
Re: Circle of Fifths

2009-11-09 14:38:05
On Fri, Nov 6, 2009 at 5:55 AM, Steve Crocker <steve(_at_)shinkuro(_dot_)com> 
wrote:

One of the problems of living in the US is that there is really very
little experience of long lived institutions. Let us stipulate for the
sake of argument that all the current staff are competent, what
guarantees do we have for situation 20 years from now, how about 50?
How about 500? There is a College in Oxford that is currently facing
the imminent expiry of its 499 year lease.

Yes, one of the problems of living in the U.S. is it's a young country that
is unafraid to invent, experiment and reflect on its institutions.  Thus
comes the Internet, invented even though we have the oldest operating
democracy.

The US Constitution was an attempt to recreate the English
Constitution which at the time was at least 500 years old with
incremental improvements based on the best research of the day. It was
'built to last'. The founders took the time to understand the security
risks and built in checks and balances.

ICANN is not built in that fashion. It has no real checks or
balances, just a set of people who airily dismiss the notion that they
might have a duty of accountability.

After every revolution, the plotters withdraw into a cabal and carve
up the power.


Steve, it appears that you do not understand the security concerns
that are driving the politics of DNS.

The concern that ICANN might drop the Palestine zone out of the root
is precisely the source of the Egyptian delegation concern. That is
the reason why the ex-Interim Prime Minister of the Palestinian
authority took the time to meet with Twomey, I can assure you that it
was no social call.

The concern that ICANN might drop Cuba out of the root zone is one of
the principal drivers of the Brazilian concerns.

The Russian and French delegations have no specific concerns that they
have voiced to me but they certainly understand that ICANN has power
over the communications system that is only checked by the US
government, if at all.

Some folk in the old US State department thought this situation was
just dandy. Some folk in the new administration are less than happy
with the situation. It means that all it takes to create an
international crisis is for some fool in Congress to put in a bill to
force ICANN to drop Cuba, Palestine or whatever other country they
want to grandstand against out of the root.

There is no particular secret to learning these concerns, you just
have to do some active listening.

We're pretty far afield.  Conspiracy theories are easy to create.

Conspiracies happen. You are playing in the big leagues here.

Those people you dismiss as 'conspiracy theorists', they made the
events of the latter half of the 20th century happen. They spent
thirty years doing things like situating the West German TV masts in
places that intentionally create overspill into East German areas,
developing technical standards that ensure that the East Germans can
watch.

It is easy to tell a nutty conspiracy theory from a real one, the
nutty theory will be discussed endlessly (Roswell, JFK, etc.) the real
conspiracy theories are ignored. We know for a fact that Col. Ollie
North was supplying arms to the Iranian government and using the
receipts to supply Latin American terrorists. That is an
incontrovertible fact, it was a conspiracy but we don't need to talk
about it because we all know it is true.

I have
listened to these sorts of arguments, including directly from the principals
of some of the countries.  Simply not connected to reality, but definitely
understandable in terms of the broader long standing, slowly evolving
geopolitical drama.

No, that is their reality.

Like you, I have been in the meetings where cybersecurity is
discussed. I am pretty sure you know that the policy of the US State
department is and has been for some time to ensure that the Internet
is as free as possible from censorship controls as a means of
destabilizing authoritarian regimes.

These are not conspiracy 'theories', they are conspiracies that you
and I know are fact because we have been a part of them.

The Internet is the political pawn of the decade.  It's
important to sort out which issues are specific to the Internet and which
are really proxies for the broader east vs west, north vs south, developing
vs developed political tensions.

No, it is not important for you to understand the reasons behind the
concern at all. What you have to do at ICANN is to deal with the
concern of your customers regardless of whether or not you consider
them to be well founded.

Whether the concerns are credible or not, they are genuine. And some
of the people who hold them have the power to ensure that DNSSEC is
not deployed in their country.

The decision whether to deploy DNSSEC within an existing ccTLD is up to that
operator.  Those decisions will be based on a wide variety of factors.  Some
have already deployed.  Many more are in the process of doing so and will
move forward more rapidly when the root is signed.  Others will delay or
choose not to, either for lack of resources, concerns over various
pragmatics, or, as you say, for political reasons.  Fortunately, the benefit
of DNSSEC is incremental.  The whole system doesn't unravel if some subset
of the TLDs choose not to implement it.  It's a bit early to know whether
the number of zones that will be permanently unprotected will be zero, a
small number or a substantial number.  Let's revisit this in a few years.

Or how about we look at the totality of the requirements now and start
fixing them now.


Let us imagine that some Florida Congressman decides to grandstand
with an amendment to force ICANN to drop Cuba out of the root. The
preparations to protect against the damage would begin the minute the
bill was published. The Internet community is pretty quick to respond
in such cases, I don't think it would take more than a day before
backup roots were ready to deploy if necessary.

Since it is pretty clear that the rest of the world would move to a
non-ICANN root regardless of the level of reliability it provides in
preference to a root that is intentionally broken by the US Congress,
the contingency planning does not need to be particularly thorough.
This is explained to the Congressman by the State department in words
of few syllables and the bill is quickly dropped.

Note the interior political dynamic here. The problem is not 'the US',
it is one egotistical member of Congress who has the power to create
an international incident through grandstanding.

You're inventing a scenario and choosing your inferences.  Good plot for
pulp fiction.

No, I am setting out a realistic scenario that illustrates a valid
class of attack and you are choosing to attack it with ridicule rather
than taking it seriously.

I do have the standing in the community to demand a response here. At
the moment I am arguing here in the IETF forum, but there are other
forums open to me. I am speaking on this at RSA next year. The press
will be present. And I regard this entire conversation to be on the
record and official.


DNSSEC completely disrupts that delicate balance of interests. If the
DNSSEC root of roots is widely deployed in embedded devices according
to current plans, a defection by ICANN becomes a real risk. At that
point there is no certainty that the plan to drop out Cuba will fail.
Most importantly, the State department now has to spend real political
capital to ensure that the bill is dropped - if it chooses to do so.
Perhaps the President prefers having their vote for Health Care or
whatever.

ICANN is accountable and transparent.  You're creating a conspiracy scenario
that really doesn't have a basis in fact or even in possibility.

Precisely what part of the scenario do you consider implausible?

Take a look at the grandstanding that the GOP and the Cubanista
community took part in during the Elian Gonzalez affair. Do you really
think that it is beyond belief that the people who exploited a seven
year old kid to further their political careers would not stoop to
creating this type of crisis if they got the idea?

And whatever you think is the case, do you imagine that it is worth
trying to persuade the rest of us that it is not.


Now you have two approaches that you can take here. The first is that
you can continue to ignore an issue that has created real concern
outside the US, or you can look at minor modifications to the DNSSEC
architecture that allow the concerned parties to be co-opted.

Discussion of architectural changes to DNSSEC belongs in the DNSEXT WG.

No, this is a policy issue.

The DNSEXT working group has consistently taken the approach that it
has taken so long to get to this point that it is going to ignore all
new requirements, including deployment requirements until deployment
is complete. It has taken fifteen years to get to this point so the
only thing to do is to stop asking why.

Such groups are unlikely to solve the problem.

It is your job at ICANN to determine what the deployment requirements
are for DNS Security and communicate them to the relevant parties.
Simply passively waiting for the IETF to think up the requirements of
its own accord is not going to work. It certainly has not worked to
date. It will be another fifteen years before you have deployment at
this rate.

The real political problem here is that the Internet does not provide
enough important jobs for everyone to feel included. So a technical
architecture that provides more jobs for people to do, provides a
means of co-opting those parties.

Discussion of political problems related to lack of employment seems pretty
far afield for an IETF discussion list.

Discussing the issues of inclusion is something that the IETF list
spends a very great deal of time doing.

With due respect, we're well into an entirely different set of topics from
yesterday.  I'm breaking off at this point.

So you break off at the point I suggest a solution, nice one.


If you look at the original Web of Trust paper by Phil Z. you will
note that his original plan had an option for quorate voting to
establish trust relationships, an idea later implemented in SDSI. A
mechanism that allowed for multiple root signers would give the
Brazilian, French and Russian delegations something to take home to
their governments and say 'this is how we can address the
concentration of US interest'.

We have 13 root servers, we should plan to have at least 13 apex
roots. In fact we should allow anyone who wants to do so to become an
apex root signatory and relying parties should have the option to
choose whoever they please as and whatever voting criteria they
please.

The nice thing about this approach is that it re-establishes the
previous situation where the risk of defection is controlled by
removing the expectation of success rather than through the
traditional approach of making defection difficult. No single apex
signatory would be universally trusted so there is no risk of
universal failure. And each relying party chooses multiple apex
signers to trust so defection by a single signer does not even result
in a local failure. If there is no expectation of failure there is no
reason to default. So the only failures that might occur at an apex
signatory would be through mistake rather than malice.


This situation is considerably better for ICANN as well, if we replace
'Cuba' with 'Palestine', the CEO and staff of ICANN are suddenly on
the front line of an irredentist dispute. What do people fight over in
irredentist disputes? They fight over symbols, the WTC was attacked in
9/11 because its owners had set themselves up as a symbol of the
capitalist system.

Now as I said earlier, you can continue to ignore such security issues
and tell everyone that they should not be at all worried by your
friends. But let's face it, DNSSEC has been 'about to' deploy for the
past ten years and has been 'expected soon' ever since I first met you
almost fifteen years ago.

You cannot deploy an infrastructure change by designing to the 80:20
rule. You can't even do it by addressing the concerns raised in the
working group. You have to go out there and look under the rocks and
find out what is lurking there.

Again, DNSSEC is a security protocol, your intended early adopter
audience is made up of people who are unreasonable and paranoid. So
don't complain when we say that we do not trust ICANN.


o There's no basis at all for saying anything at all about what strings
ICANN would attach to support for the root operators.  The root operators
aren't asking for support, so the question simply hasn't come up.

But that overlooks the fact that only four of the root servers
survived the great DDoS attack. And two of those are run by VeriSign.

So ICANN's failure to recompense the root operators for their services
further deepens the vendor capture issue that is the reason that
Twomey really was never worth three quarters of a million bucks a
year.


--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/





_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
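
The quorum idea in the message above (each relying party picks several apex signers and its own voting criteria), as an added sketch that is not part of the original message or of any DNSSEC specification. Signer names and DS digests are constructed, and each signer's statement is assumed to have already passed signature verification.

```python
from collections import Counter

# Constructed sample data (hypothetical signer names and DS digests): each apex
# signer's statement of TLD -> DS digest, assumed already signature-verified.
STATEMENTS = {
    "apex-a": {"cu": "ds-cu-1", "br": "ds-br-1"},
    "apex-b": {"cu": "ds-cu-1", "br": "ds-br-1"},
    "apex-c": {"br": "ds-br-1"},                       # has dropped cu
    "apex-d": {"cu": "ds-cu-other", "br": "ds-br-1"},  # attests a different cu key
}


def resolve_trust(tld, trusted, quorum, statements=STATEMENTS):
    """Return the DS digest for `tld` if exactly one value is attested by at
    least `quorum` of the relying party's chosen signers, else None."""
    trusted = set(trusted)
    if not 1 <= quorum <= len(trusted):
        raise ValueError("quorum must be between 1 and the number of trusted signers")
    # One vote per trusted signer that publishes this TLD at all.
    votes = Counter(
        statements[s][tld] for s in trusted if tld in statements.get(s, {})
    )
    # A low quorum can let two conflicting values both qualify; treat that
    # as a failure rather than picking one arbitrarily.
    winners = [value for value, n in votes.items() if n >= quorum]
    return winners[0] if len(winners) == 1 else None


if __name__ == "__main__":
    policies = [
        ("single signer that dropped cu", ["apex-c"], 1),
        ("2-of-3 including the dropper", ["apex-a", "apex-b", "apex-c"], 2),
        ("2-of-3 including the dissenter", ["apex-a", "apex-b", "apex-d"], 2),
        ("1-of-2 with conflicting answers", ["apex-a", "apex-d"], 1),
    ]
    for label, trusted, quorum in policies:
        print(f"{label}: cu -> {resolve_trust('cu', trusted, quorum)}")
```
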
