ICANN/DNSO
DNSO Mailing lists archives

[ga-full]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [ga] Domain Transfers


Kent Crispin wrote:
> 
> On Sat, Dec 15, 2001 at 12:28:53PM -0500, Sandy Harris wrote:
> >
> > A fairly obvious and straightforward one would be to require PGP-signing of
> > all transactions.
> 
> A typical answer from a techie.  :-)

I'll plead "guilty as charged" on that. I do have some technical background
and I'd expect many people with similar knowledge of available technology
to come up with the same answer. I almost didn't post because using PGP
seemed too obvious to mention.

That doesn't mean I'm wrong.
 
> You have invested the time and energy necessary to learn how to use PGP;
> most other humans have not.

No, but quite a few have. A quick check on the servers shows keys for
several people at icann.org, a couple of dozen including a corporate
key at nsi.net, a few for Kent Crispin, ...

There are a variety of reasons for others to consider using PGP. Quite a
few people need at least one of encryption (privacy) or authentication on
at least some of their messages. If anyone wants more detail on that, mail
me off-list and I'll forward a copy of a message suggesting PGP use that
I sent to a bunch of my less-techie friends.

Also, there are some fairly good point-and-click interfaces on some versions.

> There are subtle pitfalls in using PGP (and
> indeed, any PKI so far in deployment) that are traps for the unwary, and
> it actually takes a non-trivial amount of technical sophistication to
> understand this.

Yes, indeed. However, to some extent any security or authentication
technology, electronic or otherwise, requires careful use and management
to be effective.

> All things considered, the time and effort coming up
> to speed on PGP is in fact substantial -- on the order of person-days,
> at least.  Summing that over all domain holders, the cost of your
> proposed solution is prohibitive.

It's certainly not free, either in time or in money, but I haven't seen
anyone propose a solution that's cheaper and as effective.
 
> PGP has never made it as a *mainstream* solution for anything, and
> probably never will -- it remains a tool for techies.  Until there
> is a PKI that operates well on a global basis, no PKI-based solution
> will really be useful.

We could debate whether the PGP "Web of Trust" -- in which any user
can sign any key and it's up to the message recipient to decide from
the signatures available whether to trust a key -- is actually a PKI.

I'd say yes, but "PKI" usually means something much more hierarchical
in which some Central Authority signs keys for Lesser Authorities and
so on. Mere Users cannot sign keys at all, only messages.

However, presumably both registries and registrars have a few techies
on staff, as would most customer organisations that need to manage
their own transfers. So the specific model I proposed -- registries
sign keys for the registrars and optionally registrars sign keys for
customer administrators -- looks feasible. 
  
> And even more -- the big problems are not the technology; the big
> problems are the human problems of identification in the first place.
> This all interacts with privacy and other concerns; it will be a long
> time before it is all sorted out.

My point is that I think PGP solves the technical part of the problem
neatly. However, I agree completely that the technology is the easy
part.
--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html
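The two-level model sketched in the message above (registry certifies registrar keys, registrar certifies customer administrator keys, administrator signs the transfer request, registry checks the whole chain from its own key) as an added worked example. This is not code from the thread or from any registry or registrar; it uses Go's standard-library Ed25519 in place of PGP, and the message layouts, role names and the domain/registrar names in the demo are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Roles in the two-level chain: registry -> registrar -> customer admin.
const (
	RoleRegistrar = "registrar"
	RoleAdmin     = "admin"
)

// Certification is one link in the chain: the signer one level up vouches
// that Subject holds Role. The layout is an assumption for this example.
type Certification struct {
	Role      string
	Subject   ed25519.PublicKey
	Signature []byte // signer's signature over certPayload(Role, Subject)
}

// certPayload prefixes the bytes so a certification can never be mistaken
// for a transfer request signed by the same key (domain separation).
func certPayload(role string, subject ed25519.PublicKey) []byte {
	return append([]byte("CERT:"+role+":"), subject...)
}

func Certify(signer ed25519.PrivateKey, role string, subject ed25519.PublicKey) Certification {
	return Certification{Role: role, Subject: subject,
		Signature: ed25519.Sign(signer, certPayload(role, subject))}
}

func verifyCert(signer ed25519.PublicKey, role string, c Certification) bool {
	return c.Role == role && ed25519.Verify(signer, certPayload(role, c.Subject), c.Signature)
}

// TransferRequest carries everything the registry needs to check it offline:
// the request, the admin's signature over it, and both certifications.
type TransferRequest struct {
	Domain, GainingRegistrar string
	Admin                    ed25519.PublicKey
	AdminCert                Certification // issued by the losing registrar
	Registrar                ed25519.PublicKey
	RegistrarCert            Certification // issued by the registry
	Signature                []byte        // admin's signature over transferPayload
}

func transferPayload(domain, gaining string) []byte {
	return []byte("TRANSFER:" + domain + ":" + gaining)
}

// VerifyTransfer walks the chain down from the registry's own public key,
// the only key that has to be trusted a priori.
func VerifyTransfer(registry ed25519.PublicKey, t TransferRequest) error {
	if !verifyCert(registry, RoleRegistrar, t.RegistrarCert) || !t.RegistrarCert.Subject.Equal(t.Registrar) {
		return errors.New("registrar key is not certified by the registry")
	}
	if !verifyCert(t.Registrar, RoleAdmin, t.AdminCert) || !t.AdminCert.Subject.Equal(t.Admin) {
		return errors.New("admin key is not certified by the registrar")
	}
	if !ed25519.Verify(t.Admin, transferPayload(t.Domain, t.GainingRegistrar), t.Signature) {
		return errors.New("transfer request signature does not verify")
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo builds fresh registry, registrar and admin keys (constructed data), then
// checks a valid request, one altered in transit, and one from a party whose
// key no registrar certified (it certifies its own key instead).
func Demo() (valid, tampered, uncertified error) {
	registryPub, registryPriv := mustKey()
	registrarPub, registrarPriv := mustKey()
	adminPub, adminPriv := mustKey()
	roguePub, roguePriv := mustKey()

	req := TransferRequest{
		Domain: "example.net", GainingRegistrar: "registrar-b", // assumed names
		Admin: adminPub, AdminCert: Certify(registrarPriv, RoleAdmin, adminPub),
		Registrar: registrarPub, RegistrarCert: Certify(registryPriv, RoleRegistrar, registrarPub),
	}
	req.Signature = ed25519.Sign(adminPriv, transferPayload(req.Domain, req.GainingRegistrar))
	valid = VerifyTransfer(registryPub, req)

	bad := req // gaining registrar changed after the admin signed
	bad.GainingRegistrar = "registrar-evil"
	tampered = VerifyTransfer(registryPub, bad)

	rogue := req // self-certified key: the chain does not reach the registry
	rogue.Admin, rogue.AdminCert = roguePub, Certify(roguePriv, RoleAdmin, roguePub)
	rogue.Signature = ed25519.Sign(roguePriv, transferPayload(rogue.Domain, rogue.GainingRegistrar))
	uncertified = VerifyTransfer(registryPub, rogue)
	return
}

func main() {
	valid, tampered, uncertified := Demo()
	fmt.Println("valid request:    ", valid)
	fmt.Println("tampered request: ", tampered)
	fmt.Println("uncertified admin:", uncertified)
}
```

The point the example makes about the model is that the registry never has to know the customer administrator in advance: it holds one key of its own, checks that the registrar's key carries the registry's certification, and then lets the registrar's certification decide which administrator keys may sign for a transfer. The identification problem the reply ends on, deciding whom to certify in the first place, is the part no signature check can settle.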