Netizens-Digest Saturday, October 11 2003 Volume 01 : Number 525 Netizens Association Discussion List Digest In this issue: [netz] Danger from effort to privatize the Internet's Infrstructure Re: [netz] Danger from effort to privatize the Internet's Infrstructure Re: [netz] Danger from effort to privatize the Internet's Infrstructure [netz] ICANN analysis and recommendation to Verisign [netz] Industry response -- possible ICANN alternative for addressing (not domains) Re: [netz] ICANN analysis and recommendation to Verisign Re: [netz] ICANN analysis and recommendation to Verisign Re: [netz] ICANN analysis... (hit SEND too soon). [netz] Followup on DNS regulation Re: [netz] Followup on DNS regulation Re: [netz] Followup on DNS regulation Re: [netz] Followup on DNS regulation ---------------------------------------------------------------------- Date: Tue, 23 Sep 2003 00:43:05 -0400 (EDT) From: Jay Hauben Subject: [netz] Danger from effort to privatize the Internet's Infrstructure Hi, ICANN has just be given a three year contract by the US government. When will they ever learn that industry self-regulation can not work? In any case, I thought readers of the Netizens list would be interested in MICHAEL GEIST's latest column in the Toronto Star. He describes a new "service" by Verisign that he says amounts to "Tampering with the Internet" The URL for the column is: http://shorl.com/gavefifukudu Here are a few paragraphs from it: . . . This gradual transformation has developed with the open acquiescence of governments worldwide. Although many governments, including the Government of Canada, profess to view the Internet as a critical resource, they have been content to leave this resource alone, governed by self-regulation with a bare minimum of intervention. Last Monday, at 10:45 a.m., the danger of this laissez faire approach became evident to millions of Internet users. At that moment, VeriSign, the U.S. company that enjoys a monopoly over dot-com and dot-net domain name registration (there are competing registrars who sell domains to the public but they must all buy their domains from VeriSign), flicked a switch and launched a new service called Site Finder. Site Finder is designed to deal with a fairly common occurrence for many Internet users the entry of an incorrect domain name, either because the domain is no longer active or because of a typo. While users are accustomed to receiving an error message when this occurs, VeriSign's Site Finder service now replaces the error page with a VeriSign page that displays advertising and a search tool. . . . - ---------------------------------------------------------- Please feel encouraged to post your comments here so the netizens list might wake up a bit. Take care. Jay ------------------------------ Date: Tue, 23 Sep 2003 13:31:39 +0200 From: "Daniel Duris" Subject: Re: [netz] Danger from effort to privatize the Internet's Infrstructure Read more about this at http://www.evolt.org Why Verisign's Wildcard DNS is a Bad Idea By Joel D Canfield (spinhead) http://www.evolt.org/article/Why_Verisign_s_Wildcard_DNS_is_a_Bad_Idea/25/60224/index.html Dan - ---------- Original Message ---------------------------------- From: Jay Hauben Reply-To: netizens@columbia.edu Date: Tue, 23 Sep 2003 00:43:05 -0400 (EDT) >Hi, > >ICANN has just be given a three year contract by the US government. When >will they ever learn that industry self-regulation can not work? > >In any case, I thought readers of the Netizens list would be interested in >MICHAEL GEIST's latest column in the Toronto Star. He describes a new >"service" by Verisign that he says amounts to "Tampering with the >Internet" > >The URL for the column is: > >http://shorl.com/gavefifukudu > >Here are a few paragraphs from it: > >. . . This gradual transformation has developed with the open acquiescence >of governments worldwide. Although many governments, including the >Government of Canada, profess to view the Internet as a critical resource, >they have been content to leave this resource alone, governed by >self-regulation with a bare minimum of intervention. > >Last Monday, at 10:45 a.m., the danger of this laissez faire approach >became evident to millions of Internet users. At that moment, VeriSign, >the U.S. company that enjoys a monopoly over dot-com and dot-net domain >name registration (there are competing registrars who sell domains to the >public but they must all buy their domains from VeriSign), flicked a >switch and launched a new service called Site Finder. > >Site Finder is designed to deal with a fairly common occurrence for many >Internet users the entry of an incorrect domain name, either because the >domain is no longer active or because of a