[NCAP-Discuss] why enhanced controlled interruption - not legal

Danny McPherson danny at tcb.net
Fri Feb 25 20:17:22 UTC 2022


On 2022-02-25 14:40, Matt Larson wrote:

> 
> I’m concerned that some in this group have been talking for a long
> time about proposing ECI but have not actually described its behavior
> in any detail. Matt and Warren are describing two implementations with
> significant differences.
> 
> The details matter because different solutions would allow more
> sensitive data to be exfiltrated and would cause varying degrees of
> disruption to client applications. For TCP-based protocols, silently
> dropping the SYN vs. actively refusing the connection vs. providing a
> minimal protocol interaction all produce potentially very different
> client behavior.

I agree Matt.

I'm not sure anyone that wants to solve the problems cares enough 
anymore (there's a lot of fatigue on all sides around the whole thing), 
and JS has some fair points but they're certainly not the only ones -- 
and I'll note that if you don't do ECI and only do CI and it doesn't 
work (which I can't really tell either way) then that sensitive 
information ECI-haters are concerned about handling will certainly be 
vulnerable when those domains are controlled by a registrant.

IMO, as demonstrated, for most strings you can significantly move the 
needle without ECI but with active outreach based on just observed 
queries at the root, it just takes work.  I don't think you can do much 
better than that at scale, but that has been proven to work.  Of course, 
as discussed here the efficacy of that is decreasing every day as well 
(e.g. local root, caching, qname min, etc.).

> A proposal for ECI without specifying technically how it would work
> cannot be properly evaluated by the Board.

That's fair.


-danny


> 
> Matt (L.)