Re: Non routable IPv6 registry proposal

On Thu, Jan 21, 2021 at 5:14 AM Nick Hilliard <nick@xxxxxxxxxx> wrote:
Phillip Hallam-Baker wrote on 21/01/2021 01:57:
> People make waaaay too much out of the risks of running registries

Yep they certainly do, until there's a registry failure, or even the
threat of one. At that point, people often execute dramatic u-turns in
their opinion, depending on how important the registry's function was to
them.

Nick

Has there ever been a proper consideration of the abstract security concerns for a registry?

I rather suspect the closest we get is Warwick Ford et al. writing the Certificate Policy Statement RFC in PKIX which was largely based on Michael Baum's practice statement for VRSN class 3. That is rather heavily PKI focused and it is all based on a Kohnfelder PKI architecture and 1980s PKI technology.

Perhaps we should ask how registries can go wrong. Or maybe we should ask the IAB to consider this. I can think of a few problems:

Integrity
* Duplicate registrations
* Unauthorized registration modification
* Unpublished registrations
* Inappropriate semantic mapping

Availability
* Rent seeking
* Denial of service
* Coercion by government

What gets wrapped round the axle in DNS space is of course the semantic mapping issues. DNS names have an obvious interpretation. There is the natural assumption microsoft.com arrives at Microsoft Inc. Failure to achieve that mapping correctly is actually a serious safety and security issue as they provide the most popular desktop operating system. That is a very complex issue and I am not in the least impressed by the way ICANN has approached it. 

ULAs are free of semantic binding, or at least the ones I propose to issue will be. 

OK so there is one 'risk' that perhaps should be mentioned openly because it is likely the one of most concern to people, 'what are the unexpected uses of these addresses' or 'what else is PHB planning he is not telling us about'.

Well I really wished I knew myself because I can see several possibilities but they are still a bit on the fuzzy side. I think I am going to have to build a prototype before I can start to get a handle on those. But it is my experience that getting the addressing right is the key to solving any network protocol issue. URIs made the Web.

The registry concern that is rarely considered in IETF is what happens if there is no registry? There are two possibilities:

1) Innovation is put on hold until the registry is created.
2) People just create their own code points 

The second has occurred on countless occasions and sometimes between really big companies. Every hard drive has a unique identifier which is actually in the MAC address space. After asking nicely and getting the run-around, the drive makers just allocated themselves 1/16th of the total MAC address space.