typo. While users are >accustomed to receiving an error message when this occurs, VeriSign's Site >Finder service now replaces the error page with a VeriSign page that >displays advertising and a search tool. . . . >---------------------------------------------------------- > >Please feel encouraged to post your comments here so the netizens list >might wake up a bit. > >Take care. > >Jay > > ------------------------------ Date: Tue, 23 Sep 2003 11:43:45 -0400 From: "Howard C. Berkowitz" Subject: Re: [netz] Danger from effort to privatize the Internet's Infrstructure At 12:43 AM -0400 9/23/03, Jay Hauben wrote: >Hi, > >ICANN has just be given a three year contract by the US government. When >will they ever learn that industry self-regulation can not work? First, who should, in your opinion, regulate? Second, ICANN has already "strongly suggested" to Verisign that they remove their wildcard records for .com and .net. Industry operational lists like NANOG are exploding with anger, by ISPs, at Verisign, and at least one class action suit has been launched. Verisign did this a week from this last Friday. Let me be clear: Verisign did something completely egregious, and there is, indeed, an inherent conflict of interest between being a registrar (which can be competitive) and a registry (which needs to be neutral). This is not the first questionable action by Verisign, and their contract should be under extremely close review -- if not revocation. ICANN is flawed, but it does seem to have responded strongly here, as has the Internet Architecture Board. Do note that Verisign's contract is _not_ with industry, but with the US Department of Commerce -- it was in place before ICANN. (more inline) > >In any case, I thought readers of the Netizens list would be interested in >MICHAEL GEIST's latest column in the Toronto Star. He describes a new >"service" by Verisign that he says amounts to "Tampering with the >Internet" > >The URL for the column is: > >http://shorl.com/gavefifukudu > >Here are a few paragraphs from it: > >. . . This gradual transformation has developed with the open acquiescence >of governments worldwide. Although many governments, including the >Government of Canada, profess to view the Internet as a critical resource, >they have been content to leave this resource alone, governed by >self-regulation with a bare minimum of intervention. > >Last Monday, at 10:45 a.m., the danger of this laissez faire approach >became evident to millions of Internet users. I don't know where he came up with 10:45 last Monday. Verisign started this the previous Friday. >At that moment, VeriSign, >the U.S. company that enjoys a monopoly over dot-com and dot-net domain >name registration (there are competing registrars who sell domains to the >public but they must all buy their domains from VeriSign), flicked a >switch and launched a new service called Site Finder. > >Site Finder is designed to deal with a fairly common occurrence for many >Internet users the entry of an incorrect domain name, either because the >domain is no longer active or because of a typo. While users are >accustomed to receiving an error message when this occurs, VeriSign's Site >Finder service now replaces the error page with a VeriSign page that >displays advertising and a search tool. What Verisign did is more damaging than this article suggests. It's not just a matter of taking typos to their commercial search engine. What they did was to change the behavior of DNS so that all conceivable domains in .com and .net appear, to a DNS client, as if the domain exists. In other words, there is no way for software to tell that a domain is nonexistent. Many S p a m checking tools will not forward mail for which a DNS lookup shows a nonexistent source domain. Using nonexistent source domains is common in unsolicited commercial email. Beyond this checking, the Verisign maneuver also has a negative effect on general email. When someone sends mail to a nonexistent domain, most mail forwarding code will drop it (usually sending an error message to the sender). Without the ability to determine that a domain is nonexistent, mail servers now may queue mail to retry delivery, consuming large amounts of ISP storage and congesting the net with retries that are bound to fail. I would note, however, that all of this problem analysis and criticism has come from the private sector. There have been, for example, no alert messages from the National Infrastructure Protection Center or the Computer Emergency Response Team. >. . . >---------------------------------------------------------- > >Please feel encouraged to post your comments here so the netizens list >might wake up a bit. > >Take care. > >Jay ------------------------------ Date: Tue, 23 Sep 2003 15:30:57 -0400 From: "Howard C. Berkowitz" Subject: [netz] ICANN analysis and recommendation to Verisign Remember, Verisign's contract is with the US Department of Commerce, _not_ ICANN. http://www.icann.org/correspondence/secsac-to-board-22sep03.htm ------------------------------ Date: Tue, 23 Sep 2003 15:42:47 -0400 From: "Howard C. Berkowitz" Subject: [netz] Industry response -- possible ICANN alternative for addressing (not domains) At 11:12 AM +0200 9/23/03, Axel Pawlik wrote: > >Dear Colleagues, > > >The Regional Internet Registries (RIR) have published >three (3) documents: > > a. Proposed Open Letter to ICANN from the Regional > Internet Registries > b. Proposed Agreement between the RIRs to create the > Number Resource Organization > c. Proposed Agreement between the RIRs (acting through > the NRO) and ICANN concerning the Address Supporting > Organization > >These documents are available on a single web page at: > >http://www.ripe.net/ripencc/about/regional/draft-public-comment.html > >In order to ensure that RIR members and address communities in every >region have the opportunity to comment, the Board of the RIRs have >requested that RIRs post the documents for a period of 30 days. The >comment period closes at midnight (UTC) on the 22nd October 2003. > >Each of the RIR Boards will consider the comments as they are >received, and each RIR Board intends to make a decision whether to >adopt these documents following this comment period. If these >documents are adopted by all the RIR Boards, it is the present >intention to formally pass the following open letter to ICANN on the >24th of October. On the same date the Boards of the RIRs currently >intend to direct their CEOs to sign the MoU concerning the >establishment of the Number Resource Organization. > >All comments should be addressed to: nro-comments@apnic.net. The >comments will be passed to all the Boards of the RIRs, and will also >be published on the web site http://www.apnic.net/nro-comments. Any >dialogue that arises from such comments will also be published on this >site. > >Subscription information for the nro-comments mailing list is >available at: > > http://mailman.apnic.net/mailman/listinfo/nro-comments > >All postings to this mail address (nro-comments@apnic.net) are >public, and will be published at the following URL: > > http://www.apnic.net/nro-comments > >kind regards, > >Axel Pawlik >Managing Director >RIPE NCC ------------------------------ Date: Wed, 24 Sep 2003 10:44:12 +0200 From: Alexandru Petrescu Subject: Re: [netz] ICANN analysis and recommendation to Verisign Howard C. Berkowitz wrote: > Remember, Verisign's contract is with the US Department of Commerce, > _not_ ICANN. Also remember that IAB (overseen by ICANN) is chaired by a VeriSign employee. Alex ------------------------------ Date: Wed, 24 Sep 2003 09:06:42 -0400 From: "Howard C. Berkowitz" Subject: Re: [netz] ICANN analysis and recommendation to Verisign >Howard C. Berkowitz wrote: >>Remember, Verisign's contract is with the US Department of >>Commerce, _not_ ICANN. > >Also remember that IAB (overseen by ICANN) is chaired by a VeriSign employee. > >Alex The IAB is not overseen by ICANN, but by the Internet Society. ------------------------------ Date: Wed, 24 Sep 2003 09:10:49 -0400 From: "Howard C. Berkowitz" Subject: Re: [netz] ICANN analysis... (hit SEND too soon). >Howard C. Berkowitz wrote: >>Remember, Verisign's contract is with the US Department of >>Commerce, _not_ ICANN. > >Also remember that IAB (overseen by ICANN) is chaired by a VeriSign employee. > >Alex The IAB is not overseen by ICANN, but by the Internet Society. Even with the potential conflict of interest, the IAB also has recommended that Verisign cease-and-desist with the wildcards. Now, in the IETF process, IAB recommendations are just that. For something to be more binding, it has to go possibly through a Working Group or Area, and definitely through the IESG. There's increasing comment that Verisign hasn't just committed an operational error, but has actually broken the DNS protocol by effectively disabling the no-such-domain error message. I'll say again that I totally disapprove of what Verisign has done, but I do see nongovernmental organizations making a strong response. There is need for pressure, as well, on the Department of Commerce. ------------------------------ Date: Fri, 3 Oct 2003 10:43:30 -0400 From: "Howard C. Berkowitz" Subject: [netz] Followup on DNS regulation It's unfortunate there was no response to earlier posts, but the industry response has been gathering momentum, and ICANN (see below) is getting much more forceful. The North American Network Operators Group