<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr"><br></div><div dir="ltr">Thanks for sharing Matt.</div><div dir="ltr"><br></div><div dir="ltr">TL;DR — meh.</div><div dir="ltr"><br></div><div dir="ltr">I’ll state the obvious that the very existence of this workgroup, as well as SSAC’s support of this effort, and the ICANN Board actions related to this, and ICANN resource allocation here, and oCTO’s leadership, efforts, and resourcing all suggest there’s work to be done .. and cataloging _actual *peer-reviewed* work (as opposed to what JAS produced), available datasets, and interest in this topic — where there is much in contrast to Jeff’s statement, along with the other phase one work seems the most prudent place to start.</div><div dir="ltr"><br></div><div dir="ltr">I’m not sure there’s new ‘analysis methodology’ work to do beyond phase one but that’ll sort itself out — however, it’s clear there’s something useful that needs to be done here.</div><div dir="ltr"><br></div><div dir="ltr">The one observation related to his note I’ll address is that many of the most virulent attack vectors here (e.g., MITM) are simply not within this groups observation space yet we’ve seen attackers publish blueprints on how to exploit them (and how they did so) in the very context which SSAC and others were concerned and if JAS suggests they’re ‘not serious’ even though they likely have no visibility I’d hope that informs future RFP vendor selection on this and other SST topics.</div><div dir="ltr"><br></div><div dir="ltr">Finally, registration of domains that have expired, whether on drop or waaaay later (it makes no technical difference), by new registrants is a red herring here. Move along please....</div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">-danny </div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br>On Sep 3, 2019, at 12:47 PM, Matt Larson <<a href="mailto:matt.larson@icann.org">matt.larson@icann.org</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
Dear colleagues,
<div class=""><br class="">
</div>
<div class="">David Conrad and I thought the email below from Jeff Schmidt (who is known to most of you based on his firm's previous work on name collisions) was worth forwarding to this group, which we are doing with Jeff's permission.</div>
<div class=""><br class="">
</div>
<div class="">Matt</div>
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">Begin forwarded message:</div>
<br class="Apple-interchange-newline">
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">From:
</b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">Jeff Schmidt <<a href="mailto:jschmidt@jasadvisors.com" class="">jschmidt@jasadvisors.com</a>><br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">Subject:
</b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><b class="">[Ext] JAS no-bid on NCAP Study 1</b><br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">Date:
</b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">August 27, 2019 at 11:25:49 AM EDT<br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);" class=""><b class="">To:
</b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">Roy Arends <<a href="mailto:roy.arends@icann.org" class="">roy.arends@icann.org</a>>, Matt Larson <<a href="mailto:matt.larson@icann.org" class="">matt.larson@icann.org</a>>,
David Conrad <<a href="mailto:david.conrad@icann.org" class="">david.conrad@icann.org</a>><br class="">
</span></div>
<br class="">
<div class="">
<div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: HelveticaNeue; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class="">Hello Team ICANN!<o:p class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class="">JAS elected not to bid on the NCAP Study 1; thank you for the invitation and please keep us in mind for Study 2 if such a study occurs.<o:p class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class="">Our primary rationale for not bidding on Study 1 is simply that we don’t believe we have anything useful to add to the discussion given the limited scope of Study 1. We believe that at this point DNS namespace collisions
are well understood (albeit by a relatively small technical community) and that any further work product from JAS would largely be a restatement of our October 2015 Final Report. In the three years since our Final Report, our conclusions have been shown to
be largely correct and the mitigation strategy we proposed (“Controlled Interruption”) has had the desired effects. Many TLDs have been delegated and used in a variety of fashions at this point and – as we suggested – the few problems that surfaced were isolated
and not serious. Our definition of DNS namespace collisions and the causes/etiology as described in Sections 4 and 5 of our report still hold. At the end of the day, we can’t take your money if we don’t believe we have anything useful to add. ;-)<o:p class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class="">The one glaring failure and our great disappointment is that the IETF has refused to take-up our Recommendation #1 to clearly create an RFC 1918-like protected namespace for local use. Until this happens, DNS namespace
collisions will continue to occur; however, increased awareness should reduce the risk of widespread serious future problems (with the “corp-like” exception noted below). Given the lack of clarity of RFC 6762 (including errata), this issue will persist until
folks are told unambiguously the *<b class="">right</b>* way to do this.<o:p class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class="">We believe the datasets available to research collisions are also fairly well known – the DNS-OARC DITL data, data that may be made available from large recursive operators, and authoritative data acquired by acquiring/hosting
known colliding domains (the 30+ such domains JAS owns, Mike O’Connor’s<span class="Apple-converted-space"> </span><a href="http://corp.com/" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">corp.com</a>, etc). While these datasets have
been available for years, extremely limited research interest (essentially zero) has been shown in collision-related topics. <span class="Apple-converted-space"> </span><o:p class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class="">JAS remains concerned about the security implications of a small number of “special” domains – like .corp – including the ones that have not yet been discovered. The special nature of the string “corp” was not predictable
a-priori and highly esoteric; all future TLD application rounds should contain steps to identify potential corp-like “special” strings requiring exceptional treatment. JAS also remains concerned about the practice of “drop catching” which is essentially the
intentional discovery and monetization of DNS namespace collisions and referenced this practice in our Final report and in Recommendation #14. We would very much appreciate the opportunity to assist with these issues at some future point.<o:p class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class="">Happy to chat further feel free to reach out of course; just wanted to make sure I closed the loop since you invited a bid from us. Please do let whomever you select to perform Study 1 know that we’re happy to chat with
them and provide whatever historical information/assistance we can.<o:p class=""></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class=""><o:p class=""> </o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 11pt;" class="">Thank you!<br class="">
Jeff</span></div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>NCAP-Discuss mailing list</span><br><span><a href="mailto:NCAP-Discuss@icann.org">NCAP-Discuss@icann.org</a></span><br><span><a href="https://mm.icann.org/mailman/listinfo/ncap-discuss">https://mm.icann.org/mailman/listinfo/ncap-discuss</a></span><br><span></span><br><span>_______________________________________________</span><br><span>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</span></div></blockquote></body></html>