[Fwd: Re: [ncdnhc-discuss] Proposed amendments to Security resolution] (fwd)

Jonathan Weinberg weinberg at mail.msen.com
Thu Nov 1 20:53:05 CET 2001

	It may be my thick-headedness, but I have some trouble grasping
the distinction Dave draws between ICANN's "authority" and its "purview."  
I agree, surely, that ICANN does not have authority over the lower-level
name servers that Dave referred to.  But I think we move in the wrong
direction when we refer to matters outside ICANN's authority as somehow
nonetheless within its brief.  I would urge this language (written by
ICANN staff, not me) to define the limits of ICANN's scope:

ICANN is assuming responsibility for a set of technical functions
previously performed under U.S. government contract by IANA and other
groups.  Specifically, ICANN coordinates the assignment of the following
identifiers that must be globally unique for the Internet to function:

    * Internet domain names
    * IP address numbers
    * protocol parameter and port numbers

In addition, ICANN coordinates the stable operation of the Internet's root
server system.


On Thu, 1 Nov 2001, Dave Crocker wrote:

> At 11:22 AM 11/1/2001 -0600, Alejandro Pisanty - CUAED y FQ, UNAM wrote:
> >In the next paragraph I think you get the technology wrong. The root
> >servers *are* distributed and diverse, and protecting them is a separate 
> >(nonetheless important) issue. What we are talking about is the DNS as a 
> >whole, and that in turn includes operations on it like assigning names, 
> >finding out about contacts, etc.
> You are correct on both counts.  The root server complex is highly 
> distributed.  Physical attack on them is probably the least interesting 
> security question for the DNS.  There ARE some issues about the root 
> servers to attend to, but dangers from physical or administrative 
> centralization are not among them.
> Further, I concur with your sense of scope.  We need to worry about 
> security for the overall DNS.  It is easy to focus only on the upper 
> levels, but the damage from disruption to the lower layers can be quite 
> damaging.  Think of the effect of taking out aol.com or ntia.doc.gov.
> However there is a difference between the scope of ICANN's "authority" and 
> the scope of ICANN's purview or interest.  Hence my suggestion -- also made 
> to ICANN staff -- is that discussions about requirements and solutions be 
> largely independent of the level within the DNS.  Define policies and 
> procedures that attend to security issues throughout the DNS.
> ICANN can then enforce those policies and procedures for the entities over 
> which it has direct responsibility.  For the rest, it can pursue promotion 
> and education, to encourage adoption.
> As to the question that Michael raises, concerning such things as technical 
> development that are outside of ICANN's scope:  ICANN can produce 
> functional requirements and operational guidelines.  It can choose to adopt 
> or reject technical work done elsewhere, such as the IETF.  No, it should 
> not replicate work done elsewhere.
> Think of ICANN as being like an IT department.  They do not invent 
> technology or products.  However they DO evaluate and adopt them.  And that 
> is very much a technical standards effort, albeit not one of inventing 
> technical standards.
> >*changed "preventative" to "preventive"
> showing off, huh?
> >Are we converging?
> A bit scary, isn't it?  Maybe we need to worry that someone is going to 
> jump out of the bushes and say trick or treat...
> d/
> ----------
> Dave Crocker  <mailto:dcrocker at brandenburg.com>
> Brandenburg InternetWorking  <http://www.brandenburg.com>
> tel +1.408.246.8253;  fax +1.408.273.6464

Jonathan Weinberg
weinberg at msen.com
