[gnso-rds-pdp-wg] a suggestion for "purpose in detail"

[Andrew Sullivan]

On Tue, Mar 21, 2017 at 09:16:45PM -0500, John Bambenek wrote:
> 
> I guess I am speaking of masking in a broad sense. What do we allow the consumer to mask and on what terms. 

Right.  I thought that answering that question was part of our job.
 
> I would disagree on they being separate issues. No matter what
> technology is created, some things will have to be fully public and
> some things are subject to debate here.

What to collect and what can be disclosed are obviously _related_
issues, but they are separable and I think usefully separated here.
We'll never get anywhere unless we break these things into manageable
chunks.

> For instance, if we don't make authoritative nameservers fully public without gates, we break the internet. I don't mean that as hyperbole, I mean no internet except for the savants who can us IP addresses for everything. 
>

I don't think anyone has been arguing that nameservers ought to be
private data, and they clearly need to be collected in order to feed
the DNS in order to make it work.  But that particular example isn't
really an interesting one, is it?  Indeed, as I think my lengthy email
demonstrated, I find it pretty hard to suggest that any "thin" data is
private; it all certainly needs to be collected to make the system
work at all.  The same arguments are obviously harder to make for
people's names and addresses, so there's more to do in that case.

> >> To enable third-parties to communicate directly to resolve and troubleshoot problems. 
> > 
> > I suggest that's already there.
> 
> Not in what I saw in the poll. 

We discussed this bit at some length last week, and my sense of the
room was that everyone agreed that is a purpose.

> But I am not a fair target. I work in investigations and intelligence. So you can send me an email from say citibankcreditcards.com and I'll check the address in whois to compare to a corp registry, or known good domains. I imagine the brand protection investigators could chime in here on their thoughts too. 
>

I think what you're saying is that you use the whois data as one
piece of input to heuristics that allow you to develop a view about
the legitimacy of the domain name.  I thought your original wording
was a little too positivist about the value of the data, but if it's
instead input to some heuristic mechanism I withdraw that objection.  

> X.509 certs are more maliciously pointless.

I'm certainly not going to attempt to argue that the PKI has worked as
intended.  But in terms of an ordinary user's ability to do anything
with information, they're what people really use.  (Yes, to their
peril.)

> I'd be interested in why you say that? How isn't the domain registration regime a commons? Does ICANN not contractually require certain behaviors of various parties?
> 

I think that's rather off topic here, but if you want I'll follow up
off-list.

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com