ICANN New gTLD Application

i. What is the goal of your proposed gTLD in terms of areas of specialty, service levels, or reputation?

Specialty
 
Currently, there is no top-level domain dedicated to high-quality lifestyle accessories and no top-level domain dedicated to Applicant’s brand.  The goal of the TLD, in terms of specialty, is to securely provide a top-level domain dedicated to providing Products to Internet users and customers around the globe under Applicant’s and Applicant’s Affiliates’ famous and trusted brands.  Allowing Applicant to control its own Internet space for its famous brand gives it the ability to customize its domain and website names and signal to the general population of Internet users that websites within the TLD will indeed be securely controlled by Applicant without having to incorporate a non-branded, non-industry-related term such as .com, .net or .biz.  In addition the TLD will permit the Applicant and Applicant’s Affiliates to send a consistent and focused branding image to customers from all parts of the world, without the registration and operational impediments Applicant currently experiences with ccTLDs. This specialty will benefit Internet users seeking authentic online Products without the worry that they will become the next phishing or counterfeiting victim.
 
This specialization simultaneously makes it easier for Internet users who are looking for Applicant-related information and fashion information to locate this information more efficiently.  The appendage of the TLD indicates to users what they can expect to find at that website under the TLD, namely, premiere and authentic Products offered by the famous and reputable Applicant or Applicant’s Affiliates.  It also has another added benefit in that web addresses will become shorter—one impact of a dearth of ‘good’ web addresses has been for them to get longer over time.  Using the TLD not only means Applicant’s sites can benefit from having an important keyword in their web address, but it will also be much faster to type in the address.  Built into a wider process of web optimization and marketing, the inclusion of the TLD as a keyword in every domain name will likely have positive implications for specialty, security, and global promotion purposes.  This will increase traffic to these websites, promote competition, and facilitate use and trust by consumers of Products who prefer shorter domain names and want a trusted source of the specific services they seek.

Service Levels  
 
The goal of the TLD, if made public, will be to ensure the highest level of security, quality and customer service is provided to Applicant’s customers, for whom security and quality is a high priority concern in connection with Products.  Primarily, this entails ensuring that only Applicant and Applicant’s Affiliates, are able to register and control the second-level domain names in the TLD.  Regarding security and quality concerns, this entails contracting with and using industry experts to provide the highest possible quality in registry and registrar services so as to not compromise the security and quality of any information that Applicant will receive or provide through the TLD.  

Applicant will further endeavor, as it does with its current websites, to provide any outwardly-facing domain name and website in the TLD with fast and responsive customer service, available in English, during normal business hours by email and telephone seven (7) days per week to help any customer attempting to learn about or purchase Applicant’s Products.  Similarly, Applicant will provide the highest level service to trademark and other legal rights owners by providing an easily accessible point-of-contact on all outwardly-facing domain names and websites.

By focusing on the end user, Applicant will ensure that it is providing the best specialized user experience possible.  To do this, Applicant may employ testing to determine what their expectations are for an Applicant-branded Web experience and then tailoring the TLD to its end users.  For example, when designing its current websites or adding a new look to its homepage, Applicant takes care to ensure that they will ultimately serve the Internet user.  Applicant’s homepage interface in the TLD will thus be clear and simple, with pages loading promptly.  Applicant’s Products will be provided through secure websites and networks, and at high speeds.  Applicant will continue to operate under this principle when designing websites and providing high-quality Products and other ancillary services through the TLD.

Reputation  

Applicant already has a reputation for excellence and superior quality in the fashion industry, including online through its current websites and domain names.  Indeed, the type of Products that Applicant manufactures, distributes and sells are among the most vulnerable to counterfeiting and other fraudulent online activity and Applicant seeks, through the operation of the TLD, to maintain a reputation for providing a secure online environment in the industry for all Internet users to access fashion and product information more efficiently.  Applicant also has a reputation of having enhanced creative capabilities and a reputation as a producer of innovation in the fashion industry.  The goal of the TLD, if made public, is to continue to promote Applicant’s reputation for excellence, creativity and innovation.
 
The Registry will further strive to be known for ensuring only Applicant and Applicant’s Affiliates register domain names in the TLD, that those domain names are used for Applicant-related purposes at the direction of Applicant, that all customer information will be kept completely confidential, that the Whois is thick and reliable, and that the Registry is responsive to legal rights owners.  Indeed, when Internet users visit a website within the TLD, they should know that Applicant will be the entity standing behind its world-renowned Products and services, and that they can expect the highest level of online service and security.  In all, Applicant will strive to continue to be known as an exemplary and model domain name services citizen through the use of the TLD.
 
ii. What do you anticipate your proposed gTLD will add to the current space, in terms of competition, differentiation, or innovation?

Competition

The TLD will enhance competition to the current Internet space by allowing Applicant to control its own Internet space and to have the flexibility to innovate and create new online goods and services, and to reach new geographic areas with a consistent branding message – the latter is something that is presently hampered by variances in ccTLD registration and operation policies.  These innovations and consistencies in how the Applicant will provide high-quality lifestyle accessories online will incentivize existing and new top-level domains and fashion companies that operate on existing and new top-level domains to also improve the security and quality of their own online storefronts and to accelerate the introduction of new goods and services in order to continue attracting new customers.  Thus, the entry of the TLD will benefit consumers by increasing the likelihood of the successful introduction of new and innovative online goods and services from the fashion industry.

 
Differentiation

The TLD will be differentiated from all other top-level domains current available in the marketplace because it will be able to affix its famous brand to second-level domains as the TLD and indicate to Internet users the source of the TLD.  Indeed, no other existing top-level domain is similar in appearance to the TLD, none is used exclusively for high-quality lifestyle accessories, and none exclusively serves Applicant’s users and customers.  In terms of differentiated uses, Applicant will be able to customize the second-level domains within the TLD so as to signify the service offered as well as the source of the service.  Finally, unlike in existing top-level domains, only Applicant and Applicant’s Affiliates will be allowed to register or operate domain names within the TLD, allowing the TLD to become unique in that customers do not have to fear corruption, security, spam, phishing, counterfeit products or false or inaccurate information. 

Innovation

Applicant is already a recognized leader in online fashion innovation.  Indeed, technology is at the forefront of Applicant’s online fashion presence.  One of the most crucial issues of importance to Applicant’s customers is quality and legitimacy.  The TLD, if publicly used, will allow Applicant to provide information, goods and services to its customers in a more technologically-advanced way and allow Applicant to implement technical advances that may not have been capable before in the existing, less secure environment over which Applicant has less control.  

Indeed, Applicant believes that the TLD will open up new opportunities and permit Applicant to innovate and provide truly high-quality websites for Products.  With the TLD, Applicant can test and innovate both the technology behind and the public face of the TLD with consumers to facilitate their desired Web experience and to ensure it meets the highest possible security standard.  This innovation will promote competition in the Internet space and provide higher levels of service to its users and customers.  Moreover, the TLD will be innovative in that it will allow more people to have greater access to a dedicated and secure top-level domain for Applicant’s Products.  The TLD will also allow Applicant to securely work in communities where access to fashion industry information is limited and to strive to provide high-quality lifestyle accessories to more people.

iii. What goals does your proposed gTLD have in terms of user experience?

Similarly to how it operates its current domain names and websites in third-party top-level domains Applicant will strive to test, develop, and implement the TLD and its websites to satisfy its customers’ Web expectations in the most secure and user-friendly manner.  In doing so, Applicant will take great care to ensure that domain names in the TLD will ultimately serve the Internet user.  Accordingly, Applicant will rely on its consumer and security-driven testing to provide the best user experience possible for those seeking a robust, reliable and secure electronic storefront for its Products around the globe.  Because users will know that all domain names in the TLD will be owned and operated by Applicant, Applicant anticipates that the TLD will eventually provide an enhanced and secure online technological experience for those interested in obtaining more information about and purchasing Applicant’s products.  The TLD will serve to differentiate Applicant from other lifestyle accessories providers and serve to create a more stable, competitive, and active marketplace in the industry.

iv. Provide a complete description of the applicant’s intended registration policies in support of the goals listed above.

In order to support the goals listed above, only Applicant through its authorized employees will be allowed to register domain names within the TLD.  Accordingly, the general public will never be allowed to register, buy, or sell domain names in the TLD.  Applicant, however, reserves the right to sell, distribute, or transfer control or use of any registrations in the TLD to any third party than is an Affiliate of Applicant under the control of applicant for uses as specified by Applicant.  Affiliate will be defined for the purpose of this application as (i) a person or entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, the person or entity specified, and (ii) control (including the terms “controlled by” and “under common control with”) means the possession, directly or indirectly, of the power to direct or cause the direction of the management or policies of a person or entity or specific aspects of an entity, whether through the ownership of securities, as trustee or executor, by serving as an employee or a member of a board of directors or equivalent governing body, by contract, by credit arrangement or otherwise.

As stated above, Applicant intends to operate a closed registry in order to continue to offer the Products it currently offers on its branded websites in existing top-level domains.  Accordingly, policies and decisions regarding the registration and use of domain names within the TLD will continue to be provided through an internal team consisting of Applicant’s existing business, marketing and technical decision-making channels.

The TLD’s domain name policies will of course be limited by its abuse prevention and rights protection policies discussed further herein, and will strive to avoid registering domain names that are confusingly similar to third-party’s trademarks and related rights.  Obscene, explicit, and offensive domain names will not be entitled to registration.

v. Will your proposed gTLD impose any measures for protecting the privacy or confidential information of registrants or users?  If so, please describe any such measures.

Keeping customer information secure and private is of crucial importance to Applicant and other providers of Products, whose websites and goods and services are particularly vulnerable to online fraud and counterfeiting.  Initially, Applicant intends to operate a registry with limited access so as to ensure the security and privacy of the information available.  As Applicant’s use may expand, Applicant will take commercially reasonable steps to maintain the security and privacy of the information collected therein, and will remain in compliance with confidentiality and security regulations in relevant jurisdictions. For example, Applicant already has Privacy Policies in key global jurisdictions to safeguard the information of its current online customers.  See e.g. Coach, Security and Privacy, available at:

http:⁄⁄www.coach.com⁄online⁄handbags⁄genWCM-10551-10051-en-⁄Coach_US⁄SecurityAndPrivacy⁄?LOC=BN (effective as of February 3, 2010). 

If the TLD becomes publicly visible such that external users are interacting with content and information about Products accessed through the TLD, Applicant will, at a minimum, provide similar security measures and protect the privacy and confidentiality of its users according to the relevant laws in the appropriate jurisdiction.

vi. Describe whether and in what ways outreach and communications will help to achieve your projected benefits.

Outreach and communication are among Applicant’s important goals in connection with the TLD.  For example, if the TLD is publicly used, it will provide better and more secure access to Products to consumers throughout the globe.  Applicant may institute marketing and outreach efforts to inform the public about the TLD and the content and information available there.

Applicant already uses a number of different outreach and communications methods and venues to get its mission and message out to the public, including but not limited to: press releases; featured videos posted on various Internet sites; social media, including but not limited to blogs, YouTube, Twitter and Facebook; various news feeds around the globe; and paid advertising, which includes magazine and newspaper print, billboards and posters in major markets; and a variety of digital media.  If the TLD is expanded to use by the general Internet public, Applicant will be able to incorporate the outreach and communication regarding the TLD into its current branding and marketing efforts to ensure that as many customers and users as possible understand the new resources available and how to interact with them to improve their consumer experience.

23 REGISTRY SERVICES

1 CUSTOMARY REGISTRY SERVICES

COACH, INC. (Coach) has engaged Melbourne IT Limited and its affiliate entities (Melbourne IT) as a service provider to assist Coach with this application. Coach intends to engage Melbourne IT to provide Coach with assistance with the on-going management of its .coach gTLD, should this application be successful. Melbourne IT’s managed services incorporate the management and oversight of Coach’s selected backend registry services provider, Verisign Inc (Verisign), as well as other third party service providers. The parties intend to conclude definitive arrangements in relation to this support prior to the evaluation period.

Coach’s selected provider of backend registry services, Verisign, provides a comprehensive system and physical security solution that is designed to ensure a TLD is protected from unauthorized disclosure, alteration, insertion, or destruction of registry data. Verisign’s system addresses all areas of security including information and policies, security procedures, the systems development lifecycle, physical security, system hacks, break-ins, data tampering, and other disruptions to operations. Verisign’s operational environments not only meet the security criteria specified in its customer contractual agreements, thereby preventing unauthorized access to or disclosure of information or resources on the Internet by systems operating in accordance with applicable standards, but also are subject to multiple independent assessments as detailed in the response to Question 30, Security Policy. Verisign’s physical and system security methodology follows a mature, ongoing lifecycle that was developed and implemented many years before the development of the industry standards with which Verisign currently complies. Please see the response to Question 30, Security Policy, for details of the security features of Verisign’s registry services.

Verisign’s registry services fully comply with relevant standards and best current practice RFCs published by the Internet Engineering Task Force (IETF), including all successor standards, modifications, or additions relating to the DNS and name server operations including without limitation RFCs 1034, 1035, 1982, 2181, 2182, 2671, 3226, 3596, 3597, 3901, 4343, and 4472. Moreover, Verisign’s Shared Registration System (SRS) supports the following IETF Extensible Provisioning Protocol (EPP) specifications, where the Extensible Markup Language (XML) templates and XML schemas are defined in RFC 3915, 5730, 5731, 5732, 5733, and 5734. By strictly adhering to these RFCs, Verisign helps to ensure its registry services do not create a condition that adversely affects the throughput, response time, consistency, or coherence of responses to Internet servers or end systems. Besides its leadership in authoring RFCs for EPP, Domain Name System Security Extensions (DNSSEC), and other DNS services, Verisign has created and contributed to several now well-established IETF standards and is a regular and long-standing participant in key Internet standards forums.

Figure 23-1 summarizes the technical and business components of those registry services, customarily offered by a registry operator (i.e., Verisign), that support this application. These services are currently operational and support both large and small Verisign-managed registries. Customary registry services are provided in the same manner as Verisign provides these services for its existing gTLDs.

Through these established registry services, Verisign has proven its ability to operate a reliable and low-risk registry that supports millions of transactions per day. Verisign is unaware of any potential security or stability concern related to any of these services.

Registry services defined by this application are not intended to be offered in a manner unique to the new generic top-level domain (gTLD) nor are any proposed services unique to this application’s registry.

As further evidence of Verisign’s compliance with ICANN mandated security and stability requirements, Verisign allocates the applicable RFCs to each of the five customary registry services (items A – E above). For each registry service, Verisign also provides evidence in Figure 23-2of Verisign’s RFC compliance and includes relevant ICANN prior-service approval actions.

1.1 CRITICAL OPERATIONS OF THE REGISTRY

i. RECEIPT OF DATA FROM REGISTRARS CONCERNING REGISTRATION OF DOMAIN NAMES AND NAME SERVERS

See Item A in Figure 23-1 and Figure 23-2.

ii. PROVISION TO REGISTRARS STATUS INFORMATION RELATING TO THE ZONE SERVERS

Verisign registry services provisions to registrars status information relating to zone servers for the TLD. The services also allow a domain name to be updated with clientHold, serverHold status, which removes the domain name server details from zone files. This ensures that DNS queries of the domain name are not resolved temporarily. When these hold statuses are removed, the name server details are written back to zone files and DNS queries are again resolved. Figure 23-3 describes the domain name status information and zone insertion indicator provided to registrars. The zone insertion indicator determines whether the name server details of the domain name exist in the zone file for a given domain name status. Verisign also has the capability to withdraw domain names from the zone file in near-real time by changing the domain name statuses upon request by customers, courts, or legal authorities as required.

iii. DISSEMINATION OF TLD ZONE FILES

See Item B in Figure 23-1 and Figure 23-2.

iv. OPERATION OF THE REGISTRY ZONE SERVERS
Verisign operates zone servers and serves DNS resolution from 76 geographically distributed resolution sites located in North America, South America, Africa, Europe, Asia, and Australia. Currently, 17 DNS locations are designated primary sites, offering greater capacity than smaller sites comprising the remainder of the Verisign constellation. Verisign also uses Anycast techniques and regional Internet resolution sites to expand coverage, accommodate emergency or surge capacity, and support system availability during maintenance procedures. Verisign operates Coach’s gTLD from a minimum of eight of its primary sites (two on the East Coast of the United States, two on the West Coast of the United States, two in Europe, and two in Asia) and expands resolution sites based on traffic volume and patterns. Further details of the geographic diversity of Verisign’s zone servers are provided in the response to Question 34, Geographic Diversity. Moreover, additional details of Verisign’s zone servers are provided in the response to Question 32, Architecture and the response to Question 35, DNS Service.

v. DISSEMINATION OF CONTACT AND OTHER INFORMATION CONCERNING DOMAIN NAME SERVER REGISTRATIONS

See Item C in Figure 23-1andFigure 23-2.