this month (meeting along with the American Registry of Internet Numbers) will have a panel where Verisign is challenged. http://www.icann.org/correspondence/twomey-to-lewis-03oct03.htm I'm the first to say that ICANN could be much better. Nevertheless, I return to the question I asked in the first response to Jay: who _should_ be dealing with this technical and economic aspect of Internet governance? ------------------------------ Date: Fri, 03 Oct 2003 18:56:54 +0200 From: Alexandru Petrescu Subject: Re: [netz] Followup on DNS regulation Say Howard, do you think ICANN, or any body for that matter, can stop a Verisign action when similar actions of other companies have not been stopped at all by ICANN and no other organization body did? IIRC, one of the original ideas for ICANN purposes was to prevent conflicts involved by john-doe buying CocaCola domain names. These days, anybody can buy gogole/coaccloa/your_mangle_here domain names and still get thousands of eyeballs (equal potential money), nothing stops anybody from doing that. Maybe only thing that can stop Verisign do what they do is another Verisign-like company. Maybe Google wants to offer their search service to Verisign and eventually buy Verisign and then change back the wildcard thing to its genuine behaviour. I'm not being cynical and I do share many of the ideas circulated on this list. Alex GBU Howard C. Berkowitz wrote: > It's unfortunate there was no response to earlier posts, but the > industry response has been gathering momentum, and ICANN (see below) > is getting much more forceful. The North American Network Operators > Group this month (meeting along with the American Registry of > Internet Numbers) will have a panel where Verisign is challenged. > > > http://www.icann.org/correspondence/twomey-to-lewis-03oct03.htm > > I'm the first to say that ICANN could be much better. Nevertheless, I > return to the question I asked in the first response to Jay: who > _should_ be dealing with this technical and economic aspect of > Internet governance? > ------------------------------ Date: Fri, 3 Oct 2003 14:44:18 -0400 From: "Howard C. Berkowitz" Subject: Re: [netz] Followup on DNS regulation >Say Howard, do you think ICANN, or any body for that matter, can stop a >Verisign action when similar actions of other companies have not been >stopped at all by ICANN and no other organization body did? Looking at the outrage on the ISP operational lists, I think something will happen here -- it's a survival issue for ICANN. In parallel, the regional registries (RIPE NCC, ARIN, APNIC, LACNIC) are putting together something that could be a replacement and/or complement to ICANN, specifically for IP addresses rather than DNS. Court actions against Verisign already have started, but not from ICANN. The letter from ICANN in the URL that I gave, reading between the lines, is a warning shot that ICANN is considering revoking Verisign's contract. Another industry response to Verisign's wildcards is a series of modification to DNS software (e.g., BIND) that recognizes the wildcard behavior and treats it as a nonexistent domain. Lots of ISPs are putting in filters to prevent connectivity to Sitefinder. If Verisign tries to counter these moves, they will be setting themselves up for such things as antitrust action. Verisign people will be on a panel at the NANOG meeting on October 19-21, and I expect fireworks. The ARIN meeting follows NANOG, at the same site, from Oct 22-24, and bad responses from Verisign and/or ARIN may very well lead to even more acceleration of alternatives to ICANN by the regional registries such as ARIN. The regional _address_ registries, while admittedly in a less controversial area than DNS names, have several years of responsible operation as not-for-profits. My own feeling is that Verisign reached for far too much this time, and the industry is gunning for them. ICANN is in a position where it will be seen as part of the problem (and thus irrelevant) unless it is visibly part of the solution. > >IIRC, one of the original ideas for ICANN purposes was to prevent >conflicts involved by john-doe buying CocaCola domain names. > >These days, anybody can buy gogole/coaccloa/your_mangle_here domain >names and still get thousands of eyeballs (equal potential money), >nothing stops anybody from doing that. > >Maybe only thing that can stop Verisign do what they do is another >Verisign-like company. Maybe Google wants to offer their search service >to Verisign and eventually buy Verisign and then change back the >wildcard thing to its genuine behaviour. > >I'm not being cynical and I do share many of the ideas circulated on >this list. > >Alex >GBU > >Howard C. Berkowitz wrote: >>It's