ICANN/DNSO
DNSO Mailing lists archives

[ga-full]



Re: [ga] Domain Transfers


Dear Sandy,
you are right. But your PGP-like stuff must be massaged in a way it is
obvious for the user. This is the smart card stuff. Today Microsoft has
set up a standard and passing your information is easy for everyone. The
lobbying now is about the card reader to be delivered with the keyboard and
the mouse. Don't wait for long as it is the way you will pay for TV, music
and pictures....

Again the fight is through the network culture. If you keep it star culture
a la ICANN it is Verbig Brother. If you keep it a la meshed network it is
Passport/Project Liberty, and a few others around the NICs. If we get it a
la distributed network it is the user liberty. This depends on the time
sourceforge people make to understand the way it worked 20 years ago and to
port it in our today Java technology.

Jefsey

On 22:46 15/12/01, Sandy Harris said:
>Kent Crispin wrote:
> >
> > On Sat, Dec 15, 2001 at 12:28:53PM -0500, Sandy Harris wrote:
> > >
> > > A fairly obvious and straightforward one would be to require
> > > PGP-signing of all transactions.
> >
> > A typical answer from a techie.  :-)
>
>I'll plead "guilty as charged" on that. I do have some technical background
>and I'd expect many people with similar knowledge of available technology
>to come up with the same answer. I almost didn't post because using PGP
>seemed too obvious to mention.
>
>That doesn't mean I'm wrong.
>
> > You have invested the time and energy necessary to learn how to use PGP;
> > most other humans have not.
>
>No, but quite a few have. A quick check on the servers shows keys for
>several people at icann.org, a couple of dozen including a corporate
>key at nsi.net, a few for Kent Crispin, ...
>
>There are a variety of reasons for others to consider using PGP. Quite a
>few people need at least one of encryption (privacy) or authentication on
>at least some of their messages. If anyone wants more detail on that, mail
>me off-list and I'll forward a copy of a message suggesting PGP use that
>I sent to a bunch of my less-techie friends.
>
>Also, there are some fairly good point-and-click interfaces on some versions.
>
> > There are subtle pitfalls in using PGP (and
> > indeed, any PKI so far in deployment) that are traps for the unwary, and
> > it actually takes a non-trivial amount of technical sophistication to
> > understand this.
>
>Yes, indeed. However, to some extent any security or authentication
>technology, electronic or otherwise, requires careful use and management
>to be effective.
>
> > All things considered, the time and effort coming up
> > to speed on PGP is in fact substantial -- on the order of person-days,
> > at least.  Summing that over all domain holders, the cost of your
> > proposed solution is prohibitive.
>
>It's certainly not free, either in time or in money, but I haven't seen
>anyone propose a solution that's cheaper and as effective.
>
> > PGP has never made it as a *mainstream* solution for anything, and
> > probably never will -- it remains a tool for techies.  Until there
> > is a PKI that operates well on a global basis, no PKI-based solution
> > will really be useful.
>
>We could debate whether the PGP "Web of Trust" -- in which any user
>can sign any key and it's up to the message recipient to decide from
>the signatures available whether to trust a key -- is actually a PKI.
>
>I'd say yes, but "PKI" usually means something much more hierarchical
>in which some Central Authority signs keys for Lesser Authorities and
>so on. Mere Users cannot sign keys at all, only messages.
>
>However, presumably both registries and registrars have a few techies
>on staff, as would most customer organisations that need to manage
>their own transfers. So the specific model I proposed -- registries
>sign keys for the registrars and optionally registrars sign keys for
>customer administrators -- looks feasible.
>
> > And even more -- the big problems are not the technology; the big
> > problems are the human problems of identification in the first place.
> > This all interacts with privacy and other concerns; it will be a long
> > time before it is all sorted out.
>
>My point is that I think PGP solves the technical part of the problem
>neatly. However, I agree completely that the technology is the easy
>part.
>--
>This message was passed to you via the ga@dnso.org list.
>Send mail to majordomo@dnso.org to unsubscribe
>("unsubscribe ga" in the body of the message).
>Archives at http://www.dnso.org/archives.html
