[gnso-rds-pdp-wg] On unauthenticated vs gated access (was Re: Reputation systems are not just nice to have)

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Thu Oct 19 16:24:35 UTC 2017


Strenuous agreement with everything Andrew has said here.  The points he 
lists reflect fundamental, agreed positions of the NCSG, not just yours 
truly.

Stephanie Perrin


On 2017-10-04 11:43, Andrew Sullivan wrote:
> On Wed, Oct 04, 2017 at 10:57:02AM -0400, allison nixon wrote:
>>>> The problem that nobody has any idea who is collecting this data, and
>> that some of it is personal data.
>>
>> But without verification of identity, the data is still no good. If this is
>> something that is really needed, those operating whois servers can expose
>> their access logs and some analysis can be done on the ip addresses making
>> the queries and what they are querying for. Maybe that should be done
>> before an entire system of questionable value is built.
> For someone who has already argued the value of fraudulent whois data,
> that is a bizarre argument to make.  If I am a registrant I can agree
> to the release of my data to people who authenticate against the
> system using an open-subscription identity mechanism, on the grounds
> that such a system is more auditable.  Alternatively, perhaps I prefer
> only to release my data to parties whose identity has been
> independently verified; for instance, law enforcement agencies (I
> dunno -- Interpol or someone) could run an OAuth service that would
> allow stronger claims about identity.
>
> The point is that https, on which RDAP is based, permits a very wide
> array of authentication mechanisms and differential responses.  As
> Scott Hollenbeck's testbed shows, there is a lot of flexibility in
> there.  The same is not true of access logs and IP addresses, which
> are (first) only forensic mechanisms anyway and (second) don't
> identify the user who made the query, but the network node as it was
> at the time of the query.  IPs are a terrible mechanism for
> identifying individuals, regardless of what various courts say
> (frankly, in their ignorance) -- especially now that so many networks
> are using CGN and other such tricks.
>
>> I think everyone is in agreement that some percentage of whois queries are
>> abusive and only for the purpose of sending spam, and the vast majority of
>> all queries are going to be aggregators. So I don't know what specific
>> questions need to be answered that aren't already.
> Perhaps we would be agreeing on the basis of things we actually know,
> as opposed to things we believe but about which we have only indirect
> evidence.  Appeal to popular belief isn't a reasonable argument for
> this.  We should be able to measure it, and today we can't.
>
>> Purchasing ICANN gtld domains is a rather specific, nonessential, and
>> advanced usage of the internet that most people will not do.
> I disagree with this in several dimensions.  First, anyone who wants
> to operate a business of any scale today either has to have a web
> site, or else has to operate some sort of storefront in Facebook.  I
> think we will have reached the true dead end of the Internet where our
> answer to people is that they should do everything inside a walled
> garden instead of using the public infrastructure of the Internet, so
> I hope that's not what we're saying.  Therefore, everyone who wants to
> run most types of business needs to be able to register a domain name,
> at least for a few more years.  Given the rise of the "gig economy"
> and so on, more people than ever have an "operate a business" problem,
> which inevitably runs up against this kind of thing.  Therefore, this
> is a club that still more people have to join -- many of them in
> countries with historically low participation in domain name
> registrations, and probably therefore who use writing systems other
> than Latin and languages other than English (a nest of problems we
> haven't even begun to think about).
>
> Second, the argument that this is a specialised use not meant for the
> Internet's _hoi polloi_ strikes me as at least a little troubling.
> This is Internet infrastructure, and where I come from the barriers to
> participate in that infrastructure ought to go down over time, not up.
>
> Third, I don't think it's especially advanced.  As near as I can tell,
> humans are quite good at the idea of naming abstract things, and
> domain names are how we do that on the Internet.
>
> Fourth, I think that there is at least an even chance of increases in
> the use of the domain name system in support of control systems for
> stuff like IoT devices, and associated security policy systems, that
> will need to be built.  Certainly the giant-silo arrangement that is
> the current IoT plan is not going to work -- it already doesn't.
> ICANN policies (particularly for gTLDs) are currently AFAICT mostly an
> effort to ensure every TLD does the same thing, but that might change
> (and anyway, we're already seeing businesses fail using the
> everyone-the-same template, so my bet is that template will get
> broken).
>
> Best regards,
>
> A
>
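
The contrast drawn in the quoted message between authenticated, differential RDAP responses and IP-based access logs, as an added example that is not part of the original thread. The tier names, the per-field release policy, the record and the log lines are all constructed assumptions; only `ldhName` and `status` are real RDAP member names.

```python
from collections import defaultdict

# Assumed assurance tiers, weakest to strongest (hypothetical names).
TIERS = {"anonymous": 0, "open_subscription": 1, "verified": 2}

# Constructed registration record: each field carries the minimum tier
# the registrant has agreed to release it to (hypothetical policy).
RECORD = {
    "ldhName": ("example.com", "anonymous"),
    "status": ("active", "anonymous"),
    "registrant_email": ("owner@example.com", "open_subscription"),
    "registrant_address": ("1 Example Street", "verified"),
}

def respond(record, tier):
    """Differential response: return only fields released to this tier."""
    level = TIERS[tier]
    return {k: v for k, (v, minimum) in record.items() if TIERS[minimum] <= level}

# Constructed query log: (source IP, authenticated subject or None, domain).
# 203.0.113.7 stands in for a CGN egress address shared by many customers.
LOG = [
    ("203.0.113.7", "alice@idp.example", "example.com"),
    ("203.0.113.7", "bob@idp.example", "example.com"),
    ("203.0.113.7", None, "example.com"),
    ("198.51.100.20", "alice@idp.example", "example.com"),
]

def subjects_per_ip(log):
    """Everyone that IP-only analysis would lump into one 'querier'."""
    seen = defaultdict(set)
    for ip, subject, _ in log:
        seen[ip].add(subject or "<unauthenticated>")
    return dict(seen)

def ips_per_subject(log):
    """The same authenticated subject seen behind several addresses."""
    seen = defaultdict(set)
    for ip, subject, _ in log:
        if subject:
            seen[subject].add(ip)
    return dict(seen)

if __name__ == "__main__":
    for tier in TIERS:
        print(tier, sorted(respond(RECORD, tier)))
    print(subjects_per_ip(LOG))
    print(ips_per_subject(LOG))
```
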
