Re: Circle of Fifths

[Steve Crocker <steve at shinkuro.com>]

On Nov 5, 2009, at 11:39 PM, Phillip Hallam-Baker wrote:

> On Thu, Nov 5, 2009 at 5:44 PM, Steve Crocker <steve at shinkuro.com>  
> wrote:
> > Full disclosure: I serve on the ICANN board of directors, and I chair
> > ICANN's Security and Stability Advisory Committee (SSAC).  Both of  
> > these are
> > volunteer, i.e. unpaid, positions, but ICANN does pay my travel  
> > expenses for
> > meetings.
> >
> > It's mildly amusing to see how this thread has drifted from where it
> > started.  Also annoying.  See inline for responses.
> >
> > On Nov 5, 2009, at 12:53 PM, John Levine wrote:
> >
> > > > As near as I can make out, ICANN collects bucketloads of cash  
> > > > without
> > > > really having any idea why. The only rationale seemed to be to  
> > > > pay a
> > > > rather surprising large salary to the CEO.
> > >
> > > Agreed, except for the surprise part.  The whole staff is paid
> > > impressively large amounts and has been as long as I've been  
> > > watching
> > > ICANN.  They seem to feel that their peer organizations for
> > > compensation purposes are investment banks rather than other
> > > non-profits.
> >
> > I don't have access to the salaries of individual employees, and I  
> > doubt you
> > do either.  In general, ICANN pays its staff competitively in order  
> > to
> > attract and retain skilled people.  A very large number of people  
> > also
> > participate in ICANN as volunteers, similar to the way the IETF,  
> > ISOC and
> > other organizations work.
>
> $722,079 for the services of Twomey was far more than he could have
> expected in any other role and far more than his performance in the
> job justified.
>
> In response to John,: I think that prior to his appointment all of us
> would be very surprised to know what Twomey would be making in a few
> years time.
>
> Beckstrom can clearly demand a very substantial salary in other roles.
> That is why I used the past tense.
>
>
> > > > Instead they are currently looking to raise even more money through
> > > > the sale of TLDs but last time I heard were curiously  
> > > > uninterested in
> > > > providing any material support to the root operators who would be
> > > > bearing the expense of supporting these new domains.
> > >
> > > If I were a root server operator, it would take an implausibly large
> > > amount of money to be worth the strings that ICANN would attach.  A
> > > key reason that the DNS still works is that there's no root server
> > > contract, so the root operators can individually or jointly tell  
> > > ICANN
> > > to pound sand if they don't care for the root zone that ICANN offers
> > > them. Hence ICANN is very cautions about changes.
> >
> > This is multiple pieces of nonsense:
> >
> > o ICANN is very cautious about changes to the root because that's  
> > the right
> > thing to do.  A huge amount of work goes into vetting each and every
> > requested change.  To suggest they are cautious only because of the  
> > root
> > operators is both factually wrong and insulting.  It's really time  
> > to stop
> > bashing the ICANN staff.  When they make a mistake, they'll admit  
> > it and fix
> > it.  The competence level inside ICANN is surely as good as in the  
> > IETF and
> > other organizations.
>
> One of the problems of living in the US is that there is really very
> little experience of long lived institutions. Let us stipulate for the
> sake of argument that all the current staff are competent, what
> guarantees do we have for situation 20 years from now, how about 50?
> How about 500? There is a College in Oxford that is currently facing
> the imminent expiry of its 499 year lease.

Yes, one of the problems of living in the U.S. is it's a young country  
that is unafraid to invent, experiment and reflect on its  
institutions.  Thus comes the Internet, invented even though we have  
the oldest operating democracy.

> I really don't think that this degree of thinking is evident in the
> design of ICANN.

Rather more than you're giving us credit for.  But there's a lot of  
ground to cover before we get to the 50 or 500 year mark.  We're just  
over one decade into this process.

> The type of situation that we can end up in is illustrated by the
> French recording rights society, which U2 withdrew their songs from
> after receiving a pittance (I seem to rememer it was less than $100)
> while the President of the organization proudly unveiled the grandiose
> multi-hundred million dollar building on which the money collected on
> behalf of U2 and the other artists had been spent.

Yup, that's why we spend so much time on governance models and issues,  
with more to come.