2 OTHER PRODUCTS OR SERVICES THE REGISTRY OPERATOR IS REQUIRED TO PROVIDE BECAUSE OF THE ESTABLISHMENT OF A CONSENSUS POLICY

Verisign is a proven supporter of ICANN’s consensus-driven, bottom-up policy development process whereby community members identify a problem, initiate policy discussions, and generate a solution that produces effective and sustained results. Verisign currently provides all of the products or services (collectively referred to as services) that the registry operator is required to provide because of the establishment of a Consensus Policy. For the .coach gTLD, Verisign implements these services using the same proven processes and procedures currently in-place for all registries under Verisign’s management. Furthermore, Verisign executes these services on computing platforms comparable to those of other registries under Verisign’s management. Verisign’s extensive experience with consensus policy required services and its proven processes to implement these services greatly minimize any potential risk to Internet security or stability. Details of these services are provided in the following subsections. It shall be noted that consensus policy services required of registrars (e.g., Whois Reminder, Expired Domain) are not included in this response. This exclusion is in accordance with the direction provided in the question’s Notes column to address registry operator services.

2.1 INTER-REGISTRAR TRANSFER POLICY (IRTP)

TECHNICAL COMPONENT:

In compliance with the IRTP consensus policy, Verisign has designed its registration systems to systematically restrict the transfer of domain names within 60 days of the initial create date. In addition, Verisign has implemented EPP and “AuthInfo” code functionality, which is used to further authenticate transfer requests. The registration system has been designed to enable compliance with the five-day Transfer grace period and includes the following functionality:

- Allows the losing registrar to proactively ‘ACK’ or acknowledge a transfer prior to the expiration of the five-day Transfer grace period

- Allows the losing registrar to proactively ‘NACK’ or not acknowledge a transfer prior to the expiration of the five-day Transfer grace period

- Allows the system to automatically ACK the transfer request once the five-day Transfer grace period has passed if the losing registrar has not proactively ACK’d or NACK’d the transfer request.

BUSINESS COMPONENT:

All requests to transfer a domain name to a new registrar are handled according to the procedures detailed in the IRTP. Dispute proceedings arising from a registrarʹs alleged failure to abide by this policy may be initiated by any ICANN-accredited registrar under the Transfer Dispute Resolution Policy. Coach’s compliance office serves as the first-level dispute resolution provider pursuant to the associated Transfer Dispute Resolution Policy. As needed Verisign is available to offer policy guidance as issues arise.

SECURITY AND STABILITY CONCERNS:

Verisign is unaware of any impact, caused by the service, on throughput, response time, consistency, or coherence of the responses to Internet servers or end-user systems. By implementing the IRTP in accordance with ICANN policy, security is enhanced as all transfer commands are authenticated using the AuthInfo code prior to processing.

ICANN PRIOR APPROVAL:

Verisign has been in compliance with the IRTP since November 2004 and is available to support Coach in a consulting capacity as needed.

UNIQUE TO THE TLD:

This service is not provided in a manner unique to the .coach TLD.

2.2 ADD GRACE PERIOD (AGP) LIMITS POLICY

TECHNICAL COMPONENT:

Verisign’s registry system monitors registrars’ Add grace period deletion activity and provides reporting that permits Coach to assess registration fees upon registrars that have exceeded the AGP thresholds stipulated in the AGP Limits Policy. Further, Coach accepts and evaluates all exemption requests received from registrars and determines whether the exemption request meets the exemption criteria. Coach maintains all AGP Limits Policy exemption request activity so that this material may be included within Coach’s Monthly Registry Operator Report to ICANN.

Registrars that exceed the limits established by the policy may submit exemption requests to Coach for consideration. Coach’s compliance office reviews these exemption requests in accordance with the AGP Limits Policy and renders a decision. Upon request, Coach submits associated reporting on exemption request activity to support reporting in accordance with established ICANN requirements.

BUSINESS COMPONENT:

The Add grace period (AGP) is restricted for any gTLD operator that has implemented an AGP. Specifically, for each operator:

- During any given month, an operator may not offer any refund to an ICANN-accredited registrar for any domain names deleted during the AGP that exceed (i) 10% of that registrarʹs net new registrations (calculated as the total number of net adds of one-year through ten-year registrations as defined in the monthly reporting requirement of Operator Agreements) in that month, or (ii) fifty (50) domain names, whichever is greater, unless an exemption has been granted by an operator.

- Upon the documented demonstration of extraordinary circumstances, a registrar may seek from an operator an exemption from such restrictions in a specific month. The registrar must confirm in writing to the operator how, at the time the names were deleted, these extraordinary circumstances were not known, reasonably could not have been known, and were outside the registrarʹs control. Acceptance of any exemption will be at the sole and reasonable discretion of the operator; however ʺextraordinary circumstancesʺ that reoccur regularly for the same registrar will not be deemed extraordinary.

In addition to all other reporting requirements to ICANN, Coach identifies each registrar that has sought an exemption, along with a brief description of the type of extraordinary circumstance and the action, approval, or denial that the operator took.

SECURITY AND STABILITY CONCERNS:

Verisign is unaware of any impact, caused by the policy, on throughput, response time, consistency, or coherence of the responses to Internet servers or end-user systems.

ICANN PRIOR APPROVAL:

Verisign has had experience with this policy since its implementation in April 2009 and is available, in conjunction with Melbourne IT, to support Coach in a consulting capacity as needed.

UNIQUE TO THE TLD:

This service is not provided in a manner unique to the .coach TLD.

2.3 REGISTRY SERVICES EVALUATION POLICY (RSEP)

TECHNICAL COMPONENT:

Verisign adheres to all RSEP submission requirements. Verisign has followed the process many times and is fully aware of the submission procedures, the type of documentation required, and the evaluation process that ICANN adheres to.

BUSINESS COMPONENT:

In accordance with ICANN procedures detailed on the ICANN RSEP website (http:⁄⁄www.icann.org⁄en⁄registries⁄rsep⁄), all gTLD registry operators are required to follow this policy when submitting a request for new registry services.

SECURITY AND STABILITY CONCERNS:

As part of the RSEP submission process, Verisign, Coach’s backend registry services provider, identifies any potential security and stability concerns in accordance with RSEP stability and security requirements. Verisign never launches services without satisfactory completion of the RSEP process and resulting approval.

ICANN PRIOR APPROVAL:

Not applicable.

UNIQUE TO THE TLD:

gTLD RSEP procedures are not implemented in a manner unique to the .coach TLD.

3 PRODUCTS OR SERVICES ONLY A REGISTRY OPERATOR IS CAPABLE OF PROVIDING BY REASON OF ITS DESIGNATION AS THE REGISTRY OPERATOR

Verisign has developed a Registry-Registrar Two-Factor Authentication Service that complements traditional registration and resolution registry services. In accordance with direction provided in Question 23, Verisign details below the technical and business components of the service, identifies any potential threat to registry security or stability, and lists previous interactions with ICANN to approve the operation of the service. The Two-Factor Authentication Service is currently operational, supporting multiple registries under ICANN’s purview.

Coach is unaware of any competition issue that may require the registry service(s) listed in this response to be referred to the appropriate governmental competition authority or authorities with applicable jurisdiction. ICANN previously approved the service(s), at which time it was determined that either the service(s) raised no competitive concerns or any applicable concerns related to competition were satisfactorily addressed.

3.1 TWO-FACTOR AUTHENTICATION SERVICE

TECHNICAL COMPONENT:

The Registry-Registrar Two-Factor Authentication Service is designed to improve domain name security and assist registrars in protecting the accounts they manage. As part of the service, dynamic one-time passwords augment the user names and passwords currently used to process update, transfer, and⁄or deletion requests. These one-time passwords enable transaction processing to be based on requests that are validated both by “what users know” (i.e., their user name and password) and “what users have” (i.e., a two-factor authentication credential with a one-time-password).

Registrars can use the one-time-password when communicating directly with Verisign’s Customer Service department as well as when using the registrar portal to make manual updates, transfers, and⁄or deletion transactions. The Two-Factor Authentication Service is an optional service offered to registrars that execute the Registry-Registrar Two-Factor Authentication Service Agreement.

BUSINESS COMPONENT:

There is no charge for the Registry-Registrar Two-Factor Authentication Service. It is enabled only for registrars that wish to take advantage of the added security provided by the service.

SECURITY AND STABILITY CONCERNS:

Verisign is unaware of any impact, caused by the service, on throughput, response time, consistency, or coherence of the responses to Internet servers or end-user systems. The service is intended to enhance domain name security, resulting in increased confidence and trust by registrants.

ICANN PRIOR APPROVAL:

ICANN approved the same Two-Factor Authentication Service for Verisign’s use on .com and .net on 10 July 2009 (RSEP Proposal 2009004) and for .name on 16 February 2011 (RSEP Proposal 2011001).

UNIQUE TO THE TLD:

This service is not provided in a manner unique to the .coach TLD.

24 SHARED REGISTRATION SYSTEM (SRS) PERFORMANCE

1 ROBUST PLAN FOR OPERATING A RELIABLE SRS

1.1 HIGH-LEVEL SHARED REGISTRATION SYSTEM (SRS) SYSTEM DESCRIPTION

Verisign, Coach’s selected provider of backend registry services, provides and operates a robust and reliable SRS that enables multiple registrars to provide domain name registration services in the top-level domain (TLD). Verisign’s proven reliable SRS serves approximately 915 registrars, and Verisign, as a company, has averaged more than 140 million registration transactions per day. The SRS provides a scalable, fault-tolerant platform for the delivery of gTLDs through the use of a central customer database, a web interface, a standard provisioning protocol (i.e., Extensible Provisioning Protocol, EPP), and a transport protocol (i.e., Secure Sockets Layer, SSL).

The SRS components include:

- Web Interface: Allows customers to access the authoritative database for accounts, contacts, users, authorization groups, product catalog, product subscriptions, and customer notification messages.

- EPP Interface: Provides an interface to the SRS that enables registrars to use EPP to register and manage domains, hosts, and contacts.

- Authentication Provider: A Verisign developed application, specific to the SRS, that authenticates a user based on a login name, password, and the SSL certificate common name and client IP address.

The SRS is designed to be scalable and fault tolerant by incorporating clustering in multiple tiers of the platform. New nodes can be added to a cluster within a single tier to scale a specific tier, and if one node fails within a single tier, the services will still be available. The SRS allows registrars to manage the .coach gTLD domain names in a single architecture.

To flexibly accommodate the scale of its transaction volumes, as well as new technologies, Verisign employs the following design practices:

- Scale for Growth: Scale to handle current volumes and projected growth.

- Scale for Peaks: Scale to twice base capacity to withstand “registration add attacks” from a compromised registrar system.

- Limit Database CPU Utilization: Limit utilization to no more than 50 percent during peak loads.

- Limit Database Memory Utilization: Each user’s login process that connects to the database allocates a small segment of memory to perform connection overhead, sorting, and data caching. Verisign’s standards mandate that no more than 40 percent of the total available physical memory on the database server will be allocated for these functions.

Verisign’s SRS is built upon a three-tier architecture as illustrated in Figure 24-1 and detailed here:

- Gateway Layer: The first tier, the gateway servers, uses EPP to communicate with registrars. These gateway servers then interact with application servers, which comprise the second tier.

- Application Layer: The application servers contain business logic for managing and maintaining the registry business. The business logic is particular to each TLD’s business rules and requirements. The flexible internal design of the application servers allows Verisign to easily leverage existing business rules to apply to the .coach gTLD. The application servers store Coach’s data in the registry database, which comprises the third and final tier. This simple, industry-standard design has been highly effective with other customers for whom Verisign provides backend registry services.

- Database Layer: The database is the heart of this architecture. It stores all the essential information provisioned from registrars through the gateway servers. Separate servers query the database, extract updated zone and Whois information, validate that information, and distribute it around the clock to Verisign’s worldwide domain name resolution sites.

SCALABILITY AND PERFORMANCE. Verisign, Coach’s selected backend registry services provider, implements its scalable SRS on a supportable infrastructure that achieves the availability requirements in Specification 10. Verisign employs the design patterns of simplicity and parallelism in both its software and systems, based on its experience that these factors contribute most significantly to scalability and reliable performance. Going counter to feature-rich development patterns, Verisign intentionally minimizes the number of lines of code between the end user and the data delivered. The result is a network of restorable components that provide rapid, accurate updates. Figure 24-2 depicts EPP traffic flows and local redundancy in Verisign’s SRS provisioning architecture. As detailed in the figure, local redundancy is maintained for each layer as well as each piece of equipment. This built-in redundancy enhances operational performance while enabling the future system scaling necessary to meet additional demand created by this or future registry applications.

Besides improving scalability and reliability, local SRS redundancy enables Verisign to take down individual system components for maintenance and upgrades, with little to no performance impact. With Verisign’s redundant design, Verisign can perform routine maintenance while the remainder of the system remains online and unaffected. For the .coach gTLD registry, this flexibility minimizes unplanned downtime and provides a more consistent end-user experience.

1.2 REPRESENTATIVE NETWORK DIAGRAMS

Figure 24-3 provides a summary network diagram of Coach’s selected backend registry services provider’s (Verisign’s) SRS. This configuration at both the primary and alternate-primary Verisign data centers provides a highly reliable backup capability. Data is continuously replicated between both sites to ensure failover to the alternate-primary site can be implemented expeditiously to support both planned and unplanned outages.

1.3 NUMBER OF SERVERS

As Coach’s selected provider of backend registry services, Verisign continually reviews its server deployments for all aspects of its registry service. Verisign evaluates usage based on peak performance objectives as well as current transaction volumes, which drive the quantity of servers in its implementations. Verisign’s scaling is based on the following factors:

- Server configuration is based on CPU, memory, disk IO, total disk, and network throughput projections.

- Server quantity is determined through statistical modeling to fulfill overall performance objectives as defined by both the service availability and the server configuration.

- To ensure continuity of operations for the .coach gTLD, Verisign uses a minimum of 100 dedicated servers per SRS site. These servers are virtualized to meet demand.

1.4 DESCRIPTION OF INTERCONNECTIVITY WITH OTHER REGISTRY SYSTEMS

Figure 24-4 provides a technical overview of the Coach’s selected backend registry services provider’s (Verisign’s) SRS, showing how the SRS component fits into this larger system and interconnects with other system components.

1.5 FREQUENCY OF SYNCHRONIZATION BETWEEN SERVERS

As Coach’s selected provider of backend registry services, Verisign uses synchronous replication to keep the Verisign SRS continuously in sync between the two data centers. This synchronization is performed in near-real time, thereby supporting rapid failover should a failure occur or a planned maintenance outage be required.

1.6 SYNCHRONIZATION SCHEME

Verisign uses synchronous replication to keep the Verisign SRS continuously in sync between the two data centers. Because the alternate-primary site is continuously up, and built using an identical design to the primary data center, it is classified as a “hot standby.”

2 SCALABILITY AND PERFORMANCE ARE CONSISTENT WITH THE OVERALL BUSINESS APPROACH AND PLANNED SIZE OF THE REGISTRY

Verisign is an experienced backend registry provider that has developed and uses proprietary system scaling models to guide the growth of its TLD supporting infrastructure. These models direct Verisign’s infrastructure scaling to include, but not be limited to, server capacity, data storage volume, and network throughput that are aligned to projected demand and usage patterns. Verisign periodically updates these models to account for the adoption of more capable and cost-effective technologies.

