[gnso-rds-pdp-wg] On "authoritative" (was: Off the Simplicity Wall or Simply Off the Wall)

Wed Apr 26 17:19:49 UTC 2017

+1 Gomez.. very informative for me.

Le mer. 26 avr. 2017 à 14:50, Gomes, Chuck via gnso-rds-pdp-wg <
gnso-rds-pdp-wg at icann.org> a écrit :

> Very helpful in my opinion Andrew.  Thanks.
>
> Chuck
>
> -----Original Message-----
> From: gnso-rds-pdp-wg-bounces at icann.org [mailto:
> gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Andrew Sullivan
> Sent: Tuesday, April 25, 2017 11:22 PM
> To: gnso-rds-pdp-wg at icann.org
> Subject: [EXTERNAL] [gnso-rds-pdp-wg] On "authoritative" (was: Off the
> Simplicity Wall or Simply Off the Wall)
>
> Hi,
>
> If I've done this right, this will be a new thread in the mailing list;
> but I'm still responding to something below and trying to pull out one new
> topic.
>
> TL;DR: we need some other term than "authoritative data".  (There are some
> ideas for what they should be, but I'm waiting for David Cake's message to
> post mine.)  The basic idea is that we need to capture the sense of "data
> from the source repository" somehow.  Reasons below.
>
> On Tue, Apr 25, 2017 at 04:36:43PM -0400, Sam Lanfranco wrote:
>
> > Might there be some merit in defining “authoritative data” simply as:
> > verified (as best the registrar can); at a designated repository; and
> > with defined terms of access (Open, Gated, Closed).
>
> No, or at least that's not what we were trying to do with the previous
> discussion.  But your list is quite helpful.
>
> The little sub-group that was working on "authoritative" foundered on the
> basic problem that the data-theoretic sense of "authoritative data" is
> quite clear, but unfortunately overloaded in the legal sense of the same
> term.  In data-theoretic terms, "authoritative data" means approximately
> "the data from a source that is an official repository for that data".  The
> Ministry of Transportation of Ontario is the authoritative source for my
> driver's license status.  There are specific DNS servers that can tell you
> the correct IP address for mx4.yitter.info.  And the registry operated by
> CIRA is authoritative for the data associated with crankycanuck.ca.
> (Yes, those are both domains that I control.  Geeks!)
>
> The problem, I am informed, is that for lawyers "authoritative" also means
> something close to "true fact".  The idea here is that authoritative data
> is not only the data from some official repository, but _also_ that it is
> somehow the correct data with respect to the world.
>
> In the data-theoretic sense, we can distinguish among three things.
> One is the _authoritative_ data -- that is, that data that comes from the
> data authority (the relevant database or whatever).  When you get the thin
> data from the Verisign whois servers today, you are getting this kind of
> data, and when you get the results of
>
>     dig @ns4.p13.dynect.net -t NS internetcarrot.org
>
> you are also getting this kind of data.
>
> The second thing is _provably authentic_ data.  This is data that you can
> be sure you may use even if you can't ask the authoritative source.  For
> instance, if you issue
>
>     dig @ns4.p13.dynect.net -t NS internetcarrot.org +dnssec
>
> you get that kind of data.  In the whois today we do not have this, and
> RDAP does not have by default mechanisms for this (but I suppose
> -- not "think", please note! -- it'd be fairly easy to add it).
>
> The third thing is _verified_ data.  This is data that has undergone some
> sort of additional check to make sure not only that the data is correct in
> the source repository, but that the data actually represents some state of
> affairs somewhere.  The MTO's information about my driver's license is not
> only about whether it is valid: it also ensures that I actually am the
> person pictured.  Note that it is not impossible to fake this sort of
> thing, but it is harder than simply entering bad data into the
> authoritative repository.  On the Internet, we often see efforts along
> these lines in the so-called "Extended Validation" X.509 certificate that
> is used on certain TLS
> ("SSL") websites.  In theory, it provides additional evidence that the
> X.509 certificate is in fact controlled by the legal entity that controls
> the domain name.  As a matter of practice, EV certificates have a somewhat
> inglorious history, but they are still an example of "verified data" even
> in the cases where the verification has failed.
>
> I think what we were looking for in the Copenhagen meeting is the above
> sense(s) of "authoritative" and maybe "provably authentic".
> Separate from that is the question of verified data, which I think
> everyone agrees is important but that I, at least, think should not be
> balled up with the other two issues.
>
> I hope this helps make that issue a little clearer.
>
> Best regards,
>
> A
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- 
Regards
@__f_f__

PhD Candidate, Universität der Bundeswehr München
Computer Security | Internet of Things
about.me/farell
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170426/211533f7/attachment.html>