    Security: Mockapetris Wants DNSSec *NOW*
    posted by michael on Friday April 11 2003, @07:24PM

    The Register reports that DNS pioneer Paul Mockapetris thinks DNSSec ought to be implemented right away, and is concerned about "politics" (read, 'fear of ICANN') slowing adoption of what he sees as a needed security enhancement for the DNS. If you only think about the engineering, you can understand why someone might feel this way. But there are other considerations...

    In principle it sounds like a great idea: use a chain of trust verified by cryptographically unforgeable digital signatures to secure the DNS. Problem is, it creates another root -- a root of certificates. A public key infrastructure (PKI) would have many applications outside of securing web pages, and could have substantial privacy implications too. So it's no surprise that many people are a little, well, nervous, at the idea of putting an erratic body like ICANN in a position of strength in any future PKI, much less what might become the beginning of a global system for distinguished names. The fact that ICANN might be one of the certifiers at the root of a PKI that even possibly could evolve into something global and ubiquitous ought to be enough to give anyone the willies.

    ICANN is bad where it is, but control over the DNS allows it only a bounded amount of harm. There are serious questions about whether a PKI is a good idea, as well as serious arguments that it could be useful. Throwing ICANN into the mix is not going to help.

    This discussion has been archived. No new comments can be posted.
    say what?
    by fnord (reversethis-{moc.oohay} {ta} {k2yorg}) on Saturday April 12 2003, @11:46AM (#11496)
    Paul Mockapetris is not just a "DNS pioneer". He is the author of DNS. The Register is a bit closer, listing him as a co-author of DNS (along with Jon Postel of all things. Jon was many good things but he didn't co-author DNS, it was Paul alone who deserves the credit/blame).

    To the main point, it would be relatively simple to use a Pretty Good Privacy (PGP, or similar) key, even in WHOIS, to ascertain whether one is dealing with the entity that one thinks one is dealing with. I know Paul is dealing with this at a different level, and he has pushed this idea for at least a couple of years now. In fact I think I wrote about this for ICANNWatch and supported him (and still do). It becomes even more important with ICANN's WLS (Wait List Service). If one purchases another's Domain Name but cannot purchase another's unique signature then one cannot pass oneself off as another (assuming, and it is a very large assumption, that the end user can be educated on the difference, or, and this is more likely, someone programs a frontend that makes it seamless, ubiquitous, and idiot proof).

    Regardless, much as I detest the present ICANN hegemony, so long as they don't artificially restrict unique identification strings (a bite that even ICANN couldn't chew), one might as well give them control of the process. As with everything good on the internet, one simply routes around ICANN as damage. -g

    Uh, no.
    by Anonymous on Monday April 14 2003, @06:08PM (#11502)
    DNSSEC is not a PKI. It could be used to create a PKI (that is, using the DNS as a transport for raw keys with DNSSEC being used to insure those keys are modified in transit), but a lot of people don't think that would be a good idea (ICANN being involved being just one of the reasons).

    There are reasons to not like DNSSEC (whether they are sufficient to derail deployment is a subjective call, in the end the market will likely decide), but calling DNSSEC a PKI is not one of them.

    Privacy Policy: We will not knowingly give out your personal data -- other than identifying your postings in the way you direct by setting your configuration options -- without a court order. All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org. This web site was made with Slashcode, a web portal system written in perl. Slashcode is Free Software released under the GNU/GPL license.