[gnso-rds-pdp-wg] On unauthenticated vs gated access (was Re: Reputation systems are not just nice to have)

[allison nixon]

>> For someone who has already argued the value of fraudulent whois data,
>> that is a bizarre argument to make.

That's because fake data used for domains are attached to persistent
infrastructure that is actively doing something bad and we want to
associate it with other probably-bad infrastructure. Fake data in WHOIS
query logs will be attached to nothing, with no clues as to whether it's
abusive or not.

WHOIS data isn't uniquely watermarked, so if a WHOIS record is abused it's
impossible to tell which requestor did it. Also, if you wanted to identify
WHOIS abuse, you just need to register a domain and look at your spam.
WHOIS abuse just isn't that interesting or damaging compared to almost
every other type of abuse or spam out there.

tl;dr not all fake data is created equal, trash is only treasure with the
right context, also who cares.

If my statements above aren't clear please let me know where the confusion
lies and i will clarify. but i do not think this stance is inconsistent.

>> If I am a registrant I can agree
>> to the release of my data to people who authenticate against the
>> system using an open-subscription identity mechanism, on the grounds
>> that such a system is more auditable.  Alternatively, perhaps I prefer
>> only to release my data to parties whose identity has been
>> independently verified; for instance, law enforcement agencies (I
>> dunno -- Interpol or someone) could run an OAuth service that would
>> allow stronger claims about identity.

Such a system would require some DRM style control over small pieces of
text and mandate putting all aggregators out of business. If the movie
industry couldn't stop movie pirating, how will ICANN prevent sharing of
small pieces of text. Maybe the authentication mechanism could take the
requestor's credit card so they could impose a 20 million euro fine in the
event of unauthorized sharing.

>> Perhaps we would be agreeing on the basis of things we actually know,
>> as opposed to things we believe but about which we have only indirect
>> evidence.  Appeal to popular belief isn't a reasonable argument for
>> this.  We should be able to measure it, and today we can't.

IP addresses may be a bad indicator of identity, but we can determine if
the IP addresses making whois queries are open proxies, tor nodes, VPN
endpoints (all examples of identity masking or getting past rate-limiting),
or if they are coming from IP ranges that belong to security companies, or
if they are coming from residential ISP, or datacenters. Whois occurs over
TCP, so the IP addresses can't be faked. So we actually can use existing
data to figure some things out.

So if you really do want to mine this data, a good dataset already exists.
Anyone want to turn over their access logs?

>> I disagree with this in several dimensions.  First, anyone who wants
>> to operate a business of any scale today either has to have a web
>> site, or else has to operate some sort of storefront in Facebook.  I
>> think we will have reached the true dead end of the Internet where our
>> answer to people is that they should do everything inside a walled
>> garden instead of using the public infrastructure of the Internet, so
>> I hope that's not what we're saying.

Well it is, and we can thank abuse and hacking for that. If someone sets up
their own server, buys their own domain, and hosts their blog there, it's
going to get hacked. So this regular person has to understand arcane
anti-hacking protections and the Facebook page is genuinely better because
not everyone is a huge nerd.

Not only are gTLDs a terrible product for regular users, it's also terrible
for privacy conscious users. Those users should be using domains that don't
involve any payment, such as .onion domains with privacy AND anonymity
designed into the protocol from the start, not badly tacked on like how
gTLDs do whois privacy.

This is the dead end. Traditional infrastructure is replaced by safer,
cheaper things. Walled gardens proactively prevent abuse. In direct
contrast to the "negative externalities are not my problem" attitude of
registrars, hosting providers, certain certificate providers, etc. They
aren't technically breaking the law, but it's obnoxious and the
environmental pollution they allow is finally catching up with them.

Don't blame the walled gardens. Blame what they replaced. Users are
ignorant but not stupid.

>> Second, the argument that this is a specialised use not meant for the
>> Internet's _hoi polloi_ strikes me as at least a little troubling.
>> This is Internet infrastructure, and where I come from the barriers to
>> participate in that infrastructure ought to go down over time, not up.

I have been arguing from the beginning that user education needs to be
improved. I was responding to your statement that user education is
pointless. I think you should pick one or the other. If users cannot learn,
then they need Facebook pages. They don't need to set up servers that
become hazards and then be impossible for us to contact thanks to no WHOIS.

Also, it's not about looking down on the "hoi polloi". It's about
recommending the best thing for a person's needs. It is unethical for me to
recommend to someone incapable of understanding WHOIS that they set up
domain infrastructure where they need to learn technical skills to prevent
hacking. They need a Facebook page.

