data request on Sitefinder

The session this morning ran out of time, so I didn't get to ask my
question.

Verisign's review panel has identified a number of problems -- I won't
argue if they're minor or not -- that are addressable with software
changes. We heard this morning that Postfix is an application that
will need to be changed to handle the proposed new version of
Sitefinder's MX record. Of course, it's generally considered a good
idea to test software before deploying it.

So -- how much notice would the operator community want before
deploying new software? What about for enterprises? (We all know that
stuff *can* be deployed more quickly in emergency circumstances. We
also know the problems that that can lead to, which is why we generally
want testing and controlled deployment.)

    --Steve Bellovin, http://www.research.att.com/~smb


Steve Bellovin wrote:

> The session this morning ran out of time, so I didn't get to ask my
> question.
>
> Verisign's review panel has identified a number of problems -- I won't
> argue if they're minor or not -- that are addressable with software
> changes. We heard this morning that Postfix is an application that
> will need to be changed to handle the proposed new version of
> Sitefinder's MX record. Of course, it's generally considered a good
> idea to test software before deploying it.

Ahem, so Verisign wants to change the complete working of the
internet with the currently installed base because they want
to gather all the typos??? Are they going to pay us the money
for upgrading/verification/checking/testing etc.?

Fix the web browsers, which in most cases already support the
functionality their 'application' gives. If Verisign wants
the web browsing folk to use their 'sitefinder technology'
then they should take a share in Microsoft, AOL, Opera and
a number of other companies and persuade them to include it.

Don't change something that doesn't need fixing.
(Ignoring the spam thing :)

*if* Verisign gets it through that the installed base has
to bend over because they introduce such a thing it would
be a very bad thing for the internet as a whole and it would
really mean that the internet is yet another commercial
thing controlled by one single entity.

Greets,
Jeroen

> Ahem, so Verisign wants to change the complete working of the
> internet with the currently installed base because they want
> to gather all the typos??? Are they going to pay us the money
> for upgrading/verification/checking/testing etc.?
>
> Fix the web browsers, which in most cases already support the
> functionality their 'application' gives. If Verisign wants
> the web browsing folk to use their 'sitefinder technology'
> then they should take a share in Microsoft, AOL, Opera and
> a number of other companies and persuade them to include it.

Given that this functionality does exist in web browsers, there's the flavor of monopolistic competition that may be vulnerable to antitrust action.

> Don't change something that doesn't need fixing.
> (Ignoring the spam thing :)
>
> *if* Verisign gets it through that the installed base has
> to bend over because they introduce such a thing it would
> be a very bad thing for the internet as a whole and it would
> really mean that the internet is yet another commercial
> thing controlled by one single entity.

Look at the interview with Verisign's CEO at http://news.com.com/2008-7347-5092590.html?tag=nefd_gutspro, and I think you'll see that your "what it would really mean" is exactly Verisign's position.

Jeroen - and Howard -

>
>*if* Verisign gets it through that the installed base has
>to bend over because they introduce such a thing it would
>be a very bad thing for the internet as a whole and it would
>really mean that the internet is yet another commercial
>thing controlled by one single entity.

Hmmm - Jeroen, I don't think this is what this means at all. What it means
is that today there is no one entity that controls what is routed or passed
through and over the Internet. In fact the Internet is a fiction. It is
peering agreements and nowadays a number of DNS roots. So then what is it
you are really looking for? A single authority to manage the Internet?

For instance - who controls what ISPs route and don't route at the
client-side level? Because for all intents and purposes, the back-end is
just pipe. The answer that you will find is that NO ONE controls the
Internet today.

> ... would really mean that the internet is yet another
> commercial thing controlled by one single entity.

> Look at the interview with Verisign's CEO at
> http://news.com.com/2008-7347-5092590.html?tag=nefd_gutspro, and I
> think you'll see that your "what it would really mean" is exactly
> Verisign's position.

see http://www.cbronline.com/latestnews/165c8acb5f79bb5780256dc50018bddd
for an oblique response to some of Sclavos' statements in the interview
referenced above.

note that in the third paragraph where it says "root server operators" it
really should say "name server operators", like http://oarc.isc.org/ does.
but the reporter really "got it right" on everything else.


Howard C. Berkowitz wrote:

> Given that this functionality does exist in web browsers, there's
> the flavor of monopolistic competition that may be vulnerable to
> antitrust action.

Verisign is indeed being monopolistic here.
But you still have a choice of disabling/changing software
on your local machine; that is your personal choice.
If you install the Google/Altavista/Yahoo toolbar like many
people do you will get that functionality. You are probably
hinting at MS's dominant IE position; you can turn it off.
You can't turn off Sitefinder easily though.

todd glassey wrote:

Howard C. Berkowitz wrote:
> >*if* Verisign gets it through that the installed base has
> >to bend over because they introduce such a thing it would
> >be a very bad thing for the internet as a whole and it would
> >really mean that the internet is yet another commercial
> >thing controlled by one single entity.

> Hmmm - Jeroen, I don't think this is what this means at all.
> What it means is that today there is no one entity that controls
> what is routed or passed through and over the Internet.

Not routed or passed indeed, that is IP level and that is done
per ISP/network.

> In fact the Internet is a fiction. It is peering agreements
> and nowadays a number of DNS roots. So then what is it
> you are really looking for? A single authority to manage the Internet?

I am not looking for that. ICANN made it possible that there
was one well-known root (there are indeed others). This root
is currently in the control of Verisign and they are now going to
just make it work for them, not for the public, not for the ISPs.
If they can do that, it is exactly that: the root is Verisign's
and not that of the public and not of the ISPs.

Verisign should NOT be putting wildcards in the .com/.net
zones as it is NOT their domain; they were entrusted by
the public, and with that the ISPs, to run .com/.net and
make sure that it keeps working in the way it used to.
But now they are going to make money from a public resource
by abusing the power they have over the .com and .net zones.
Even though many have opposed it _after_ they suddenly implemented
it, breaking quite a lot of applications and usages.

> For instance - who controls what ISPs route and don't route at the
> client-side level?

The ISP itself because that is their part of the internet.
It isn't called inter-network for nothing.

> Because for all intents and purposes, the back-end is
> just pipe. The answer that you will find is that NO ONE controls the
> Internet today.

DNS is a *very* important application in today's internet;
he who controls that controls the internet, as that is
the biggest user base. I don't see a major fraction of
the internet suddenly moving away from the current roots
simply because that is the part where the information is.

Of course you can use your .leet domain, but who can access it?

Greets,
Jeroen

I don't even want to start down that path. If we were talking normal software development and deployment schedules we'd be talking six months to a year from notice to the software company to deployment. But obviously that isn't going to happen. As a software developer I'd want at least 30-60 days to do development and testing. As a service provider, though, I'm pretty conservative about updating my servers. And of course this change probably wouldn't be back-patched into old versions, so that means I'm biting off all kinds of other changes that I need to test as well.

More importantly--Verisign needs to deploy alternate servers so it's actually possible to test software against the changes they propose to make. Otherwise we're just running around guessing what the behavior is going to be.

But fundamentally the problem is this. There is no way to handle root wildcards by various registries in a standard and reliable way. Verisign has not even been able to provide code for how to handle *their* wildcard in a reliable way. Each registry may implement different features with different behaviors. What works for one won't necessarily work for another. And every time any one of them changes, or a new registry is added, every single piece of software that relies on a particular behavior has to be checked and possibly patched. We can't afford to run the internet that way.
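Steve's Postfix/MX point at the top of the thread and the complaint just above that every piece of software must be checked against each registry's wildcard come down to one client-side question: does the TLD answer for names that do not exist, and if so, with what? The following is an added example, not code from the thread, from Postfix, or from Verisign. It probes a TLD with several random labels; if they all resolve to the same address, that address is taken to be the wildcard's, and any later answer equal to it is treated as NXDOMAIN, which is what an MTA wants when deciding whether a recipient domain exists. It uses only the Python standard library; `socket.gethostbyname` returns A records, so the MX case is covered only to the extent of comparing the mail host's address (an assumption, not how Postfix does it). The `make_fake_resolver` stand-in and the 192.0.2.x / 198.51.100.x addresses are constructed for offline use and are not Sitefinder's real address.

```python
"""Probe a TLD for an answer-synthesizing wildcard and neutralise it.

Added example, not code from the thread, from Postfix or from Verisign.
Standard library only. socket.gethostbyname covers A records; applying the
same comparison to a mail host's address is an assumption.
"""
import random
import socket
import string
from typing import Callable, Dict, Optional, Set

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS stub resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_label(length: int = 16) -> str:
    """A label that is almost certainly unregistered (collision is possible
    but vanishingly unlikely at 16 lowercase letters/digits)."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(tld: str, resolve: Resolver = system_resolver,
                    probes: int = 3) -> Optional[str]:
    """Return the address a TLD wildcard synthesizes, or None if the TLD
    returns NXDOMAIN for unregistered names.

    Several random labels are queried. A real wildcard answers all of them
    with the same address; if any probe gets NXDOMAIN, or the answers
    differ, report no wildcard rather than guess.
    """
    answers: Set[Optional[str]] = set()
    for _ in range(probes):
        answers.add(resolve(f"{random_label()}.{tld}"))
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None


def lookup_ignoring_wildcard(name: str, resolve: Resolver = system_resolver,
                             cache: Optional[Dict[str, Optional[str]]] = None
                             ) -> Optional[str]:
    """Resolve `name`, but treat an answer equal to the TLD's wildcard
    address as NXDOMAIN. `cache` memoises the per-TLD probe across calls,
    so a long-running daemon probes each TLD once per cache lifetime."""
    cache = {} if cache is None else cache
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld not in cache:
        cache[tld] = detect_wildcard(tld, resolve)
    addr = resolve(name)
    if addr is not None and addr == cache[tld]:
        return None  # synthesized by the registry: the name does not exist
    return addr


def make_fake_resolver(zone: Dict[str, str],
                       wildcard: Dict[str, str]) -> Resolver:
    """Constructed stand-in for DNS so the example runs offline: `zone` maps
    exact names to addresses, `wildcard` maps a TLD to the address its
    wildcard synthesizes for every other name under it."""
    def resolve(name: str) -> Optional[str]:
        name = name.rstrip(".").lower()
        if name in zone:
            return zone[name]
        return wildcard.get(name.rsplit(".", 1)[-1])
    return resolve


# Constructed sample data: a .com-style wildcard, and a .org without one.
DEMO = make_fake_resolver(
    zone={"mail.example.com": "192.0.2.10", "example.org": "198.51.100.5"},
    wildcard={"com": "192.0.2.200"},
)

if __name__ == "__main__":
    print(detect_wildcard("com", DEMO))                        # 192.0.2.200
    print(detect_wildcard("org", DEMO))                        # None
    print(lookup_ignoring_wildcard("nosuchhost.com", DEMO))    # None
    print(lookup_ignoring_wildcard("mail.example.com", DEMO))  # 192.0.2.10
```

The probe shows exactly the fragility the message above describes: the answer is per-registry and can change at any time, so the cache has to expire; a registered host that happens to share the wildcard's address is wrongly treated as nonexistent; and a registry that varies the synthesized address, or returns it only for some record types, defeats the three-probe heuristic entirely. Each of those is a per-registry special case that every client would have to carry.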

I like John Curran's proposed timeline of Length of Verisign Contract+1 day.

However, absent that, I think that 12 months to the operational community and
24 months to the enterprise community is probably a reasonable starting point
as long as they are willing to accept delays if a significant portion of the
responses indicate that this is insufficient time.

How do you think AT&T customers would respond if AT&T were to redirect all misdialed
800-numbers to TFDA powered by Tellme? I tend to think the response would not be
a positive one. In fact, I'd expect the FCC to have something strong to say about it.

Owen

i maintain that there is a different problem that is fundamental.

Verisign is clearly expecting the operations community to incur costs so
that they can make their (estimated) $100M a year. what's wrong with this
picture?

richard

I said 90 days myself - 30 of investigation and 30 to plan and then 30 to
clean-up whatever messes the act causes.

Todd

Steve Bellovin wrote:

> ... We heard this morning that Postfix is an application that
> will need to be changed to handle the proposed new version of
> Sitefinder's MX record. Of course, it's generally considered a good
> idea to test software before deploying it.
>
> So -- how much notice would the operator community want before
> deploying new software? What about for enterprises?

Well, that would be a little longer than the time for upgrading from
BIND 4.x to BIND 8.x (oh, that would be 9.x these days, folks were so
slow to upgrade that the major version changed meantime :-)!

I'm pretty sure that's on the order of 4 years or more for operators.

Since Postfix is run by a lot more enterprises than BIND, let's double
that number! How about, until all the W95 and W98 and W2K servers are
updated....

if Verisign thinks this ought to get done faster, i think they should volunteer
to pay the costs, don't you?

richard