[gnso-rds-pdp-wg] [renamed] Key early questions

James Galvin jgalvin at afilias.info
Thu May 12 11:50:10 UTC 2016



On 11 May 2016, at 17:32, Greg Aaron wrote:

> Jim said that "If I’m unknown or inaccessible, and you don’t like 
> my Internet behavior on your Internet infrastructure, then stop 
> providing me service."
> That's not the problem as I see it.  The problem is when someone is 
> using Internet resources to perpetrate abusive or criminal acts on 
> other internet users.  That abuse usually comes from another network.  
> That's a reason why people need to know who the responsible parties 
> are.

Actually, I think my statement is still true.

I agreed with Andrew’s assertion that infrastructure elements should 
have identifiable and accessible responsible parties.  Where we got into 
a discussion is whether or not having a domain name automatically meant 
you were part of the infrastructure.

Setting that aside, I believe most of us would agree that an ISP is part 
of the infrastructure.  Therefore, if I’m being “abused” by an 
Internet element some logical distance away from me, i.e., more than one 
network between us, if I cannot contact that Internet element then I 
contact the network to which they are connected.  It is that network 
that will either be able to contact them or would simply remove the 
“offending” element from the Internet.

This is pretty much how it works today, assuming the ISP (or, e.g., 
registrar or registry) cooperates, which is yet another separate set of 
issues.


> SSAC stated that it believes that law enforcement and security 
> practitioners have a legitimate need to access the real identity of 
> those responsible for a domain name. (See SAC055 "Blind Man and the 
> Elephant" -- of which Jim was a co-author.)   Trying to do that 
> without a publication system (i.e. by calling up registries or 
> registrars and asking "please") is impractical in the extreme.

Well, we can have a separate discussion on how to define 
“practical”.  While I agree that volume would suggest a publication 
system is practical, that doesn’t mean the publication system should 
be freely accessible.  And then there’s the whole credential 
management issue.

I agree that law enforcement have a legitimate need to access real 
identities, but that presumes that “legitimate” has been defined and 
is managed and, perhaps more interestingly, that an identity, whether 
real or not, has been collected.

Again, the model could be that if I have a domain name and I want to 
“keep” it, then I’m going to make myself known.  If I’m willing 
to let you “take it away”, why couldn’t I make an anonymous, cash 
purchase?  That would make the job of law enforcement more difficult, 
but isn’t that how it pretty much works most of the time?

If we want to decide that domain names are infrastructure and we want to 
require that “real identities” be known and collected that’s fine.  
But we are starting with a “clean slate” so let’s make sure we 
explore all our options.


> Jim said he believes that  "a great deal of trouble believing that an 
> RDS is required to exist in order to ensure the operational stability 
> of the Internet".  FYI, on the numbers side, the RIRs seem to 
> disagree.  For example RIPE (existing under EU data protection laws) 
> says it maintains an RDS for reasons that are both technical and 
> legal, including:
> "* Ensuring the uniqueness of Internet number resource usage through 
> registration of information related to the resources and 
> Registrants....
> * Facilitating coordination between network operators (network problem 
> resolution, outage notification etc.)....
> * Providing information about the Registrant and Maintainer of 
> Internet number resources when the resources are suspected of being 
> used for unlawful activities, to parties who are authorised under the 
> law to receive such information.
> * Providing information to parties involved in disputes over Internet 
> number resource registrations to parties who are authorised under the 
> law to receive such information."

Excellent reference, thanks.  As I said just above, we can certainly 
adopt something similar but as we’re starting with a “clean slate” 
let’s make sure we explore all our options.

