Re: Circle of Fifths


On Nov 5, 2009, at 11:39 PM, Phillip Hallam-Baker wrote:

On Thu, Nov 5, 2009 at 5:44 PM, Steve Crocker <steve(_at_)shinkuro(_dot_)com>wrote:
Full disclosure: I serve on the ICANN board of directors, and I chair
ICANN's Security and Stability Advisory Committee (SSAC). Both ofthese arevolunteer, i.e. unpaid, positions, but ICANN does pay my travelexpenses for
meetings.

It's mildly amusing to see how this thread has drifted from where it
started.  Also annoying.  See inline for responses.

On Nov 5, 2009, at 12:53 PM, John Levine wrote:
As near as I can make out, ICANN collects bucketloads of cashwithoutreally having any idea why. The only rationale seemed to be topay a
rather surprising large salary to the CEO.
Agreed, except for the surprise part.  The whole staff is paid
impressively large amounts and has been as long as I've beenwatching
ICANN.  They seem to feel that their peer organizations for
compensation purposes are investment banks rather than other
non-profits.
I don't have access to the salaries of individual employees, and Idoubt youdo either. In general, ICANN pays its staff competitively in ordertoattract and retain skilled people. A very large number of peoplealsoparticipate in ICANN as volunteers, similar to the way the IETF,ISOC and
other organizations work.
$722,079 for the services of Twomey was far more than he could have
expected in any other role and far more than his performance in the
job justified.

In response to John,: I think that prior to his appointment all of us
would be very surprised to know what Twomey would be making in a few
years time.

Beckstrom can clearly demand a very substantial salary in other roles.
That is why I used the past tense.
Instead they are currently looking to raise even more money through
the sale of TLDs but last time I heard were curiouslyuninterested in
providing any material support to the root operators who would be
bearing the expense of supporting these new domains.
If I were a root server operator, it would take an implausibly large
amount of money to be worth the strings that ICANN would attach.  A
key reason that the DNS still works is that there's no root server
contract, so the root operators can individually or jointly tellICANN
to pound sand if they don't care for the root zone that ICANN offers
them. Hence ICANN is very cautions about changes.
This is multiple pieces of nonsense:
o ICANN is very cautious about changes to the root because that'sthe right
thing to do.  A huge amount of work goes into vetting each and every
requested change. To suggest they are cautious only because of therootoperators is both factually wrong and insulting. It's really timeto stopbashing the ICANN staff. When they make a mistake, they'll admitit and fixit. The competence level inside ICANN is surely as good as in theIETF and
other organizations.
One of the problems of living in the US is that there is really very
little experience of long lived institutions. Let us stipulate for the
sake of argument that all the current staff are competent, what
guarantees do we have for situation 20 years from now, how about 50?
How about 500? There is a College in Oxford that is currently facing
the imminent expiry of its 499 year lease.

Yes, one of the problems of living in the U.S. is it's a young countrythat is unafraid to invent, experiment and reflect on itsinstitutions. Thus comes the Internet, invented even though we havethe oldest operating democracy.

I really don't think that this degree of thinking is evident in the
design of ICANN.

Rather more than you're giving us credit for. But there's a lot ofground to cover before we get to the 50 or 500 year mark. We're justover one decade into this process.

The type of situation that we can end up in is illustrated by the
French recording rights society, which U2 withdrew their songs from
after receiving a pittance (I seem to rememer it was less than $100)
while the President of the organization proudly unveiled the grandiose
multi-hundred million dollar building on which the money collected on
behalf of U2 and the other artists had been spent.

Yup, that's why we spend so much time on governance models and issues,with more to come.

o The idea that the root operators would actually catch or stoperrors in
the root zone is more fantasy than reality. The root operators arehighlyautomated and don't generally look at the content of each update ofthe rootzone. At a recent meeting in the EU, a senior official at a majorregistrymade the claim that the root operators were the last line ofdefense againstmalicious or capricious behavior by ICANN or the U.S. Government,and that
DNSSEC would diminish the ability of the root operators to protect a
registry from being removed from the root zone. I took theopportunity askif the root operators were, in fact, ready, willing and able toserve insuch a capacity. If so, were there realistic plans and practice inplace?We're living in a post 9/11 world where organizations take suchquestionsseriously. They prepare plans and they practice dealing withcontingencies.I followed up with the root operators at a subsequent meeting. Nosuch
plans exist, and the root operators do not seem inclined to organize
themselves to act in such a capacity. (I'm not taking a positionpro or conas to whether they should have such a role. I'm only sayingthere's noconnection between the claim that they have this role and anyrealistic
chance that they would actually do so today.)
Steve, it appears that you do not understand the security concerns
that are driving the politics of DNS.

The concern that ICANN might drop the Palestine zone out of the root
is precisely the source of the Egyptian delegation concern. That is
the reason why the ex-Interim Prime Minister of the Palestinian
authority took the time to meet with Twomey, I can assure you that it
was no social call.

The concern that ICANN might drop Cuba out of the root zone is one of
the principal drivers of the Brazilian concerns.

The Russian and French delegations have no specific concerns that they
have voiced to me but they certainly understand that ICANN has power
over the communications system that is only checked by the US
government, if at all.

Some folk in the old US State department thought this situation was
just dandy. Some folk in the new administration are less than happy
with the situation. It means that all it takes to create an
international crisis is for some fool in Congress to put in a bill to
force ICANN to drop Cuba, Palestine or whatever other country they
want to grandstand against out of the root.

There is no particular secret to learning these concerns, you just
have to do some active listening.