Abuse raised the barrier to entry. Not the walled gardens, not WHOIS.
Removing WHOIS without fixing the "polluting the Internet isn't technically
illegal so I don't care" attitude of the domain+hosting industry will only
accelerate their replacement by the walled gardens. Even more so when new
registrants find themselves blocked by default by an increasing number of
networks. I'm okay with that though, because that is "not my problem" and
for some operators, could better be described as "the solution to my
problem".

>> Fourth, I think that there is at least an even chance of increases in
>> the use of the domain name system in support of control systems for
>> stuff like IoT devices, and associated security policy systems, that
>> will need to be built.

The gTLD system has nothing to offer them. IoT devices have used dynamic
DNS for decade(s?), and are moving towards the walled garden approach
thanks to hacking. They aren't interested in a product that is more
expensive and more dangerous.


On Wed, Oct 4, 2017 at 11:43 AM, Andrew Sullivan <ajs at anvilwalrusden.com>
wrote:

> On Wed, Oct 04, 2017 at 10:57:02AM -0400, allison nixon wrote:
> > >> The problem that nobody has any idea who is collecting this data, and
> > that some of it is personal data.
> >
> > But without verification of identity, the data is still no good. If this
> is
> > something that is really needed, those operating whois servers can expose
> > their access logs and some analysis can be done on the ip addresses
> making
> > the queries and what they are querying for. Maybe that should be done
> > before an entire system of questionable value is built.
>
> For someone who has already argued the value of fraudulent whois data,
> that is a bizarre argument to make.  If I am a registrant I can agree
> to the release of my data to people who authenticate against the
> system using an open-subscription identity mechanism, on the grounds
> that such a system is more auditable.  Alternatively, perhaps I prefer
> only to release my data to parties whose identity has been
> independently verified; for instance, law enforcement agencies (I
> dunno -- Interpol or someone) could run an OAuth service that would
> allow stronger claims about identity.
>
> The point is that https, on which RDAP is based, permits a very wide
> array of authentication mechanisms and differential responses.  As
> Scott Hollenbeck's testbed shows, there is a lot of flexibility in
> there.  The same is not true of access logs and IP addresses, which
> are (first) only forensic mechanisms anyway and (second) don't
> identify the user who made the query, but the network node as it was
> at the time of the query.  IPs are a terrible mechanism for
> identifying individuals, regardless of what various courts say
> (frankly, in their ignorance) -- especially now that so many networks
> are using CGN and other such tricks.
>
> > I think everyone is in agreement that some percentage of whois queries
> are
> > abusive and only for the purpose of sending spam, and the vast majority
> of
> > all queries are going to be aggregators. So i dont know what specific
> > questions need to be answered that arent already.
>
> Perhaps we would be agreeing on the basis of things we actually know,
> as opposed to things we believe but about which we have only indirect
> evidence.  Appeal to popular belief isn't a reasonable argument for
> this.  We should be able to measure it, and today we can't.
>
> > Purchasing ICANN gtld domains is a rather specific, nonessential, and
> > advanced usage of the internet that most people will not do.
>
> I disagree with this in several dimensions.  First, anyone who wants
> to operate a business of any scale today either has to have a web
> site, or else has to operate some sort of storefront in Facebook.  I
> think we will have reached the true dead end of the Internet where our
> answer to people is that they should do everything inside a walled
> garden instead of using the public infrastructure of the Internet, so
> I hope that's not what we're saying.  Therefore, everyone who wants to
> run most types of business needs to be able to register a domain name,
> at least for a few more years.  Given the rise of the "gig economy"
> and so on, more people than ever have an "operate a business" problem,
> which inevitably runs up against this kind of thing.  Therefore, this
> is a club that still more people have to join -- many of them in
> countries with historically low participation in domain name
> registrations, and probably therefore who use writing systems other
> than Latin and languages other than English (a nest of problems we
> haven't even begun to think about).
>
> Second, the argument that this is a specialised use not meant for the
> Internet's _hoi polloi_ strikes me as at least a little troubling.
> This is Internet infrastructure, and where I come from the barriers to
> participate in that infrastructure ought to go down over time, not up.
>
> Third, I don't think it's especially advanced.  As near as I can tell,
> humans are quite good at the idea of naming abstract things, and
> domain names are how we do that on the Internet.
>
> Fourth, I think that there is at least an even chance of increases in
> the use of the domain name system in support of control systems for
> stuff like IoT devices, and associated security policy systems, that
> will need to be built.  Certainly the giant-silo arrangement that is
> the current IoT plan is not going to work -- it already doesn't.
> ICANN policies (particularly for gTLDs) are currently AFAICT mostly an
> effort to ensure every TLD does the same thing, but that might change
> (and anyway, we're already seeing businesses fail using the
> everyone-the-same template, so my bet is that template will get
> broken).
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>



-- 
_________________________________
Note to self: Pillage BEFORE burning.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171004/fb0b0ea5/attachment.html>