Jim




>
> All best,
> --Greg
>
>
> -----Original Message-----
> From: gnso-rds-pdp-wg-bounces at icann.org 
> [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of James Galvin
> Sent: Wednesday, May 11, 2016 3:01 PM
> To: gnso-rds-pdp-wg at icann.org
> Subject: Re: [gnso-rds-pdp-wg] [renamed] Key early questions
>
> While I have a great deal of sympathy for this point of view, I also 
> have a great deal of trouble believing that an RDS is required to 
> exist in order to ensure the operational stability of the Internet.
>
> Logically, that argument presupposes that in order to connect to the 
> Internet you are required both to identify yourself and to be 
> accessible.
>
> Well there are examples all over the place of how that is simply not 
> true.  Here’s three.
>
> 1. Enterprises routinely set up their infrastructures so that only 
> known devices can connect to them.  In addition, they also routinely 
> fail to share that detailed level of contact information with the rest 
> of the Internet.  The enterprise contact information might itself be 
> hidden behind a proxy or privacy service.
>
> 2. Access to the Internet is routinely provided to random unknown 
> devices by all sorts of Internet cafes around the world.  The Internet 
> functions more or less just fine with these devices coming and going.
>
> 3. Nation states around the world are stating that contact information 
> for Internet related elements may not be shared outside the nation 
> state.  The Internet functions just fine without this information 
> being shared.
>
> I am also deeply sympathetic to those who want to help, like when 
> Comcast wanted to help nasa.gov, to use Andrew’s example from a later 
> message in this thread.  However, just because Comcast wants to help 
> is no reason to require an RDS.  If NASA can’t be contacted then 
> NASA loses.  Comcast will have to deal with its customers some other 
> way, which it ultimately did in this scenario and will likely do again 
> when other circumstances require.
>
> My point is simply, from a technical point of view, if I’m willing 
> to accept your help then I’ll make myself known and accessible.  If 
> I don’t care then I won’t.  If you want a clause in your terms of 
> service to say that I have to identify myself and be accessible to the 
> Internet in order to use your service that’s fine.  I can choose a 
> different service provider if I don’t want to abide by that service.
>
> If I’m unknown or inaccessible, and you don’t like my Internet 
> behavior on your Internet infrastructure, then stop providing me 
> service.
>
> The Internet of Things is coming, or may already be here depending on 
> your point of view.  Do you seriously think any other operational 
> model is going to work?
>
> Jim
>
>
>
>
> On 10 May 2016, at 14:16, Andrew Sullivan wrote:
>
>> Hi,
>>
>> I'm slightly concerned that we are forgetting in this discussion why
>> we _need_ an RDS in the first place.
>>
>> On Tue, May 10, 2016 at 10:59:29AM -0400, Sam Lanfranco wrote:
>>>
>>> ICANN has business interests in defining what data to collect,
>>> accessible by whom and under what conditions. It also has business
>>> interests, from within its remit, in the data relationship with its
>>> contracted parties.
>>> However, ICANN’s contracted parties reside within national
>>> jurisdictions, and the relevant data is hosted within national
>>> jurisdictions, so ICANN cannot unilaterally define what constitutes
>>> legitimate data policy within its business interests.
>>
>> All of the above is something I agree with, but there's another
>> important point.  For good, sound, plain old technical reasons, it's
>> important that operators be able to contact each other outside of the
>> Internet, so that when stuff breaks it's at least logically possible
>> that one could try to fix it.
>>
>> The key point is that this is not some peculiar business interest of
>> ICANN, but instead a fundamental interest of anyone who uses the DNS
>> (i.e. approximately anyone who uses the Internet).  It's basic to why
>> we have ICANN at all.
>>
>> None of this is an argument that _all_ the information in any
>> particular RDS policy is what ought to be in the RDS.  But at the same
>> time, it seems to me that some views about RDS treat every data field
>> as if it's a simple matter of political negotiation or something like
>> that.  They're not all that way.  As an operator of actual technical
>> infrastructure, I need to be able to contact someone who is causing
>> problems on my network, and that ability to contact had better not
>> depend on the Internet since the problem in question is likely to
>> result from some sort of interoperation failure in the first place.
>> Therefore,
>>
>>> Some will brand this as the “fracturing of the Internet”. It is in
>>> fact other jurisdictions taking responsibility for Internet
>>> governance outside ICANN’s remit, but within their remit.
>>
>> I don't think that all of this is just about "Internet governance",
>> any more than (say) port number allocations are a matter for Internet
>> governance.  Some of it is just a fundamental part of having an
>> Internet at all.  Remember, it's an inter-net because of the network
>> of networks part.  Interoperation is a fundamental part, not something
>> you get to choose or not from a menu of available policy options.
>>
>> Best regards,
>>
>> A
>>
>> --
>> Andrew Sullivan
>> ajs at anvilwalrusden.com
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg