Given the importance of TLDs, perhaps the right thing to do here, for ietf, is to assume the worst-relevant-case scenario: * worst: Presume that a malevolent entity gains control of a TLD. * relevant: Assume that through litigious or regulatory or (gasp) voluntary mechanisms, the malevolent parties are subject to standards. They must operate the TLD according to approved standards (which apparently do not currently prohibit or even explicitly discourage Verisign's behavior). In other words: write RFCs with the presumption that they will have force and with the goal that they would prevent objectionable behavior (which in this case, from what I've seen on the list, is more ambiguous than one might wish). And then leave the implementation of "force" up to other entities. This is an alternative to the emerging game of "core wars" exemplified by the recent patch to BIND. For the case at hand, the ex-post-facto nature of the new standard is problematic and RFCs should explain how and why that should be taken into account. In the best case, no force is actually necessary, and entities such as Verisign will simply choose to comply voluntarily because so many people have agreed that they should. In other words: express the sin negatively as an RFC. That it is the case, list traffic suggests, other TLD custodians have performed similar acts without objection, complicates the issue, of course. -t