Verisign’s scaling models are proven predictors of needed capacity and related cost. As such, they provide the means to link the projected infrastructure needs of the .coach gTLD with necessary implementation and sustainment cost. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its scaling models, Verisign derived the necessary infrastructure required to implement and sustain this gTLD. Verisign’s pricing for the backend registry services it provides to Coach fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.

3 TECHNICAL PLAN THAT IS ADEQUATELY RESOURCED IN THE PLANNED COSTS DETAILED IN THE FINANCIAL SECTION

Verisign, the Coach’s selected provider of backend registry services, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services provided to Coach fully accounts for this personnel-related cost, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.

Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings.

Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support SRS performance:

- Application Engineers: 19

- Database Administrators: 8

- Database Engineers: 3

- Network Administrators: 11

- Network Architects: 4

- Project Managers: 25

- Quality Assurance Engineers: 11

- SRS System Administrators: 13

- Storage Administrators: 4

- Systems Architects: 9

To implement and manage the .coach gTLD as described in this application, Verisign, Coach’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area.

When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.

4 EVIDENCE OF COMPLIANCE WITH SPECIFICATION 6 AND 10 TO THE REGISTRY AGREEMENT

SECTION 1.2 (EPP) OF SPECIFICATION 6, REGISTRY INTEROPERABILITY AND CONTINUITY SPECIFICATIONS.

Verisign, Coach’s selected backend registry services provider, provides these services using its SRS, which complies fully with Specification 6, Section 1.2 of the Registry Agreement. In using its SRS to provide backend registry services, Verisign implements and complies with relevant existing RFCs (i.e., 5730, 5731, 5732, 5733, 5734, and 5910) and intends to comply with RFCs that may be published in the future by the Internet Engineering Task Force (IETF), including successor standards, modifications, or additions thereto relating to the provisioning and management of domain names that use EPP. In addition, Verisign’s SRS includes a Registry Grace Period (RGP) and thus complies with RFC 3915 and its successors. Details of the Verisign SRS’ compliance with RFC SRS⁄EPP are provided in the response to Question 25, Extensible Provisioning Protocol. Verisign does not use functionality outside the base EPP RFCs, although proprietary EPP extensions are documented in Internet-Draft format following the guidelines described in RFC 3735 within the response to Question 25. Moreover, prior to deployment, Coach will provide to ICANN updated documentation of all the EPP objects and extensions supported in accordance with Specification 6, Section 1.2.

SPECIFICATION 10, EPP REGISTRY PERFORMANCE SPECIFICATIONS.

Verisign’s SRS meets all EPP Registry Performance Specifications detailed in Specification 10, Section 2. Evidence of this performance can be verified by a review of the .com and .net Registry Operator’s Monthly Reports, which Verisign files with ICANN. These reports detail Verisign’s operational status of the .com and .net registries, which use an SRS design and approach comparable to the one proposed for the .coach gTLD. These reports provide evidence of Verisign’s ability to meet registry operation service level agreements (SLAs) comparable to those detailed in Specification 10. The reports are accessible at the following URL: http:⁄⁄www.icann.org⁄en⁄tlds⁄monthly-reports⁄.

In accordance with EPP Registry Performance Specifications detailed in Specification 10, Verisignʹs SRS meets the following performance attributes:

- EPP service availability: ≤ 864 minutes of downtime (≈98%)

- EPP session-command round trip time (RTT): ≤4000 milliseconds (ms), for at least 90 percent of the commands

- EPP query-command RTT: ≤2000 ms, for at least 90 percent of the commands

- EPP transform-command RTT: ≤4000 ms, for at least 90 percent of the commands

25 EXTENSIBLE PROVISIONING PROTOCOL (EPP)


1 COMPLETE KNOWLEDGE AND UNDERSTANDING OF THIS ASPECT OF REGISTRY TECHNICAL REQUIREMENTS

Verisign, Coach’s selected backend registry services provider, has used Extensible Provisioning Protocol (EPP) since its inception and possesses complete knowledge and understanding of EPP registry systems. Its first EPP implementation— for a thick registry for the .name generic top-level domain (gTLD)—was in 2002. Since then Verisign has continued its RFC-compliant use of EPP in multiple TLDs, as detailed in Figure 25-1. 

Verisign’s understanding of EPP and its ability to implement code that complies with the applicable RFCs is unparalleled. Mr. Scott Hollenbeck, Verisign’s director of software development, authored the Extensible Provisioning Protocol and continues to be fully engaged in its refinement and enhancement (U.S. Patent Number 7299299 – Shared registration system for registering domain names). Verisign has also developed numerous new object mappings and object extensions following the guidelines in RFC 3735 (Guidelines for Extending the Extensible Provisioning Protocol). Mr. James Gould, a principal engineer at Verisign, led and co-authored the most recent EPP Domain Name System Security Extensions (DNSSEC) RFC effort (RFC 5910).

All registry systems for which Verisign is the registry operator or provides backend registry services use EPP. Upon approval of this application, Verisign will use EPP to provide the backend registry services for this gTLD. The .com, .net, and .name registries for which Verisign is the registry operator use an SRS design and approach comparable to the one proposed for this gTLD. Approximately 915 registrars use the Verisign EPP service, and the registry system performs more than 140 million EPP transactions daily without performance issues or restrictive maintenance windows. The processing time service level agreement (SLA) requirements for the Verisign-operated .net gTLD are the strictest of the current Verisign managed gTLDs. All processing times for Verisign-operated gTLDs can be found in ICANN’s Registry Operator’s Monthly Reports at http:⁄⁄www.icann.org⁄en⁄tlds⁄monthly-reports⁄. 

Verisign has also been active on the Internet Engineering Task Force (IETF) Provisioning Registry Protocol (provreg) working group and mailing list since work started on the EPP protocol in 2000. This working group provided a forum for members of the Internet community to comment on Mr. Scott Hollenbeck’s initial EPP drafts, which Mr. Hollenbeck refined based on input and discussions with representatives from registries, registrars, and other interested parties. The working group has since concluded, but the mailing list is still active to enable discussion of different aspects of EPP.



1.1 EPP INTERFACE WITH REGISTRARS

Verisign, Coach’s selected backend registry services provider,  fully supports the features defined in the EPP specifications and provides a set of software development kits (SDK) and tools to help registrars build secure and stable interfaces. Verisign’s SDKs give registrars the option of either fully writing their own EPP client software to integrate with the Shared Registration System (SRS), or using the Verisign-provided SDKs to aid them in the integration effort. Registrars can download the Verisign EPP SDKs and tools from the registrar website (http:⁄⁄www.Verisign.com⁄domain-name-services⁄current-registrars⁄epp-sdk⁄index.html). 

The EPP SDKs provide a host of features including connection pooling, Secure Sockets Layer (SSL), and a test server (stub server) to run EPP tests against. One tool—the EPP tool—provides a web interface for creating EPP Extensible Markup Language (XML) commands and sending them to a configurable set of target servers. This helps registrars in creating the template XML and testing a variety of test cases against the EPP servers. An Operational Test and Evaluation (OT&E) environment, which runs the same software as the production system so approved registrars can integrate and test their software before moving into a live production environment, is also available. 



2 TECHNICAL PLAN SCOPE⁄SCALE CONSISTENT WITH THE OVERALL BUSINESS APPROACH AND PLANNED SIZE OF THE REGISTRY

Verisign, Coach’s selected backend registry services provider, is an experienced backend registry provider that has developed and uses proprietary system scaling models to guide the growth of its TLD supporting infrastructure. These models direct Verisign’s infrastructure scaling to include, but not be limited to, server capacity, data storage volume, and network throughput that are aligned to projected demand and usage patterns. Verisign periodically updates these models to account for the adoption of more capable and cost-effective technologies. 

Verisign’s scaling models are proven predictors of needed capacity and related cost. As such, they provide the means to link the projected infrastructure needs of the .coach gTLD with necessary implementation and sustainment cost. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its scaling models, Verisign derived the necessary infrastructure required to implement and sustain this gTLD. Verisign’s pricing for the backend registry services it provides to Coach fully accounts for cost related to this infrastructure, which is provided as  “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.



3 TECHNICAL PLAN THAT IS ADEQUATELY RESOURCED IN THE PLANNED COSTS DETAILED IN THE FINANCIAL SECTION

Verisign, Coach’s selected backend registry services provider, is an experienced backend registry provider that  has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to Coach fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response. 

Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings. 

Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support the provisioning of EPP services:

	- Application Engineers: 19 

	- Database Engineers: 3 

	- Quality Assurance Engineers: 11 


To implement and manage the .coach gTLD as described in this application, Verisign, Coach’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area. 

When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed TLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.



4 ABILITY TO COMPLY WITH RELEVANT RFCS 

Verisign, Coach’s selected backend registry services provider, incorporates design reviews, code reviews, and peer reviews into its software development lifecycle (SDLC) to ensure compliance with the relevant RFCs. Verisign’s dedicated QA team creates extensive test plans and issues internal certifications when it has confirmed the accuracy of the code in relation to the RFC requirements. Verisign’s QA organization is independent from the development team within engineering. This separation helps Verisign ensure adopted processes and procedures are followed, further ensuring that all software releases fully consider the security and stability of the TLD. 

For the .coach gTLD, the Shared Registration System (SRS) complies with the following IETF EPP specifications, where the XML templates and XML schemas are defined in the following specifications:

	- EPP RGP 3915 (http:⁄⁄www.apps.ietf.org⁄rfc⁄rfc3915.html): EPP Redemption Grace Period (RGP) Mapping specification for support of RGP statuses and support of Restore Request and Restore Report (authored by Verisign’s Scott Hollenbeck)

	- EPP 5730 (http:⁄⁄tools.ietf.org⁄html⁄rfc5730): Base EPP specification (authored by Verisign’s Scott Hollenbeck)

	- EPP Domain 5731 (http:⁄⁄tools.ietf.org⁄html⁄rfc5731): EPP Domain Name Mapping specification (authored by Verisign’s Scott Hollenbeck)

	- EPP Host 5732 (http:⁄⁄tools.ietf.org⁄html⁄rfc5732): EPP Host Mapping specification (authored by Verisign’s Scott Hollenbeck)

	- EPP Contact 5733 (http:⁄⁄tools.ietf.org⁄html⁄rfc5733): EPP Contact Mapping specification (authored by Verisign’s Scott Hollenbeck)

	- EPP TCP 5734 (http:⁄⁄tools.ietf.org⁄html⁄rfc5734): EPP Transport over Transmission Control Protocol (TCP) specification (authored by Verisign’s Scott Hollenbeck)

	- EPP DNSSEC 5910 (http:⁄⁄tools.ietf.org⁄html⁄rfc5910): EPP Domain Name System Security Extensions (DNSSEC) Mapping specification (authored by Verisign’s James Gould and Scott Hollenbeck)



5 PROPRIETARY EPP EXTENSIONS

Verisign, Coach’s selected backend registry services provider, uses its SRS to provide registry services. The SRS supports the following EPP specifications, which Verisign developed following the guidelines in RFC 3735, where the XML templates and XML schemas are defined in the specifications:

	- IDN Language Tag (http:⁄⁄www.verisigninc.com⁄assets⁄idn-language-tag.pdf): EPP internationalized domain names (IDN) language tag extension used for IDN domain name registrations

	- RGP Poll Mapping (http:⁄⁄www.verisigninc.com⁄assets⁄whois-info-extension.pdf): EPP mapping for an EPP poll message in support of Restore Request and Restore Report

	- Whois Info Extension (http:⁄⁄www.verisigninc.com⁄assets⁄whois-info-extension.pdf): EPP extension for returning additional information needed for transfers

	- EPP ConsoliDate Mapping (http:⁄⁄www.verisigninc.com⁄assets⁄consolidate-mapping.txt): EPP mapping to support a Domain Sync operation for synchronizing domain name expiration dates

	- NameStore Extension (http:⁄⁄www.verisigninc.com⁄assets⁄namestore-extension.pdf): EPP extension for routing with an EPP intelligent gateway to a pluggable set of backend products and services

	- Low Balance Mapping (http:⁄⁄www.verisigninc.com⁄assets⁄low-balance-mapping.pdf): EPP mapping to support low balance poll messages that proactively notify registrars of a low balance (available credit) condition

As part of the 2006 implementation report to bring the EPP RFC documents from Proposed Standard status to Draft Standard status, an implementation test matrix was completed. Two independently developed EPP client implementations based on the RFCs were tested against the Verisign EPP server for the domain, host, and contact transactions. No compliance-related issues were identified during this test, providing evidence that these extensions comply with RFC 3735 guidelines and further demonstrating Verisign’s ability to design, test, and deploy an RFC-compliant EPP implementation.



5.1 EPP TEMPLATES AND SCHEMAS

The EPP XML schemas are formal descriptions of the EPP XML templates. They are used to express the set of rules to which the EPP templates must conform in order to be considered valid by the schema. The EPP schemas define the building blocks of the EPP templates, describing the format of the data and the different EPP commands’ request and response formats. The current EPP implementations managed by Verisign, Coach’s selected backend registry services provider, use these EPP templates and schemas, as will the proposed TLD. For each proprietary XML template⁄schema Verisign provides a reference to the applicable template and includes the schema.



XML TEMPLATES⁄SCHEMA FOR IDNLANG-1.0

	- Template: The templates for idnLang-1.0 can be found in Chapter 3, EPP Command Mapping of the relevant EPP documentation, http:⁄⁄www.verisigninc.com⁄assets⁄idn-language-tag.pdf. 


	- Schema is set out in Figure 25-2
This schema describes the extension mapping for the IDN language tag. The mapping extends the EPP domain name mapping to provide additional features required for the provisioning of IDN domain name registrations.



XML TEMPLATES⁄SCHEMA FOR RGP-POLL-1.0

	- Template: The templates for rgp-poll-1.0 can be found in Chapter 3, EPP Command Mapping of the relevant EPP documentation, http:⁄⁄www.verisigninc.com⁄assets⁄rgp-poll-mapping.pdf.


	- Schema is set out in Figure 25-3: 
This schema describes the extension mapping for poll notifications. The mapping extends the EPP base mapping to provide additional features for registry grace period (RGP) poll notifications.



XML TEMPLATES⁄SCHEMA FOR WHOISINF-1.0

	- Template: The templates for whoisInf-1.0 can be found in Chapter 3, EPP Command Mapping of the relevant EPP documentation, http:⁄⁄www.verisigninc.com⁄assets⁄whois-info-extension.pdf.


	- Schema is set out in Figure 25-4: 
This schema describes the extension mapping for the Whois Info extension. The mapping extends the EPP domain name mapping to provide additional features for returning additional information needed for transfers.



XML TEMPLATES⁄SCHEMA FOR SYNC-1.0 (CONSOLIDATE)

	- Template: The templates for sync-1.0 can be found in Chapter 3, EPP Command Mapping of the relevant EPP documentation, http:⁄⁄www.verisigninc.com⁄assets⁄consolidate-mapping.txt.

	- Schema is set out in Figure 25-5: 
This schema describes the extension mapping for the synchronization of domain name registration period expiration dates. This service is known as ʺConsoliDate.ʺ The mapping extends the EPP domain name mapping to provide features that allow a protocol client to end a domain name registration period on a specific month and day.



XML TEMPLATES⁄SCHEMA FOR NAMESTOREEXT-1.1

	- Template: The templates for namestoreExt-1.1 can be found in Chapter 3, EPP Command Mapping of the relevant EPP documentation, http:⁄⁄www.verisigninc.com⁄assets⁄namestore-extension.pdf.


	- Schema is set out in Figure 25-6: 
This schema describes the extension mapping for the routing with an EPP intelligent gateway to a pluggable set of backend products and services. The mapping extends the EPP domain name and host mapping to provide a sub-product identifier to identify the target sub-product that the EPP operation is intended for.



XML TEMPLATES⁄SCHEMA FOR LOWBALANCE-POLL-1.0

	- Template: The templates for lowbalance-poll-1.0 can be found in Chapter 3, EPP Command Mapping of the relevant EPP documentation, http:⁄⁄www.verisigninc.com⁄assets⁄low-balance-mapping.pdf.