> o The idea that the root operators would actually catch or stop  
> errors in
> > the root zone is more fantasy than reality.  The root operators are  
> > highly
> > automated and don't generally look at the content of each update of  
> > the root
> > zone.  At a recent meeting in the EU, a senior official at a major  
> > registry
> > made the claim that the root operators were the last line of  
> > defense against
> > malicious or capricious behavior by ICANN or the U.S. Government,  
> > and that
> > DNSSEC would diminish the ability of the root operators to protect a
> > registry from being removed from the root zone.  I took the  
> > opportunity ask
> > if the root operators were, in fact, ready, willing and able to  
> > serve in
> > such a capacity.  If so, were there realistic plans and practice in  
> > place?
> >  We're living in a post 9/11 world where organizations take such  
> > questions
> > seriously.  They prepare plans and they practice dealing with  
> > contingencies.
> >  I followed up with the root operators at a subsequent meeting.  No  
> > such
> > plans exist, and the root operators do not seem inclined to organize
> > themselves to act in such a capacity.  (I'm not taking a position  
> > pro or con
> > as to whether they should have such a role.  I'm only saying  
> > there's no
> > connection between the claim that they have this role and any  
> > realistic
> > chance that they would actually do so today.)
>
> Steve, it appears that you do not understand the security concerns
> that are driving the politics of DNS.
>
> The concern that ICANN might drop the Palestine zone out of the root
> is precisely the source of the Egyptian delegation concern. That is
> the reason why the ex-Interim Prime Minister of the Palestinian
> authority took the time to meet with Twomey, I can assure you that it
> was no social call.
>
> The concern that ICANN might drop Cuba out of the root zone is one of
> the principal drivers of the Brazilian concerns.
>
> The Russian and French delegations have no specific concerns that they
> have voiced to me but they certainly understand that ICANN has power
> over the communications system that is only checked by the US
> government, if at all.
>
> Some folk in the old US State department thought this situation was
> just dandy. Some folk in the new administration are less than happy
> with the situation. It means that all it takes to create an
> international crisis is for some fool in Congress to put in a bill to
> force ICANN to drop Cuba, Palestine or whatever other country they
> want to grandstand against out of the root.
>
> There is no particular secret to learning these concerns, you just
> have to do some active listening.

We're pretty far afield.  Conspiracy theories are easy to create.  I  
have listened to these sorts of arguments, including directly from the  
principals of some of the countries.  Simply not connected to reality,  
but definitely understandable in terms of the broader long standing,  
slowly evolving geopolitical drama.  The Internet is the political  
pawn of the decade.  It's important to sort out which issues are  
specific to the Internet and which are really proxies for the broader  
east vs west, north vs south, developing vs developed political  
tensions.

> Whether the concerns are credible or not, they are genuine. And some
> of the people who hold them have the power to ensure that DNSSEC is
> not deployed in their country.

The decision whether to deploy DNSSEC within an existing ccTLD is up  
to that operator.  Those decisions will be based on a wide variety of  
factors.  Some have already deployed.  Many more are in the process of  
doing so and will move forward more rapidly when the root is signed.   
Others will delay or choose not to, either for lack of resources,  
concerns over various pragmatics, or, as you say, for political  
reasons.  Fortunately, the benefit of DNSSEC is incremental.  The  
whole system doesn't unravel is some subset of the TLDs choose not to  
implement it.  It's a bit early to know whether the number of zones  
that will be permanently unprotected will be zero, a small number or a  
substantial number.  Let's revisit this in a few years.


> The idea that the root operators would serve as the last line of
> defense is not as naive as you imagine. The threat does not need to be
> very credible to ensure that ICANN is kept in line. Nor is it the
> 'root operators' who are the real last line of defense, rather it is
> the ISPs that route the address blocks for the IP addresses that they
> employ.

There are large number of ISPs.  Quite a few are monetizing the  
rewriting of DNS responses.

> Let us imagine that some Florida Congressman decides to grandstand
> with an amendment to force ICANN to drop Cuba out of the root. The
> preparations to protect against the damage would begin the minute the
> bill was published. The Internet community is pretty quick to respond
> in such cases, I don't think it would take more than a day before
> backup roots were ready to deploy if necessary.
>
> Since it is pretty clear that the rest of the world would move to a
> non-ICANN root regardless of the level of reliability it provides in
> preference to a root that is intentionally broken by the US Congress,
> the contingency planning does not need to be particularly thorough.
> This is explained to the Congressman by the State department in words
> of few syllables and the bill is quickly dropped.
>
> Note the interior political dynamic here. The problem is not 'the US',
> it is one egotistical member of Congress who has the power to create
> an international incident through grandstanding.

