[IANAtransition] what's the threat model?

Miles Fidelman mfidelman at meetinghouse.net
Wed Apr 23 12:52:20 UTC 2014

It occurs to me, that in all the talk about accountability and 
multistakeholder governance, I've seen very little discussion of 
anything resembling a list of what we're trying to protect against. Yes, 
those are good things, but they're awfully nebulous - they generate lots 
of discussion, but not a lot of clarity.  Which suggests that maybe we 
need to look at things from a different angle.

We're talking about a registry function - and one that's rather similar 
to other registry functions (telephone number spaces, bank card numbers, 
ethernet MAC addresses, phone number portability, trademarks, etc., 
etc.).  There are lots of registries in the world, and multiple models: 
quasi-governmental (e.g., ITU), voluntary standards organization w/ 
separate registry (e.g., ISO/ANSI for bank card identifiers), single 
voluntary organization (IEEE for lots of things) - and they all seem to 
do the job.

Which raises the question: Why do we really care?  NTIA pulls out, the 
chips will fall somewhere, things will probably keep "working," and most 
people won't notice that anything has changed.

So...  What threats are we actually worried about?  What kinds of things 
can go wrong?  Are there examples of registry failures that anyone can 
point to and say "we need to prevent <this> from happening?"

Miles Fidelman

More information about the ianatransition mailing list