[gnso-rds-pdp-wg] On unauthenticated vs gated access (was Re: Reputation systems are not just nice to have)

Andrew Sullivan ajs at anvilwalrusden.com
Wed Oct 4 15:43:00 UTC 2017


On Wed, Oct 04, 2017 at 10:57:02AM -0400, allison nixon wrote:
> >> The problem that nobody has any idea who is collecting this data, and
> that some of it is personal data.
> 
> But without verification of identity, the data is still no good. If this is
> something that is really needed, those operating whois servers can expose
> their access logs and some analysis can be done on the IP addresses making
> the queries and what they are querying for. Maybe that should be done
> before an entire system of questionable value is built.

For someone who has already argued the value of fraudulent whois data,
that is a bizarre argument to make.  If I am a registrant I can agree
to the release of my data to people who authenticate against the
system using an open-subscription identity mechanism, on the grounds
that such a system is more auditable.  Alternatively, perhaps I prefer
only to release my data to parties whose identity has been
independently verified; for instance, law enforcement agencies (I
dunno -- Interpol or someone) could run an OAuth service that would
allow stronger claims about identity.

The point is that HTTPS, on which RDAP is based, permits a very wide
array of authentication mechanisms and differential responses.  As
Scott Hollenbeck's testbed shows, there is a lot of flexibility in
there.  The same is not true of access logs and IP addresses, which
are (first) only forensic mechanisms anyway and (second) don't
identify the user who made the query, but the network node as it was
at the time of the query.  IPs are a terrible mechanism for
identifying individuals, regardless of what various courts say
(frankly, in their ignorance) -- especially now that so many networks
are using CGN and other such tricks.

> I think everyone is in agreement that some percentage of whois queries are
> abusive and only for the purpose of sending spam, and the vast majority of
> all queries are going to be aggregators. So I don't know what specific
> questions need to be answered that aren't already.

Perhaps we would be agreeing on the basis of things we actually know,
as opposed to things we believe but about which we have only indirect
evidence.  Appeal to popular belief isn't a reasonable argument for
this.  We should be able to measure it, and today we can't.

> Purchasing ICANN gTLD domains is a rather specific, nonessential, and
> advanced usage of the internet that most people will not do.

I disagree with this in several dimensions.  First, anyone who wants
to operate a business of any scale today either has to have a web
site, or else has to operate some sort of storefront in Facebook.  I
think we will have reached the true dead end of the Internet where our
answer to people is that they should do everything inside a walled
garden instead of using the public infrastructure of the Internet, so
I hope that's not what we're saying.  Therefore, everyone who wants to
run most types of business needs to be able to register a domain name,
at least for a few more years.  Given the rise of the "gig economy"
and so on, more people than ever have an "operate a business" problem,
which inevitably runs up against this kind of thing.  Therefore, this
is a club that still more people have to join -- many of them in
countries with historically low participation in domain name
registrations, and probably therefore who use writing systems other
than Latin and languages other than English (a nest of problems we
haven't even begun to think about).

Second, the argument that this is a specialised use not meant for the
Internet's _hoi polloi_ strikes me as at least a little troubling.
This is Internet infrastructure, and where I come from the barriers to
participate in that infrastructure ought to go down over time, not up.

Third, I don't think it's especially advanced.  As near as I can tell,
humans are quite good at the idea of naming abstract things, and
domain names are how we do that on the Internet.

Fourth, I think that there is at least an even chance of increases in
the use of the domain name system in support of control systems for
stuff like IoT devices, and associated security policy systems, that
will need to be built.  Certainly the giant-silo arrangement that is
the current IoT plan is not going to work -- it already doesn't.
ICANN policies (particularly for gTLDs) are currently AFAICT mostly an
effort to ensure every TLD does the same thing, but that might change
(and anyway, we're already seeing businesses fail using the
everyone-the-same template, so my bet is that template will get
broken).

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
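
Added example, not part of the original message: a sketch of the differential responses discussed above, in which the answer to an RDAP query depends on the assurance level of the authenticated identity and on the registrant's release choice, and the audit record names the subject rather than an IP address. The tier names, the min_tier_for_contact policy value, the respond() function and the sample data are all assumptions constructed for illustration.

```python
import copy

# Assurance tiers taken from the message: no authentication, an
# open-subscription identity provider, and an independently verified one.
ANONYMOUS, OPEN_SUBSCRIPTION, VERIFIED = 0, 1, 2

# Constructed sample, shaped like an RDAP JSON domain response (trimmed).
SAMPLE = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "entities": [
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Constructed Registrant"],
             ["email", {}, "text", "registrant@example.com"]]]},
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Constructed Registrar"]]]},
    ],
}

def respond(domain, subject, tier, min_tier_for_contact, audit):
    """Return the view of `domain` for one query and append an audit entry.

    min_tier_for_contact is the registrant's release choice (hypothetical
    policy value). The audit entry is keyed to the authenticated subject,
    which is None for an anonymous query.
    """
    view = copy.deepcopy(domain)  # never mutate the stored record
    released = tier >= min_tier_for_contact
    if not released:
        for ent in view["entities"]:
            if "registrant" in ent.get("roles", []):
                # Strip every vCard property except the version marker.
                ent["vcardArray"][1] = [
                    p for p in ent["vcardArray"][1] if p[0] == "version"]
                ent["remarks"] = [{"title": "REDACTED", "description": [
                    "Contact withheld at this assurance level"]}]
    audit.append({"subject": subject, "tier": tier,
                  "domain": domain["ldhName"], "contact_released": released})
    return view
```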