We're pretty far afield. Conspiracy theories are easy to create. Ihave listened to these sorts of arguments, including directly from theprincipals of some of the countries. Simply not connected to reality,but definitely understandable in terms of the broader long standing,slowly evolving geopolitical drama. The Internet is the politicalpawn of the decade. It's important to sort out which issues arespecific to the Internet and which are really proxies for the broadereast vs west, north vs south, developing vs developed politicaltensions.

Whether the concerns are credible or not, they are genuine. And some
of the people who hold them have the power to ensure that DNSSEC is
not deployed in their country.

The decision whether to deploy DNSSEC within an existing ccTLD is upto that operator. Those decisions will be based on a wide variety offactors. Some have already deployed. Many more are in the process ofdoing so and will move forward more rapidly when the root is signed.Others will delay or choose not to, either for lack of resources,concerns over various pragmatics, or, as you say, for politicalreasons. Fortunately, the benefit of DNSSEC is incremental. Thewhole system doesn't unravel is some subset of the TLDs choose not toimplement it. It's a bit early to know whether the number of zonesthat will be permanently unprotected will be zero, a small number or asubstantial number. Let's revisit this in a few years.

The idea that the root operators would serve as the last line of
defense is not as naive as you imagine. The threat does not need to be
very credible to ensure that ICANN is kept in line. Nor is it the
'root operators' who are the real last line of defense, rather it is
the ISPs that route the address blocks for the IP addresses that they
employ.

There are large number of ISPs. Quite a few are monetizing therewriting of DNS responses.

Let us imagine that some Florida Congressman decides to grandstand
with an amendment to force ICANN to drop Cuba out of the root. The
preparations to protect against the damage would begin the minute the
bill was published. The Internet community is pretty quick to respond
in such cases, I don't think it would take more than a day before
backup roots were ready to deploy if necessary.

Since it is pretty clear that the rest of the world would move to a
non-ICANN root regardless of the level of reliability it provides in
preference to a root that is intentionally broken by the US Congress,
the contingency planning does not need to be particularly thorough.
This is explained to the Congressman by the State department in words
of few syllables and the bill is quickly dropped.

Note the interior political dynamic here. The problem is not 'the US',
it is one egotistical member of Congress who has the power to create
an international incident through grandstanding.

You're inventing a scenario and choosing your inferences. Good plotfor pulp fiction.

DNSSEC completely disrupts that delicate balance of interests. If the
DNSSEC root of roots is widely deployed in embedded devices according
to current plans, a defection by ICANN becomes a real risk. At that
point there is no certainty that the plan to drop out Cuba will fail.
Most importantly, the State department now has to spend real political
capital to ensure that the bill is dropped - if it chooses to do so.
Perhaps the President prefers having their vote for Health Care or
whatever.

ICANN is accountable and transparent. You're creating a conspiracyscenario that really doesn't have a basis in fact or even inpossibility.

Now you have two approaches that you can take here. The first is that
you can continue to ignore an issue that has created real concern
outside the US, or you can look at minor modifications to the DNSSEC
architecture that allow the concerned parties to be co-opted.


Discussion of architectural changes to DNSSEC belong in the DNSEXT WG.

The real political problem here is that the Internet does not provide
enough important jobs for everyone to feel included. So a technical
architecture that provides more jobs for people to do, provides a
means of co-opting those parties.

Discussion of political problems related to lack of employment seemspretty far afield for an IETF discussion list.

With due respect, we're well into an entirely different set of topicsfrom yesterday. I'm breaking off at this point.


Steve

If you look at the original Web of Trust paper by Phil Z. you will
note that his original plan had an option for quorate voting to
establish trust relationships, an idea later implemented in SDSI. A
mechanism that allowed for multiple root signers would give the
Brazilian, French and Russian delegations something to take home to
their governments and say 'this is how we can address the
concentration of US interest'.

We have 13 root servers, we should plan to have at least 13 apex
roots. In fact we should allow anyone who wants to do so to become an
apex root signatory and relying parties should have the option to
choose whoever they please as and whatever voting criteria they
please.

The nice thing about this approach is that it re-establishes the
previous situation where the risk of defection is controlled by
removing the expectation of success rather than through the
traditional approach of making defection difficult. No single apex
signatory would be universally trusted so there is no risk of
universal failure. And each relying party chooses multiple apex
signers to trust so defection by a single signer does not even result
in a local failure. If there is no expectation of failure there is no
reason to default. So the only failures that might occur at an apex
signatory would be through mistake rather than malice.


This situation is considerably better for ICANN as well, if we replace
'Cuba' with 'Palestine', the CEO and staff of ICANN are suddenly on
the front line of an irredentist dispute. What do people fight over in
irredentist disputes? They fight over symbols, the WTC was attacked in
9/11 because its owners had set themselves up as a symbol of the
capitalist system.

Now as I said earlier, you can continue to ignore such security issues
and tell everyone that they should not be at all worried by your
friends. But lets face it, DNSSEC has been 'about to' deploy for the
past ten years and has been 'expected soon' ever since I first met you
almost fifteen years ago.

You cannot deploy an infrastructure change by designing to the 80:20
rule. You can't even do it by addressing the concerns raised in the
working group. You have to go out there and look under the rocks and
find out what is lurking there.

Again, DNSSEC is a security protocol, your intended early adopter
audience is made up of people who are unreasonable and paranoid. So
don't complain when we say that we do not trust ICANN.

o There's no basis at all for saying anything at all about whatstringsICANN would attach to support for the root operators. The rootoperators
aren't asking for support, so the question simply hasn't come up.


But that overlooks the fact that only four of the root servers
survived the great DDoS attack. And two of those are run by VeriSign.

So ICANN's failure to recompense the root operators for their services
further deepens the vendor capture issue that is the reason that
Twomey really was never worth three quarters of a million bucks a
year.


--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf