, which is fully compliant with Specification 6, 1.2.
9. Near-real-time synchronisation of data within the SRS, i.e. DNS zone transfer is active-active for both servers, database synchronisation to the hot-standby database is near real time, and all EPP and web services are active-active using load-balancing technology.
10. All services will be implemented on HKIRC's existing infrastructure in order to fully comply with the SLA of Specification 10.

Resources Planning

HKIRC will provide resources for the initial implementation of the systems as well as their long-term operation. These resources are already available as part of the Technical Team that operates the .hk and .香港 domains.

To support .MTR in both its initial implementation and continuous technical operation, we propose the following teams:

Initial implementation:

IT Project Manager x 1, responsible for project planning and co-ordination.
System Engineer x 2, responsible for initial project setup, system implementation and carrying out the System Acceptance Test.
Database Administrator x 1, responsible for initial project setup, system implementation and carrying out the System Acceptance Test.
Analyst Programmer x 1, responsible for initial system development and implementation.

Technical Operation Team:

IT Manager x 1
IT Project Manager x 1
System Engineer x 1
Database Administrator x 1

The Technical Operation Team will carry out the day-to-day operation of the .MTR domain, with typical duties including:

IT Manager:

- Responsible for the overall operation of the Technical Department
- Direct the team to implement the policy, security review, audit and management processes and cycles
- Report the status of the IT operation to senior management

IT Project Manager:

- Lead a team of IT specialists to manage systems and network services
- Provide technical as well as management leadership for the System & Network Team
- Ensure the team is properly skilled for current and future work, through training and other means
- Ensure the System & Network Team is properly staffed for current and future work
- Establish policies, guidelines and procedures for system management, system administration and operations, as well as system security
- Regularly review and update those policies, guidelines and procedures
- Ensure all users and team members are aware of the above policies, guidelines and procedures
- Ensure all team members perform all operations according to the above policies, guidelines and procedures
- Undertake IT process review and re-engineering, service and system quality assurance, information security evaluation and risk assessment within the organisation, in-house and with vendors
- Manage system/security projects, including vendor/product evaluation and implementation
- Perform system and security configuration checking and documentation on various systems
- Perform system and application vulnerability scanning and compliance testing
- Foster information security awareness within the organisation
- Perform day-to-day security operations

System Engineer/Database Administrator:

- Perform daily system monitoring and operation tasks; assist with system administration, planning and technology evolution
- Service/server performance monitoring
- Carry out regular maintenance on systems to ensure proper and efficient operation, which may include:
  - SSL certificate renewal
  - Regular data backup
  - Patch review and upkeep for all databases
  - Database security implementation based on the company's Security Guidelines & Policy
- Carry out daily system health checks, including:
  - Network traffic monitoring
  - DNS health checks
  - System load check
  - Email health check, public blacklist check
  - Anti-virus update checks
  - Database system load check
  - Backup system health check
  - Service alert check
- Roster duty for non-office-hour technical support
- Undertake system and network infrastructure enhancements in-house and with outsourced vendors
- Conduct system implementation, system testing and user acceptance testing
- Set up and conduct proof-of-concept testing and evaluation on test-beds for assessing new technology, technical standards and products
- Maintain documentation and develop reports for system implementation and infrastructure changes

Our staff also hold various certifications, including:

- ITIL v3 Foundation
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- VMware Certified Professional (VCP)
- Sun Certified System Administrator (SCSA)
- Sun Certified Network Administrator (SCNA)
- Oracle Certified Professional (OCP)
- Cisco Certified Network Associate (CCNA)
- Cisco Certified Network Professional (CCNP)
- Check Point Certified Security Expert (CCSE)

HKIRC will utilise existing staff so as to leverage its in-house expertise in the field of Internet and domain name registration. The current IT Operation team consists of an experienced project manager (more than 20 years in the IT field, including more than 15 years in UNIX and networking) and engineers (with at least 5 to 7 years in the IT field, of which at least 5 years in UNIX, networking and database work).

HKIRC currently provides 24x7, all-year-round support and monitoring for the .hk and .香港 domain SRS systems, either through its own staff or through an external party (NOC). The systems and services are monitored through industry-standard infrastructure monitoring systems (Nagios, with Cacti for performance monitoring), as well as custom monitoring systems for specific functions, e.g. VIP DIG check, GENZONE and zone transfer alerts. All staff are on roster duty to provide a 24x7 technical support hotline service.



Appendix
Appendix A, SRS system high level system diagram
Appendix B, High Level Network Diagram
Appendix C, Frequency of synchronization between servers
Appendix D, Performance figures

25. Extensible Provisioning Protocol (EPP)

The purpose of the .MTR gTLD is branding and exclusive internal use. Since there will not be a large number of domain transactions and there will probably be no more than one registrar, there will be no need for a dedicated EPP system. In order to satisfy Specification 6 of the New gTLD Agreement Specification, however, an EPP system can be provided by HKIRC's existing infrastructure and EPP system.

We plan to have two EPP servers geographically located at two different sites for failover support.

The EPP server architecture is shown in attachment Q25-A_EPP architecture.

Registrars interact with our registry system through the EPP XML interface. Our EPP XML schema shows that the requirements of RFC 3735 and RFC 5730-5734 are met in the following respects:

A. Support for URI extensions

e.g.

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <command>
    <login>
      <clID>ClientX</clID>
      <pw>foo-BAR2</pw>
      <newPW>bar-FOO2</newPW>
      <options>
        <version>1.0</version>
        <lang>en</lang>
      </options>
      <svcs>
        <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
        <svcExtension>
          <extURI>urn:ietf:params:xml:ns:ext-1.0</extURI>
        </svcExtension>
      </svcs>
    </login>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>




Support for command-response, protocol-level and object-level extensions in XML format

e.g. Domain name transfer function

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <command>
    <transfer op="query">
      <domain:transfer xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
          xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>example.com.hk</domain:name>
        <domain:authInfo>
          <domain:pw>ibvWUOsa</domain:pw>
        </domain:authInfo>
      </domain:transfer>
    </transfer>
    <extension>
      <ext:extension xmlns:ext="urn:ietf:params:xml:ns:ext-1.0"
          xsi:schemaLocation="urn:ietf:params:xml:ns:ext-1.0 ext-1.0.xsd">
        <BundleDomainName>xn--pssw10apj2b.xn--55qx5d.xn--j6w193g</BundleDomainName>
      </ext:extension>
    </extension>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>


Authentication and security considerations

e.g. Login and change EPP password

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <command>
    <login>
      <clID>ClientX</clID>
      <pw>foo-BAR2</pw>
      <newPW>bar-FOO2</newPW>
      <options>
        <version>1.0</version>
        <lang>en</lang>
      </options>
      <svcs>
        <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
        <svcExtension>
          <extURI>urn:ietf:params:xml:ns:ext-1.0</extURI>
        </svcExtension>
      </svcs>
    </login>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>



Internationalisation considerations

e.g. Greeting function

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <hello/>
</epp>

Domain name and host name mapping

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <resData>
      <domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
          xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>example.com.hk</domain:name>
        <domain:roid>EXAMPLE1-EP</domain:roid>
        <domain:status s="ok"/>
        <domain:registrant>HK80130T</domain:registrant>
        <domain:contact type="admin">HK80131T</domain:contact>
        <domain:contact type="tech">HK80132T</domain:contact>
        <domain:contact type="billing">HK80133T</domain:contact>
        <domain:ns>
          <domain:hostObj>ns1.example.com.hk</domain:hostObj>
          <domain:hostObj>ns1.example.net</domain:hostObj>
        </domain:ns>
        <domain:host>ns1.example.com.hk</domain:host>
        <domain:host>ns2.example.com.hk</domain:host>
        <domain:clID>ClientX</domain:clID>
        <domain:crID>ClientY</domain:crID>
        <domain:crDate>1999-04-03T22:00:00.0Z</domain:crDate>
        <domain:upID>ClientX</domain:upID>
        <domain:upDate>1999-12-03T09:00:00.0Z</domain:upDate>
        <domain:exDate>2005-04-03T22:00:00.0Z</domain:exDate>
        <domain:trDate>2000-04-08T09:00:00.0Z</domain:trDate>
        <domain:authInfo>
          <domain:pw>[Undisclosed Information]</domain:pw>
        </domain:authInfo>
      </domain:infData>
    </resData>
  </response>
</epp>

Contact mapping

<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <resData>
      <contact:infData xmlns:contact="urn:ietf:params:xml:ns:contact-1.0"
          xsi:schemaLocation="urn:ietf:params:xml:ns:contact-1.0 contact-1.0.xsd">
        <contact:id>HK80130T</contact:id>
        <contact:roid>HK80130T</contact:roid>
        <contact:status s="ok"/>
        <contact:postalInfo type="int">
          <contact:name>John</contact:name>
          <contact:org>Example Inc.</contact:org>
          <contact:addr>
            <contact:street>123 Example Dr.</contact:street>
            <contact:street>Suite 100</contact:street>
            <contact:city/>
            <contact:sp/>
            <contact:pc>20166-6503</contact:pc>
            <contact:cc>US</contact:cc>
          </contact:addr>
        </contact:postalInfo>
        <contact:voice x="1234">+1.7035555555</contact:voice>
        <contact:fax>+1.7035555556</contact:fax>
        <contact:email>jdoe@example.com.hk</contact:email>
        <contact:clID>ClientY</contact:clID>
        <contact:crID>ClientX</contact:crID>
        <contact:crDate>1999-04-03T22:00:00.0Z</contact:crDate>
        <contact:upID>ClientX</contact:upID>
        <contact:upDate>1999-12-03T09:00:00.0Z</contact:upDate>
        <contact:trDate>2000-04-08T09:00:00.0Z</contact:trDate>
      </contact:infData>
    </resData>
  </response>
</epp>
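Added example (not part of the application, nor HKIRC's SDK): a minimal EPP client-side exchange built from the samples above. It assembles the login command from the "Authentication and security considerations" section with the standard library's ElementTree, applies the RFC 5734 transport framing (a 4-octet length prefix that counts itself, followed by the XML), and parses a domain-info response like the one in "Domain name and host name mapping" for its result code and name servers. The sample response and the svTRID value in it are constructed for this example; the helper names are this example's own.

```python
import struct
import xml.etree.ElementTree as ET

# Namespaces used in the EPP samples above (RFC 5730-5733).
EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
CONTACT_NS = "urn:ietf:params:xml:ns:contact-1.0"
HOST_NS = "urn:ietf:params:xml:ns:host-1.0"

# Emit epp-1.0 as the default namespace so the output matches the samples.
ET.register_namespace("", EPP_NS)
_NS = {"epp": EPP_NS, "domain": DOMAIN_NS}


def _e(parent, tag, text=None):
    """Create a child element in the epp-1.0 namespace (helper for this example)."""
    el = ET.SubElement(parent, f"{{{EPP_NS}}}{tag}")
    if text is not None:
        el.text = text
    return el


def build_login(cl_id, password, new_password=None, cl_trid="ABC-12345"):
    """Build the <login> command shown above. The credentials travel in clear text
    inside the XML, which is why RFC 5734 requires the session to run over TLS."""
    epp = ET.Element(f"{{{EPP_NS}}}epp")
    command = _e(epp, "command")
    login = _e(command, "login")
    _e(login, "clID", cl_id)
    _e(login, "pw", password)
    if new_password:
        _e(login, "newPW", new_password)  # optional password change, as in the sample
    options = _e(login, "options")
    _e(options, "version", "1.0")
    _e(options, "lang", "en")
    svcs = _e(login, "svcs")
    for uri in (DOMAIN_NS, CONTACT_NS, HOST_NS):
        _e(svcs, "objURI", uri)
    _e(command, "clTRID", cl_trid)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(epp, encoding="unicode")


def frame(xml_text):
    """RFC 5734 transport: 4-octet big-endian total length (header included), then UTF-8 XML."""
    payload = xml_text.encode("utf-8")
    return struct.pack("!I", len(payload) + 4) + payload


def unframe(data):
    """Split one framed EPP message off the front of a byte buffer.
    Returns (xml_text, remaining_bytes); raises on a short or malformed frame."""
    if len(data) < 4:
        raise ValueError("incomplete length header")
    (total,) = struct.unpack("!I", data[:4])
    if total < 4:
        raise ValueError("length header smaller than the header itself")
    if len(data) < total:
        raise ValueError("incomplete frame")
    return data[4:total].decode("utf-8"), data[total:]


def parse_result(xml_text):
    """Return (code, message) from an EPP <response>. Registry responses are untrusted
    input; a production client should parse with entity expansion disabled (e.g. defusedxml)."""
    root = ET.fromstring(xml_text)
    result = root.find("epp:response/epp:result", _NS)
    if result is None:
        raise ValueError("not an EPP response")
    return int(result.get("code")), result.findtext("epp:msg", default="", namespaces=_NS)


def domain_nameservers(xml_text):
    """Name servers listed in a domain <infData> response (hostObj form, as above)."""
    root = ET.fromstring(xml_text)
    path = "epp:response/epp:resData/domain:infData/domain:ns/domain:hostObj"
    return [h.text for h in root.findall(path, _NS)]


# Constructed sample response modelled on the domain-info response above.
SAMPLE_INFO_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1000"><msg>Command completed successfully</msg></result>
    <resData>
      <domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.com.hk</domain:name>
        <domain:roid>EXAMPLE1-EP</domain:roid>
        <domain:status s="ok"/>
        <domain:ns>
          <domain:hostObj>ns1.example.com.hk</domain:hostObj>
          <domain:hostObj>ns1.example.net</domain:hostObj>
        </domain:ns>
        <domain:clID>ClientX</domain:clID>
        <domain:authInfo><domain:pw>[Undisclosed Information]</domain:pw></domain:authInfo>
      </domain:infData>
    </resData>
    <trID><clTRID>ABC-12345</clTRID><svTRID>SRV-0001</svTRID></trID>
  </response>
</epp>"""


if __name__ == "__main__":
    wire = frame(build_login("ClientX", "foo-BAR2", "bar-FOO2"))
    print(len(wire), "bytes on the wire; command:")
    print(unframe(wire)[0])
    xml_in, _rest = unframe(frame(SAMPLE_INFO_RESPONSE))
    print(parse_result(xml_in), domain_nameservers(xml_in))
```

The framing functions are the piece most often got wrong in home-grown clients: the length field includes its own four octets, and a reader must wait for the full frame before handing the bytes to the XML parser.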




HKIRC's EPP system has been in production for some time. The documents below are provided as attachments; HKIRC's registrars use them to set up their EPP clients and pass the registrar accreditation test.

For information on testing the HKIRC EPP, please refer to attachment (Q25-B_20111101_DNRS2 Registrar Operations Test Evaluation Guideline.doc).

For the programming guide for registrars' implementations, please refer to attachment (Q25-D_20120213 HK-SDK-Prog-Guide.doc).

EPP template and schema
Please refer to attachment (Q25-C_20120203 EPP XML v1.0.6.doc).

Resourcing plans (number and description of personnel roles allocated to this area).

HKIRC will provide resources for the initial implementation of the systems as well as their long-term operation. These resources are already available as part of the Technical Team that operates the .hk and .香港 domains.

To support .MTR in both its initial implementation and continuous technical operation, we propose the following teams:

Initial implementation:

IT Project Manager x 1, responsible for project planning and co-ordination.
System Engineer x 2, responsible for initial project setup, system implementation and carrying out the System Acceptance Test.
Database Administrator x 1, responsible for initial project setup, system implementation and carrying out the System Acceptance Test.
Analyst Programmer x 1, responsible for initial system development and implementation.

Technical Operation Team:

IT Manager x 1
IT Project Manager x 1
System Engineer x 1
Database Administrator x 1

The Technical Operation Team will carry out day to day operation of the .MTR domain with typical duty including:

One IT Manager
- Who will be responsible for the overall operation of the Technical Department
- Direct the team to implement the policy, security review, audit and management processes and cycles.
- Report the status of the IT operation to the senior management

IT Project Manager:

- Lead a team of IT Specialists to manage systems and networks services
- Provide lead in technical as well as management for System & Network Team
- Ensure the team is properly skilled for the work on hand and future, through training and other mean
- Ensure the System & Network Team are properly staff for the work on hand and future
- Establish policies, guidelines and procedures for system management, system administration and operations, as well as system security.
- Regular review and update of policies, guidelines and procedures for system management, system administration and operations, as well as system security
- Ensure all users and team member are award of the above policies, guidelines and procedures for system management, system administration and operations, as well as system security.
- Ensure all member of team perform all operation according to the above policies, guidelines and procedures
- Undertake IT process review and re-engineering, service and system quality assurance, information security evaluation and risk assessment within the organization in-house and with vendors.
- Manage system⁄security projects including vendor⁄product evaluation and implementation
- Perform system and security configuration checking and documentation on various systems.
- Perform system and application vulnerability scanning and compliance testing
- Foster information security awareness within the organization
- Perform day-to-day security operations

System Engineer⁄Database Administrator:

- Perform daily system monitoring and operation tasks; assist with system administration, planning and technology evolution
- Service⁄server performance monitoring
- Carry out regular maintenance on systems to ensure proper and efficient operation, including:
SSL certificate renewal
Regular data backup
Patch review and upkeep for all databases
Database security implementation based on the companyʹs Security Guidelines & Policy
- Carry out daily system health checks, including:
Network traffic monitoring
DNS health checks
System loading check
Email health check and public blacklist check
Anti-virus update checks
Database system loading check
Backup system health check
Service alert check
- Roster duty for non-office-hour technical support
- Undertake system and network infrastructure enhancements in-house and with outsourced vendors
- Conduct system implementation, system testing and user acceptance testing
- Set up and conduct proof-of-concept testing and evaluation on test-beds for assessing new technology, technical standards and products
- Maintain documentation and develop reports for system implementation and infrastructure changes

All our staff also hold various certifications, including:

- ITIL v3 Foundation
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- VMware Certified Professional (VCP)
- Sun Certified System Administrator (SCSA)
- Sun Certified Network Administrator (SCNA)
- Oracle Certified Professional (OCP)
- Cisco Certified Network Associate (CCNA)
- Cisco Certified Network Professional (CCNP)
- Check Point Certified Security Expert (CCSE)

HKIRC will utilise existing staffing so as to leverage its in-house expertise in the field of Internet and domain name registration. The current IT Operation team consists of an experienced project manager (more than 20 years in the IT field, of which more than 15 years in UNIX and networking) and engineers (with at least 5 to 7 years in the IT field, of which at least 5 years in UNIX, networking and databases).

HKIRC currently provides 24x7, all-year-round support and monitoring for the .hk and .香港 domain SRS system, either through its own staff or through an external party (NOC). The systems and services are monitored through an industry-standard infrastructure monitoring system (Nagios, with Cacti for performance monitoring), as well as custom monitoring for specific functions, e.g. VIP DIG check, GENZONE and zone transfer alerts. All staff are on roster duty to provide the 24x7 technical support hotline service.

The EPP-specific server programs will be set up and maintained by the analyst programmer.

The daily operation of the EPP servers will be managed by the system engineer.

Attachments
Q25-A_EPP architecture.pdf

Q25-B_20111101_DNRS2 Registrar Operations Test Evaluation Guideline.pdf

Q25-C_20120203 EPP XML v1.0.6.pdf

Q25-D_20120213 HK-SDK-Prog-Guide.pdf



26. Whois

A high-level Whois system description;

There are two interfaces for public access to the Whois service: a web panel and a command line interface. Both interfaces are deployed at two geographically separate sites for failover support. The web panel currently has 4 servers at each site, in three tiers (web, application and database); the command line interface has one server at each site. The web panel is accessed over SSL on port 443 and the command line interface on port 43. Both access the database directly through a JDBC driver. The Whois system is developed in Java and runs on a J2EE server with JDK 1.6.

Relevant network diagram(s);

Please refer to Appendix Q26-A DNRS2 whois architecture v1.pdf

Whois: describe
- how the applicant will comply with Whois specifications for data objects, bulk access, and lookups as defined in Specifications 4 and 10 to the Registry Agreement
- how the Applicantʹs Whois service comply with RFC 3912;

The .MTR TLD will have the following Whois services, through a web panel and a command line interface, which are the same as those our registry operator currently provides to customers of .HK domain names.

To comply with Specifications 4 and 10 of the Registry Agreement and with RFC 3912, our Whois service currently supports domain name enquiries for all domain names registered under the TLD. Registrar contact data, name server data and searchable Whois will be provided for the .MTR TLD by enhancing the current Whois function. Below is our current Whois result template and the upcoming design for registrar contact and name server search and for searchable Whois criteria.

Whois result template
1) Web (Please refer to attachment Q26-D WHOIS web result)
– Query registrar data result template (under design stage)

Registrar Name: Example Registrar, Inc.
Street: 1234 Admiralty Way
City: Marina del Rey
State⁄Province: CA
Postal Code: 90292
Country: US
Phone Number: +1.3105551212
Fax Number: +1.3105551213
Email: registrar@example.tld
WHOIS Server: Whois.example-registrar.tld
Referral URL: http:⁄⁄www.example-registrar.tld
Admin Contact: Joe Registrar
Phone Number: +1.3105551213
Fax Number: +1.3105551213
Email: joeregistrar@example-registrar.tld
Admin Contact: Jane Registrar
Phone Number: +1.3105551214
Fax Number: +1.3105551213
Email: janeregistrar@example-registrar.tld
Technical Contact: John Geek
Phone Number: +1.3105551215
Fax Number: +1.3105551216
Email: johngeek@example-registrar.tld
〉〉〉 Last update of WHOIS database: 2009-05-29T20:15:00Z 〈〈〈



- Query Nameserver data (under design stage)

Server Name: NS1.EXAMPLE.TLD
IP Address: 192.0.2.123
IP Address: 2001:0DB8::1
Registrar: Example Registrar, Inc.
WHOIS Server: Whois.example-registrar.tld
Referral URL: http:⁄⁄www.example-registrar.tld
〉〉〉 Last update of WHOIS database: 2009-05-29T20:15:00Z 〈〈〈

- Searchable Web-based Whois (under design stage)
Criteria allowed
- Domain name
- Contacts
- Registrant’s name
- Registrant’s Contact
- Registrant’s postal address, including all the sub-fields described in EPP (e.g., street, city, state or province, etc.).



2) Command Line Whois for bulk access (Please refer to attachment Q26-E Command Line Whois for bulk access)


3) Whois protocol (compliant with RFC 3912)

Our Whois server: Whois.hkirc.hk
Port: 43
Format of request and reply: text, which may contain more than one line
Each line is terminated with ASCII CR and ASCII LF
The server closes the TCP connection when its output is finished; the closed connection tells the client that the reply is complete

client server at Whois.hkirc.hk
open TCP ----- (SYN) ------------------------------〉
〈---- (SYN+ACK) -------------------------
send query ---- ʺSmith〈CR〉〈LF〉ʺ --------------------〉
get answer 〈---- ʺInfo about Smith〈CR〉〈LF〉ʺ ---------
〈---- ʺMore info about Smith〈CR〉〈LF〉ʺ ----
close 〈---- (FIN) ------------------------------
----- (FIN) -----------------------------〉

The Whois user guide is provided as Attachment Q26-B for reference.
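The exchange diagrammed above is the one from RFC 3912. The following Python program is an added illustration of that exchange and is not HKIRC's Whois code: it starts a small Whois responder on a local ephemeral port, answering from a constructed table of sample .MTR records (assumed data, not real registrations), and a client that sends one CRLF-terminated query and reads until the server closes the connection. The query-length cap, the idle timeout and the "%"-prefixed error lines are choices of this example, not requirements of RFC 3912.

```python
"""Minimal RFC 3912 Whois exchange: a server answering from an in-memory table and a
client that sends one CRLF-terminated query and reads to EOF.
Added example for this application; not HKIRC's Whois implementation."""
import socket
import socketserver
import threading

# Constructed sample data (assumption: not real .MTR registrations).
SAMPLE_RECORDS = {
    "example.mtr": [
        "Domain Name: example.mtr",
        "Registrar: Example Registrar, Inc.",
        "Name Server: ns1.example.mtr",
        "Name Server: ns2.example.mtr",
    ],
}

MAX_QUERY_BYTES = 512   # RFC 3912 sets no bound; we cap the read so a client cannot stream forever
CRLF = b"\r\n"


class WhoisHandler(socketserver.StreamRequestHandler):
    timeout = 5  # seconds of silence before the connection is dropped (example choice)

    def handle(self):
        # One request line, bounded in size, terminated by <CR><LF>.
        raw = self.rfile.readline(MAX_QUERY_BYTES + len(CRLF))
        if not raw.endswith(CRLF):
            # Too long or not CRLF-terminated: reply with a comment line and close.
            self.wfile.write(b"% query must be one line terminated by CRLF" + CRLF)
            return
        # The query is only ever used as a dictionary key: data, never code.
        query = raw[:-len(CRLF)].decode("ascii", "replace").strip().lower()
        lines = self.server.records.get(query) or ["% No match for " + query]
        for line in lines:
            self.wfile.write(line.encode("utf-8") + CRLF)
        # Returning closes the socket: in RFC 3912 that close is the end-of-reply signal.


class WhoisServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, records):
        super().__init__(addr, WhoisHandler)
        self.records = records


def start_server(records=SAMPLE_RECORDS, host="127.0.0.1"):
    """Serve `records` on an ephemeral port in a background thread; returns (server, port)."""
    server = WhoisServer((host, 0), records)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def whois_query(host, port, query, timeout=5.0):
    """Client side of RFC 3912: send 'query<CR><LF>', read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + CRLF)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:            # EOF: server finished its output and closed
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    srv, port = start_server()
    try:
        print(whois_query("127.0.0.1", port, "example.mtr"), end="")
        print(whois_query("127.0.0.1", port, "missing.mtr"), end="")
    finally:
        srv.shutdown()
        srv.server_close()
```

The server never interprets the query beyond a dictionary lookup, which is the property a practitioner should check in any Whois front end that hands the query to a database, as the JDBC-backed service described above does: the lookup key must be bound as a parameter, not concatenated into SQL.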

resourcing plans for the initial implementation of, and ongoing maintenance for, this aspect of the criteria (number and description of personnel roles allocated to this area).

HKIRC will provide resources for the initial implementation of the systems, as well as for their long-term operation. These resources are already available as part of the Technical Team that operates the .hk and .香港 domains.

In order to support .MTR, from initial implementation through continuous technical operation, we propose the following teams:

Initial implementation:

IT Project Manager x 1, responsible for project planning and co-ordination.
System Engineer x 2, responsible for initial project setup, system implementation and carrying out the System Acceptance Test.
Database Administrator x 1, responsible for initial project setup, system implementation and carrying out the System Acceptance Test.
Analyst Programmer x 1, responsible for initial system development and implementation.

Technical Operation Team:

IT Manager x 1
IT Project Manager x 1
System Engineer x 1
Database Administrator x 1

The Technical Operation Team will carry out the day-to-day operation of the .MTR domain, with typical duties including:

IT Manager:
- Responsible for the overall operation of the Technical Department
- Direct the team to implement the policy, security review, audit and management processes and cycles
- Report the status of IT operations to senior management

IT Project Manager:

- Lead a team of IT specialists to manage systems and network services
- Provide technical and management leadership for the System & Network Team
- Ensure the team is properly skilled for the work on hand and in future, through training and other means
- Ensure the System & Network Team is properly staffed for the work on hand and in future
- Establish policies, guidelines and procedures for system management, system administration and operations, as well as system security
- Regularly review and update those policies, guidelines and procedures
- Ensure all users and team members are aware of those policies, guidelines and procedures
- Ensure all team members perform all operations according to those policies, guidelines and procedures
- Undertake IT process review and re-engineering, service and system quality assurance, information security evaluation and risk assessment within the organization, in-house and with vendors
- Manage system⁄security projects, including vendor⁄product evaluation and implementation
- Perform system and security configuration checking and documentation on the various systems
- Perform system and application vulnerability scanning and compliance testing
- Foster information security awareness within the organization
- Perform day-to-day security operations

System Engineer⁄Database Administrator:

- Perform daily system monitoring and operation tasks; assist with system administration, planning and technology evolution
- Service⁄server performance monitoring
- Carry out regular maintenance on systems to ensure proper and efficient operation, including:
SSL certificate renewal
Regular data backup
Patch review and upkeep for all databases
Database security implementation based on the companyʹs Security Guidelines & Policy
- Carry out daily system health checks, including:
Network traffic monitoring
DNS health checks
System loading check
Email health check and public blacklist check
Anti-virus update checks
Database system loading check
Backup system health check
Service alert check
- Roster duty for non-office-hour technical support
- Undertake system and network infrastructure enhancements in-house and with outsourced vendors
- Conduct system implementation, system testing and user acceptance testing
- Set up and conduct proof-of-concept testing and evaluation on test-beds for assessing new technology, technical standards and products
- Maintain documentation and develop reports for system implementation and infrastructure changes

All our staff also hold various certifications, including:

- ITIL v3 Foundation
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- VMware Certified Professional (VCP)
- Sun Certified System Administrator (SCSA)
- Sun Certified Network Administrator (SCNA)
- Oracle Certified Professional (OCP)
- Cisco Certified Network Associate (CCNA)
- Cisco Certified Network Professional (CCNP)
- Check Point Certified Security Expert (CCSE)

HKIRC will utilise existing staffing so as to leverage its in-house expertise in the field of Internet and domain name registration. The current IT Operation team consists of an experienced project manager (more than 20 years in the IT field, of which more than 15 years in UNIX and networking) and engineers (with at least 5 to 7 years in the IT field, of which at least 5 years in UNIX, networking and databases).

HKIRC currently provides 24x7, all-year-round support and monitoring for the .hk and .香港 domain SRS system, either through its own staff or through an external party (NOC). The systems and services are monitored through an industry-standard infrastructure monitoring system (Nagios, with Cacti for performance monitoring), as well as custom monitoring for specific functions, e.g. VIP DIG check, GENZONE and zone transfer alerts. All staff are on roster duty to provide the 24x7 technical support hotline service.

The WHOIS server program will be set up and maintained by the analyst programmer.
The daily operation of the servers will be the responsibility of the system engineers.

Description of interconnectivity with other registry systems:

The Whois server is connected to the registry database in real time, so that it can provide real-time Whois information.

Frequency of synchronization between servers:

The Whois service accesses the registry database in real time, so that it can provide real-time Whois information. The Whois servers at both sites access the primary site's database; if the primary site fails, both sites can have their database connection switched to the secondary site.

Data is synchronised from the primary site to the secondary site in approximately real time by proprietary synchronisation software.

Provision for Searchable Whois capabilities:

Currently, HKIRC has no searchable Whois function, but it is planning to provide one for .MTR by enhancing the current Whois function. The estimated effort is around 5 man-days for 1 developer.


A description of potential forms of abuse of this feature, how these risks will be mitigated, and the basis for these descriptions:

HKIRC has adopted two measures, one technical and one an operational procedure, against abuse of the Whois service. Technically, the system detects any single IP address accessing the Whois service more than a set limit per day (e.g. 1000 queries); HKIRC will temporarily block that address from further access and automatically release the block on the next day. Service partners and registrars will usually not exceed this limit, but they can request a larger quota subject to HKIRC's approval. This prevents a flood of requests from attackers causing a service outage, and limits WHOIS farming by malicious users.

The operational procedure includes regular review of the Whois server logs for abnormal enquiry patterns, with staff alerted to take the necessary action. An IP address found to be suspicious will be blacklisted.

With the web-based WHOIS, a CAPTCHA is also used to ensure that a human user, rather than a WHOIS farming program, is using it.
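As an added illustration of the per-IP daily limit and of the log review described above (this is example code, not HKIRC's implementation), the following Python program replays a constructed Whois query log through a quota guard and produces a review report. The log line format, the 1000-a-day default, the larger quota granted to one registrar address, the choice to count a block per calendar day so that it lapses automatically the next day, and the distinct-name threshold used to flag farming-like behaviour are all assumptions of the example.

```python
"""Per-IP daily quota and log review for a Whois service.
Added example, not HKIRC's implementation. The log format, the 1000-a-day default,
the per-address quota table and the distinct-name threshold are assumptions."""
import re
from collections import Counter, defaultdict

DEFAULT_DAILY_LIMIT = 1000
APPROVED_QUOTAS = {"192.0.2.10": 5000}   # assumed: a registrar granted a larger quota
DISTINCT_NAMES_REVIEW = 50               # assumed: this many distinct names/day looks like farming

# Assumed log format: "<ISO-8601 timestamp> <client ip> <query>"
LOG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<ip>\S+)\s+(?P<query>\S+)$")


class WhoisQuotaGuard:
    """Counts queries per (day, ip) and blocks an address once it passes its quota.
    Counters are keyed by day, so a block made on day D lapses automatically on D+1."""

    def __init__(self, default_limit=DEFAULT_DAILY_LIMIT, quotas=None):
        self.default_limit = default_limit
        self.quotas = dict(quotas or {})
        self.counts = defaultdict(Counter)   # day -> Counter(ip -> queries seen)
        self.blocked = defaultdict(set)      # day -> addresses blocked that day

    def limit_for(self, ip):
        return self.quotas.get(ip, self.default_limit)

    def admit(self, day, ip):
        """True if the query is served; False if the address is over quota today."""
        if ip in self.blocked[day]:
            return False
        self.counts[day][ip] += 1
        if self.counts[day][ip] > self.limit_for(ip):
            self.blocked[day].add(ip)
            return False
        return True


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return None if m is None else (m.group("day"), m.group("ip"), m.group("query").lower())


def review_log(lines, guard, distinct_threshold=DISTINCT_NAMES_REVIEW):
    """Replay the log through the guard and build the daily review report:
    per (day, ip) the query count, rejected count, distinct names and review flags."""
    report = defaultdict(lambda: {"queries": 0, "rejected": 0, "names": set(), "flags": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # malformed line: skipped, never trusted
        day, ip, query = parsed
        entry = report[(day, ip)]
        entry["queries"] += 1
        entry["names"].add(query)
        if not guard.admit(day, ip):
            entry["rejected"] += 1
    for (day, ip), entry in report.items():
        if ip in guard.blocked[day]:
            entry["flags"].append("over-quota")
        if len(entry["names"]) >= distinct_threshold:
            entry["flags"].append("many-distinct-names")   # candidate for blacklisting
        entry["names"] = len(entry["names"])
    return dict(report)


def build_sample_log():
    """Constructed sample log for the example (not real traffic)."""
    lines = ["2012-06-13T10:00:00Z 203.0.113.5 example.mtr"] * 1005                       # anonymous flood
    lines += [f"2012-06-13T11:00:00Z 192.0.2.10 name{i % 20}.mtr" for i in range(1200)]  # approved registrar
    lines += [f"2012-06-13T12:00:00Z 198.51.100.7 name{i}.mtr" for i in range(60)]       # name harvester
    lines += ["2012-06-14T09:00:00Z 203.0.113.5 example.mtr",                           # next day: block lapsed
              "not a log line"]
    return lines


if __name__ == "__main__":
    guard = WhoisQuotaGuard(quotas=APPROVED_QUOTAS)
    for key, entry in sorted(review_log(build_sample_log(), guard).items()):
        print(key, entry)
```

The harvester address in the sample stays under the daily quota, which is why the quota alone is not enough and the log review is the second measure: a client issuing many distinct lookups is the pattern the review is meant to catch.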

To comply with the Hong Kong Personal Data (Privacy) Ordinance for Whois data disclosure, we take the following precautions:

• Only disclose the information necessary for the public in relation to dispute purposes, to protect the public from domains registered in bad faith
• The personal data displayed in Whois is confined to contact information such as address, phone, fax and email, and complies with the “Inventory of WHOIS Service Requirements - Final Report” for the Whois data requirements.

WHOIS data refers to the registration data that registrants provide and registrars or registries disclose. The Registrar Accreditation Agreement (RAA 3.3.1) specifies the following data elements that must be provided by registrars in response to a query:

3.3.1.1 The Registered Name;
3.3.1.2 The names of the primary nameserver and secondary nameserver(s) for the Registered Name;
3.3.1.3 The identity of Registrar (which may be provided through Registrarʹs website);
3.3.1.4 The original creation date of the registration;
3.3.1.5 The expiration date of the registration;
3.3.1.6 The name and postal address of the Registered Name Holder;
3.3.1.7 The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name; and
3.3.1.8 The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name.

For details, please check “Q26_Inventory of WHOIS Service Requirements - Final Report.pdf” in the Appendix


• Domain owners can choose not to have their contact details disclosed by deregistering the domain.

Attachments
Q26-A WHOIS server diagram

Q26-B User Guide v1.0.pdf

Q26-C Inventory of WHOIS Service Requirements - Final Report.pdf

Q26-D DNRS2 whois architecture v1.pdf

Q26-E Example of Command Line WHOIS

27. Registration Life Cycle

The proposed TLD will go through a number of states to complete a domain name life cycle. Each state has its own criteria, procedures and time elements that are used to change state.

There are 5 different states in the life cycle: (1) Application State (when the new domain name is applied for), (2) Active State (when the domain name is registered and active), (3) Expiry State (when the domain name has expired), (4) Blackout State (when the domain name is not renewed and is suspended) and (5) Release State (when the domain name is not renewed and is made available for registration again). A detailed description of each state is provided below. In addition, Attachment 1 includes a high-level diagram (27.1) giving an overview of the 5 states. Attachment 2 illustrates the 6 different requests (types of transaction) of the domain name service that trigger changes of state (Diagrams 27.2 to 27.7).

1. Application State
This is the stage where the applicant chooses a domain name, inputs its registration information into the domain name system, makes payment and sends documents (to prove its legal status) to the registrar within a 24-day window. A pending application is created once the domain name system has received the request. If the applicant sends payment and documents within the 24 days to the registrar's satisfaction, the registrar will activate the domain name and add the zone record to the DNS within the same day. The WHOIS data is also created and published. If payment and documents are not satisfactorily received by the registrar within the 24 days, the application will be rejected and the domain name will be made available for registration by other eligible applicants. The left-hand side of Diagram 27.2 shows the new domain application state as described. The middle part of Diagram 27.2 indicates that while the domain name is pending receipt of payment and documents during the 24 days, it remains in the Application State of the life cycle. If payment is made and the documents are checked satisfactorily by the registrar, the domain name enters the Active State. The right side of Diagram 27.2 indicates that when the domain name is in the Active State, a record is put into the zone, so the DNS state becomes Active.

The registrar will also send notifications to the domain applicant by email. The notifications include:
(a) Notification to send payment and documents, and its reminder (more than one email notification)
(b) Notification of the rejection of the domain name application if payment and⁄or documents are not satisfactorily received.
(c) Notification of domain name activation if the registrar is satisfied with the payment and documents sent, and the domain name is activated and enters the Active State.

2. Active State
After payment and documents are satisfactorily received by the registrar, the domain name will be activated and its record entered into the zone. The domain name is then in the Active State of the life cycle. In this state, name server information and contact information for the registered name can be modified freely. The domain name holding right can be freely transferred; the domain name holder can also freely transfer the name to a different registrar (if there is more than one registrar) or delete the domain name registration. Diagrams 27.3 to 27.6 show the different actions that can take place during the Active State. Details of these actions are as follows:
2.1 Modification of Name Server or Domain Name Information – (Diagram 27.3) the action takes place immediately after the registrant requests the change and the registrar passes the information to the registry operator. This can be performed in the Active, Expiry and Blackout States (however, when the domain name is in the Blackout State, the new record will not be updated into the DNS until the domain name returns to the Active State). After the registrar passes the information to the registry operator via EPP, the old record is replaced by the new record in the DNS. For domain information modifications that involve a change of email address, an email notification is sent to both the new and the old email address stating all the changes made and providing a channel for objection. Likewise, for modification of name servers, an email notification is sent to all the domain name contacts informing them of the changes and providing a channel for objection.
2.2 Domain Name Deletion – (Diagram 27.4) the action takes place 7 days after the registrant requests it; the request is a pending request during those 7 days. The registrar sends an email notifying the registrant that the deletion request has been received and providing a channel for objection. If no objection is received during the 7 days, the domain name is deleted and goes to the Blackout State, and the zone record is removed. The domain name becomes inactive and goes through the subsequent states of the life cycle, including the 60-day blackout. It then enters the Release State, where the domain name is made available for registration by other eligible applicants. If the registrant objects to the deletion and the objection is found to be valid, the registrar cancels the deletion request. The domain name life cycle status and the DNS status remain Active.
2.3 Transfer of domain name holding right – (Diagram 27.5) this transfer request includes inputting the transferee's information into the domain name system and providing the transfer agreement letter to the registrar for checking. This protects the domain name holder's rights and prevents illegitimate transfers. When the registrar receives the transfer request, a pending transfer application is created. Transfers can only take place during the Active and Expiry States. The application remains pending for receipt of documents and payment for at most 44 days. During the pending period, the applicants shall make payment and provide transfer letters that satisfy the registrar. If these are provided within the 44 days, the registrar will change the record in the zone, and the transferee becomes the registrant of the domain name. The WHOIS data is also updated. As for the new expiry date, the unused period is enjoyed by the transferee; the transferee can also add a longer term by making payment.

The registrar will also send notifications to the transferor and transferee by email, including:
(a) Notification of payment and transfer letter, and their reminders (more than one email notification)
(b) Notification of the rejection of the transfer application if payment and⁄or documents are not satisfactorily received within the 44 days.
(c) Notification of the successful transfer if the registrar is satisfied with the payment and documents sent, and the domain name is transferred to the transferee.

As the .MTR TLD is for internal use, the above transfer procedure can be simplified as deemed appropriate.

2.4 Domain Transfer between registrars – (Diagram 27.6) the action takes place within 1 hour after the registry operator receives the request. The request includes the provision of an authorisation code, which shall only be received and kept by the registrant, together with the transfer request. Right after the registrant has submitted the transfer request, the application becomes a pending application for 1 hour. During this time, an email is sent to both the new and the old registrar, and also to the registrant. However, this does not mean that the losing registrar can object: the change is subject to the wish of the registrant, not the registrar. If we do not receive any objection within the one-hour pending period, the application is approved and the records in the zone and in WHOIS are updated. This transfer request can be made during the Active, Expiry or Blackout State.

Since the .MTR TLD is for internal use, there may not be a need for more than one registrar. We shall decide on the appropriate arrangement at a later stage.

3. Expiry State
When the domain name expires (Diagram 27.7), it is not suspended right away. There is a 30-day grace period for the registrant to make payment and renew the domain name; this is the Expiry State. If the renewal payment is received during the Expiry State, the domain name is renewed and goes back to the Active State. If the domain name is not renewed by the end of the Expiry State, it enters the Blackout State, during which domain name service is suspended and the zone record is removed. Domain name renewal can be performed from 3 months before the expiry date, throughout the Expiry State and throughout the Blackout State. However, if the renewal is performed during the Blackout State, a late charge is payable in addition to the renewal fee.

The registrar will also send notifications to the registrant by email, including:
(a) Notification of domain name renewal and its reminders (the first one sent 30 days before the expiry date; not fewer than 3 emails will be sent during the period from 30 days before to 30 days after the expiry date)
(b) Notification of successful renewal (when the renewal payment is received)
(c) Notification of domain name suspension (when the domain name is not renewed and has entered the Blackout State).

4. Blackout State
If the domain name is not renewed by the end of the Expiry State (Diagram 27.7), it enters the Blackout State for 60 days. During the Blackout State, all domain name service is suspended and the zone record is removed. If the registrant renews the domain name at this time, a late charge is levied in addition to the renewal fee. Once payment is made, the domain name enters the Active State again and the zone record is put back into the DNS. If the domain name is not renewed during the 60-day Blackout Period, it is released for registration again at the end of the Blackout Period and enters the Release State of the life cycle.

The registrar will also send notifications to the registrant by email, including:
(a) Notification of domain suspension (sent right after the domain name enters the Blackout State)
(b) A reminder of the status of the domain and that the registrant can still renew in order to activate the domain again.

5. Release State
If the domain name is not renewed during the 60-day Blackout Period (Diagram 27.7), it is released for registration again and enters the Release State of the life cycle. When an eligible applicant applies for the domain name, it goes back to the Application State.
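The five states and their timings, expressed as a date-driven state machine. This is an added example and not HKIRC's registration system: the state names and the 24-day, 7-day, 30-day and 60-day periods follow the text above; the method names, reading "3 months before expiry" as 90 days, extending a renewed term from the old expiry date, counting the post-deletion blackout from the end of the 7-day objection window, and the late-charge flag returned by renew() are assumptions of the example.

```python
"""Section 27 domain name life cycle as a date-driven state machine.
Added example, not HKIRC's registry code. The five states and the 24/7/30/60-day
periods follow the text; the method names, reading "3 months" as 90 days, extending
the term from the old expiry date and the late-charge flag are assumptions."""
from datetime import date, timedelta

APPLICATION, ACTIVE, EXPIRY, BLACKOUT, RELEASE = (
    "Application", "Active", "Expiry", "Blackout", "Release")
APPLICATION_WINDOW = timedelta(days=24)  # payment and documents due to the registrar
DELETE_PENDING = timedelta(days=7)       # objection window after a deletion request
EXPIRY_GRACE = timedelta(days=30)        # length of the Expiry State
BLACKOUT_PERIOD = timedelta(days=60)     # length of the Blackout State
EARLY_RENEWAL = timedelta(days=90)       # "3 months before expiry" (assumed 90 days)


class LifecycleError(Exception):
    """A request the current state does not permit."""


def add_years(d, years):
    """Same calendar day `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


class Domain:
    def __init__(self, name, applied_on):
        self.name = name
        self.state = APPLICATION
        self.applied_on = applied_on
        self.expires_on = None
        self.delete_requested_on = None
        self.blackout_from = None
        self.name_servers = []
        self.history = [(applied_on, APPLICATION)]   # (date, state) audit trail

    @property
    def in_zone(self):
        """A zone record exists in Active and Expiry; it is removed in Blackout."""
        return self.state in (ACTIVE, EXPIRY)

    def _enter(self, state, on):
        self.state = state
        self.history.append((on, state))

    def activate(self, on, years=1):
        """Registrar accepted payment and documents inside the 24-day window."""
        if self.state != APPLICATION:
            raise LifecycleError("activation is only possible from Application")
        if on > self.applied_on + APPLICATION_WINDOW:
            raise LifecycleError("24-day window passed: application rejected")
        self.expires_on = add_years(on, years)
        self._enter(ACTIVE, on)

    def update_name_servers(self, servers):
        """Allowed in Active, Expiry and Blackout. Returns True when the DNS record
        is replaced now; in Blackout the change waits until the name is Active again."""
        if self.state not in (ACTIVE, EXPIRY, BLACKOUT):
            raise LifecycleError("name server update not allowed in " + self.state)
        self.name_servers = list(servers)
        return self.in_zone

    def request_delete(self, on):
        if self.state != ACTIVE:
            raise LifecycleError("deletion can only be requested in Active")
        self.delete_requested_on = on

    def object_to_delete(self, on):
        """A valid objection inside the 7-day window cancels the pending deletion."""
        if self.delete_requested_on is None or on > self.delete_requested_on + DELETE_PENDING:
            raise LifecycleError("no pending deletion to object to")
        self.delete_requested_on = None

    def renew(self, on, years=1):
        """Renewal from 3 months before expiry through Expiry and Blackout.
        Returns True when the late charge applies (renewal during Blackout)."""
        if self.state not in (ACTIVE, EXPIRY, BLACKOUT):
            raise LifecycleError("renewal not allowed in " + self.state)
        if self.state == ACTIVE and on < self.expires_on - EARLY_RENEWAL:
            raise LifecycleError("renewal accepted only within 3 months of expiry")
        late = self.state == BLACKOUT
        self.expires_on = add_years(self.expires_on, years)
        if self.state != ACTIVE:
            self._enter(ACTIVE, on)       # zone record goes back into the DNS
        return late

    def tick(self, today):
        """Apply, in order, every time-driven transition that has fallen due."""
        if self.state == APPLICATION and today > self.applied_on + APPLICATION_WINDOW:
            self._enter(RELEASE, self.applied_on + APPLICATION_WINDOW)   # rejected
        if (self.state == ACTIVE and self.delete_requested_on is not None
                and today >= self.delete_requested_on + DELETE_PENDING):
            self.blackout_from = self.delete_requested_on + DELETE_PENDING
            self.delete_requested_on = None
            self._enter(BLACKOUT, self.blackout_from)                    # deleted
        if self.state == ACTIVE and today >= self.expires_on:
            self._enter(EXPIRY, self.expires_on)
        if self.state == EXPIRY and today >= self.expires_on + EXPIRY_GRACE:
            self.blackout_from = self.expires_on + EXPIRY_GRACE
            self._enter(BLACKOUT, self.blackout_from)                    # suspended
        if self.state == BLACKOUT and today >= self.blackout_from + BLACKOUT_PERIOD:
            self._enter(RELEASE, self.blackout_from + BLACKOUT_PERIOD)
        return self.state
```

A registry that runs this logic as a nightly job calls tick() with the current date for every name; because the checks are ordered and each one re-reads the state, a name whose job was skipped for several days still walks through Expiry, Blackout and Release in a single call, with history recording the date each transition actually fell due rather than the date the job ran.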


Resources Plan allocated to this area
The life cycle of the different applications will be controlled by a domain name registration system. Notifications will be handled by the registrar(s). As the number of domain names registered will be a handful, since in this case the TLD will only be used internally, administration will only call for 1 to 2 staff. The designated staff will also maintain and monitor the system functions. The cost will be covered by the yearly registry operations cost.

28. Abuse Prevention and Mitigation

Abuse of a domain name includes abusive registration and abusive use of the domain name. Abusive registration may result in the domain name being used in bad faith or even maliciously. Though a high percentage of domain names used for malicious purposes were registered using abusive means, we also understand that many domain names put to abusive use were registered normally by legitimate registrants. The policies and procedures we have formulated encompass both scenarios. The below is provided despite the fact that this is a brand TLD for internal use by MTR only.

Our plan includes the procedures and policies below to minimise the possibility of abusive registration and of any other activities that have a negative impact on Internet users:

Procedure for handling reports of abusive use of domain names
When the registrar receives a report of abuse, the registrar shall liaise with HKCERT (Hong Kong Computer Emergency Response Team) or law enforcement agencies (depending on its nature) to confirm whether the report is valid. If it is valid, the registrar shall send a notification to the domain name holder (Annex A in Attachment 1) of the immediate suspension, and shall suspend the domain in the zone. The registry operator shall remove its orphan glue records. This procedure shall be checked by at least 2 staff from different departments of the registrar and the registry operator, to minimise the possibility of wrongly taking down a domain name.

Documents are required for domain name application – at the time of applying for a domain name, the applicant shall provide documents that prove its eligibility, for vetting. The domain name registration will be accepted only if the vetting result satisfies the registrar. This document vetting requirement will be stated in the Registry-Registrar Agreement. Manpower shall be arranged to vet the documents before activating the domain registration. This also helps to enhance WHOIS accuracy.

Domain name pattern warning – if the domain name applied for contains a string pattern that may connote that the registrant has authority from the local government, or contains words such as ‘bank’ or ‘insurance’, we will either send the request to the government to verify the application, or require the applicant to provide a consent letter issued by the relevant authority proving that the applicant is authorised to use that pattern of domain name.

Random verification of domain name registration – random verification is conducted periodically. If the registrant is a company, we check the government or company records to see whether the registrant is still live and solvent. If it is not, we inform the registrant of the deletion of the domain name. For any outdated information, e.g. a change of company name, the registrar shall confirm with the registrant and update the WHOIS information. If it is found that the registrant no longer exists, the domain name shall be recovered by the registrar. This is also a measure to enhance WHOIS accuracy.

Periodic reminder for WHOIS accuracy
The registrar shall send reminders to all registrants periodically to remind them to update their WHOIS record if there are changes. This is a measure to promote WHOIS accuracy.

Recognition of “trustworthy” registrars – the registry will conduct an audit check by picking samples every quarter. Registrars are awarded the recognition of “Trustworthy Registrar” if they have done well on abuse prevention and mitigation. The recognition may include a trusted logo on their website.

Rapid suspension of a domain name if its use is illegal – in the registration policies, to which the registrar has to obtain the registrant's agreement and acceptance, we will state clearly that the registrar shall monitor the status of domain names registered and shall, on its own initiative or on receipt of any complaint, conduct checks to verify whether any domain name is being used for phishing, spam advertising or any other unlawful or illegitimate purpose. The registrar shall delete or suspend a domain name if so directed by the registry, or upon receipt of any notice from any government or law enforcement authority (including without limitation the HKSAR Police Force or the Office of the Telecommunications Authority) that the use of the domain name or of the website referenced by the domain name is in breach of any laws, directives, guidelines, codes of practice or regulations issued by such local authorities, or is used for or in connection with illegal activities. The registrar or the registry has the right to suspend and delete the domain name immediately. The registry operator shall also remove the orphan glue records. The letter in Annex A of Attachment 1 will be sent to the domain name holder, advising of the immediate deletion of the domain name registration, right before the action.

Provide a contact point to report abuse cases – a contact point (including a dedicated email address and a phone number) is provided for the reporting of abuse cases. This contact information will also be indicated on the websites of the registrars and the registry. The searchable WHOIS information also contains registrar contact information. A service pledge of responding to a report within a specific time, e.g. one working day, will also be set up. If the registrar has resellers, the registrar shall also require the resellers to provide a single abuse report contact point and to publish this contact information on their websites for abuse matters related to this new gTLD.

Set up a specific contact channel with CERT and law enforcement agencies – a special contact channel is set up. When a report of abuse is received that the registrar ⁄ registry may not be able to identify, the case will be sent to CERT or a law enforcement agency for investigation. When the investigation result has been received from the law enforcement agency and it also requests the registrar ⁄ registry to cancel the domain name registration, the registrar ⁄ registry shall do so within one day. In case the registrar has not taken the action to suspend ⁄ delete the domain name, the registry shall have the right to suspend ⁄ delete the domain name.

Cooperate with the industry to combat abuse – registrars and the registry shall share information about abusive cases, in a way that does not breach any laws, with independent, non-commercial associations, e.g. CERT or the Anti-Phishing Working Group. This would help the industry identify abusive cases easily and in a timely manner.

Requiring a unique point of contact for making and approving requests – besides using a password for online requests, any other request made offline shall come from a dedicated person and be confirmed by that dedicated person too. This arrangement applies to critical transactions such as updates of domain name information and name servers, transfer of domain name holding rights, transfer of registrar and deletion of the domain name.

Password Management - a password is needed for the registrant to log in to manage the domain name.
a) Reminders will be sent out periodically to registrants reminding them to change their password periodically.
b) Password settings shall be strong. The password shall contain upper- and lower-case English letters, Arabic numerals and punctuation marks.
c) After 5 incorrect login attempts, subsequent login attempts will be blocked. The registrant has to wait some hours before trying to log in again, or the registrant shall contact the registrar to release the suspension.
d) When the registrant resets the password, the registrar will send him⁄her a temporary password that will expire in 2 days. The registrant has to log in with the temporary password to set the permanent password.
e) If there is a change of the email address to which the password is sent, the registrant has to fill out a request form and provide documents that prove the legal existence of the registrant in order for the registrar to send the password to the specified email address.
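As an added illustration (not HKIRC’s or MTR’s code), rules (b) to (d) above modelled in Python: the complexity check, the block after 5 failed logins with release either by timeout or by the registrar, and a temporary password that expires after 2 days. The block duration and the minimum length are assumed values, since the text fixes neither.

```python
import hashlib
import re
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Values taken from the policy text: 5 failed logins block the account and a
# temporary password lasts 2 days. The block duration ("some hours") and the
# minimum length are NOT stated on the page; both are assumed values.
MAX_FAILED_ATTEMPTS = 5
TEMP_PASSWORD_LIFETIME = timedelta(days=2)
LOCKOUT_DURATION = timedelta(hours=4)   # assumption
MIN_LENGTH = 12                         # assumption
PBKDF2_ROUNDS = 200_000


def password_meets_policy(password: str) -> bool:
    """Rule (b): upper- and lower-case English letters, an Arabic numeral and
    a punctuation mark must all be present."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and any(ch in string.punctuation for ch in password)
    )


@dataclass
class RegistrantAccount:
    """Login state for one registrant; only salted password hashes are kept."""
    username: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: Optional[bytes] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    temp_hash: Optional[bytes] = None
    temp_expires: Optional[datetime] = None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def set_password(self, password: str) -> None:
        """Set the permanent password; also retires any temporary password."""
        if not password_meets_policy(password):
            raise ValueError("password does not meet the complexity policy")
        self.pw_hash = self._hash(password)
        self.temp_hash = self.temp_expires = None

    def issue_temporary_password(self, now: datetime) -> str:
        """Rule (d): generate a 2-day temporary password. It is returned once so
        the registrar can send it to the email address on record."""
        alphabet = string.ascii_letters + string.digits + string.punctuation
        while True:
            temp = "".join(secrets.choice(alphabet) for _ in range(16))
            if password_meets_policy(temp):
                break
        self.temp_hash = self._hash(temp)
        self.temp_expires = now + TEMP_PASSWORD_LIFETIME
        return temp

    def release_by_registrar(self) -> None:
        """Rule (c), second branch: the registrar lifts the suspension."""
        self.locked_until = None
        self.failed_attempts = 0

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'temp_ok' (caller must then call set_password),
        'bad_password' or 'locked'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.release_by_registrar()          # timed block has expired
        candidate = self._hash(password)
        if self.pw_hash is not None and secrets.compare_digest(candidate, self.pw_hash):
            self.failed_attempts = 0
            return "ok"
        temp_valid = (self.temp_hash is not None and self.temp_expires is not None
                      and now < self.temp_expires)
        if temp_valid and secrets.compare_digest(candidate, self.temp_hash):
            self.failed_attempts = 0
            return "temp_ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "bad_password"
```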

Monitoring of abnormal activities – a daily report will be served to the registrar ⁄ registry listing which domain names have had more than 7 name server modification attempts within one day (the threshold may be changed as needed). This will help the registrar ⁄ registry identify whether a domain name has been compromised by somebody.
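The daily report described above, as an added example that is not the registry’s own tooling: it tallies name server change attempts per domain per day from a constructed change log, flags those over the threshold, and also records how many distinct source addresses made the changes, which is a detail the text does not mention. The log format and the .mtr labels are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Threshold from the text: more than 7 name server modification attempts per day.
NS_CHANGE_THRESHOLD = 7

# Constructed sample change log (not real registry data). Assumed format:
# <UTC timestamp> <domain> <operation> <source IP of the request>
SAMPLE_LOG = """\
2012-06-13T00:12:05Z example-a.mtr ns_update 203.0.113.10
2012-06-13T00:12:41Z example-a.mtr ns_update 203.0.113.10
2012-06-13T00:13:02Z example-a.mtr ns_update 198.51.100.7
2012-06-13T00:13:30Z example-a.mtr ns_update 198.51.100.7
2012-06-13T00:14:11Z example-a.mtr contact_update 198.51.100.7
2012-06-13T00:15:00Z example-a.mtr ns_update 198.51.100.7
2012-06-13T00:15:47Z example-a.mtr ns_update 198.51.100.7
2012-06-13T00:16:20Z example-a.mtr ns_update 203.0.113.10
2012-06-13T00:17:09Z example-a.mtr ns_update 203.0.113.10
2012-06-13T09:00:00Z example-b.mtr ns_update 203.0.113.22
2012-06-13T09:05:00Z example-b.mtr ns_update 203.0.113.22
2012-06-13T09:10:00Z example-b.mtr ns_update 203.0.113.22
2012-06-13T09:15:00Z example-b.mtr ns_update 203.0.113.22
2012-06-13T09:20:00Z example-b.mtr ns_update 203.0.113.22
2012-06-13T09:25:00Z example-b.mtr ns_update 203.0.113.22
2012-06-13T09:30:00Z example-b.mtr ns_update 203.0.113.22
2012-06-13T22:00:00Z example-c.mtr ns_update 203.0.113.35
2012-06-13T22:30:00Z example-c.mtr ns_update 203.0.113.35
2012-06-13T23:00:00Z example-c.mtr ns_update 203.0.113.35
2012-06-13T23:30:00Z example-c.mtr ns_update 203.0.113.35
2012-06-14T00:00:00Z example-c.mtr ns_update 203.0.113.35
2012-06-14T00:30:00Z example-c.mtr ns_update 203.0.113.35
2012-06-14T01:00:00Z example-c.mtr ns_update 203.0.113.35
2012-06-14T01:30:00Z example-c.mtr ns_update 203.0.113.35
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, domain, operation, source) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1].lower(), parts[2], parts[3]


def ns_changes_per_day(lines: List[str]):
    """Count ns_update attempts keyed by (day, domain) and remember the source IPs."""
    counts: Counter = Counter()
    sources: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip blank or malformed lines
        ts, domain, op, src = rec
        if op != "ns_update":
            continue                      # only name server changes count
        key = (ts.date().isoformat(), domain)
        counts[key] += 1
        sources[key].add(src)
    return counts, sources


def daily_report(lines: List[str], threshold: int = NS_CHANGE_THRESHOLD) -> List[dict]:
    """Domains with more than `threshold` ns_update attempts on a single day.
    Exactly `threshold` attempts is not flagged, matching the text's '>7'."""
    counts, sources = ns_changes_per_day(lines)
    flagged = []
    for (day, domain), n in sorted(counts.items()):
        if n > threshold:
            flagged.append({"day": day, "domain": domain, "attempts": n,
                            "distinct_sources": len(sources[(day, domain)])})
    return flagged


if __name__ == "__main__":
    for entry in daily_report(SAMPLE_LOG.splitlines()):
        print(f"{entry['day']} {entry['domain']}: {entry['attempts']} name server "
              f"changes from {entry['distinct_sources']} source address(es)")
```

In the constructed log only example-a.mtr is flagged: example-b.mtr has exactly 7 changes and example-c.mtr spreads 8 changes across two calendar days, which is the blind spot a fixed daily window has.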

Notification of change – a notification will be sent for any change of service, e.g. for a change of email address, the notification of change will be sent to both the new and the old email addresses. For the transfer of domain name holding rights, the notification will be sent to both the transferor and the transferee. For the deletion of a domain name, a notification will be sent to the registrant 7 days before the deletion day inviting the registrant to object. If no objection is received, the domain name will be deleted 7 days afterwards.

Policies to handle complaints and objections regarding disputes – policies shall be formulated to handle complaints regarding disputes in a fair and timely way. This includes a turnaround time to the complainant of 1 working day after receiving the complaint, an internal checking and approval procedure by different staff in different departments to avoid wrong decisions being made, and the availability of an objection policy (Attachment 2), which is also important to let victims provide proof of their innocence. As with other complaints, we will use a continuous development approach to handle complaints, i.e. we will review in which areas we can put more effort to enhance abuse prevention and mitigation (Attachment 1).

Information Security Policies
The registry operator has set up an Information Security Management System (ISMS) according to the international standard ISO-27001 for the proposed new gTLD operations. The registry operator will have security audits conducted by independent parties every two years. The information technology security policy process used is based on the PDCA model, i.e. Plan, Do, Check and Act. The process approach emphasises the importance of (a) understanding an organisation’s information security requirements and the need to establish policy and objectives for information security, (b) implementing and operating controls to manage an organisation’s information security risks in the context of the organisation’s overall business risks, (c) monitoring and reviewing the performance and effectiveness of the ISMS, and (d) continual improvement based on objective measurement.

Resources Plan – As the .MTR TLD is for internal use only with 10 or fewer domain name registrations, 1 to 2 HKIRC staff (multifunctional) shall be arranged to handle the following, including the initial set-up and on-going maintenance, with the cost included in the finances of the registry operations:
i) warning pattern alert and handling
ii) document vetting
iii) random verification
iv) handle abuse report
v) audit the registrars’ compliance
vi) liaise with CERT and law enforcement agencies for the abuse case and its follow up.
vii) handle password changes
viii) notification of applications


WHOIS accuracy
WHOIS accuracy is very important. Enhancing WHOIS accuracy would reduce abusive registrations. Also, law enforcement agencies could more easily identify, locate and arrest offenders. In order to maintain WHOIS accuracy, we will:
a) authenticate registrant information at the time of the domain name application. The applicant shall provide documents proving its eligibility to the satisfaction of the registrar before the domain is accepted by the registrar. The registrar is required to do this vetting, which will be stated in the Registry-Registrar Agreement.
b) conduct random checks periodically through the registrar. If the registrant is a company, we will check the government or company record to see whether the applicant is still in existence and solvent. If it is not, we will inform the registrant of the deletion of the domain name. For any outdated information, e.g. a change of company name, the registrar shall confirm with the registrant and update the WHOIS information. If it is found that the registrant is no longer in existence, the domain name shall be recovered by the registrar. This is also a measure to enhance WHOIS accuracy.
c) Recognition of “trustworthy” registrars - the registry will conduct audit checks on samples picked every quarter. Registrars are awarded the recognition if they perform well on abuse prevention and mitigation. The award may include having a trusted logo on their website, etc.
d) Periodic reminders to registrants – the registrar shall send periodic reminders to registrants reminding them to keep their WHOIS data up to date.
e) Audit of the registrars’ compliance by the registry operator – the registry operator will send people to the registrar periodically to audit compliance with document vetting, random checking and the sending of reminders to registrants to keep WHOIS data up to date.

29. Rights Protection Mechanisms

Our registry will make Rights Protection a core objective. It will comply with policies and practices that minimise abusive registrations and other activities that affect the legal rights of others. The registry shall comply fully with the Rights Protection Mechanisms mandated by ICANN from time to time, such as the Dispute Resolution Policy that is based upon the Uniform Dispute Resolution Policy (UDRP) and the provision of searchable WHOIS information for use by the public. The ICANN mandatory requirements shall also be indicated in the Registry-Registrar Agreement, which all registrars shall agree to and accept before becoming registrars. Besides these, the registry shall impose additional rights protection mechanisms (RPMs):

Pre-Launch of domain name
Providing Sunrise Period before Official Launch of domain
If the .MTR TLD is opened to other people apart from internal use, our registry will provide a Sunrise Period before fully opening domain registration to all eligible applicants. This is to ensure systematic and coordinated implementation of the domain name. During the Sunrise Period, domain applications will not be processed on a first-come-first-served basis, but pursuant to the specific Sunrise Period Rules.

The registry will formulate policies with Rights Protection as major consideration. The policy may consider the below metrics for entitling priority of registration:
(i) Registered Trade Mark – the registry may use a trademark clearinghouse to vet the trademark or liaise with the local trademark registry for the official way of verifying trademarks. If more than one domain applicant holds the same trademark from different registries, the registry will consider the age of the trademark holding. The older the ownership, the higher priority the trademark owner will get.
(ii) Company Name or legal name (if the applicant is a person) of the domain name applicant
(iii) Random Draw – when no applicant holds any trademark, or when applicants have the same legal name, a random draw will be conducted as a fair allocation.

Post Launch of Domain Name
The Provision of Document before accepting a domain name registration
During any period, an applicant shall provide documents to prove its eligibility before the registrar can accept the domain name application. This will minimise the risk of bogus parties registering domain names for malicious or abusive purposes.

Random Verification Process
A random verification process will be conducted periodically to check if a registrant is still part of the corporation. If any dissolution of the registrant’s status is found, the registrar can recover the domain name and make it available for registration again. This kind of requirement will be stated in the registration agreement, which the registrant shall agree to and accept when applying for a domain name.

Proactive detection of risky websites
Our registry operator will scan all the websites under .MTR once every quarter and identify any domain names that host risky websites, e.g. due to malware injection, etc. The registry operator will alert the registrars and request the relevant registrar to look into the issue by checking whether the domain name is being used for a malicious purpose or the website has merely been compromised by someone else. The registrar shall inform the registrant to fix the problem, or, in the case of malicious use, the registrar shall cancel the domain name registration.

Recognition of “trustworthy” registrars – the registry will conduct audit checks on samples picked every quarter. Registrars are awarded the “trusted registrar” recognition if they perform well on abuse prevention and mitigation. The award may include having a trusted logo on their website, etc.

Thick WHOIS
The registry operator shall receive and keep all the WHOIS contact information for all the domain names under .MTR. The registry operator can therefore be aware of any abusive registration of a domain name.

Dispute Resolution Policy (DRP)
By applying to register a Domain Name, or by asking the registrar to maintain or renew a Domain Name registration, the registrant shall represent and warrant to the Registrar and the registry that: (a) the statements that the registrant made in the Registration Agreement or provided to the registrar in the course of processing the domain name application are complete and accurate; (b) to the best of the registrant’s knowledge and belief, the domain name the registrant is applying for will not infringe or otherwise violate the legal rights of any third party; (c) the registrant intends to use the domain name; (d) the registrant’s use of the domain name shall be bona fide for the registrant’s own benefit and shall be for lawful purposes; (e) the registrant will not knowingly use the domain name in violation of any applicable laws and regulations; (f) all information of the Registrant, or any agent the registrant provides to the registrar and the registry, including further additions or alterations to such information, is complete and accurate; and (g) in the event that the registrant receives notification of any claim, action or demand arising out of or related to the registration or use of the Domain Name, the registrant will immediately send to the registrar a written notice notifying the registrar of such claim, action or demand, and the registrar shall notify the registry. It is the registrant’s responsibility to determine whether the registrant’s domain name registration infringes or violates someone else’s rights.

The registrant shall also agree to and accept the dispute resolution policies (formulated based on the Uniform Domain Name Dispute Resolution Policy, UDRP). Any member of the public can file a complaint with the dispute resolution service provider (an independent professional body). The proceeding will be an arbitration in which the result rendered is final and binding. The complainant, when filing a complaint, shall provide evidence showing that:
(i) the registrant’s domain name is identical or confusingly similar to a trademark or service mark in Hong Kong in which the complainant has rights, and
(ii) the registrant has no rights or legitimate interests in respect of the domain name, and
(iii) the registrant’s domain name has been registered and is being used in bad faith, and
(iv) if the domain name is registered by an individual person, the registrant does not meet the registration requirements for the individual category of domain name.

The decision of the DRP will be the cancellation of the domain name registration, the transfer of the domain name to the complainant, or the denial of the complaint, in which case the domain name remains registered to the current registrant.

Uniform Rapid Suspension System (URS)
The registry operator shall also implement an ongoing URS policy. Trademark holders can use a quick and low-cost procedure to take down infringing websites. The time needed is shorter than under the UDRP. The domain name will not be deleted or transferred to the trademark holder even if the decision is in favour of the complainant. It will result in the suspension of the domain name, and the domain name will be pointed to a mandatory placeholder page for the remaining registration period.

Termination of domain name if Name Server is not operating for a period of time
By applying for the domain name, the domain name applicant shall agree to and accept the registration policies. The registration policies state that the domain name can be cancelled by the registrar if the name servers listed in the registrant’s application are not fully set up, operational or connected to the Internet within thirty (30) calendar days after the activation date, or if the name servers persistently do not respond to queries in relation to the domain name. This kind of cancellation arrangement is to minimise the possibility that the domain name is used in bad faith or that the applicant registers a domain in order to prevent other parties from using the domain name.

Rapid Suspension Policy
By applying for the domain name, the domain name applicant shall agree to and accept the registration policies. The registration policies state, in relation to rights protection of the domain name, that under the situations below the registrar can delete the domain name registration immediately:
(i) if the registrant uses or allows the Domain Name to be used, or acquiesces to the Domain Name being used, in any manner or for any purpose which is illegal or which otherwise violates any law, rule, regulation, order or other legal instrument in force in Hong Kong, or if there are reasonable grounds to believe that the Registrant has done or is doing so;
(ii) if the registry or the registrar believe, on reasonable grounds, that allowing the registration of the Domain Name to continue is likely to put the registry or the registrar in conflict with any statutory obligations or the terms of a local court order;
(iii) the registrant breaches any of the terms of these registration Policies; or
(iv) in the registry’s or the registrar’s determination, fraud was committed in the registration process for the Domain Name, any information provided by the registrant is false or misleading, or any information which is material to the decision to register the domain name or to continue to provide the registrant with domain name registration services has been concealed or omitted; or

Provide a contact point to report abuse cases – a contact point (including a dedicated email address and a phone number) is provided for the reporting of abuse cases. This contact information will also be indicated on the websites of the registrars and the registry. The searchable WHOIS information also contains registrar contact information. A service pledge of responding to a report within a specific time, e.g. one day, will also be set up.

Minimise abuse in the application process
(1) Not providing domain name tasting
Our registry will not provide a domain name tasting service, since this arrangement may be abused by registrants to test the popularity of a domain name. As a consequence, the domain name may be made available for sale at a higher price to the trademark holder.

(2) Control of repeated applications
Domain name applicants might abuse the document submission window to hold up a domain name from others. The registry will ban a domain name from being registered online if there is a certain number of consecutive failed domain applications within a period of time by the same applicant. Any party wishing to apply for that domain name shall then send the documents and payment to the registrar before it can apply for the domain name.

(3) Will not provide information of newly released domain name
Some registries that provide a list of newly released names have been challenged by the public, because people could abuse this arrangement by registering a newly released domain name and then soliciting the previous domain registrant (who forgot to renew the domain name) to buy it back at an unreasonably high price. As rights protection is our core objective, we do not intend to provide this service to the public.

Prevent abusive registration
We have several measures to prevent abusive registration, including:

(a) Providing a sunrise period before official launch of the domain name - If the .MTR TLD is opened to other people apart from internal use, our registry will provide a Sunrise Period before fully opening domain registration to all eligible applicants. This is to ensure systematic and coordinated implementation of the domain name. During the Sunrise Period, domain applications will not be processed on a first-come-first-served basis, but pursuant to the specific Sunrise Period Rules. Paragraph 2 above describes this in detail.
(b) Random verification process - A random verification process will be conducted periodically to check if a registrant is still in existence. If any dissolution of the registrant’s status is found, the registrar can recover the domain name and make it available for registration again. This kind of requirement will be stated in the registration agreement, which the registrant shall agree to and accept when applying for a domain name.
(c) Proactive detection of risky websites - Our registry operator will scan all the websites under our gTLD once every quarter and identify any domain names that host risky websites, e.g. due to malware injection, etc. The registry operator will alert the registrars and request the relevant registrar to look into the issue by checking whether the domain name is being used for a malicious purpose or the website has merely been compromised by someone else. The registrar shall inform the registrant to fix the problem, or, in the case of malicious use, the registrar shall cancel the domain name registration.
(d) Recognition of “trustworthy” registrars - the registry will conduct audit checks on samples picked every quarter. Registrars are awarded if they perform well on abuse prevention and mitigation. The award may include having a trusted logo on their website, etc.
(e) Not providing domain name tasting - Our registry will not provide a domain name tasting service, since this arrangement may be abused by registrants to test the popularity of a domain name. As a consequence, the domain name may be made available for sale at a higher price to the trademark holder.
(f) Control of repeated applications - Domain name applicants might abuse the document submission window to hold up a domain name from others. The registry will ban a domain name from being registered online if there is a certain number of consecutive failed domain applications within a period of time by the same applicant. Any party wishing to apply for that domain name shall then send the documents and payment to the registrar before it can apply for the domain name.
(g) Will not provide information on newly released domain names - Some registries that provide a list of newly released names have been challenged by the public, because people could abuse this arrangement by registering a newly released domain name and then soliciting the previous domain registrant (who forgot to renew the domain name) to buy it back at an unreasonably high price. As rights protection is our core objective, we do not intend to provide this service to the public.
(h) Thick WHOIS - The registry operator shall receive and keep all the WHOIS contact information for all the domain names under this gTLD. The registry operator can therefore be aware of any abusive registration of a domain name.



Identify and address the abusive use of domain names on an ongoing basis
We have ways to identify and address the abusive use of domain names, including:
(a) The implementation of the Dispute Resolution Policy – any third party can identify a domain name that has been used in bad faith by filing a complaint with the dispute resolution service provider. The dispute resolution policy and its rules of procedure stipulate the way to identify and resolve the dispute.
(b) The implementation of the Uniform Rapid Suspension System – it provides a simpler way for trademark holders to resolve disputes. The time needed is shorter than under the UDRP. The domain name will not be deleted or transferred to the trademark holder even if the decision is in favour of the complainant. It will result in the suspension of the domain name, and the domain name will be pointed to a mandatory placeholder page for the remaining registration period.
(c) Termination of the domain name if the name server is not operating for a period of time – this is also a way we can identify registrants who are not using the domain name but may be holding it for some other purpose. The registrar has the right to cancel the domain name registration.
(d) Rapid suspension policy – By applying for the domain name, the domain name applicant shall agree to and accept the registration policies. The registration policies state, in relation to rights protection of the domain name, that under the situations listed under the Rapid Suspension Policy above the registrar can delete the domain name registration immediately. This is the way the registrar can address and resolve the identified cases.
(e) Provide a contact point to report abuse cases – a contact point (including a dedicated email address and a phone number) is provided for the reporting of abuse cases. This helps to identify any abusive use of a domain name. This contact information will also be indicated on the websites of the registrars and the registry. The searchable WHOIS information also contains registrar contact information. A service pledge of responding to a report within a specific time, e.g. one day, will also be set up.


Resources Plan
As this new gTLD is for internal use, there will be fewer than 10 domain names registered; 1 to 2 staff (multifunctional) will be allocated by the registry operator. The cost will be covered by the registry operations yearly fee. The staff will work on:
Set Up
The experienced registry operator will prepare the registration policies. This includes drafting the registry-registrar agreement and its policies, the dispute resolution policies, the uniform rapid suspension system and its rules of procedure, the operational policies, mandatory provisions, etc., formulating internal procedures and liaising with the registrars on the procedures.
Operations
Operations are also conducted by the registry operator. Their work will include:
(a) monitoring the registrars’ completion of document vetting, including for new registrations and random verification
(b) handling abuse emails and their follow-up
(c) monitoring the registrars’ handling of the communication and execution of dispute cases
(d) monitoring the registration pattern and deciding whether additional measures are required when a new abusive pattern is found
(e) regular liaison with dispute resolution service providers, CERT and law enforcement agencies to identify trends in abuse and prevention
(f) monitoring the registrars’ compliance and awarding the registrars who stick to the process
(g) arranging the scanning of risky websites using public tools

30(a). Security Policy: Summary of the security policy for the proposed registry

Our registry operator HKIRC has set up an Information Security Management System (ISMS) according to the international standard ISO-27001. With this information security framework, HKIRC is able to design, implement and maintain a coherent suite of processes and systems for effectively managing information security and minimising information security risks.
HKIRC has security audits conducted by independent parties every two years. Independent assessment reports are produced and approved by an audit committee formed by the board of directors. Risks and threats found are prioritised and followed up with action plans, and reviewed through the regular management cycle.
A summary of HKIRC’s security policy is given below.

PURPOSE
This document constitutes a summary of an Information Technology (IT) Security Policy that internal and related external parties of the Organisation shall observe and follow. For the purposes of this Policy the process used is based on the PDCA model shown in Figure 1 (attached).

PDCA Model applied to ISMS processes:
Plan (establish the ISMS) - Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organisation’s overall policies and objectives.
Do (implement and operate the ISMS) - Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS) - Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS) - Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

The process approach for information security management in this Policy encourages its users to emphasise the importance of:
a) understanding an organisation’s information security requirements and the need to establish policy and objectives for information security;
b) implementing and operating controls to manage an organisation’s information security risks in the context of the organisation’s overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.
SCOPE
This document addresses security considerations in the following areas:
a) Organisation of Information Security
b) Management Responsibilities
c) Risk Assessment and Treatment
d) Asset Management
e) Human Resources Security
f) Physical and Environmental Security
g) Communications and Operations Management
h) Access Control
i) Information Systems Acquisition, Development and Maintenance
j) Information Security Incident Management
k) Business Continuity Management
l) Compliance
Reference, definitions and conventions
STANDARDS AND GUIDELINES
a) ISO27001:2005 “Information technology — Security techniques — Information security management systems — Requirements”
b) ISO17799:2005 “Information technology — Security techniques — Code of practice for information security management”
c) AS⁄NZS 4360:2004 “Risk Management”
Risk Assessment, Audit and Management Review
RISK ASSESSMENT
Security objective: To identify and evaluate risks of the information and information systems of the Organisation.
AUDIT
Security objective: To review the effectiveness of the security controls.
Audits shall be conducted at planned intervals to determine whether the control objectives, controls, processes and procedures of its Information Security Management System:
a) conform to the identified information security requirements;
b) are effectively implemented and maintained; and
c) perform as expected.
An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined.
The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.
MANAGEMENT REVIEW OF THE ISMS
Management shall review the organisation’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The Management review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained.
ISMS IMPROVEMENT
The organisation shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.
The organisation shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence.
The organisation shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems.
The organisation shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks. The priority of preventive actions shall be determined based on the results of the risk assessment.
Information Security Management Framework
Security objective: To establish a framework for the management of Information Security within the Organisation, in order to initiate and control the implementation of Information Security within the Organisation.
The attached diagram (Figure 2) describes the IT Security organisational framework of the Organisation:
SENIOR MANAGEMENT
Management shall commit to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
a) establishing an ISMS policy;
b) ensuring that ISMS objectives and plans are established;
c) establishing roles and responsibilities for information security;
d) communicating to the organisation the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;
e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS;
f) deciding the criteria for accepting risks and the acceptable levels of risk;
g) ensuring that ISMS audits are conducted; and
h) conducting management reviews of the ISMS.
INFORMATION SECURITY MANAGEMENT COMMITTEE (ISMC)
The Organisation shall establish an Information Security Management Committee (ISMC) to oversee the IT security within the whole Organisation. The committee meets on a regular basis to:
a) Review and endorse changes to the IT security related policies and guidelines;
b) Review and endorse the criteria for accepting risks and the acceptable levels of risk;
c) Define specific roles and responsibilities relating to IT security; and
d) Provide guidance and assistance to departments in the enforcement of IT security related policies.
The core members of ISMC comprise representatives from:
a) Senior staff(s) from user departments.
b) Information Security Officer.
Representative(s) from other departments will be co-opted into the Committee on a need basis, in relation to specific subject matters.
INFORMATION SECURITY OFFICER (ISO)
The Organisation shall appoint an Information Security Officer (ISO) to be responsible for IT security. The roles and responsibilities of the ISO shall be clearly defined and include, but are not limited to, the following:
a) Establish and maintain an information protection program to assist all employees in the protection of the information they use;
b) Lead in the establishment, maintenance and implementation of information security policies, standards, guidelines and procedures;
c) Coordinate with other organisations on IT security issues;
d) Disseminate security alerts on impending and actual threats within the Organisation;
e) Ensure information security risk assessments are performed as necessary;
f) Initiate investigations and rectification in case of a breach of security;
g) Monitor the compliance with the IT Security Policy; and
h) Promote IT security awareness within the Organisation.
INFORMATION SECURITY INCIDENT RESPONSE TEAM (ISIRT) COMMANDER
The ISIRT is the central focal point for coordinating the handling of information security incidents occurring within the Organisation. The Management should designate an officer from the senior management to be the ISIRT Commander. The ISIRT Commander should have the authority to appoint core team members for the ISIRT.
INFORMATION SECURITY ADMINISTRATORS
Information Security Administrators are responsible for providing security and risk management related support services. They assist in identifying system vulnerabilities and performing security administrative work of the system.
INFORMATION OWNERS
Information Owners are the collators and the owners of information stored in databases and data files.
NETWORK ⁄ SYSTEM ADMINISTRATORS
Network ⁄ System Administrators are responsible for the day-to-day administration, operation and configuration of the computer systems and network in, whereas Internet System Administrators are responsible for the related tasks for their Internet-facing Information Systems.
APPLICATION DEVELOPMENT & MAINTENANCE TEAM
The Application Development & Maintenance Team is responsible for producing quality systems through the use of quality procedures, techniques and tools.
USERS OF INFORMATION SYSTEMS
Users of Information Systems are the staff who actually use the information and shall be accountable for all their activities on the Information Systems.
Asset Management
RESPONSIBILITY FOR ASSETS
Security objective: To achieve and maintain appropriate protection of organisational assets.
INFORMATION CLASSIFICATION
Security objective: To ensure that information receives an appropriate level of protection.
Human Resources Security
HUMAN RESOURCES SECURITY
Security objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

DURING EMPLOYMENT
Security objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error.
TERMINATION OR CHANGE OF EMPLOYMENT
Security objective: To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner.
Physical and Environmental Security
SECURE AREAS
Security objective: To prevent unauthorised physical access, damage and interference to the organisation’s premises and information.
EQUIPMENT SECURITY
Security objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s activities.
Communications and operations management
OPERATIONAL PROCEDURES AND RESPONSIBILITIES
Security objective: To ensure the correct and secure operation of information processing facilities.
THIRD PARTY SERVICE DELIVERY MANAGEMENT
Security objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
SYSTEM PLANNING AND ACCEPTANCE
Security objective: To minimise the risk of systems failures.
PROTECTION AGAINST MALICIOUS AND MOBILE CODE
Security objective: To protect the integrity of software and information.
BACK-UP
Security objective: To maintain the integrity and availability of information and information processing facilities.
NETWORK SECURITY MANAGEMENT
Security objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
MEDIA HANDLING
Security objective: To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities.
EXCHANGE OF INFORMATION
Security objective: To maintain the security of information and software exchanged within an organisation and with any external entity.
ELECTRONIC COMMERCE SERVICES
Security objective: To ensure the security of electronic commerce services, and their secure use.
MONITORING
Security objective: To detect unauthorised information processing activities.
Access control
BUSINESS REQUIREMENT FOR ACCESS CONTROL
Security objective: To control access to information.
USER ACCESS MANAGEMENT
Security objective: To ensure authorised user access and to prevent unauthorised access to information systems.
USER RESPONSIBILITIES
Security objective: To prevent unauthorised user access, and compromise or theft of information and information processing facilities.
NETWORK ACCESS CONTROL
Security objective: To prevent unauthorised access to networked services.
OPERATING SYSTEM ACCESS CONTROL
Security objective: To prevent unauthorised access to operating systems.
APPLICATION AND INFORMATION ACCESS CONTROL
Security objective: To prevent unauthorised access to information held in application systems.
MOBILE COMPUTING AND TELE-WORKING
Security objective: To ensure information security when using mobile computing and tele-working facilities.
Information systems acquisition, development and maintenance
SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
Security objective: To ensure that security is an integral part of information systems.
CORRECT PROCESSING IN APPLICATIONS
Security objective: To prevent errors, loss, unauthorised modification or misuse of information in applications.
CRYPTOGRAPHIC CONTROLS
Security objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
SECURITY OF SYSTEM FILES
Security objective: To ensure the security of system files.
SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
Security objective: To maintain the security of application system software and information.
TECHNICAL VULNERABILITY MANAGEMENT
Security objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
Information security incident management
REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES
Security objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
Security objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
Business continuity management
INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
Security objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
Compliance
COMPLIANCE WITH LEGAL REQUIREMENTS
Security objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE
Security objective: To ensure compliance of systems with organisational security policies and standards.
INFORMATION SYSTEMS AUDIT CONSIDERATIONS
Security objective: To maximise the effectiveness of, and to minimise interference to⁄from, the information systems audit process.

Appendix
Appendix A, FIGURE 1 and FIGURE 2



© Internet Corporation For Assigned Names and Numbers.