
Re: [Fwd: [Asrg] Verisign: All Your ...

2003-09-19 21:33:42
At 8:51 AM -0700 09/18/2003, Bill Manning wrote:
        ok, what about DoC & ICANN agreements w/ VSGN giving them
        the authority to continue to register in and publish
        the .COM and .NET domains?  That looks like an entitlement to me.

Think of it from a set theory perspective for a second.  They have been
given the contract to populate a set (*registered* domains in COM. and NET.)
and publish that set (through DNS, ftp-able zone files, whois, phone calls
and so on).  For this publication method, this behavior eliminates the
ability to determine whether the item is in or out of the set.  This has a
couple of consequences:

1)  The different publication methods are out of synch.

2)  Those parts of the application infrastructure of the Internet which
have protocol processing choices depending on that set membership
response will get the protocol processing wrong.

a) In other contexts, the presence of a wildcard does not necessarily generate
incorrect protocol processing, _because the zone maintainer has the ability
and the right to make the other adjustments necessary to keep protocol processing
correct_.

b) In this context, Verisign does not have the information and may not have
the right to collect the information which could possibly be used to keep
protocol processing correct.


My personal guess is that Verisign read:
http://www.iab.org/documents/docs/icann-vgrs-response.html
which makes a strong statement about the difference between the IDN
system they attempted and wildcards and drew the wrong conclusion.  Instead
of concluding "our job is to correctly populate and publish a set, and this system
does not do that" it concluded "ah, they want us to accomplish this task using
wildcards instead of the tools we used".  Since I contributed to that doc, I'll
take some blame for any lack of clarity--I, at least, was not trying to say "wrong tool",
I was trying to say "wrong task".  They have still got the wrong task.

To take something Steve Bellovin said on Nanog and elaborate it--this can be
seen as a monkey-in-the-middle attack, and the standard response to that
is to use cryptographic methods to ensure the trustworthiness of the response.
In this case, the monkey in the middle is in the business of ensuring trust,
and this means one of two things:

1) We must invent some new method of ensuring against this attack.

2) We must cease to trust assurances by this business.

I think, frankly, Verisign would be better off in the trust business than the
typo-advertising business, but this is obviously their choice.

For those who need reassurance, I am not speaking for my company, as an
Area Director, or on behalf of last year's IAB.  I am speaking for myself
and only myself.
                                regards,
                                        Ted Hardie
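The membership problem described in the message above, as an added example that is not part of the original post: a toy zone with and without a wildcard, the naive "it answered, so it is registered" test that the wildcard breaks, and the nonce-label probe a resolver or application can use to flag synthesized answers. Zone contents and addresses are constructed placeholders.

```python
"""Added example (not from the original message): how a zone-level wildcard
removes the in/out-of-set signal DNS normally gives, and a probe that
detects synthesized answers.  All zone data here is constructed."""
import secrets

# Constructed toy TLD zones.  '*.com.' stands in for the kind of wildcard
# discussed in the thread; both addresses are placeholders.
WILDCARD_ZONE = {"example.com.": "192.0.2.10", "*.com.": "10.0.0.1"}
PLAIN_ZONE = {"example.com.": "192.0.2.10"}


def lookup(zone, name):
    """Return an A record, or None for NXDOMAIN, following wildcard rules:
    an exact match wins; otherwise a '*' label under the same parent matches."""
    if name in zone:
        return zone[name]
    parent = name.split(".", 1)[1]
    return zone.get("*." + parent)


def naive_is_registered(zone, name):
    """Treats 'got an answer' as 'in the set'.  Correct only when the zone
    carries no wildcard, which is exactly the assumption the thread says
    Verisign's change broke."""
    return lookup(zone, name) is not None


def probe_is_registered(zone, name):
    """Ask for a random label that cannot have been registered.  If the nonce
    resolves to the same address as `name`, the answer is synthesized and
    membership cannot be decided from this publication method (None).
    Limitation: a real registration pointing at the wildcard's own address
    is also reported as undecidable."""
    answer = lookup(zone, name)
    if answer is None:
        return False
    parent = name.split(".", 1)[1]
    nonce = secrets.token_hex(8) + "." + parent  # e.g. 'a1b2...c3d4.com.'
    if lookup(zone, nonce) == answer:
        return None
    return True
```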