	- Schema is set out in Figure 25-7: 
This schema describes the extension mapping for the account low balance notification. The mapping extends the EPP base mapping so an account holder can be notified via EPP poll messages whenever the available credit for an account reaches or goes below the credit threshold.



6 PROPRIETARY EPP EXTENSION CONSISTENCY WITH REGISTRATION LIFECYCLE 

Coach’s selected backend registry services provider’s (Verisign’s) proprietary EPP extensions, defined in Section 5 above, are consistent with the registration lifecycle documented in the response to Question 27, Registration Lifecycle.  Details of the registration lifecycle are presented in that response. As new registry features are required, Verisign develops proprietary EPP extensions to address new operational requirements. Consistent with ICANN procedures Verisign adheres to all applicable Registry Services Evaluation Process (RSEP) procedures.

26 WHOIS

1 COMPLETE KNOWLEDGE AND UNDERSTANDING OF THIS ASPECT OF REGISTRY TECHNICAL REQUIREMENTS

Verisign, Coach’s selected backend registry services provider, has operated the Whois lookup service for the gTLDs and ccTLDs it manages since 1991, and will provide these proven services for the .coach gTLD registry. In addition, it continues to work with the Internet community to improve the utility of Whois data, while thwarting its application for abusive uses.

1.1 HIGH-LEVEL WHOIS SYSTEM DESCRIPTION

Like all other components of Coach’s selected backend registry services provider’s (Verisign’s) registry service, Verisign’s Whois system is designed and built for both reliability and performance in full compliance with applicable RFCs. Verisign’s current Whois implementation has answered more than five billion Whois queries per month for the TLDs it manages, and has experienced more than 250,000 queries per minute in peak conditions. The proposed gTLD uses a Whois system design and approach that is comparable to the current implementation. Independent quality control testing ensures Verisign’s Whois service is RFC-compliant through all phases of its lifecycle. 

Verisignʹs redundant Whois databases further contribute to overall system availability and reliability. The hardware and software for its Whois service is architected to scale both horizontally (by adding more servers) and vertically (by adding more CPUs and memory to existing servers) to meet future need.

Verisign can fine-tune access to its Whois database on an individual Internet Protocol (IP) address basis, and it works with registrars to help ensure their services are not limited by any restriction placed on Whois. Verisign provides near real-time updates for Whois services for the TLDs under its management. As information is updated in the registration database, it is propagated to the Whois servers for quick publication. These updates align with the near real-time publication of Domain Name System (DNS) information as it is updated in the registration database. This capability is important for the .coach gTLD registry as it is Verisign’s experience that when DNS data is updated in near real time, so should Whois data be updated to reflect the registration specifics of those domain names.

Verisign’s Whois response time has been less than 500 milliseconds for 95 percent of all Whois queries in .com, .net, .tv, and .cc. The response time in these TLDs, combined with Verisign’s capacity, enables the Whois system to respond to up to 30,000 searches (or queries) per second for a total capacity of 2.6 billion queries per day.

The Whois software written by Verisign complies with RFC 3912. Verisign uses an advanced in-memory database technology to provide exceptional overall system performance and security. In accordance with RFC 3912, Verisign provides a website at whois.nic.〈TLD〉 that provides free public query-based access to the registration data. 

Verisign currently operates both thin and thick Whois systems. 

Verisign commits to implementing a RESTful Whois service upon finalization of agreements with the IETF (Internet Engineering Task Force).

PROVIDED FUNCTIONALITIES FOR USER INTERFACE

To use the Whois service via port 43, the user enters the applicable parameter on the command line as illustrated here:

	- For domain name: whois EXAMPLE.TLD

	- For registrar: whois ʺregistrar Example Registrar, Inc.ʺ

	- For name server: whois ʺNS1.EXAMPLE.TLDʺ or whois ʺname server (IP address)ʺ

To use the Whois service via the web-based directory service search interface:

	- Go to http:⁄⁄whois.nic.〈TLD〉

	- Click on the appropriate button (Domain, Registrar, or Name Server)

	- Enter the applicable parameter:

	- Domain name, including the TLD (e.g., EXAMPLE.TLD)

	- Full name of the registrar, including punctuation (e.g., Example Registrar, Inc.)

	- Full host name or the IP address (e.g., NS1.EXAMPLE.TLD or 198.41.3.39)

	- Click on the Submit button.

PROVISIONS TO ENSURE THAT ACCESS IS LIMITED TO LEGITIMATE AUTHORIZED USERS AND IS IN COMPLIANCE WITH APPLICABLE PRIVACY LAWS OR POLICIES

To further promote reliable and secure Whois operations, Verisign, Coach’s selected backend registry services provider, has implemented rate-limiting characteristics within the Whois service software. For example, to prevent data mining or other abusive behavior, the service can throttle a specific requestor if the query rate exceeds a configurable threshold. In addition, QoS technology enables rate limiting of queries before they reach the servers, which helps protect against denial of service (DoS) and distributed denial of service (DDoS) attacks. 

Verisign’s software also permits restrictions on search capabilities. For example, wild card searches can be disabled. If needed, it is possible to temporarily restrict and⁄or block requests coming from specific IP addresses for a configurable amount of time. Additional features that are configurable in the Whois software include help files, headers and footers for Whois query responses, statistics, and methods to memory map the database. Furthermore, Verisign is European Union (EU) Safe Harbor certified and has worked with European data protection authorities to address applicable privacy laws by developing a tiered Whois access structure that requires users who require access to more extensive data to (i) identify themselves, (ii) confirm that their use is for a specified purpose and (iii) enter into an agreement governing their use of the more extensive Whois data. 

1.2 RELEVANT NETWORK DIAGRAMS

Figure 26-1 provides a summary network diagram of the Whois service provided by Verisign, Coach’s selected backend registry services provider. The figure details the configuration with one resolution⁄Whois site. For the .coach gTLD Verisign provides Whois service from 6 of its 17 primary sites based on the proposed gTLD’s traffic volume and patterns. A functionally equivalent resolution architecture configuration exists at each Whois site. 

1.3 IT AND INFRASTRUCTURE RESOURCES

Figure 26-2 summarizes the IT and infrastructure resources that Verisign, Coach’s selected backend registry services provider, uses to provision Whois services from Verisign primary resolution sites. As needed, virtual machines are created based on actual and projected demand.

1.4 DESCRIPTION OF INTERCONNECTIVITY WITH OTHER REGISTRY SYSTEMS

Figure 26-3 provides a technical overview of the registry system provided by Verisign, Coach’s selected backend registry services provider, and shows how the Whois service component fits into this larger system and interconnects with other system components. 

1.5 FREQUENCY OF SYNCHRONIZATION BETWEEN SERVERS

Synchronization between the SRS and the geographically distributed Whois resolution sites occurs approximately every three minutes. Verisign, Coach’s selected backend registry services provider, uses a two-part Whois update process to ensure Whois data is accurate and available. Every 12 hours an initial file is distributed to each resolution site. This file is a complete copy of all Whois data fields associated with each domain name under management. As interactions with the SRS cause the Whois data to be changed, these incremental changes are distributed to the resolution sites as an incremental file update. This incremental update occurs approximately every three minutes. When the new 12-hour full update is distributed, this file includes all past incremental updates. Verisign’s approach to frequency of synchronization between servers meets the Performance Specifications defined in Specification 10 of the Registry Agreement for new gTLDs.  

2 TECHNICAL PLAN SCOPE⁄SCALE CONSISTENT WITH THE OVERALL BUSINESS APPROACH AND PLANNED SIZE OF THE REGISTRY

Verisign, Coach’s selected backend registry services provider, is an experienced backend registry provider that has developed and uses proprietary system scaling models to guide the growth of its TLD supporting infrastructure. These models direct Verisign’s infrastructure scaling to include, but not be limited to, server capacity, data storage volume, and network throughput that are aligned to projected demand and usage patterns. Verisign periodically updates these models to account for the adoption of more capable and cost-effective technologies. 

Verisign’s scaling models are proven predictors of needed capacity and related cost. As such, they provide the means to link the projected infrastructure needs of the .coach gTLD with necessary implementation and sustainment cost. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its scaling models, Verisign derived the necessary infrastructure required to implement and sustain this gTLD. Verisign’s pricing for the backend registry services it provides to Coach fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.

3 TECHNICAL PLAN THAT IS ADEQUATELY RESOURCED IN THE PLANNED COSTS DETAILED IN THE FINANCIAL SECTION

Verisign, Coach’s selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to Coach fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response. 

Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings. 

Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support Whois services:

	- Application Engineers: 19
	- Database Engineers: 3
	- Quality Assurance Engineers: 11

To implement and manage the .coach gTLD as described in this application, Verisign, Coach’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area. 

When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.

4 COMPLIANCE WITH RELEVANT RFC

Coach’s selected backend registry services provider’s (Verisign’s) Whois service complies with the data formats defined in Specification 4 of the Registry Agreement. Verisign will provision Whois services for registered domain names and associated data in the top-level domain (TLD). Verisign’s Whois services are accessible over Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), via both Transmission Control Protocol (TCP) port 43 and a web-based directory service at whois.nic.〈TLD〉, which in accordance with RFC 3912, provides free public query-based access to domain name, registrar, and name server lookups. Verisign’s proposed Whois system meets all requirements as defined by ICANN for each registry under Verisign management. Evidence of this successful implementation, and thus compliance with the applicable RFCs, can be verified by a review of the .com and .net Registry Operator’s Monthly Reports that Verisign files with ICANN. These reports provide evidence of Verisign’s ability to meet registry operation service level agreements (SLAs) comparable to those detailed in Specification 10. The reports are accessible at the following URL: http:⁄⁄www.icann.org⁄en⁄tlds⁄monthly-reports⁄.  

5 COMPLIANCE WITH SPECIFICATIONS 4 AND 10 OF REGISTRY AGREEMENT

In accordance with Specification 4, Verisign, Coach’s selected backend registry services provider, provides a Whois service that is available via both port 43 in accordance with RFC 3912, and a web-based directory service at whois.nic.〈TLD〉 also in accordance with RFC 3912, thereby providing free public query-based access. Verisign acknowledges that ICANN reserves the right to specify alternative formats and protocols, and upon such specification, Verisign will implement such alternative specification as soon as reasonably practicable.

The format of the following data fields conforms to the mappings specified in Extensible Provisioning Protocol (EPP) RFCs 5730 – 5734 so the display of this information (or values returned in Whois responses) can be uniformly processed and understood: domain name status, individual and organizational names, address, street, city, state⁄province, postal code, country, telephone and fax numbers, email addresses, date, and times.

Specifications for data objects, bulk access, and lookups comply with Specification 4 and are detailed in the following subsections, provided in both bulk access and lookup modes. 

BULK ACCESS MODE. 

This data is provided on a daily schedule to a party designated from time to time in writing by ICANN. The specification of the content and format of this data, and the procedures for providing access, shall be as stated below, until revised in the ICANN Registry Agreement. 

The data is provided in three files:

	- Domain Name File: For each domain name, the file provides the domain name, server name for each name server, registrar ID, and updated date.
	- Name Server File: For each registered name server, the file provides the server name, each IP address, registrar ID, and updated date.

	- Registrar File: For each registrar, the following data elements are provided: registrar ID, registrar address, registrar telephone number, registrar email address, Whois server, referral URL, updated date, and the name, telephone number, and email address of all the registrarʹs administrative, billing, and technical contacts.

LOOKUP MODE. 

Figures 26-4 through Figure 26-6 provide the query and response format for domain name, registrar, and name server data objects.

5.1 SPECIFICATION 10, RDDS REGISTRY PERFORMANCE SPECIFICATIONS

The Whois service meets all registration data directory services (RDDS) registry performance specifications detailed in Specification 10, Section 2. Evidence of this performance can be verified by a review of the .com and .net Registry Operator’s Monthly Reports that Verisign files monthly with ICANN. These reports are accessible from the ICANN website at the following URL: http:⁄⁄www.icann.org⁄en⁄tlds⁄monthly-reports⁄.  

In accordance with RDDS registry performance specifications detailed in Specification 10, Verisignʹs Whois service meets the following proven performance attributes:

	- RDDS availability: less than or equal to 864 min of downtime (is approximately equal to 98%)

	- RDDS query RTT: less than or equal to 2000 ms, for at least 95% of the queries

	- RDDS update time: less than or equal to 60 min, for at least 95% of the probes

6 SEARCHABLE WHOIS

Verisign, Coach’s selected backend registry services provider, provides a searchable Whois service for the .coach gTLD. Verisign has experience in providing tiered access to Whois for the .name registry, and uses these methods and control structures to help reduce potential malicious use of the function. The searchable Whois system currently uses Apache’s Lucene full text search engine to index relevant Whois content with near-real time incremental updates from the provisioning system.

Features of the Verisign searchable Whois function include:

	- Provision of a web-based searchable directory service

	- Ability to perform partial match, at least, for the following data fields: domain name, contacts and registrant’s name, and contact and registrant’s postal address, including all the sub-fields described in EPP (e.g., street, city, state, or province)

	- Ability to perform exact match, at least, on the following fields: registrar ID, name server name, and name server’s IP address (only applies to IP addresses stored by the registry, i.e., glue records)

	- Ability to perform Boolean search supporting, at least, the following logical operators to join a set of search criteria: AND, OR, NOT
 
	- Search results that include domain names that match the selected search criteria

Verisign’s implementation of searchable Whois is EU Safe Harbor certified and includes appropriate access control measures that help ensure that only legitimate authorized users can use the service. Furthermore, Verisign’s compliance office monitors current ICANN policy and applicable privacy laws or policies to help ensure the solution is maintained within compliance of applicable regulations. Features of these access control measures include:
 
	- All unauthenticated searches are returned as thin results.

	- Registry system authentication is used to grant access to appropriate users for thick Whois data search results.

	- Account access is granted by the Coach’s defined .coach gTLD admin user.

POTENTIAL FORMS OF ABUSE AND RELATED RISK MITIGATION. 

Leveraging its experience providing tiered access to Whois for the .name registry and interacting with ICANN, data protection authorities, and applicable industry groups, Verisign, Coach’s selected backend registry services provider, is knowledgeable of the likely data mining forms of abuse associated with a searchable Whois service. Figure 26-7 summarizes these potential forms of abuse and Verisign’s approach to mitigate the identified risk.

27 REGISTRATION LIFECYCLE

1 COMPLETE KNOWLEDGE AND UNDERSTANDING OF REGISTRATION LIFECYCLES AND STATES

Starting with domain name registration and continuing through domain name delete operations, Coach’s selected backend registry services provider’s (Verisign’s) registry implements the full registration lifecycle for domain names supporting the operations in the Extensible Provisioning Protocol (EPP) specification. The registration lifecycle of the domain name starts with registration and traverses various states as specified in the following sections. The registry system provides options to update domain names with different server and client status codes that block operations based on the EPP specification. The system also provides different grace periods for different billable operations, where the price of the billable operation is credited back to the registrar if the billable operation is removed within the grace period. Together Figure 27-1 and Figure 27-2 define the registration states comprising the registration lifecycle and explain the trigger points that cause state-to-state transitions. States are represented as green rectangles within Figure 27-1.

1.1 REGISTRATION LIFECYCLE OF CREATE⁄UPDATE⁄DELETE

The following section details the create⁄update⁄delete processes and the related renewal process that Verisign, Coach’s selected backend registry services provider, follows. For each process, this response defines the process function and its characterization, and as appropriate provides a process flow chart.

CREATE PROCESS.

The domain name lifecycle begins with a registration or what is referred to as a Domain Name Create operation in EPP. The system fully supports the EPP Domain Name Mapping as defined by RFC 5731, where the associated objects (e.g., hosts and contacts) are created independent of the domain name.

PROCESS CHARACTERIZATION.

The Domain Name Create command is received, validated, run through a set of business rules, persisted to the database, and committed in the database if all business rules pass. The domain name is included with the data flow to the DNS and Whois resolution services. If no name servers are supplied, the domain name is not included with the data flow to the DNS. A successfully created domain name has the created date and expiration date set in the database. Creates are subject to grace periods as described in Section 1.3 of this response, Add Grace Period, Redemption Grace Period, and Notice Periods for Renewals or Transfers.