unfortunate there was no response to earlier posts, but the >>industry response has been gathering momentum, and ICANN (see >>below) is getting much more forceful. The North American Network >>Operators Group this month (meeting along with the American >>Registry of Internet Numbers) will have a panel where Verisign is >>challenged. >> >> >>http://www.icann.org/correspondence/twomey-to-lewis-03oct03.htm >> >>I'm the first to say that ICANN could be much better. Nevertheless, I >> return to the question I asked in the first response to Jay: who >>_should_ be dealing with this technical and economic aspect of >>Internet governance? ------------------------------ Date: Fri, 03 Oct 2003 22:14:17 +0200 From: Alexandru Petrescu Subject: Re: [netz] Followup on DNS regulation Howard C. Berkowitz wrote: >> Say Howard, do you think ICANN, or any body for that matter, can >> stop a Verisign action when similar actions of other companies have >> not been stopped at all by ICANN and no other organization body >> did? > > > Looking at the outrage on the ISP operational lists, I think > something will happen here -- it's a survival issue for ICANN. In > parallel, the regional registries (RIPE NCC, ARIN, APNIC, LACNIC) are > putting together something that could be a replacement and/or > complement to ICANN, specifically for IP addresses rather than DNS. A-ha, good to know. I've been following ICANN's struggle for survival (if I can say so) and saw how many factors are involved, and difficult to deal with, when it tries to be as open as the Internet audience would like it to be. So, looking at a new potential effort by the registries. Is this also oriented towards being as open to as possible to as many people as possible? > Court actions against Verisign already have started, but not from > ICANN. The letter from ICANN in the URL that I gave, reading between > the lines, is a warning shot that ICANN is considering revoking > Verisign's contract. (Revoking? so Verisign will revoke the certificates perviously assigned by the plaintiff's e-commerce customers :-) Good to know. The signs that I've seen up to now about Verisign were not that bad at all. I might not be very well informed, but I had the impression of a well-intentioned company, this is the first time I see something that bad about them (well, except the other CA's stories [*]). I think they spend lots of time and money to build this level of credibility, and wondering about what happens if this credibility is undermined by this action; are there any other potential players enjoying this level, such as to potentially be given control of the root servers. > If Verisign tries to counter these moves, they will be setting > themselves up for such things as antitrust action. Ok and then look back and see what's happened to the other antitrust cases. Of course, it was good to watch. As you say, fireworks. > My own feeling is that Verisign reached for far too much this time, > and the industry is gunning for them. My own impression is that this makes so much noise only because it is so easily visible, anyone with a browser gets to see the thing and get a feeling of the problem. I wonder why they did it only for .com and .net domains, it does not work for .org, .info and country-level domains. As long as people look mainly at .com things most of the time then this might look like a problem, indeed. But there are also many people looking mainly at country-level or org or edu domains and they don't see nothing. If there were to be legal actions and such (as you say "anti-trust cases") I think professional lawyers would have no problem defending a useful cause for the majority of users, just as Microsoft did. Say, what would a netizen do in this entire context? Is a netizen hurt by a potentially helpful service? Is a US netizen hurt by a potentially helpful service? Is a netizen outraged by the side-effects of the commercialization of the Internet in that private interests (and not public interests) lead to destabilizing the overall working of the Internet? A netizen would need to provide a palpable counter-argument of how this endangers, and make it as visible as the advantage. This can be done, instead of crying "wolf". Alex GBU [*] speaking of CA stories. Many people complain about their security service not being that good, and claiming more trust than what they actually offer; at the same time I see them as the only CA that does implement a good feature (OCSP) that I really like, and that is an IETF standard, built and specified in the IETF style. I went to two other large CA's and asked the same thing, they said 'wait'. ------------------------------ End of Netizens-Digest V1 #525 ******************************