[gnso-rds-pdp-wg] Authenticating users we don't know (was Re: Why the thin data is necessary)

Andrew Sullivan ajs at anvilwalrusden.com
Wed Jun 7 12:41:52 UTC 2017


Hi,

On Wed, Jun 07, 2017 at 10:17:39AM +0200, Volker Greimann wrote:
> 
> Is there a harm in asking the entity requesting this data from identifying
> themselves and stating a purpose for the access?

This depends on what you mean by "harm".

The first thing to recall is the point I was making about distributed
operation and not having pre-existing contractual relationships.  To
authenticate someone this way, there are only two possibilities:

    1.  Everyone who needs the data for their technical purposes needs
    also to create some sort of authentication token in order to
    perform the activity.  But this, of course, is not distributed
    operation and management at all: it creates a central point of
    administration in the middle of the transaction.

    Moreover, it is either impossible or unwise to do this in advance
    -- there's no way for an ISP's help desk to know which domains are
    likely to have trouble or which registrars or registries they need
    to contact.  If the idea is instead that everyone is supposed to
    have a login with ICANN, who will authenticate everyone using
    OAuth or something, I'm sceptical of the wisdom of having ICANN be
    a central policing body with login credentials for (potentially)
    everyone on the Internet.

    It is moreover useless to do this "in real time", because setting
    up the credentials would be a time sink at the very moment when
    troubleshooting needs to happen.  So, this approach of having some
    kind of authentication token is harmful to the operational needs
    and creates technical threats to the workings of the Internet.  It
    is therefore harmful.

    2.  Any sort of authentication token is not needed, but people
    must provide their email address (or some other identifier) and a
    reason before proceeding.  This isn't harmful so much as useless:
    anyone who wanted to abuse the system could, and it creates a
    burden on people who have a legitimate use for the data without
    providing any real benefit.  It would be "identification theatre",
    with apologies to Bruce Schneier.

Moreover, there is a kind of assumption in your question that there is
a human on the other end of the transaction.  But there need not be.
For instance, many mail anti-abuse systems today use RDDS data to
inform other mail systems about the age of the domain.  That age data
is but one factor in a scoring algorithm that then determines whether
some other end system will accept mail from the domain in question.  I
believe that operators of such scoring systems would quite happily
authenticate themselves in order to get access to a reliable source of
the data, but they're not exactly in a position to state what the
"purpose" is, since the ultimate decision of what to do with the data
is made by some other system on the basis of other factors, not all of
which will be available at the time the query is made.

I hope this shows why the dates must be, for practical purposes, part
of the data set that needs to be accessible without restriction.

Best regards,

A


-- 
Andrew Sullivan
ajs at anvilwalrusden.com