You're inventing a scenario and choosing your inferences.  Good plot  
for pulp fiction.

> DNSSEC completely disrupts that delicate balance of interests. If the
> DNSSEC root of roots is widely deployed in embedded devices according
> to current plans, a defection by ICANN becomes a real risk. At that
> point there is no certainty that the plan to drop out Cuba will fail.
> Most importantly, the State department now has to spend real political
> capital to ensure that the bill is dropped - if it chooses to do so.
> Perhaps the President prefers having their vote for Health Care or
> whatever.

ICANN is accountable and transparent.  You're creating a conspiracy  
scenario that really doesn't have a basis in fact or even in  
possibility.


> Now you have two approaches that you can take here. The first is that
> you can continue to ignore an issue that has created real concern
> outside the US, or you can look at minor modifications to the DNSSEC
> architecture that allow the concerned parties to be co-opted.

Discussion of architectural changes to DNSSEC belong in the DNSEXT WG.

> The real political problem here is that the Internet does not provide
> enough important jobs for everyone to feel included. So a technical
> architecture that provides more jobs for people to do, provides a
> means of co-opting those parties.

Discussion of political problems related to lack of employment seems  
pretty far afield for an IETF discussion list.

With due respect, we're well into an entirely different set of topics  
from yesterday.  I'm breaking off at this point.

Steve



> If you look at the original Web of Trust paper by Phil Z. you will
> note that his original plan had an option for quorate voting to
> establish trust relationships, an idea later implemented in SDSI. A
> mechanism that allowed for multiple root signers would give the
> Brazilian, French and Russian delegations something to take home to
> their governments and say 'this is how we can address the
> concentration of US interest'.
>
> We have 13 root servers, we should plan to have at least 13 apex
> roots. In fact we should allow anyone who wants to do so to become an
> apex root signatory and relying parties should have the option to
> choose whoever they please as and whatever voting criteria they
> please.
>
> The nice thing about this approach is that it re-establishes the
> previous situation where the risk of defection is controlled by
> removing the expectation of success rather than through the
> traditional approach of making defection difficult. No single apex
> signatory would be universally trusted so there is no risk of
> universal failure. And each relying party chooses multiple apex
> signers to trust so defection by a single signer does not even result
> in a local failure. If there is no expectation of failure there is no
> reason to default. So the only failures that might occur at an apex
> signatory would be through mistake rather than malice.
>
>
> This situation is considerably better for ICANN as well, if we replace
> 'Cuba' with 'Palestine', the CEO and staff of ICANN are suddenly on
> the front line of an irredentist dispute. What do people fight over in
> irredentist disputes? They fight over symbols, the WTC was attacked in
> 9/11 because its owners had set themselves up as a symbol of the
> capitalist system.
>
> Now as I said earlier, you can continue to ignore such security issues
> and tell everyone that they should not be at all worried by your
> friends. But lets face it, DNSSEC has been 'about to' deploy for the
> past ten years and has been 'expected soon' ever since I first met you
> almost fifteen years ago.
>
> You cannot deploy an infrastructure change by designing to the 80:20
> rule. You can't even do it by addressing the concerns raised in the
> working group. You have to go out there and look under the rocks and
> find out what is lurking there.
>
> Again, DNSSEC is a security protocol, your intended early adopter
> audience is made up of people who are unreasonable and paranoid. So
> don't complain when we say that we do not trust ICANN.
>
>
> > o There's no basis at all for saying anything at all about what  
> > strings
> > ICANN would attach to support for the root operators.  The root  
> > operators
> > aren't asking for support, so the question simply hasn't come up.
>
> But that overlooks the fact that only four of the root servers
> survived the great DDoS attack. And two of those are run by VeriSign.
>
> So ICANN's failure to recompense the root operators for their services
> further deepens the vendor capture issue that is the reason that
> Twomey really was never worth three quarters of a million bucks a
> year.
>
>
> --
> New Website: http://hallambaker.com/
> View Quantum of Stupid podcasts, Tuesday and Thursday each week,
> http://quantumofstupid.com/