[CWG-Stewardship] Several questions for DT-F

Milton L Mueller mueller at syr.edu
Fri Apr 17 15:08:40 UTC 2015


Hmmm, I thought this conversation was taking place in DT-F. Now I see it is here, too.
So this is what I wrote to DT-F on this topic:

Let me make it clear why I am insisting on a better articulation of the purpose of the separation [between IANA and the RZ Maintainer].
I actually support the idea intuitively, but feel that unless we clearly state the purpose of the separation we are not providing clear instructions on how to do it, and we could easily fail to achieve our goals.

As an example, there are people in the US who support the separation because they want a U.S. company under U.S. legal jurisdiction to have some control over what goes into the RZF, and to serve as a check should ICANN “escape” California.

There may also be people who support the separation (as Jordan partially does below) because they don’t think ICANN or a legally separated IANA affiliate would have the operational capability to run the primary RZ as reliably as Verisign.

In contrast, David Conrad has repeatedly suggested that the separation is a kind of two-factor authentication that can provide a means of preventing errors and abuses of power, both.

Others also see it as a check on concentration of power.

Those three rationales above point to completely different requirements for the type of separation we would ask for.

Let me focus on David’s rationale, as I think it is the one that has the most support.
If separation between RZM and IANA RZ editing is intended to provide two-factor authentication, then it implies a certain level of autonomy among the parties, does it not? RZM cannot be a passive recipient of IANA instructions that are automatically implemented – can they? Or is there some way to automate the exchange between IANA and VRSN that still allows some kind of additional error or security check or some way to filter out of policy abuses?

--MM


From: cwg-stewardship-bounces at icann.org On Behalf Of Greg Shatan
Sent: Friday, April 17, 2015 11:02 AM
To: David Conrad
Cc: cwg-stewardship at icann.org
Subject: Re: [CWG-Stewardship] Several questions for DT-F

Earlier, Jordan said:

> In the operation of the IANA functions and their stewardship, through to the root zone, there are currently three significant parties: the NTIA, ICANN and Verisign.
>
> With the end of the IANA Functions Contract and the CWG's emerging proposal to assign the stewardship responsibility to ICANN, this will reduce the parties involved to two.

I believe this is not immediately true, though it may become so.  It is my understanding that the Verisign Cooperative Agreement will stay in place for the time being, with amendments made to account for the ending of the IANA Functions Contract.  I recognize that statements were made that the Cooperative Agreement/relationship would be the subject of a related, parallel transaction.  However, it is my sense that this transition may well be "serial," rather than "parallel."

Greg

On Fri, Apr 17, 2015 at 10:44 AM, David Conrad <david.conrad at icann.org> wrote:
Hi,

I won't bother arguing whether or not ICANN has the "skills and
experience, the resources, and the need, to deliver the [Root Zone
Maintainer] function" (hint: it isn't rocket science and ICANN already
does). I will simply note that in many (most?) situations in which an
operational infrastructure is considered important, there is a requirement
for a "Two Person Rule" (http://en.wikipedia.org/wiki/Two-man_rule). For
example, it would be cheaper, easier, and far simpler if there was a
single person in nuclear missile silos able to launch the missiles, yet
there is a requirement for two people with two keys to enable launch.

Further, if you have two party controls (and you assume a base level of
competence), it does not matter who performs the functions as long as they
are different: the two parties provide checks to minimize the risk that
either party has the ability to unilaterally either accidentally or
maliciously "do the bad thing".

It is true that it is not technically essential to have two party
controls, nor is it the most efficient way of operating, however I
personally believe it is appropriate in the context of the root zone.  How
that is actually implemented should be a topic for future discussion.

Regards,
-drc


-----Original Message-----
From: CW Lists <lists at christopherwilkinson.eu>
Date: Friday, April 17, 2015 at 5:11 AM
To: Alan Greenberg <alan.greenberg at mcgill.ca>
Cc: CWG Mailing List <cwg-stewardship at icann.org>
Subject: Re: [CWG-Stewardship] Several questions for DT-F
>Dear Alan, Dear CWG  colleagues:
>
>1.     I think that it is not technically essential to have separate IANA and
>RZM operators. It is visually preferable and in certain limiting cases
>more secure, provided that an appropriately independent RZM operator can
>be identified.
>
>       In any event, absent the NTIA contract,  it would be entirely
>inappropriate for any Registry or Registrar with a corporate interest in
>the content of the Root Zone to become or remain RZM operator.
>
>2.     I agree with Alan's question. I have also been perplexed as to the
>motives for the explicit and implicit attacks on IANA performance in the
>CWG. If it is not evidence-based, then why?
>
>CW
>
>
>
>On 17 Apr 2015, at 04:01, Alan Greenberg <alan.greenberg at mcgill.ca> wrote:
>
>> 1.
>>
>> Milton has asked (several times) WHY we want to ensure that the IANA
>>Functions Operator and Root Zone Maintainer must be separate entities.
>>The answers I have heard to date do not (in my mind, or presumably
>>Milton's) really explain why the two-party solution is better. With the
>>current architecture, most or all errors that Verisign could catch would
>>also be catchable in a single-party implementation.
>>
>> Can anyone provide either a general answer or specific scenarios where
>>the two-party solution is better?
>>
>>
>> 2.
>>
>> 1.c.1 Says that we need to consider increasing robustness WITHIN IANA
>>prior to the CWG proposal being submitted.
>>
>> 1.c.2 Says we need to consider robustness everywhere (including within
>>IANA) post transition.
>>
>> I am not aware of the justification for 1.c.1 other than it was sort of
>>implied by the transfer of tasks from DT-D. But since NTIA did not
>>refuse authorizations and there are no known problems, it is not clear
>>that this is an urgent matter.
>>
>> Moreover I find it highly unlikely that a proper job of this could be
>>done prior to transition if it occurs in 2015 or early 2016.
>>
>> Do we want to keep it?
>>
>> Alan
>> <DT-F_Rec-v07.pdf>
>> _______________________________________________
>> CWG-Stewardship mailing list
>> CWG-Stewardship at icann.org
>> https://mm.icann.org/mailman/listinfo/cwg-stewardship
>