[itipanel] for your consideration; non-DNS based identifiers

Desiree desiree at relax.co.uk
Wed Nov 6 08:22:07 UTC 2013


Dear all

Greetings and congratulations to all for accepting to serve on this important panel.

I very much, like many others in the community, look forward to learning more about your work and how you would structure this panel and receive input or liaise with other groups already looking at these issues, within the IETF, ISOC, W3C, open source communities, etc. Once complete, your output will hopefully be enlightening to a wider audience.

I hope that you will be able to address some of users' trust and security concerns when looking at solutions and the roadmap for a future with other than DNS identifiers. This brings me to my core comment. As it has been noted before, the security re-build has to take place at many levels within the protocol stack and non-DNS-based identifiers must be part of that bigger picture.

Bearing in mind recent revelations, I'd say that one might not be too far off the mark if one were to conclude that there’s a perception that most if not all CAs have been compromised.

What does that have to do with non-DNS-based identifiers, you may ask?

IMHO, in order to deal with the aftermath of the devastating existing and potential future forthcoming revelations of governments' pervasive monitoring, surveillance and other general skullduggery, there needs to be a serious effort to combat the loss of trust among internet users world-wide. This loss of trust manifests itself front-and-center amongst the Internet's infrastructure and existing identifier system. Coupling this to the focus on all aspects of possible changes of Internet governance structures (a new framework for more operational transparency with respect to some centralised IANA functions), the panel has to address these many security concerns and build new structures. IMHO this should include a new set of global identifiers that would enhance privacy and help limit exposure of users' content over the network and limit exposure of identifiers and metadata and/or strengthen the existing sets of identifiers.

I preface the above claim with a basic assumption. If the implementation of DNSSEC and DANE does not become the default in all TLDs and domains world-wide along with ubiquitous and strong end-user implementation of these protocols - which I think is unlikely to happen soon - then we still need to take care of users that do not use domain names or browse the web. We need to look outside the core DNS system.

It seems to me that there is a need for a set of encryption-based identifiers e.g. shortened cryptographic URIs (even private and public CAs) and a need for a registry that would host those identifiers as well as perhaps a need for a new non-compromisable CA that may hold them. I currently have no opinion if those should be based within or outside IANA but one cannot go to a commercial entity such as Google, Microsoft, Twitter, Baidu, etc and ask them to build one.

I hope this email encourages the panel to look at the broader picture and scope.

Best regards

Desiree Miloshevic
--


