
CircleID: Comments

Latest comments posted on CircleID


RE: IETF and Crypto Zealots (Charles Christopher)


>I do not accept the proposition that network providers will make the best decisions
>about how to satisfy user needs.  Rather, I believe, that providers ought to make
>information available to users, or to user's agents (human or, more likely, software)
>and let the users make the choices of how to use network services.


Trust is how the issue is being discussed, but choice is the primary concern. This is about choice, specifically not taking away the choice of good actors.

Bad actors likely never trusted the network to begin with, only the good actors did. As the good actors lost trust they made choices causing them to become ambiguous (network privacy techniques) relative to the bad actors, and that is not the good actors' problem (some fail to realize this) ... The lack of network trust and choice by the bad actors is a "cost of doing business", and thus bad actors don't get to complain, it's their career choice. They made their bed, now lie in it. Don't like it? Choose an honest career, then you have network choice returned to you.

The "anarchists" I am aware of are seeking the positive dynamic of increased choice. And they also tend to apply the golden rule in their lives, they expect to be able to do what everyone else does. That means there is accountability, they can defend themselves when needed and others can too. Anarchy is in fact not always chaos, although in the limit it can be. Most rational people do in fact seek "anarchy" but not in the extreme, they simply seek to increase choice as government tries to decrease choice. Such people call themselves libertarians.

If you want an example of chaos, walk into the well defined rules based motor vehicle office, fill out the wrong form for your purpose and fill it out incorrectly (for your safety, be sure NOT to sign it), then hand it to the lady behind the window with a serious look on your face ... The network chokes on that packet ... That's what happens in the limit of taking all choice away. Total lack of choice DOES result in chaos, always.

If you offer me more choice it tends to increase my trust. I will feel in control, the more choices the more control and the more trust. There is generally peace.

If you take away my choice(s) you will destroy my trust. I will feel vulnerable, I will do something to regain control, and you will not like what I do:

"Learn the rules so you know how to break them properly.”
- Dalai Lama

"Among the many misdeeds of the British rule in India, history will look upon the act depriving a whole nation of arms as the blackest."
- Mahatma Gandhi

Link | Posted on Mar 13, 2018 6:39 PM PDT by Charles Christopher

RE: IETF and Crypto Zealots (Karl Auerbach)


My perspective on this may be colored by the fact that I was working on true end-to-end protection of network traffic even before there was an Internet. The approaches that we always used back in the 1970's were to have a layer between IP and TCP that encrypted packets, not connections. IPSEC resembles that approach, and as would be expected the really hard part is not the basic protection but, rather, the key management and replay protection. I still prefer the IPSEC approach to the SSL/TLS approach.

What I do not like about the SSL/TLS (including TLS 1.3) approach is that unless an endpoint is really careful about inspecting certificates and chains of delegation it may end up chatting via an unwanted proxy that will have access to the clear data. It is that ability to slip into the middle that is one of the things being claimed as being a valuable thing by network operators. I tend to disagree. If a proxy/web cache is so valuable to me a user then why should an operator hide this thing from the user. My, decidedly suspicious, thought is that perhaps the operator is rather more interested in mining user data from the connection and that any performance gains are merely a nice side effect.

I am a strong advocate of the stupid network concept - which is a shorthand for saying that the internet's data plane should be as simpleminded as is reasonable. I moderate that by accepting that control planes can be rather complex. Clearly internet control planes could benefit from knowing more about the traffic being carried. But linkages from the data plane to the control planes always invite security leakage as well as reliability concerns.

When I was at Cisco I engaged in some work to see if I could do better control plane decisions - or rather give end point clients and servers better information about which pairing of client to server would best suit the proposed network communication. I came up with a thing I called the Fast Path Characterization Protocol - a highly incomplete design in which a client could provide a description of the proposed communication (I used an Int-Serve TSPEC) and ask the net for information about the potential paths and peers that could be used. The incomplete work is still up on the net at

I do not accept the proposition that network providers will make the best decisions about how to satisfy user needs. Rather, I believe, that providers ought to make information available to users, or to user's agents (human or, more likely, software) and let the users make the choices of how to use network services.

I've spent decades building tools (and using tools) to diagnose and repair network problems. Yes, security protections get in the way of network repair. But that difficulty does not lead me to the conclusion that we should open the network to deep packet inspection by providers any more than the fact a person may occasionally need to be examined by a doctor should lead to a requirement that people should walk around everywhere and at all times naked.

The idea that a network operator must depend on user traffic - which is typically bursty and non-reproducible - to diagnose problems strikes me, the grandson of a radio repairman and son of a TV repairman - that those who depend on that traffic are not sufficiently skilled to have learned the value of test generators and reproducible traffic. Sure, user traffic serves as an initial indicator of trouble - although one would hope that a provider might have systems to learn of problems before users do. However, when getting down to the hard job of problem isolation and repair, depending on user traffic - and thus arguing that user traffic should be open to view at all times - tells me that the provider is an amateur.

Link | Posted on Mar 13, 2018 5:37 PM PDT by Karl Auerbach

RE: ICANN Proposed Interim GDPR Compliance Model Would Kill Operational Transparency of the Internet (Charles Christopher)


>Am I missing some technical flaw here to stop this ?

Nope :) As a registrar I would also point out some other details.

Most problems with domain name registration involve the email account used to allow access to an admin account used to manage the domain name. Registries have a manual backend that in effect looks like an admin panel at a registrar. So there is no need for an EPP backend to manage a small number of domain names, you can just use the registry admin panel to manage your domains. Thus, there is no email account that can be exploited to gain access to a domain management account at a registrar. To the extent you secure your REGISTRY access your domain will be safe, and as a registrar you actually have many more options to do this than if you were a registrant of a registrar. Remember, as a registrar you have a direct contract with the registry, not some registrant TOS that says your registrar can do anything they want, at any time, without notice to you. The level of service, and contractual obligation, is orders of magnitude beyond that of being a registrar customer.

The domain registrar industry makes it appear that domains require some special step at the registry to be renewed. This is not true. Registrars do not delete domains, only registrars do. Thus registrars never "renew" domains, they only delete them. This is an esoteric point, but it is important to understand. Let's say the .COM renewal fee is $10 at Verisign and does not change. If you fund your account with $1000 then, so long as you pay your ICANN fees, you could walk away from your relationship with Verisign for 100 years and the domain will still be there when you return. There are no EPP or human transactions required to maintain the registration in the registry, only an account balance to debit against. For a large corp funding that account for decades likely costs less than the paperwork to have someone actually do it. ICANN fees these days are about $6000 per year, or $500 per month. Very cheap insurance.

Without going into details, speak to your favorite domain name lawyer for details such as Stevan Lieberman or John Berryhill, being a self registrar renders many requirements of ICANN accreditation meaningless. In other words you are unlikely to ever sue yourself over your own domain registrations. And yet sometimes ICANN will demand documentation stating you promise not to sue yourself, or lie to yourself ... Their contract is just not written for self registrars, and fortunately does not impede doing so, much of it very nicely just falls away when you do. Except the parts where you have to declare you will treat yourself right!

Perhaps the biggest tech hurdle is that a registry will require you to demonstrate EPP backend competency via an EPP on boarding test. So you have to actually interact with the registry through EPP to have an account set up, even though you will never use that access again. There are plenty of people in the industry, and I am one, who have done this for others to help them set up new registrars. John and Stevan can help with this, as they would just call on one of us for this step. And I think I would generally suggest using them to set up the registrar contracts as well, it's such a bureaucratic process that it's worth paying someone with the battle scars of having done it. Talk to them about pricing.

People forget the days when most registrars were literally mom and pops working out of their homes. It is very sad that has been lost, it was very different to have a support call with the person who fed themselves and put the roof over their head with your reg fee. That was service! There are many self registrars like me doing the same today. But now when you open yourself up for retail registrations, the ICANN bureaucratic hell rains down on you. This is not an issue for a brand self registrar. Piece of cake, yum! :)

- Charles

Link | Posted on Mar 08, 2018 6:42 PM PDT by Charles Christopher

RE: ICANN Proposed Interim GDPR Compliance Model Would Kill Operational Transparency of the Internet (Phil Buckingham)


I agree Christopher, Fred. Surely this could work for each closed .brand Registry, since by its very nature second level registrations are internally generated and owned by that particular .brand company and its affiliates. Owning & controlling its own fully integrated registrar would enable the .brand to lock away its own registrant whois data. Am I missing some technical flaw here to stop this?

Link | Posted on Mar 08, 2018 5:50 PM PDT by Phil Buckingham

RE: IETF and Crypto Zealots (Anthony Rutkowski)


Thanks. Unfortunately, we have many layers of communications related challenges today. They are not so much new, as arising faster, on a larger scale, and more complex. The national (especially in Washington) and world news every day are also a reminder that we have some serious contemporary meta-challenges that have no obvious communications technology solutions, which make one yearn for the simplicity of habitation at the Ganden Sumtseling Monastery (in the photo).

Link | Posted on Mar 08, 2018 11:53 AM PDT by Anthony Rutkowski

RE: ICANN Proposed Interim GDPR Compliance Model Would Kill Operational Transparency of the Internet (Charles Christopher)


Verisign WHOWAS service:

Trivial to add the contact objects as they move to a thick registry:

Link | Posted on Mar 07, 2018 10:13 AM PDT by Charles Christopher

RE: ICANN Proposed Interim GDPR Compliance Model Would Kill Operational Transparency of the Internet (Charles Christopher)


>First, many registries have chosen to show contact data
>to registrars via EPP only in two circumstances:

Would you mind sharing a list of a couple example TLDs?

Also, Verisign is moving to thick registry implementation. If they implement sponsor/auth code access then yes, the door is blocked here. But not yet.

When certain registries told registrars to stop using their public whois servers to obtain contact info and only use EPP, they started metering even registrar access to public whois. As a registrar I pushed the registries on this, pointing out examples of whois server data not matching EPP data, and since the public uses the whois server this is more "authoritative" and thus a registrar MUST have unimpeded access to both. The registries removed registrar public whois metering. The inconsistencies between these two sources remain, it's not common, but it is there for many different reasons.

The law of "Unintended Consequences", and lack of current certification process so close to the law, leaves me wondering if the registrar/registry community will sort this out on its own. For many years I have been vocally supporting PAID registry WHOWAS services, and that such services would likely bring them more revenue than domain registrations. Verisign does provide such a service, lacking contact info. A GDPR business case can easily be made that registry WHOWAS can be used to detect domain theft and as a tool supporting contact object verification details. Verisign is very clear about their current WHOWAS service being a PAID service, although the price remains $0.00 ... With GDPR you would need to be a registrar to have access to such a service, which you could in turn offer to law enforcement etc, thus creating a profitable service for registrars.

I would also like to add that I too think whois should be unimpeded like the records of my home ownership / property records, without which I could not demonstrate ownership of my own home and thus protect myself. But the moment we allowed proxy whois, we all shot ourselves in the collective foot on this point. If proxy whois had not been allowed, and useless proxy contact data is what EPP contains as well as ICANN data escrow, then we'd all be in a much better position to fight this. Domain theft, for example, is going to increase dramatically from here on ... which in turn would support the offering of registry WHOWAS paid services, at a rate not equal to $0.00.

>where other registrars cannot query it via EPP.

Internal to the ICANN RADAR system is the publishing of IPs a registrar uses to access other registrars' whois servers. This list is used to white list whois accesses within the registrar community to support domain transfers. Without it the COM/NET transfer verification policy would be impossible to satisfy.

Link | Posted on Mar 07, 2018 10:07 AM PDT by Charles Christopher

RE: ICANN Proposed Interim GDPR Compliance Model Would Kill Operational Transparency of the Internet (Frederick Felman)


Christopher - The idea of large companies becoming their own registrar is an interesting one and there are some brands executing on that idea.  Companies like AppDetex have technologies and services that support companies that want to become their own registrar.  - f

Link | Posted on Mar 07, 2018 8:25 AM PDT by Frederick Felman

RE: ICANN Proposed Interim GDPR Compliance Model Would Kill Operational Transparency of the Internet (Greg Aaron)


Hello, Christopher.  You suggested that law enforcement, IP attorneys, etc. simply become registrars and then they would have access to "everything they need" (e.g. contact data) via EPP.  Unfortunately that will not work due to some technical and policy decisions.

First, many registries have chosen to show contact data to registrars via EPP only in two circumstances: if you are the sponsoring registrar of the domain or contact object being looked up, or if you have the auth code for the domains (so you can make a registrar-to-registrar transfer).  If you're not the sponsoring registrar, you usually can't see contact data for EPP objects you don't already control.

The second problem is that .COM and .NET are still thin registries. This means that for about 78% of gTLD domain names, the contact data is held at the registrars, where other registrars cannot query it via EPP.

You are correct that currently, EPP contact IDs are useless for certain purposes because they are not re-used, and registrars tend to create new contact IDs for every domain.  EPP was designed to allow that.  Imposing a "one registrant, one EPP contact object" would be theoretically possible but a big policy and implementation job to move to.

Link | Posted on Mar 07, 2018 7:58 AM PDT by Greg Aaron
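The two disclosure circumstances described in the comment above (sponsoring registrar, or a requester holding the auth code), modelled as an added example that is not code from CircleID or from any registry: it builds an EPP contact `<info>` command per RFC 5733 and runs a mock registry-side authorization check on it. The contact ids, registrar names and auth codes are constructed sample data.

```python
import hmac
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
CONTACT_NS = "urn:ietf:params:xml:ns:contact-1.0"
ET.register_namespace("epp", EPP_NS)
ET.register_namespace("contact", CONTACT_NS)

# Constructed registry state (sample data, not any real registry): each contact
# object records its sponsoring registrar and its authInfo password.
CONTACTS = {
    "sh8013": {"sponsor": "registrarA", "auth": "2fooBAR", "email": "jdoe@example.com"},
    "sah8013": {"sponsor": "registrarB", "auth": "x9quux", "email": "jsmith@example.net"},
}


def build_contact_info(contact_id, auth_pw=None, cl_trid="ABC-12345"):
    """Build an EPP <info> command for a contact object (RFC 5733, section 3.1.2).
    The optional <contact:authInfo> element is only emitted when a password is given."""
    epp = ET.Element(f"{{{EPP_NS}}}epp")
    command = ET.SubElement(epp, f"{{{EPP_NS}}}command")
    info = ET.SubElement(command, f"{{{EPP_NS}}}info")
    c_info = ET.SubElement(info, f"{{{CONTACT_NS}}}info")
    ET.SubElement(c_info, f"{{{CONTACT_NS}}}id").text = contact_id
    if auth_pw is not None:
        auth = ET.SubElement(c_info, f"{{{CONTACT_NS}}}authInfo")
        ET.SubElement(auth, f"{{{CONTACT_NS}}}pw").text = auth_pw
    ET.SubElement(command, f"{{{EPP_NS}}}clTRID").text = cl_trid
    return ET.tostring(epp, encoding="unicode")


def registry_contact_info(xml_text, requesting_registrar):
    """Mock registry-side authorization for <contact:info>.
    Returns an RFC 5730 result code and, on success, the contact data. Data is
    disclosed only to the sponsoring registrar or to a requester presenting the
    object's authInfo; any other registrar receives 2201 (authorization error)."""
    root = ET.fromstring(xml_text)
    contact_id = root.findtext(f".//{{{CONTACT_NS}}}id")
    pw = root.findtext(f".//{{{CONTACT_NS}}}authInfo/{{{CONTACT_NS}}}pw")
    obj = CONTACTS.get(contact_id)
    if obj is None:
        return {"code": 2303}  # object does not exist
    is_sponsor = requesting_registrar == obj["sponsor"]
    # Constant-time comparison so a wrong authInfo guess leaks no timing signal.
    has_auth = pw is not None and hmac.compare_digest(pw.encode(), obj["auth"].encode())
    if is_sponsor or has_auth:
        return {"code": 1000, "email": obj["email"]}
    return {"code": 2201}  # authorization error: contact data stays hidden


if __name__ == "__main__":
    # A non-sponsoring registrar without the auth code learns nothing.
    print(registry_contact_info(build_contact_info("sh8013"), "registrarB"))
    # The same registrar with the auth code (a transfer scenario) is served.
    print(registry_contact_info(build_contact_info("sh8013", "2fooBAR"), "registrarB"))
```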

RE: ICANN Proposed Interim GDPR Compliance Model Would Kill Operational Transparency of the Internet (Charles Christopher)


Registrant ID's:

This is actually how the thick EPP registry backend is designed, however many registrars do not use "contact objects" this way and thus the concept does not work. In fact one registry recently cleaned up their backend database to rid itself of all the unused objects (think "unique IDs"). ICANN could try to force registrars to use the contact objects in this way, but if I as a registrant want say a home address on a personal domain and a business address on a business domain then there will be two contact objects and thus two unique IDs even though I am the same person. In another example I help manage the domains of a couple of not-for-profits whose employees have little clue about domain names, so I am listed even though I have no legal involvement in those organizations (I have strong friendships with those who manage them) - Does this mean their whois is wrong or right? ... Perhaps this is why ICANN's description is vague, the pieces are in fact there right now, and are technically seductive, but in the real world it just doesn't work.

The "registrant ID" is to the contact object as the "domain registration ID" is to the domain name.


I have always wondered why companies with enormously valuable domain assets, and their own internal legal department, don't bother to become registrars themselves. Here is one more reason to do so. Move your domains into your own registrar which is the safest way to control them, and then "pierce the gates" and have full access to everything you need.

Likewise those law firms serving the industry. Become a registrar and become that for which the entire system and its data must flow freely.

Law Enforcement, get together, setup a registrar, and share its access. A "self registrar", especially one with no domains, is pretty trivial to manage, just have to pay ICANN its quarterly indulgences ... Hmmmm, I think there is a business opportunity here ...

Link | Posted on Mar 06, 2018 8:13 PM PDT by Charles Christopher

RE: U.S. Complaint to WTO on China VPNs Is Itself Troubling (Charles Christopher)


>conflicts of law

I see only conflicts of trust.

Should I choose to use a service provider's VPN I am required to trust them. I trust no one.

However, they are not required to trust me and any possibility of having them trust me is removed (by law).

They are to be considered good and trustworthy, I am not. I am guilty until proven innocent.

>and getting worse.

Of course this will get worse, it's based on a double standard.

Link | Posted on Mar 06, 2018 12:59 PM PDT by Charles Christopher

RE: U.S. Complaint to WTO on China VPNs Is Itself Troubling (Anthony Rutkowski)


The conflicts of law in supporting these services and meeting divergent contractual and regulatory requirements both internationally and domestically are monumental and getting worse.

Link | Posted on Mar 06, 2018 12:43 PM PDT by Anthony Rutkowski

RE: U.S. Complaint to WTO on China VPNs Is Itself Troubling (Todd Knarr)


I know they have a certain amount of flexibility. But as far as I can see they don't have the flexibility to prevent the network operator from accessing the data flowing across the VPN (because the network operator is the one operating the VPN and its endpoints and they have access to all the encryption keys). That's where those standards run headlong into the business security requirement that the data remain secure vs. the network operator who isn't authorized to see it.

Link | Posted on Mar 06, 2018 11:41 AM PDT by Todd Knarr

RE: U.S. Complaint to WTO on China VPNs Is Itself Troubling (Anthony Rutkowski)


It is not clear that some of the existing Y and X series standards don't have enough flexibility to accommodate a wide variety of VPN instantiations.  The standards were largely developed by U.S. and European providers and equipment vendors.

However, if one is going to be filing complaints to the WTO that are reliant on standards in a particular venue, it might be wise to have the foresight to have ensured those standards exist in that venue.  Hence the admonition to engage in SG13 and SG17 at the end of the article.  On the other hand, if one is just going to call for trade wars, it is not clear what purpose is being served by filing a complaint at all.

Link | Posted on Mar 06, 2018 3:32 AM PDT by Anthony Rutkowski

RE: U.S. Complaint to WTO on China VPNs Is Itself Troubling (Todd Knarr)


So, what are the ITU-T standards for customer-equipment-based VPNs? The ones I find are all for network-based VPNs which've been pretty much abandoned for failure to meet basic business (not technical) security requirements.

Link | Posted on Mar 05, 2018 11:57 PM PDT by Todd Knarr