The Domain Name Create operation is detailed in Figure 27-3 and requires the following attributes:

- A domain name that meets the string restrictions.

- A domain name that does not already exist.

- The registrar is authorized to create a domain name in .coach.

- The registrar has available credit.

- A valid Authorization Information (Auth-Info) value.

- Required contacts (e.g., registrant, administrative contact, technical contact, and billing contact) are specified and exist.

- The specified name servers (hosts) exist, and there is a maximum of 13 name servers.

- A period in units of years with a maximum value of 10 (default period is one year).

RENEWAL PROCESS.

The domain name can be renewed unless it has any form of Pending Delete, Pending Transfer, or Renew Prohibited.

A request for renewal that sets the expiry date to more than ten years in the future is denied. The registrar must pass the current expiration date (without the timestamp) to support the idempotent features of EPP, where sending the same command a second time does not cause unexpected side effects.

Automatic renewal occurs when a domain name expires. On the expiration date, the registry extends the registration period one year and debits the registrar account balance. In the case of an auto-renewal of the domain name, a separate Auto-Renew grace period applies. Renewals are subject to grace periods as described in Section 1.3 of this response, Add Grace Period, Redemption Grace Period, and Notice Periods for Renewals or Transfers.

PROCESS CHARACTERIZATION.

The Domain Name Renew command is received, validated, authorized, and run through a set of business rules. The data is updated and committed in the database if it passes all business rules. The updated domain name’s expiration date is included in the flow to the Whois resolution service.

The Domain Name Renew operation is detailed in Figure 27-4 and requires the following attributes:

- A domain name that exists and is sponsored by the requesting registrar.

- The registrar is authorized to renew a domain name in .coach.

- The registrar has available credit.

- The passed current expiration date matches the domain name’s expiration date.

- A period in units of years with a maximum value of 10 (default period is one year). A domain name expiry past ten years is not allowed.

REGISTRAR TRANSFER PROCEDURES.

A registrant may transfer his⁄her domain name from his⁄her current registrar to another registrar. The database system allows a transfer as long as the transfer is not within the initial 60 days, per industry standard, of the original registration date.
The registrar transfer process goes through many process states, which are described in detail below, unless it has any form of Pending Delete, Pending Transfer, or Transfer Prohibited.
A transfer can only be initiated when the appropriate Auth-Info is supplied. The Auth-Info for transfer is only available to the current registrar. Any other registrar requesting to initiate a transfer on behalf of a registrant must obtain the Auth-Info from the registrant.

The Auth-Info is made available to the registrant upon request. The registrant is the only party other than the current registrar that has access to the Auth-Info. Registrar transfer entails a specified extension of the expiry date for the object. The registrar transfer is a billable operation and is charged identically to a renewal for the same extension of the period. This period can be from one to ten years, in one-year increments.

Because registrar transfer involves an extension of the registration period, the rules and policies applying to how the resulting expiry date is set after transfer are based on the renewal policies on extension.

Per industry standard, a domain name cannot be transferred to another registrar within the first 60 days after registration. This restriction continues to apply if the domain name is renewed during the first 60 days. Transfer of the domain name changes the sponsoring registrar of the domain name, and also changes the child hosts (ns1.sample.xyz) of the domain name (sample .xyz).

The domain name transfer consists of five separate operations:

- Transfer Request (Figure 27-5): Executed by a non-sponsoring registrar with the valid Auth-Info provided by the registrant. The Transfer Request holds funds of the requesting registrar but does not bill the registrar until the transfer is completed. The sponsoring registrar receives a Transfer Request poll message.

- Transfer Cancel (Figure 27-6): Executed by the requesting registrar to cancel the pending transfer. The held funds of the requesting registrar are reversed. The sponsoring registrar receives a Transfer Cancel poll message.

- Transfer Approve (Figure 27-7): Executed by the sponsoring registrar to approve the Transfer Request. The requesting registrar is billed for the Transfer Request and the sponsoring registrar is credited for an applicable Auto-Renew grace period. The requesting registrar receives a Transfer Approve poll message.

- Transfer Reject (Figure 27-8): Executed by the sponsoring registrar to reject the pending transfer. The held funds of the requesting registrar are reversed. The requesting registrar receives a Transfer Reject poll message.

- Transfer Query (Figure 27-9): Executed by either the requesting registrar or the sponsoring registrar of the last transfer.

The registry auto-approves a transfer if the sponsoring registrar takes no action. The requesting registrar is billed for the Transfer Request and the sponsoring registrar is credited for an applicable Auto-Renew grace period. The requesting registrar and the sponsoring registrar receive a Transfer Auto-Approve poll message.

DELETE PROCESS.

A registrar may choose to delete the domain name at any time.

PROCESS CHARACTERIZATION.

The domain name can be deleted, unless it has any form of Pending Delete, Pending Transfer, or Delete Prohibited.

A domain name is also prohibited from deletion if it has any in-zone child hosts that are name servers for domain names. For example, the domain name “sample.xyz” cannot be deleted if an in-zone host “ns.sample.xyz” exists and is a name server for “sample2.xyz.”

If the Domain Name Delete occurs within the Add grace period, the domain name is immediately deleted and the sponsoring registrar is credited for the Domain Name Create. If the Domain Name Delete occurs outside the Add grace period, it follows the Redemption grace period (RGP) lifecycle.

UPDATE PROCESS.

The sponsoring registrar can update the following attributes of a domain name:

- Auth-Info

- Name servers

- Contacts (i.e., registrant, administrative contact, technical contact, and billing contact)

- Statuses (e.g., Client Delete Prohibited, Client Hold, Client Renew Prohibited, Client Transfer Prohibited, Client Update Prohibited)

PROCESS CHARACTERIZATION.

Updates are allowed provided that the update includes the removal of any Update Prohibited status. The Domain Name Update operation is detailed in Figure 27-10.

A domain name can be updated unless it has any form of Pending Delete, Pending Transfer, or Update Prohibited.

1.2 PENDING, LOCKED, EXPIRED, AND TRANSFERRED

Verisign, Coach’s selected backend registry services provider, handles pending, locked, expired, and transferred domain names as described here. When the domain name is deleted after the five-day Add grace period, it enters into the Pending Delete state. The registrant can return its domain name to active any time within the five-day Pending

DELETE GRACE PERIOD.

After the five-day Pending Delete grace period expires, the domain name enters the Redemption Pending state and then is deleted by the system. The registrant can restore the domain name at any time during the Redemption Pending state.

When a non-sponsoring registrar initiates the domain name transfer request, the domain name enters Pending Transfer state and a notification is mailed to the sponsoring registrar for approvals. If the sponsoring registrar doesn’t respond within five days, the Pending Transfer expires and the transfer request is automatically approved.

EPP specifies both client (registrar) and server (registry) status codes that can be used to prevent registry changes that are not intended by the registrant. Currently, many registrars use the client status codes to protect against inadvertent modifications that would affect their customers’ high-profile or valuable domain names.

Verisign’s registry service supports the following client (registrar) and server (registry) status codes:

- clientHold
- clientRenewProhibited
- clientTransferProhibited
- clientUpdateProhibited
- clientDeleteProhibited
- serverHold
- serverRenewProhibited
- serverTransferProhibited
- serverUpdateProhibited
- serverDeleteProhibited

1.3 ADD GRACE PERIOD, REDEMPTION GRACE PERIOD, AND NOTICE PERIODS FOR RENEWALS OR TRANSFERS

Verisign, Coach’s selected backend registry services provider, handles Add grace periods, Redemption grace periods, and notice periods for renewals or transfers as described here.

- Add Grace Period: The Add grace period is a specified number of days following the initial registration of the domain name. The current value of the Add grace period for all registrars is five days.

- Redemption Grace Period: If the domain name is deleted after the five-day grace period expires, it enters the Redemption grace period and then is deleted by the system. The registrant has an option to use the Restore Request command to restore the domain name within the Redemption grace period. In this scenario, the domain name goes to Pending Restore state if there is a Restore Request command within 30 days of the Redemption grace period. From the Pending Restore state, it goes either to the OK state, if there is a Restore Report Submission command within seven days of the Restore Request grace period, or a Redemption Period state if there is no Restore Report Submission command within seven days of the Restore Request grace period.

- Renew Grace Period: The Renew⁄Extend grace period is a specified number of days following the renewal⁄extension of the domain name’s registration period. The current value of the Renew⁄Extend grace period is five days.

- Auto-Renew Grace Period: All auto-renewed domain names have a grace period of 45 days.

- Transfer Grace Period: Domain names have a five-day Transfer grace period.

1.4 ASPECTS OF THE REGISTRATION LIFECYCLE NOT COVERED BY STANDARD EPP RFCS

Coach’s selected backend registry services provider’s (Verisign’s) registration lifecycle processes and code implementations adhere to the standard EPP RFCs related to the registration lifecycle. By adhering to the RFCs, Verisign’s registration lifecycle is complete and addresses each registration-related task comprising the lifecycle. No aspect of Verisign’s registration lifecycle is not covered by one of the standard EPP RFCs and thus no additional definitions are provided in this response.

2 CONSISTENCY WITH ANY SPECIFIC COMMITMENTS MADE TO REGISTRANTS AS ADAPTED TO THE OVERALL BUSINESS APPROACH FOR THE PROPOSED GTLD

The registration lifecycle described above applies to the .coach gTLD as well as other TLDs managed by Verisign, Coach’s selected backend registry services provider; thus Verisign remains consistent with commitments made to its registrants. No unique or specific registration lifecycle modifications or adaptations are required to support the overall business approach for the .coach gTLD.

To accommodate a range of registries, Verisign’s registry implementation is capable of offering both a thin and thick Whois implementation, which is also built upon Verisign’s award-winning ATLAS infrastructure.

3 COMPLIANCE WITH RELEVANT RFCS

Coach’s selected backend registry services provider’s (Verisign’s) registration lifecycle complies with applicable RFCs, specifically RFCs 5730 – 5734 and 3915. The system fully supports the EPP Domain Name Mapping as defined by RFC 5731, where the associated objects (e.g., hosts and contacts) are created independent of the domain name.

In addition, in accordance with RFCs 5732 and 5733, the Verisign registration system enforces the following domain name registration constraints:
- Uniqueness⁄Multiplicity: A second-level domain name is unique in the .coach database. Two identical second-level domain names cannot simultaneously exist in .coach. Further, a second-level domain name cannot be created if it conflicts with a reserved domain name.

- Point of Contact Associations: The domain name is associated with the following points of contact. Contacts are created and managed independently according to RFC 5733.

- Registrant

- Administrative contact

- Technical contact

- Billing contact

- Domain Name Associations: Each domain name is associated with:

- A maximum of 13 hosts, which are created and managed independently according to RFC 5732

- An Auth-Info, which is used to authorize certain operations on the object

- Status(es), which are used to describe the domain name’s status in the registry

- A created date, updated date, and expiry date

4 DEMONSTRATES THAT TECHNICAL RESOURCES REQUIRED TO CARRY THROUGH THE PLANS FOR THIS ELEMENT ARE ALREADY ON HAND OR READILY AVAILABLE

Verisign, Coach’s selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to Coach fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.

Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support the registration lifecycle:

- Application Engineers: 19
- Customer Support Personnel: 36
- Database Administrators: 8
- Database Engineers: 3
- Quality Assurance Engineers: 11
- SRS System Administrators: 13

Abuse within the TLD will not be tolerated.  Coach, Inc. (“Applicant” or “Coach”) will implement very strict policies and procedures to minimize abusive registrations and other activities that have a negative impact on Internet users.  Applicant has resolved to ensure that abusive use of the .coach domain names will not be permitted nor tolerated.  The nature of such abuses creates security and stability issues for Applicant, as well as for users of the Internet in general, and particularly those who wish to interact with Applicant in a secure and reliable manner.  The nature of such abuses also inherently creates negative publicity and loss of brand integrity and goodwill and, therefore, any such abuse must be swiftly and effectively addressed, and systems must continue to evolve in accordance with evolving threats.

One of Applicant’s primary abuse prevention and mitigation strategies is to ensure that only Applicant registers and Applicant and⁄or its Affiliates (as defined in Applicant’s registration policy) use domain names in the TLD under strict guidelines as set by Applicant.  In order to ensure that Applicant does not register abusive domain names, Applicant has appointed a single group of employees as authorized to register, acquire, and⁄or monitor domain names in the TLD.

As stated elsewhere, Applicant will not allow the registration of any domain names, except for those required by ICANN and for internal business or testing purposes, for likely one (1) to five (5) years while it conducts marketing and technical studies on how to best operate the TLD.  For example, Applicant will initially register and use only two (2) domain names, namely, [NIC.COACH] and [WHOIS.COACH] to provide access to the TLD’s Whois database and its abuse policy and contact.

Anti-Abuse Policy

Applicant will implement a Domain Name Anti-Abuse Policy (“Abuse Policy”) in its internal policies and its Registrar and Registration agreements that all registered domain names in the TLD will be subject to 

The Abuse Policy will provide Applicant with broad power to suspend, cancel, or transfer domain names that violate the Abuse Policy.  Applicant will publish the Abuse Policy on its home website and clearly provide Applicant’s Abuse Point of Contact (“Abuse Contact”) and its contact information.  This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of abuse complaints, and a telephone number and mailing address for the Abuse Contact.  Applicant will ensure that this information will be kept accurate and up to date and will be provided to ICANN if and when changes are made.  In addition, with respect to inquiries from ICANN-Accredited registrars, Applicant’s registry services provider, Verisign, shall have an additional point of contact to handle requests by registrars related to abusive domain name practices.

Inquiries addressed to the Abuse Contact will be forwarded to the Registry Services Liaison(s) and, if applicable, remedy any Complaint regarding an alleged violation of the Abuse Policy as described in more detail below.  

The Abuse Policy will state, at a minimum, that Applicant reserves the right to deny, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status, that it deems necessary, in its discretion: (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Applicant, as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or any agreement Applicant has with any party; (5) to correct mistakes made by the Applicant, registry services provider, or any registrar in connection with a domain name registration; (6) during resolution of any dispute regarding the domain; and (7) if a registrant’s pre-authorization or payment fails.

The Abuse Policy will define the abusive use of domain names to include, but not be limited to, the following activities:

• Illegal or fraudulent actions: use of the Applicant’s or Registrarʹs services to violate the laws or regulations of any country, state, or other applicable jurisdiction, or in a manner that adversely affects the legal rights of any other person;
• Spam: use of electronic messaging systems from email addresses from domains in the TLD to send unsolicited bulk messages in violation of applicable laws. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums;
• Phishing: use of counterfeit Web pages within the TLD that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;
• Pharming: redirecting of unknowing users to fraudulent Web sites or services, typically through DNS hijacking or poisoning;
• Willful distribution of malware: dissemination of software designed to infiltrate or damage a third-party computer system without the ownerʹs consent.  Examples include, without limitation, computer viruses, worms, key loggers, and trojan horses.
• Fast flux hosting: use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves. Fast flux hosting may be used only with prior permission of PIR;
• Botnet command and control: services run on a domain name that are used to control a collection of compromised computers or ʺzombies,ʺ or to direct denial-of-service attacks (DDoS attacks);
• Illegal Access to Other Computers or Networks: illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individualʹs system (often known as ʺhackingʺ). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity);
• Non-intended Use: use of the domain name other than that which was stated during the registration, without a change of intended use accepted by Applicant;
• Cybersquatting: registration of a domain name confusingly similar to a third party’s name or trademark without any legitimate interest in the name and in bad faith;
• Domain Kiting⁄Tasting: registration of domain names to test their commercial viability before returning them during a Grace Period.

Domain Anti-Abuse Procedure

Applicant will provide a domain name anti-abuse procedure (“Abuse Procedure”) modeled after the Digital Millennium Copyright Act’s notice-and-takedown procedure.

At all times, Applicant will publish on its home website the Abuse Policy and Abuse Procedure and the contact information for the Abuse Contact.  Inquiries addressed to the Abuse Contact will be addressed to and received by Applicant’s Registry Services Liaison(s) who will review and, if applicable, remedy any Complaint regarding an alleged violation of the Abuse Policy.  

Applicant’s Registry Services Liaison(s) will first review the Complaint and give it a “quick look” to see if the Complaint reasonably falls within an abusive use as defined by the Abuse Policy.  If not, Abuse Contact will write a timely correspondence to Complainant stating that the subject of the complaint clearly does not fall within one of the delineated abusive uses as defined by the Abuse Policy and that Applicant considers the matter closed.

If the quick look does not resolve the matter, the Registry Services Liaison(s) will timely give the Complaint a full review.  If an abusive use is determined, the Abuse Contact will alert the registry services provider to immediately suspend the resolution of the domain name.  The Registry Services Liaison(s) will then immediately notify the registrant of the suspension of the domain name, the nature of the complaint, and provide the registrant with the option to respond within a timely fashion or the domain name will be canceled.  

If the registrant responds within a timely period, its response will be further reviewed by the Registry Services Liaison(s).  If the Registry Services Liaison(s) are satisfied by the registrant’s response that the use is not abusive, the Registry Services Liaison(s) will submit a timely request to the registry services provider to unsuspend the domain name.  The Abuse Contact will then timely notify the Complainant that its complaint was ultimately denied and provide the reasons for the denial.  If the registrant does not respond within a timely fashion, the Abuse Contact will notify the registry services provider to cancel the abusive domain name.

This Abuse Procedure will not prejudice either party’s election to pursue another dispute mechanism, such as URS or UDRP.

With the assistance of its back-end registry services provider, Applicant will meet its obligations under Section 2.8 of the Registry Agreement to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD.  Accordingly, Applicant will timely respond to legitimate law enforcement inquiries.  Any such response shall include, at a minimum, a timely acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Applicant for a timely resolution of the request.  

In the event such request involves any of the activities which can be validated by Applicant’s Registry Services Liaison(s) and involves the type of activity set forth in the Abuse Policy, Abuse Contact will timely notify the registry services provider to either suspend or cancel the domain name.  If the Registry Services Liaison(s) determine that it is not an abusive activity, Abuse Contact will timely provide the relevant law enforcement, governmental and⁄or quasi-governmental agency a compelling argument to keep the name in the zone.

Whois Accuracy

Applicant will provide WHOIS accessibility in a reliable, consistent, and predictable fashion in order to promote Whois accuracy.  

Applicant will offer thick WHOIS services, in which all authoritative WHOIS data—including contact data—is maintained at the registry.  Through Applicant’s registrar and registry services operators, Applicant will maintain timely, unrestricted, and public access to accurate and complete WHOIS information, including all data objects as specified in Specification 4.  Moreover, prior to the release of any domain names, Applicant’s registrar will provide Applicant with an authorization code to verify eligible registrants, and Applicant will provide registrar with proper registrant contact information.  Upon registration, registrar will verify the authorization code and contact information before the prospective registrant is allowed to proceed.

In order to further promote WHOIS accuracy, Applicant will offer a mechanism whereby third parties can submit complaints directly to the Applicant’s Registry Services Liaison(s) (as opposed to ICANN or the sponsoring Registrar) about inaccurate or incomplete WHOIS data.  Such information shall be forwarded to the registrar, who shall be required to address those complaints with their registrants.  Within a reasonable time period after forwarding the complaint to the registrar, Applicant’s Registry Liaison(s) will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition.  If the registrar has failed to take any action, or it is clear that the registrant was either unwilling or unable to correct the inaccuracies, Applicant reserves the right to suspend the applicable domain name(s) until such time as the registrant is able to cure the deficiencies.

In addition, Applicant’s Registry Services Liaison(s) will at least twice per year perform a manual review of a random sampling of domain names within the applied-for TLD to test the accuracy of the WHOIS information.  Through this review, the Registry Services Liaison(s) will examine the WHOIS data for evidence of inaccurate or incomplete Whois information.  In the event that such errors or missing information exists, it shall be forwarded to the registrar, who shall be required to address such deficiencies with their registrants.  Within a reasonable time period, the Registry Services Liaison(s) will examine the current WHOIS data for names that were alleged to be inaccurate or incomplete to determine if the information was corrected, the domain name was deleted, or there was some other disposition.  If the registrar has failed to take any action, or it is clear that the registrant was either unwilling or unable to correct the inaccuracies, Applicant reserves the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.

Abuse Prevention and Mitigation – Domain Name Access

All domain name registrants will have adequate controls to ensure proper access to domain functions.  In addition to the above, all domain name registrants in the applied-for TLD will be required to name at least two (2) unique points of contact who are authorized to request and⁄or approve update, transfer, and deletion requests.  The points of contact will establish strong passwords with the registrar that must be authenticated before a point of contact will be allowed to process updates, transfer, and deletion requests.  Once a process update, transfer, or deletion request is entered, the points of contact will automatically be notified when a domain has been updated, transferred, or deleted through an automated system run by Applicant’s registrar.

Resourcing Plans.

Details related to resourcing plans for the initial implementation and ongoing maintenance of Applicant’s abuse plan are provided in Section 2 of this response.
 
ENSURING WHOIS ACCURACY

A complete and accurate Whois database promotes the prevention of identity theft, fraud and other on-line crime, promotes the public’s ability to police its rights against unlawful copyright and trademark infringement, and minimizes technical errors. Coach has a compelling interest in accounting to itself and the public for the use of Applicant assets, and in ensuring those assets are only used by persons or entities authorized by Coach.  That interest is especially strong with respect to the .coach and all domain names registered or used therein, since it is a core component of Coach’s online branding and technological platform.

Coach will enforce the Whois data accuracy provisions in ICANN’s Registry Agreement, Registrar Accreditation Agreement and all relevant Consensus Policies.  Those agreements generally require all registrants to provide accurate and reliable contact details and promptly update any changes made during the registration term. Coach’s registrars must present to the registrant the current Whois information, and remind the registrant that provision of false Whois information can be grounds for cancellation of the domain name registration. Coach and⁄or its affiliates (as defined in this response) will be listed as the sole registrant of all domains within the .coach.  Coach’s clear written policy which requires the relevant corporate authorisation and approvals to be procured and evidenced for any .coach domain name to be registered for Coach’s use, and the subsequent verification through a registrar will ensure thorough pre-verification of all Whois data. Therefore, all Whois information will be complete and accurate at the time of registration.  In the event of any change in the Whois contact information for a domain name, that change will be promptly updated in the Whois database.

Verisign, Applicant’s selected backend registry services provider, has established policies and procedures to encourage registrar compliance with ICANN’s Whois accuracy requirements. Verisign provides the following services to Applicant for incorporation into its full-service registry operations.
1) Registrar self-certification.  
The self-certification program consists, in part, of evaluations applied equally to all operational ICANN accredited registrars and conducted from time to time throughout the year. Process steps are as follows:
Verisign sends an email notification to the ICANN primary registrar contact, requesting that the contact go to a designated URL, log in with his⁄her Web ID and password, and complete and submit the online form. The contact must submit the form within 15 business days of receipt of the notification. 
When the form is submitted, Verisign sends the registrar an automated email confirming that the form was successfully submitted.
Verisign reviews the submitted form to ensure the certifications are compliant.
Verisign sends the registrar an email notification if the registrar is found to be compliant in all areas. 
If a review of the response indicates that the registrar is out of compliance or if Verisign has follow-up questions, the registrar has 10 days to respond to the inquiry.
If the registrar does not respond within 15 business days of receiving the original notification, or if it does not respond to the request for additional information, Verisign sends the registrar a Breach Notice and gives the registrar 30 days to cure the breach.
If the registrar does not cure the breach, Verisign terminates the Registry-Registrar Agreement (RRA). 

2) Whois data reminder process. Verisign regularly reminds registrars of their obligation to comply with ICANN’s Whois Data Reminder Policy, which was adopted by ICANN as a consensus policy on 27 March 2003 (http:⁄⁄www.icann.org⁄en⁄registrars⁄wdrp.htm). Verisign sends a notice to all registrars once a year reminding them of their obligation to be diligent in validating the Whois information provided during the registration process, to investigate claims of fraudulent Whois information, and to cancel domain name registrations for which Whois information is determined to be invalid. 
Resource Planning Specific to Backend Registry Activities.
Coach has effectively mitigated the risk of abuse in the gTLD and foresees dedicating a member of staff to act as the primary points of contact for handling inquiries relating to malicious or abusive conduct in the TLD. Coach is committed to ensuring that sufficient resources are made available at all times. Coach may engage its third party registrar(s) and its selected back end registry services provider, Verisign, to perform some or all of the tasks associated with abuse issues.  This will ensure that highly skilled, specialized and scalable resources are on hand to address any possible abuse issues both during the startup phase of the TLD and continually during operations of the TLD.

Verisign, Coach’s selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to Coach fully accounts for cost related to this infrastructure, which is included in the registry services provider costs in Section I.K “Outsourcing Operating Costs” within the Question 46 financial projections response. 

Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings.

Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support abuse prevention and mitigation:

- Application Engineers: 19
- Business Continuity Personnel: 3
- Customer Affairs Organization: 9
- Customer Support Personnel: 36
- Information Security Engineers: 11
- Network Administrators: 11
- Network Architects: 4
- Network Operations Center (NOC) Engineers: 33
- Project Managers: 25
- Quality Assurance Engineers: 11
- Systems Architects: 9

To implement and manage the .coach gTLD as described in this application, Verisign, Coach’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area. 

When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.
SCANNING TO IDENTIFY MALICIOUS OR ABUSIVE BEHAVIOR
 [Coach currently invests in and utilizes third party anti-phishing and abuse solutions to monitor potentially malicious conduct over the Internet, against Coach’s websites, brands and other online business areas.  Coach fully intends to continue its support and deployment of these solutions to monitor the .coach domain on an on-going basis.  These solutions include:

- All computer systems accessible through .coach shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy for legitimate business reason;  
- Coach will conduct automated and regular scanning for malware of all computer systems accessible via domain names in the Registry through its selected back end Registry services provider, Verisign. Registrants are often unknowing victims of malware exploits. Verisign has developed proprietary code to help identify malware in the zones it manages, which in turn helps registrars by identifying malicious code hidden in their domain names. Verisign’s malware scanning service helps prevent websites from infecting other websites by scanning web pages for embedded malicious content that will infect visitors’ websites. Verisign’s malware scanning technology uses a combination of in-depth malware behavioral analysis, anti-virus results, detailed malware patterns, and network analysis to discover known exploits for the particular scanned zone. If malware is detected, the service sends the registrar a report that contains the number of malicious domains found and details about malicious content within its TLD zones. Reports with remediation instructions are provided to help registrars and registrants eliminate the identified malware from the registrant’s website; 
- Coach will establish and act upon the results of a regular poll against one or more trusted databases for phishing sites operating (in second level or subordinate domain names) within the TLD.
ADDITIONAL PROCESSES TO ADDRESS ABUSIVE USE OF REGISTERED DOMAIN NAMES

SUSPENSION PROCESSES CONDUCTED BY BACKEND REGISTRY SERVICES PROVIDER.  In the case of domain name abuse, Coach or Coach’s approved registrar(s) will determine whether to take down the subject domain name. Verisign, Coach’s selected backend registry services provider, will follow the auditable processes to comply with the suspension request as set out in Diagram 1 of the Attachment.

VERISIGN SUSPENSION NOTIFICATION.  Coach or Coach’s approved registrar(s) submits the suspension request to Verisign for processing, documented by:
- Threat domain name
- Registry incident number 
- Incident narrative, threat analytics, screen shots to depict abuse, and⁄or other evidence
- Threat classification 
- Threat urgency description
- Recommended timeframe for suspension⁄takedown 
- Technical details (e.g., Whois records, IP addresses, hash values, anti-virus detection results⁄nomenclature, name servers, domain name status that are relevant to the suspension) 
- Incident response, including surge capacity 

VERISIGN NOTIFICATION VERIFICATION.  When Verisign receives a suspension request from Coach or Coach’s approved registrar(s), it performs the following verification procedures:
- Validate that all the required data appears in the notification
- Validate that the request for suspension is for a registered domain name
- Return a case number for tracking purposes

SUSPENSION REJECTION. - If required data is missing from the suspension request, or the domain name is not registered, the request will be rejected and returned to Coach or Coach’s approved registrar(s) with the following information:
- Threat domain name
- Registry incident number 
- Verisign case number
- Error reason

Coach will notify the registrar of record in relation to a complaint.

CONCLUSION

The approach outlined in this answer clearly shows that the risk of abuse in the .coach TLD has been extensively mitigated and as a direct result is very low.  Applicant is committed to ensuring that abuse will not be tolerated. The proposed policies and methods for addressing any abuse exceed the standard outline in the gTLD Applicant Guidebook and is more than commensurate with the risks identified, Applicant is, therefore, entitled to a score of two points for its response to Question 28.

Use of domain names that infringe upon the legal rights of others in the TLD will not be tolerated and preventing abusive registrations is a core objective of Coach, Inc. (“Applicant” or “Coach”).  The nature of such uses creates security and stability issues for the registry, registrars, and registrants, as well as for users of the Internet in general.  Primarily, Applicant will prevent abusive registrations by allowing only Applicant to register and Applicant and⁄or its Affiliates (as defined in Applicant’s Registration Policy) to use domain names in the registry under strict internal registration, anti-abuse and rights protection guidelines as defined in its Abuse Policy.  In order to identify and address the abusive use of registered names on an ongoing basis, Applicant promises to additionally incorporate and abide by the following Rights Protection Mechanisms and all other rights protection mechanisms as specified in Specification 7 of the Registry Agreement and as adopted by the ICANN Board of Directors as ICANN Consensus Policies.

Anti-Abuse Policy

Applicant will implement in its internal policies and its Registrar and Registration agreements that all registered domain names in the TLD will be subject to a Domain Name Anti-Abuse Policy (“Abuse Policy”).

The Abuse Policy will provide Applicant with broad power to suspend, cancel, or transfer domain names that violate the Abuse Policy.  Applicant will publish the Abuse Policy on its home website and clearly provide Applicant’s Abuse Point of Contact (“Abuse Contact”) and its contact information.  This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of abuse complaints, and a telephone number and mailing address for the Abuse Contact.  Applicant will ensure that this information will be kept accurate and up to date and will be provided to ICANN if and when changes are made.  In addition, with respect to inquiries from ICANN-Accredited registrars, Applicant’s registry services provider, Verisign, shall have an additional point of contact to handle requests by registrars related to abusive domain name practices.

Inquiries addressed to the Abuse Contact will be forwarded to Applicant’s Registry Services Liaison and if applicable remedy any Complaint regarding an alleged violation of the Abuse Policy as described in more detail below.  

The Abuse Policy will state, at a minimum, that Applicant reserves the right to deny, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status, that it deems necessary, in its discretion: (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Applicant, as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or any agreement Applicant has with any party; (5) to correct mistakes made by the Applicant, registry services provider, or any registrar in connection with a domain name registration; (6) during resolution of any dispute regarding the domain; and (7) if a registrant’s pre-authorization or payment fails.

The Abuse Policy will define the abusive use of domain names to include, but not be limited to, the following activities:

• Illegal or fraudulent actions: use of the Applicant’s or Registrarʹs services to violate the laws or regulations of any country, state, or other applicable jurisdiction, or in a manner that adversely affects the legal rights of any other person;
• Spam: use of electronic messaging systems from email addresses from domains in the TLD to send unsolicited bulk messages in violation of applicable laws. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums;
• Phishing: use of counterfeit Web pages within the TLD that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;
• Pharming: redirecting of unknowing users to fraudulent Web sites or services, typically through DNS hijacking or poisoning;
• Willful distribution of malware: dissemination of software designed to infiltrate or damage a third-party computer system without the ownerʹs consent.  Examples include, without limitation, computer viruses, worms, key loggers, and trojan horses.
• Fast flux hosting: use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves. Fast flux hosting may be used only with prior permission of PIR;
• Botnet command and control: services run on a domain name that are used to control a collection of compromised computers or ʺzombies,ʺ or to direct denial-of-service attacks (DDoS attacks);
• Illegal Access to Other Computers or Networks: illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individualʹs system (often known as ʺhackingʺ). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity);
• Non-intended Use: use of the domain name other than that which was stated during the registration, without a change of intended use accepted by Applicant;
• Cybersquatting: registration of a domain name confusingly similar to a third party’s name or trademark without any legitimate interest in the name and in bad faith;
• Domain Kiting⁄Tasting: registration of domain names to test their commercial viability before returning them during a Grace Period.

Trademark Clearinghouse

The first mandatory rights protection mechanism (“RPM”) required to be implemented by each new gTLD Registry is support for, and interaction with, the Trademark Clearinghouse.  The Trademark Clearinghouse is intended to serve as a central repository for information to be authenticated, stored, and disseminated pertaining to the rights of trademark holders.  The data maintained in the clearinghouse will support and facilitate other RPMs, including the mandatory Sunrise Period and Trademark Claims service.  Although many of the details of how the Trademark Clearinghouse will interact with each registry operator and registrars are still being developed by ICANN, Applicant is actively monitoring the developments of the Implementation Assistance Group (“IAG”) designed to assist ICANN staff in refining and finalizing the rules and procedures associated with the policies and technical requirements for the Trademark Clearinghouse.  In addition, Applicant’s back-end registry services provider is actively participating in the IAG to ensure that the protections afforded by the Clearinghouse and associated RPMs are feasible and implementable.

Utilizing the Trademark Clearinghouse, all operators of new gTLDs must offer: (i) a Sunrise registration service for at least 30 days during the pre-launch phase giving eligible trademark owners an early opportunity to register second-level domains in new gTLDs; and (ii) a Trademark Claims service for at least the first 60 days that second-level registrations are open. The Trademark Claims service is intended to provide clear notice to a potential registrant of the rights of a trademark owner whose trademark is registered in the clearinghouse.

Sunrise Period

All domain names registered during the Sunrise Period will be subject to Applicant’s domain name registration policy, namely, that all registrants be Applicant.  Applicant will offer a Sunrise Period of sixty (60) days for owners of trademarks listed in the Trademark Clearinghouse that also meet applicant’s domain name registration requirements to register domain names that consist of an identical match of their listed trademarks.  Applicant’s Registry Services Liaison will receive and authenticate all Sunrise Registrations.   

Applicant’s registrar will ensure that all Sunrise Registrants meet sunrise eligibility requirements (SERs), which will be verified by Clearinghouse data.  The proposed SERs include: (i) ownership of a mark that is (a) nationally or regionally registered and for which proof of use, such as a declaration and a single specimen of current use – was submitted to, and validated by, the Trademark Clearinghouse; or (b) that have been court-validated; or (c) that are specifically protected by a statute or treaty currently in effect and that was in effect on or before 26 June 2008, (ii) optional registry elected requirements re: international class of goods or services covered by registration; (iii) representation that all provided information is true and correct; and (iv) provision of data sufficient to document rights in the trademark.  

Upon submission of all of the required information and documentation, registrar will forward the information to Applicant’s Registry Services Liaison for authentication.  The Registry Services Liaison will review the information and documentation and verify the trademark information and registration eligibility, and notify the potential registrant of any deficiencies.  If a registrant does not cure any deficiencies and⁄or respond by the means listed within a timely matter, Applicant’s Registry Services Liaison will notify its registrar and the domain name will be released for registration.  

Applicant will incorporate a Sunrise Dispute Resolution Policy (SDRP).  The SRDP will allow challenges to Sunrise Registrations by third parties for a ten-day period after acceptance of the registration based on the following four grounds: (i) at time the challenged domain name was registered, the registrant did not hold a trademark registration of national effect (or regional effect) or the trademark had not been court-validated or protected by statute or treaty; (ii) the domain name is not identical to the mark on which the registrant based its Sunrise registration; (iii) the trademark registration on which the registrant based its Sunrise registration is not of national or regional effect or the trademark had not been court-validated or protected by statute or treaty; or (iv) the trademark registration on which the domain name registrant based its Sunrise registration did not issue on or before the effective date of the Registry Agreement and was not applied for on or before ICANN announced the applications received.

After receiving a Sunrise Complaint, the Registry Services Liaison will review the Complaint to see if the Complaint reasonably asserts a legitimate challenge as defined by the SDRP.  If not, the Registry Services Liaison will timely send an email to the Complainant that the subject of the complaint clearly does not fall within one of the delineated grounds as defined by the SDRP and that Applicant considers the matter closed.

If the domain name is not found to have adequately met the SERs, the Registry Services Liaison will alert the registrar and registry services provider to immediately suspend the resolution of the domain name.  Thereafter, the Registry Services Liaison will immediately notify the Sunrise Registrant of the suspension of the domain name, the nature of the complaint, and provide the registrant with the option to timely cure the SER deficiencies or the domain name will be canceled.  

If the registrant timely responds, its response will be reviewed by the Registry Services Liaison to determine if the SERs are met.  If the Registry Services Liaison is satisfied by the registrant’s response, the Registry Services Liaison will timely submit a request to the registrar and the registry services provider to unsuspend the domain name.  If registrant does not timely respond, the Registry Services Liaison will then timely notify the Complainant that its complaint was ultimately denied and provide the reasons for the denial.

Trademark Claims Service

Applicant will offer a Trademark Claims Service during the first one hundred and twenty (120) days of general registration.  The Trademark Claims Service will be monitored by the Registry Services Liaison.  Applicant’s registrar will be required to review all domain names requested to be registered during the Trademark Claims period to determine if they are an identical match of a trademark that has been filed with the Trademark Clearinghouse and they meet Applicant’s domain name registration requirements.  A domain name will be considered an identical match when the domain name consists of the complete and identical textual elements of the mark, and includes domain names where (a) spaces contained within a mark that are either replaced by hyphens (and vice versa) or omitted; (b) certain special characters contained within a trademark are spelled out with appropriate words describing it (e.g., @ and &); and (c) punctuation or special characters contained within a mark that are unable to be used in a second-level domain name are either (i) omitted or (ii) replaced by spaces, hyphens or underscores.  Domain names that are plural forms of a mark or that merely contain a mark will not qualify as an identical match.

If the registrar determines that a prospective domain name registration is identical to a mark registered in the Trademark Clearinghouse, the registrar will be required to ensure that a “Trademark Claims Notice” (“Notice”) in English is sent to the protective registrant of the domain name and blind copy the Registry Services Liaison on all such correspondence.  The Notice will provide the prospective registrant information regarding the trademark referenced in the Trademark Claims Notice to enhance understanding of the Trademark rights being claimed by the trademark holder.  The Notice will be provided in real time without cost to the prospective registrant. 

After sending the Notice, the registrar will be required to require that the prospective registrant specifically warrant within five (5) days that: (i) the prospective registrant has received notification that the mark(s) is included in the Clearinghouse; (ii) the prospective registrant has received and understood the notice; and (iii) to the best of the prospective registrant’s knowledge that the registration and use of the requested domain name will not infringe on the rights that are the subject of the notice.  If the warranty satisfies these requirements, the registrar will be required to effectuate the registration and notify the Registry Services Liaison.  

After the effectuation of a registration that is identical to a mark listed in the Trademark Clearinghouse, the registrar will be required to then ensure that a clear notice to the trademark owner of the trademark consisting of the domain name that has been registered and will blind copy the Registry Services Liaison confirming that it has done so.  The trademark owner then has the option of filing a Complaint under the Uniform Domain Name Dispute Resolution Policy (UDRP) and the Uniform Rapid Suspension System (URS) against the domain name, as the Applicant will require in its domain name registration agreements that the registry, registrar, and registrant all submit to the Uniform Domain Name Dispute Resolution Policy (UDRP) and the Uniform Rapid Suspension (URS) system.  Applicant will require its registrar and registry service operators to abide by decisions rendered under the UDRP and URS in a timely and ongoing basis.

Uniform Rapid Suspension System (URS)

Applicant will specify in its Registry-Registrar and Registration Agreements used in connection with the TLD that all parties will timely abide by all decisions made by panels in accordance with the Uniform Rapid Suspension System (URS).  On Applicant’s home website, Applicant will designate a Rights Protection Contact (“Rights Contact”) that will receive all URS Complaints verified by the URS Provider and provide its contact information.  This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of rights protection complaints, and a telephone number and mailing address for the Rights Contact.  Applicant will ensure that this information will be kept accurate and up to date and will be provided to ICANN if and when changes are made. 

Within 24 hours of receipt of the Notice of Complaint from the URS Provider, the Rights Contact shall notify its registry operator to “lock” the domain, meaning the registry shall restrict all changes to the registration data, including transfer and deletion of the domain names, but the name will continue to resolve.  The Rights Contact will notify the URS Provider immediately upon locking the domain name (”Notice of Lock”).  

Immediately upon receipt of a Determination in the Complainant’s favor, Rights Contact will notify the registry operator to suspend the domain name, which shall remain suspended for the balance of the registration period and will not resolve to the original web site.  The nameservers shall be redirected to an informational web page provided by the URS Provider about the URS.  The Whois for the domain name shall continue to display all of the information of the original Registrant except for the redirection of the nameservers.  In addition, the Whois shall reflect that the domain name will not be able to be transferred, deleted or modified for the life of the registration.  Finally, Applicant will be sure to abide by any timely requests by Complainant to extend the registration period for one additional year at commercial rates.  

Immediately upon receipt of a Determination in registrant’s favor, Rights Contact will notify the registry operator to unlock the domain name.

Uniform Domain Name Dispute Resolution Policy (UDRP)

Applicant will specify in its Registry-Registrar and Registration Agreements used in connection with the TLD that all parties will timely abide by all decisions made by panels in accordance with the Uniform Domain Name Dispute Resolution Policy (UDRP).  Applicant’s Rights Contact will receive all UDRP Complaints and decisions, temporarily lock any domain names as required, and will notify its registrar to timely cancel or transfer all registrations determined to by a UDRP panel to be infringing.  

Trademark Post-Delegation Dispute Resolution Procedure (Trademark PDDRP)

Applicant will participate in all post-delegation procedures, including the Trademark Post-Delegation Dispute Resolution Procedure (Trademark PDDRP), and will timely abide by any Determinations of any PDDRP Provider after exhaustion of all appeals and⁄or times to appeal or other determination challenges.

Registry Restrictions Dispute Resolution Procedure (RRDRP)

Because the application is not community-based, Applicant is not required to participate in the RRDRP and will not be bound by any Determinations of a RRDRP Provider.

Proven Registrars

Applicant intends that only Applicant will be permitted to register domain names in the TLD for its own exclusive use.  Hence, Applicant is exempt from the Registry Operator Code of Conduct (“ROCC”) as detailed in Specification 9 of the Registry Agreement with ICANN.  Thus, as Applicant is not required to grant access to the TLD to all registrars, and in order to reduce abusive registrations and other activities that affect the legal rights of others, Applicant will only contract with one ICANN-accredited registrar that has proven capable of providing adequate defenses against abusive registrations and superior response capabilities.  The registrar, according to the Registry-Registrar agreement, will not be able to register any domain names, thus eliminating the possibility of front-running.  The Registrar will also agree not to submit fake renewal notices.  Any evidence of abusive behavior on the part of the Registrar will be promptly reported to ICANN Compliance.

Pre-Authorization and Authentication

Prior to the release of any domain names, Applicant will designate that only designated employees will be authorized to register domain names within the TLD under strict domain name registration guidelines.  Also, Applicant’s registrar will provide Applicant with an authorization code to provide when registering domain names, and Applicant’s authorized employees will provide registrar with authorized registrant contact information to verify upon the attempted registration of any domain names.  Upon registration, registrar will verify the authorization code and contact information before the prospective registrant is allowed to proceed.  

A variety of automated and manual procedures will be utilized for verification by the registrar as specified below:

• Applicant’s registrar’s automated authentication process will authenticate that the prospective registrant has provided an authorization code as created by registrar;
• Applicant’s registrar’s automated authentication process will authenticate that the registrant’s email is from Applicant based on a list of pre-approved email extensions from authorized related companies;
• If authenticated, the authentication process will send a unique HTML link to the registrant’s email of record;
• If the automatic verification process does not provide verification, the request will be referred to Applicant’s Registry Services Liaison, which will attempt to verify the registrant manually based on the pre-approved list of Applicant or Related Companies;
• After pre-approval, Registrant must represent and warrant - in both the registration agreement and again as part of the WHOIS verification process - that neither the registration of the desired domain name, nor the manner in which the registration will be used, infringes the legal rights of third parties;
• Registrant must sign and provide a statement declaring that they will use the domain name for the promotion of, providing public awareness of, and⁄or offering Applicant’s goods and services.

In addition, Applicant’s Registry Services Liaison will at least twice per year perform a manual review of a random sampling of domain names within the applied-for TLD to test the accuracy and authenticity of the WHOIS information.  Through this review, the Registry Services Liaison will examine the WHOIS data for evidence of inaccurate or incomplete Whois information.  In the event that such errors or missing information exists, it shall be forwarded to the registrar, who shall be required to address such deficiencies with their registrants.  Within a reasonable time period, the Registry Services Liaison will examine the current WHOIS data for names that were alleged to be inaccurate or incomplete to determine if the information was corrected, the domain name was deleted, or there was some other disposition.  If the registrar has failed to take any action, or it is clear that the registrant was either unwilling or unable to correct the inaccuracies, Applicant reserves the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.

Thick Whois

Applicant will include a thick WHOIS database as required in Specification 4 of the Registry agreement.  A thick WHOIS provides numerous advantages including a centralized location of registrant information, the ability to more easily manage and control the accuracy of data, and a consistent user experience.  

Grace Period

Applicant will not allow a grace period for any domain name during the life of the TLD.  [Get more information from registrar and registrations].

Takedown Procedure

Applicant will provide a Rights Protection Takedown Procedure (“Takedown Procedure”) modeled after the Digital Millennium Copyright Act’s notice-and-takedown procedure.

At all times, Applicant will publish on its home website contact information for receiving rights protection complaints (Complaints) from rights holders.  At all times, Applicant will publish on its website the Takedown Procedure and the contact information for the Rights Contact.  

Inquiries addressed to the Rights Contact will be forwarded to Applicant’s Registry Services Liaison who will remedy or deny any Complaint regarding an alleged violation of the rights of the Complainant.  During the review of any Complaint, the Registry Services Liaison will first give the Complaint a “quick look” to see if the Complaint reasonably alleges the infringement of any legal right.  If not, the Rights Contact will write a timely correspondence to Complainant stating that the subject of the complaint clearly does not violate its rights.

If the quick look does not resolve the matter, the Registry Services Liaison will timely give the Complaint a full review.  If a rights infringement is determined, the Rights Contact will alert the registry services provider to immediately suspend the resolution of the domain name.  The Registry Services Liaison will then immediately notify the registrant of the suspension of the domain name, the nature of the complaint, and provide the registrant with the option to respond or take down the infringing content within a timely fashion or the domain name will be canceled.  

If the registrant responds within a timely period, its response will be further reviewed by the Registry Services Liaison.  If the Registry Services Liaison is satisfied by the registrant’s response that no rights have been infringed, the Registry Services Liaison will submit a timely request to the registry services provider to unsuspend the domain name.  The Rights Contact will then timely notify the Complainant that its complaint was ultimately denied and provide the reasons for the denial.  If the registrant does not respond within a timely fashion, the Rights Contact will notify the registry services provider to cancel the abusive domain name.

This Takedown Procedure will not prejudice either party’s election to pursue another dispute mechanism, such as URS or UDRP.

With the assistance of its back-end registry services provider, Applicant will meet its obligations under Section 2.8 of the Registry Agreement to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD.  Applicant will accordingly timely respond to legitimate law enforcement inquiries.  Any such response shall include, at a minimum, an acknowledgement of receipt of the request, questions, or comments concerning the request, and an outline of the next steps to be taken by Applicant for a timely resolution of the request.  
In the event such request involves any infringing activity which can be validated by Applicant’s Registry Services Liaison, Rights Contact will timely notify the registry services provider to either suspend the domain name until the infringing activity is cured or cancel the domain name.  If the Registry Services Liaison determines that it is not an infringing activity, Rights Contact will timely provide the relevant law enforcement, governmental and⁄or quasi-governmental agency a compelling argument to keep the name in the zone.

Additional Measures Specific to Rights Protection. Applicant provides additional measures against potentially abusive registrations. These measures help mitigate phishing, pharming, and other Internet security threats. The measures exceed the minimum requirements for RPMs defined by Specification 7 of the Registry Agreement and are available at the time of registration. These measures include:

• Rapid Takedown or Suspension Based on Court Orders: Applicant complies promptly with any order from a court of competent jurisdiction that directs it to take any action on a domain name that is within its technical capabilities as a TLD registry. These orders may be issued when abusive content, such as child pornography, counterfeit goods, or illegal pharmaceuticals, is associated with the domain name.
• Anti-Abuse Process: Applicant implements an anti-abuse process that is executed based on the type of domain name takedown requested. The anti-abuse process is for malicious exploitation of the DNS infrastructure, such as phishing, botnets, and malware.  
• Authentication Procedures: Verisign, Applicant’s selected backend registry services provider, uses two-factor authentication to augment security protocols for telephone, email, and chat communications.
• Malware Code Identification: This safeguard reduces opportunities for abusive behaviors that use registered domain names in the gTLD. Registrants are often unknowing victims of malware exploits. As Applicant’s backend registry services provider, Verisign has developed proprietary code to help identify malware in the zones it manages, which in turn helps registrars by identifying malicious code hidden in their domain names.
• DNSSEC Signing Service: Domain Name System Security Extensions (DNSSEC) helps mitigate pharming attacks that use cache poisoning to redirect unsuspecting users to fraudulent websites or addresses. It uses public key cryptography to digitally sign DNS data when it comes into the system and then validate it at its destination. The TLD is DNSSEC-enabled as part of Verisign’s core backend registry services.

Lastly, Coach will also ensure in all cases that its approved Registrar(s) will adopt appropriate anti-abuse mechanisms, respond to abuse processes and third party rights protection mechanisms and processes, in dealing with any domain name registrations, renewals and use, on behalf of Coach. This will ensure that highly skilled, specialized and scalable resources are on hand to address any possible rights protection issues both during the startup phase of the TLD and continually during operations of the TLD.  Coach will ensure that Registrar(s) are contractually bound to provide high quality and responsive management of rights protection queries. 
Resource Planning Specific to Backend Registry Activities
Verisign, Applicant’s selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to Applicant fully accounts for cost related to this infrastructure, which is provided as Line IIb.G, Total Critical Registry Function Cash Outflows, within the Question 46 financial projections response.
Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings. 
Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry,  to support the implementation of RPMs:
• Customer Affairs Organization: 9
• Customer Support Personnel: 36
• Information Security Engineers: 11

To implement and manage the .coach gTLD as described in this application, Verisign, Coach’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area. 

When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.

CONCLUSION
The approach outlined in this answer clearly shows that the risk of abuse in the .coach TLD has been extensively mitigated and as a direct result is very low. Coach is committed to ensuring that abuse will not be tolerated. The proposed policies and methods for addressing any abuse exceed the standard outlined in the gTLD Applicant Guidebook and is more than commensurate with the risks identified, Coach is, therefore, entitled to a score of two points for its response to Question 29.

30A SECURITY POLICY – PART A

1 DETAILED DESCRIPTION OF PROCESSES AND SOLUTIONS DEPLOYED TO MANAGE LOGICAL SECURITY ACROSS INFRASTRUCTURE AND SYSTEMS, MONITORING AND DETECTING THREATS AND SECURITY VULNERABILITIES AND TAKING APPROPRIATE STEPS TO RESOLVE THEM

As advised previously, Coach has engaged the services of Verisign as its selected backend registry services provider for .coach. Accordingly, the responses to both Questions 30a and 30b mostly describe the security policies and regime deployed by Verisign, as Coach’s backend registry services provider. Further attachments have been provided as evidence of, and testimony to, independent third party validation of Verisign’s compliance with these requirements. Whilst Coach does have a company-wide security policy in place, it was not provided here as it has much wider scope beyond the current application for the proposed operation of .coach gTLD. Coach will likewise ensure equivalent security policies and controls are adhered for by its other third party services providers, including registrars.

Coach’s selected backend registry services provider’s (Verisign’s) comprehensive security policy has evolved over the years as part of managing some of the world’s most critical TLDs. Verisign’s Information Security Policy is the primary guideline that sets the baseline for all other policies, procedures, and standards that Verisign follows. This security policy addresses all of the critical components for the management of backend registry services, including architecture, engineering, and operations.

Verisign’s general security policies and standards with respect to these areas are provided as follows:

ARCHITECTURE:

- Information Security Architecture Standard: This standard establishes the Verisign standard for application and network architecture. The document explains the methods for segmenting application tiers, using authentication mechanisms, and implementing application functions.

- Information Security Secure Linux Standard: This standard establishes the information security requirements for all systems that run Linux throughout the Verisign organization.

- Information Security Secure Oracle Standard: This standard establishes the information security requirements for all systems that run Oracle throughout the Verisign organization.

- Information Security Remote Access Standard: This standard establishes the information security requirements for remote access to terminal services throughout the Verisign organization.

- Information Security SSH Standard: This standard establishes the information security requirements for the application of Secure Shell (SSH) on all systems throughout the Verisign organization.

ENGINEERING:

- Secure SSL⁄TLS Configuration Standard: This standard establishes the information security requirements for the configuration of Secure Sockets Layer⁄Transport Layer Security (SSL⁄TLS) for all systems throughout the Verisign organization.

- Information Security C++ Standards: These standards explain how to use and implement the functions and application programming interfaces (APIs) within C++. The document also describes how to perform logging, authentication, and database connectivity.

- Information Security Java Standards: These standards explain how to use and implement the functions and APIs within Java. The document also describes how to perform logging, authentication, and database connectivity.

OPERATIONS:

- Information Security DNS Standard: This standard establishes the information security requirements for all systems that run DNS systems throughout the Verisign organization.

- Information Security Cryptographic Key Management Standard: This standard provides detailed information on both technology and processes for the use of encryption on Verisign information security systems.

- Secure Apache Standard: Verisign has a multitude of Apache web servers, which are used in both production and development environments on the Verisign intranet and on the Internet. They provide a centralized, dynamic, and extensible interface to various other systems that deliver information to the end user. Because of their exposure and the confidential nature of the data that these systems host, adequate security measures must be in place. The Secure Apache Standard establishes the information security requirements for all systems that run Apache web servers throughout the Verisign organization.

- Secure Sendmail Standard: Verisign uses sendmail servers in both the production and development environments on the Verisign intranet and on the Internet. Sendmail allows users to communicate with one another via email. The Secure Sendmail Standard establishes the information security requirements for all systems that run sendmail servers throughout the Verisign organization.

- Secure Logging Standard: This standard establishes the information security logging requirements for all systems and applications throughout the Verisign organization. Where specific standards documents have been created for operating systems or applications, the logging standards have been detailed. This document covers all technologies.

- Patch Management Standard: This standard establishes the information security patch and upgrade management requirements for all systems and applications throughout Verisign.

GENERAL:

- Secure Password Standard: Because passwords are the most popular and, in many cases, the sole mechanism for authenticating a user to a system, great care must be taken to help ensure that passwords are “strong” and secure. The Secure Password Standard details requirements for the use and implementation of passwords.
- Secure Anti-Virus Standard: Verisign must be protected continuously from computer viruses and other forms of malicious code. These threats can cause significant damage to the overall operation and security of the Verisign network. The Secure Anti-Virus Standard describes the requirements for minimizing the occurrence and impact of these incidents.

Security processes and solutions for the .coach TLD are based on the standards defined above, each of which is derived from Verisign’s experience and industry best practice. These standards comprise the framework for the overall security solution and applicable processes implemented across all products under Verisign’s management. The security solution and applicable processes include, but are not limited to:

- System and network access control (e.g., monitoring, logging, and backup)

- Independent assessment and periodic independent assessment reports

- Denial of service (DoS) and distributed denial of service (DDoS) attack mitigation

- Computer and network incident response policies, plans, and processes

- Minimization of risk of unauthorized access to systems or tampering with registry data

- Intrusion detection mechanisms, threat analysis, defenses, and updates

- Auditing of network access

- Physical security

Further details of these processes and solutions are provided in Part B of this response.

1.1 SECURITY POLICY AND PROCEDURES FOR THE PROPOSED REGISTRY

Specific security policy related details, requested as the bulleted items of Question 30 – Part A, are provided here.

INDEPENDENT ASSESSMENT AND PERIODIC INDEPENDENT ASSESSMENT REPORTS.

To help ensure effective security controls are in place, Coach, through its selected backend registry services provider, Verisign, conducts a yearly American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) SAS 70 audit on all of its data centers, hosted systems, and applications. During these SAS 70 audits, security controls at the operational, technical, and human level are rigorously tested. These audits are conducted by a certified and accredited third party and help ensure that Verisign in-place environments meet the security criteria specified in Verisign’s customer contractual agreements and are in accordance with commercially accepted security controls and practices. Verisign also performs numerous audits throughout the year to verify its security processes and activities. These audits cover many different environments and technologies and validate Verisign’s capability to protect its registry and DNS resolution environments. Figure 30A -1 lists a subset of the audits that Verisign conducts. For each audit program or certification listed in Figure 30A-1, Verisign has included, as attachments to the Part B component of this response, copies of the assessment reports conducted by the listed third-party auditor. From Verisign’s experience operating registries, it has determined that together these audit programs and certifications provide a reliable means to ensure effective security controls are in place and that these controls are sufficient to meet ICANN security requirements and therefore are commensurate with the guidelines defined by ISO 27001.

AUGMENTED SECURITY LEVELS OR CAPABILITIES.

See Section 5 of this response.

COMMITMENTS MADE TO REGISTRANTS CONCERNING SECURITY LEVELS.

See Section 4 of this response.

2 SECURITY CAPABILITIES ARE CONSISTENT WITH THE OVERALL BUSINESS APPROACH AND PLANNED SIZE OF THE REGISTRY

Verisign, Coach’s selected backend registry services provider, is an experienced backend registry provider that has developed and uses proprietary system scaling models to guide the growth of its TLD supporting infrastructure. These models direct Verisign’s infrastructure scaling to include, but not be limited to, server capacity, data storage volume, and network throughput that are aligned to projected demand and usage patterns. Verisign periodically updates these models to account for the adoption of more capable and cost-effective technologies.

3 TECHNICAL PLAN ADEQUATELY RESOURCED IN THE PLANNED COSTS DETAILED IN THE FINANCIAL SECTION

Verisign projects it will use the following personnel role, which is described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support its security policy:

- Information Security Engineers: 11

4 SECURITY MEASURES ARE CONSISTENT WITH ANY COMMITMENTS MADE TO REGISTRANTS REGARDING SECURITY LEVELS

Verisign is Coach’s selected backend registry services provider. For the .coach gTLD, no unique security measures or commitments must be made by Verisign or Coach to any registrant.

5 SECURITY MEASURES ARE APPROPRIATE FOR THE APPLIED-FOR GTLD STRING (FOR EXAMPLE, APPLICATIONS FOR STRINGS WITH UNIQUE TRUST IMPLICATIONS, SUCH AS FINANCIAL SERVICES-ORIENTED STRINGS, WOULD BE EXPECTED TO PROVIDE A COMMENSURATE LEVEL OF SECURITY)

No unique security measures are necessary to implement the .coach gTLD. As defined in Section 1 of this response, Verisign, Coach’s selected backend registry services provider, commits to providing backend registry services in accordance with the following international and relevant security standards:

- American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) SAS 70

- WebTrust⁄SysTrust for Certification Authorities (CA)

Gary Loveman	Outside Director
Irene Miller	Outside Director
Ivan Menezes	Outside Director
Jide Zeitlin	Outside Director
Lew Frankfort	Chairman and Chief Executive Officer
Mike Murphy	Outside Director
Susan Kropf	Outside Director

Jane Nielsen	Executive Vice President and Chief Financial Officer
Jerry Stritzke	President and Chief Operating Officer
Mike Tucci	President, Retail Division - North America
Reed Krakoff	President, Executive Creative Director
Sarah Dunn	Executive Vice President, Human Resources
Todd Kahn	Executive Vice President, General Counsel and Secretary
Tom Britt	Chief Information Officer

New gTLD Application Submitted to ICANN by: Coach, Inc.

String: COACH

Originally Posted: 13 June 2012

Application ID: 1-1880-48905

Applicant Information

1. Full legal name

2. Address of the principal place of business

3. Phone number

4. Fax number

5. If applicable, website or URL

Primary Contact

6(a). Name

6(b). Title

6(c). Address

6(d). Phone Number

6(e). Fax Number

6(f). Email Address

Secondary Contact

7(a). Name

7(b). Title

7(c). Address

7(d). Phone Number

7(e). Fax Number

7(f). Email Address

Proof of Legal Establishment

8(a). Legal form of the Applicant

8(b). State the specific national or other jursidiction that defines the type of entity identified in 8(a).

8(c). Attach evidence of the applicant's establishment.

9(a). If applying company is publicly traded, provide the exchange and symbol.

9(b). If the applying entity is a subsidiary, provide the parent company.

9(c). If the applying entity is a joint venture, list all joint venture partners.

Applicant Background

11(a). Name(s) and position(s) of all directors

11(b). Name(s) and position(s) of all officers and partners

11(c). Name(s) and position(s) of all shareholders holding at least 15% of shares

11(d). For an applying entity that does not have directors, officers, partners, or shareholders: Name(s) and position(s) of all individuals having legal or executive responsibility

Applied-for gTLD string

13. Provide the applied-for gTLD string. If an IDN, provide the U-label.

14(a). If an IDN, provide the A-label (beginning with "xn--").

14(b). If an IDN, provide the meaning or restatement of the string in English, that is, a description of the literal meaning of the string in the opinion of the applicant.

14(c). If an IDN, provide the language of the label (in English).

14(c). If an IDN, provide the language of the label (as referenced by ISO-639-1).

14(d). If an IDN, provide the script of the label (in English).

14(d). If an IDN, provide the script of the label (as referenced by ISO 15924).

14(e). If an IDN, list all code points contained in the U-label according to Unicode form.

15(a). If an IDN, Attach IDN Tables for the proposed registry.

15(b). Describe the process used for development of the IDN tables submitted, including consultations and sources used.

15(c). List any variant strings to the applied-for gTLD string according to the relevant IDN tables.

16. Describe the applicant's efforts to ensure that there are no known operational or rendering problems concerning the applied-for gTLD string. If such issues are known, describe steps that will be taken to mitigate these issues in software and other applications.

17. (OPTIONAL) Provide a representation of the label according to the International Phonetic Alphabet (http://www.langsci.ucl.ac.uk/ipa/).

Mission/Purpose

18(a). Describe the mission/purpose of your proposed gTLD.

18(b). How do you expect that your proposed gTLD will benefit registrants, Internet users, and others?

18(c). What operating rules will you adopt to eliminate or minimize social costs?

Community-based Designation

19. Is the application for a community-based TLD?

20(a). Provide the name and full description of the community that the applicant is committing to serve.

20(b). Explain the applicant's relationship to the community identified in 20(a).

20(c). Provide a description of the community-based purpose of the applied-for gTLD.

20(d). Explain the relationship between the applied-for gTLD string and the community identified in 20(a).

20(e). Provide a description of the applicant's intended registration policies in support of the community-based purpose of the applied-for gTLD.

20(f). Attach any written endorsements from institutions/groups representative of the community identified in 20(a).

Geographic Names

21(a). Is the application for a geographic name?

Protection of Geographic Names

22. Describe proposed measures for protection of geographic names at the second and other levels in the applied-for gTLD.

Registry Services

23. Provide name and full description of all the Registry Services to be provided.

Demonstration of Technical & Operational Capability

24. Shared Registration System (SRS) Performance

25. Extensible Provisioning Protocol (EPP)

26. Whois

27. Registration Life Cycle

28. Abuse Prevention and Mitigation

29. Rights Protection Mechanisms

30(a). Security Policy: Summary of the security policy for the proposed registry

© Internet Corporation For Assigned Names and Numbers.