<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">Strenuous agreement
with everything Andrew has said here. The points he lists
reflect fundamental, agreed positions of the NCSG, not just
yours truly.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie Perrin</font></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 2017-10-04 11:43, Andrew Sullivan
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20171004154259.puuknn3orap44x5q@mx4.yitter.info">
<pre wrap="">On Wed, Oct 04, 2017 at 10:57:02AM -0400, allison nixon wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">The problem that nobody has any idea who is collecting this data, and
</pre>
</blockquote>
</blockquote>
<pre wrap="">that some of it is personal data.
But without verification of identity, the data is still no good. If this is
something that is really needed, those operating whois servers can expose
their access logs and some analysis can be done on the ip addresses making
the queries and what they are querying for. Maybe that should be done
before an entire system of questionable value is built.
</pre>
</blockquote>
<pre wrap="">
For someone who has already argued the value of fraudulent whois data,
that is a bizarre argument to make. If I am a registrant I can agree
to the release of my data to people who authenticate against the
system using an open-subscription identity mechanism, on the grounds
that such a system is more auditable. Alternatively, perhaps I prefer
only to release my data to parties whose identity has been
independently verified; for instance, law enforcement agencies (I
dunno -- Interpol or someone) could run an OAuth service that would
allow stronger claims about identity.
The point is that https, on which RDAP is based, permits a very wide
array of authentication mechanisms and differential responses. As
Scott Hollenbeck's testbed shows, there is a lot of flexibility in
there. The same is not true of access logs and IP addresses, which
are (first) only forensic mechanisms anyway and (second) don't
identify the user who made the query, but the network node as it was
at the time of the query. IPs are a terrible mechanism for
identifying individuals, regardless of what various courts say
(frankly, in their ignorance) -- especially now that so many networks
are using CGN and other such tricks.
</pre>
<blockquote type="cite">
<pre wrap="">I think everyone is in agreement that some percentage of whois queries are
abusive and only for the purpose of sending spam, and the vast majority of
all queries are going to be aggregators. So i dont know what specific
questions need to be answered that arent already.
</pre>
</blockquote>
<pre wrap="">
Perhaps we would be agreeing on the basis of things we actually know,
as opposed to things we believe but about which we have only indirect
evidence. Appeal to popular belief isn't a reasonable argument for
this. We should be able to measure it, and today we can't.
</pre>
<blockquote type="cite">
<pre wrap="">Purchasing ICANN gtld domains is a rather specific, nonessential, and
advanced usage of the internet that most people will not do.
</pre>
</blockquote>
<pre wrap="">
I disagree with this in several dimensions. First, anyone who wants
to operate a business of any scale today either has to have a web
site, or else has to operate some sort of storefront in Facebook. I
think we will have reached the true dead end of the Internet where our
answer to people is that they should do everything inside a walled
garden instead of using the public infrastructure of the Internet, so
I hope that's not what we're saying. Therefore, everyone who wants to
run most types of business needs to be able to register a domain name,
at least for a few more years. Given the rise of the "gig economy"
and so on, more people than ever have an "operate a business" problem,
which inevitably runs up against this kind of thing. Therefore, this
is a club that still more people have to join -- many of them in
countries with historically low participation in domain name
registrations, and probably therefore who use writing systems other
than Latin and languages other than English (a nest of problems we
haven't even begun to think about).
Second, the argument that this is a specialised use not meant for the
Internet's _hoi polloi_ strikes me as at least a little troubling.
This is Internet infrastructure, and where I come from the barriers to
participate in that infrastructure ought to go down over time, not up.
Third, I don't think it's especially advanced. As near as I can tell,
humans are quite good at the idea of naming abstract things, and
domain names are how we do that on the Internet.
Fourth, I think that there is at least an even chance of increases in
the use of the domain name system in support of control systems for
stuff like IoT devices, and associated security policy systems, that
will need to be built. Certainly the giant-silo arrangement that is
the current IoT plan is not going to work -- it already doesn't.
ICANN policies (particularly for gTLDs) are currently AFAICT mostly an
effort to ensure every TLD does the same thing, but that might change
(and anyway, we're already seeing businesses fail using the
everyone-the-same template, so my bet is that template will get
broken).
Best regards,
A
</pre>
</blockquote>
<br>
</body>
</html>