[gnso-rds-pdp-wg] What does "accreditation" mean here? (was Re: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc)

Andrew Sullivan ajs at anvilwalrusden.com
Thu Feb 15 21:56:14 UTC 2018


On Thu, Feb 15, 2018 at 01:28:50PM -0800, Rod Rasmussen wrote:
> 
> Agree with you here personally, but that said, we use ISO country
> codes for example since they are well established, published, and
> nearly universally accepted in many fields.

I think we use them because Jon Postel said so in RFC 1591, with the
explicit reasoning, "The IANA is not in the business of deciding what
is and what is not a country."  The same RFC says that the selection
was made knowing that there is a procedure, but without any comment on
whether the procedure is any good.  I think, in fact, that ICANN gets
itself in trouble when it deviates from the principle, "Let someone
else make that decision."  We see this, for instance, in the rather
tortured handling of IDN ccTLDs, which do not follow any particular
standard and which have given the community a certain amount of
(sometimes poorly-informed) grief as a result.

> that decision that we’ve just followed ever since).  I think
> Stephanie is looking at some fields as not having similarly accepted
> standards which would be applicable.  I don’t think she’s advocating

I can certainly imagine fields where we'll have that problem
("Internet security professional" comes to mind, for instance: just
about nobody competent in the area is going to accept the
accreditation rules likely to be invented by international
treaties).  But there are plenty of cases where there are bodies who
seem to be treated by the affected parties as legitimate.  All I am
trying to argue is that we should have a strong preference for
flipping each hot potato onto anyone who seems likely to catch it,
without coming up with a lot of rules for whether they get to play in
the game.  

> becomes a matter of ensuring that those fit, and someone has to make
> that evaluation in the end.

No, I am claiming quite explicitly that ICANN _should not_ make that
evaluation.  That's what RFC 1591 quite explicitly does not do.
"Someone else has a rule, and it seems to be accepted, so we'll use
that."

And we don't even have the problem that 1591 had, which was that you
needed exactly one authority.  Maybe you have _two_ bodies who each
claim to represent fly fishers, and their interests in the RDS.  Each
seems to have a critical mass, and neither seems to be overwhelmingly
preferred.  They both have criteria for membership.  So, they both get
to run a credential service for fly fishers, and the Fly Fishers'
Association and the New Association of Fly Fishers each can run an
OAuth service and accredit their members.  They'll get whatever
special treatment fly fishers are supposed to get (I hope none).

Maybe -- maybe -- I can see an argument for requiring stronger
consensus around the legitimacy of these credentialling bodies as the
quantity of data thereby exposed gets greater.  But I am sceptical
that the ICANN community is in any position to develop realistic
criteria here: we can't even come to any kind of conclusion in a
reasonable time about something we do know about (RDS), so the
potential to come to any kind of conclusion about accreditation
criteria seems pretty low to me.

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com

