[governance] "Oversight"

Norbert Bollow nb at bollow.ch
Wed Jun 13 09:35:08 EDT 2012


David Conrad <drc at virtualized.org> wrote:
> Just a small nit:
>
> On Jun 11, 2012, at 3:32 AM, Norbert Bollow wrote:
> > John Curran <jcurran at istaff.org> wrote:
> >> For clarity, which USG "oversight role" are we referring to?
> > ...
> > 3) review of root zone changes before publication
> 
> Currently, outside of internal checks done by Verisign as the Root
> Zone Manager, there is no review of root zone changes prior to
> publication. DoC's role, as far as I understand it, is to verify
> that ICANN, as the IANA function operator, followed the documented
> policies and processes in handling a request from a TLD
> administrator. Once a change is authorized, the next point (outside
> of Verisign) where the change can be reviewed is after it hits the
> root servers.

David's nit is of course well justified in that I was indeed imprecise
there -- probably because I'm a bit of a "doubting Thomas" in regard
to the assertion that DoC would routinely, for every root zone change
request, "verify that ICANN, as the IANA function operator, followed
the documented policies and processes in handling a request from a TLD
administrator" -- it will take some serious evidence to convince me
that that role description isn't pure propaganda and not just a facade
for something that is in reality intended to be pure international
power politics. (These doubts are quite independent of the questions
about whether such an intention results in effective power, and
whether or not the resulting situation should be considered to be a
serious problem from the perspectives of people outside the US and
their governments.)

> As mentioned in a previous note, I believe this to be a flaw in the
> current root zone management system.

Since technical correctness of the resulting zone data is easier to
double-check than procedural correctness, and since I would expect
unintended honest errors on the technical level to likely occur more
frequently than any malicious subversion of the documented policies
and processes for handling requests from TLD administrators, I
agree that there seems to be some kind of flaw here.


In a later posting, David Conrad <drc at virtualized.org> wrote in
response to a posting of Parminder:
> Assume the USG forces Verisign to remove .IN from the root zone. A
> query for <anything>.IN will then result in a "name error" response
> being returned to the querying resolver (typically operated by
> ISPs).  With DNSSEC, some cryptographic data is also returned that
> allows the resolver to prove (in the mathematical sense) that the
> holder of the root zone signing key (Verisign) agrees that the "name
> error" should be returned.  Without DNSSEC, you still get the "name
> error", the resolver just can't prove that's what the holder of the
> zone signing key intended.
> 
> So, we now have a root zone (provably, if you bother to verify the
> DNSSEC data) without .IN in it.  Let's say you run an ISP anywhere
> in the world.  Now, _all_ of your customers that attempt to connect
> to any website in the .IN domain will get "name does not exist" in
> their web browsers, email programs, bittorrent clients, etc.  Your
> customers are probably not going to assume it is because the USG
> removed the .IN domain, rather they're more likely going to assume
> you screwed up somehow and call you to scream at you. After a
> sufficient number of calls (which, depending on the scale of your
> ISP, will probably be from minutes to hours), you'll most likely fix
> the problem for your users by getting a copy of the root zone,
> reinserting the .IN data into that copy, and putting that root zone
> on your resolvers.

I agree that customers of ISPs in India would indeed assume that
their ISPs have screwed up, and get their ISPs to change their
resolver config in a way that makes them independent of all root
servers which fail to carry the .IN zone.

The situation may well be different outside India. I don't see a
lot of references to .IN domains here in Switzerland. Most people
and companies in India that I have had contact with seem to use
.COM, .NET and .ORG domain names rather than .IN, and it'll be a
lot less obvious to people that it is *their* ISP who should fix
the India domain name issue for them.

And if it doesn't concern India but a smaller and economically
less important country, any pressure on most ISPs outside the
country from their customers will be much weaker still.


But anyway I don't think that "the US might want a ccTLD to suddenly
disappear" is the most appropriate threat model here. I think we
should rather discuss scenarios with some kind of slippery slope,
like e.g. the following:

Suppose that as a first step, the US would demand that all domain
names which are used to host clear instances of child pornography
(sexual abuse of young children which is filmed or photographed
with intentions of criminal enrichment) must be deleted from DNS
within 24 hours of receipt of a notification from a US government
agency. If a TLD registry outside the US doesn't agree, maybe the US
government would demand a root zone change by means of which DNS
queries for that TLD are sent to nameservers that provide a filtered
view of that TLD. Besides the child pornography sites, all other
domains of that TLD would still work. There would not be a big public
outcry because hardly anyone wants to destroy their reputation by
taking the side of child pornography sites.

As a second step, the same principle might get applied to sites of
Islamic extremists who promote violence. Some people would protest,
but in most countries, most ISPs would probably rather disappoint
some potential or actual customers than risk having to defend
themselves in the court of public opinion and in the courts of
law against the accusations of failing to comply with the laws and
of supporting terrorism.

It would probably continue to go downhill from there. All kinds of
ideas are dangerous and threatening to some kinds of politicians:
Some would feel threatened in business interests tied to the
military-industrial complex if any of the groups that advocate
non-violence and anti-militarism achieves great influence. Some
would feel threatened if one of the groups that advocate holiness
in sexual purity and honesty achieves great influence and tells
people not to vote for politicians who don't live according to
these principles. Maybe I am a bit paranoid here, but it doesn't
seem far-fetched to me that in such situations, rabble-rousers
might react with racist, pro-violence slogans to the websites of
such groups, and some of those who are in power might take that as
justification to declare all kinds of strongly moral religious 
statements to be too provocative to be allowed on the Internet...


In the above, the references to the US are mainly because it happens
to be the US that appears to have some relevant power. I wouldn't
view "let's give the role of the US to the UN" to be in any way an
improvement with regard to this kind of concern. The fact that the UN
does some good work in regard to the promotion and protection of human
rights, and also promotes itself in the name of human rights, has not
stopped some UN agencies such as WIPO from putting human rights rather
low on their scale of actual priorities.


So I would suggest that what needs to be done is to work towards
an oversight model that is designed to be as robust as possible
against risks of "slippery slope" scenarios such as the one described
above. The existing international human rights law is a good starting
point IMO. I would say what is primarily missing right now is a global
multistakeholder process to interpret this practically in the
Internet governance context, in a way that results in concrete
recommendations for feasible and effective governmental actions.

Greetings,
Norbert
