On 9 Nov 2013, at 1:46 am, Jorge Amodio wrote:


Comments below.

-Jorge

On Nov 8, 2013, at 9:02 AM, David Cake wrote:


On 8 Nov 2013, at 9:44 pm, Jorge Amodio wrote:


Yes we should get ready for an alien invasion and for when they take over the root zone.

Part of my point is that ICANN does more than simply run the root zone. We do a lot of things. Pervasive surveillance is a factor in many of them. I've heard it discussed, as a genuine policy concern, in some issues already - for example, in discussions about the proposals to replace WHOIS from the EWG. It should feature in discussion of proxy and privacy services as well - WG just announced.

FYI, ICANN does not "run" the root zone. Regardless of being the current contractor for the IANA functions.

Do you really feel that quibbling over whether the management of the root zone is fully synonymous with 'run' is the most useful response to my point? 

DNSSEC is the underlying technology of DANE, which is a technology that can replace Certificate Authorities as trust anchors for encryption, which in turn helps mitigate problems of state subversion of CAs to eavesdrop on allegedly secure https streams. 

DANE has been proposed as an authentication mechanism based on DNSSEC; while it may facilitate the establishment of secure connections, it does not inherently make them more secure.

Yes, indeed, I understand what DANE does. It does not inherently make it more secure - but we aren't talking inherently, we are talking actual observed problems with Certificate Authorities in practice. 
Security is part of ICANN's remit, indeed. Security includes surveillance as part of the threat model. A change in the threat model should change how we consider security issues. Security is a complex area, with a lot of interdependencies, and the DNS is part of that.

There have been in the past many proposals and developments for strong encryption and more robustness and support for security, but the industry and providers didn't consider the extra load and investment necessary, and the problem here is not the NSA sniffing traffic.

One reason why industry was not keen on strong crypto everywhere was the lack of a pervasive surveillance threat. Now we have a pervasive surveillance threat. Reports out of the IETF currently seem to indicate there is a distinct change of mood about the importance of crypto everywhere.


Surveillance and filtering (not just threats) have been going on for a long time; if you take a look at several polls, people are concerned but the majority does not care, which translates into economics for service providers. On the other hand not the IETF, ICANN or any amount of technology will solve a problem that's a political problem.

Some problems, such as security, have multiple dimensions, including political and economic ones, but we don't generally run the DNS based on polling. ICANN should not merely be catering to what the majority of consumers demand, but also making decisions about best practice. 
I would have thought this point was obvious. The majority of consumers don't ask about DNSSEC, use the UDRP, care about IPv6, or any of a number of other issues. The idea that we should just throw up our hands and do nothing because an issue has limited support from a majority of consumers is a very odd argument to make.

It will be extremely naive to assume that the "other side" will not have the resources or capabilities to counter whatever technology based approach you can envision, which does not mean we don't have to keep working to make the Internet more secure or more private.

Not at all. 
It would be extremely naive to assume that 'the other side' does not have the resources or capabilities to make a serious attack on any given technological approach, but it would be ignoring the quantitative aspects of the argument entirely to jump straight from 'it is possible to produce an attack on a given approach' to 'and that approach can always be scaled to pervasive levels'. 
In short, numbers matter. We could equally say 'the state will always be able to overpower any individual when it chooses to use force', which is of course true - but we know that doesn't mean the state can overpower ALL the individuals. 
We keep working to make the internet more secure and more private. If we only are able to protect, say, 90% of users? That would still be worth doing.

There is no absolute security on any system, you can implement the strongest encryption and security methods and exploits will always look for the weakest link, that in many cases has been proven to be the human factor. As I said before, it only takes a badly paid technician or a corrupt government official, and you can add a disgruntled employee with a dissenting opinion, of which Snowden is a vivid case, to break the highest levels of security we can imagine.

Sure, but if we are specifically trying to defeat pervasive, ubiquitous surveillance, then it is enough to make it more difficult by an order of magnitude or two - and I think that is genuinely achievable. Surveillance will still exist, but if it becomes difficult enough that it requires either serious corruption, or warrants, then we will have made a big difference.

Collection of data will take the path of lowest resistance, put as many roadblocks as you wish but once again given the mandate and the funding, your efforts will be fruitless. 

I'm failing to follow this, you seem to be responding in absolutes to a quantitative argument. 
So let me put it in more concrete terms. If we are able to change standard internet practice so there is far more encrypted traffic, better access control, etc, and this makes pervasive surveillance of user content, say, 10 times more expensive to implement - is it your contention that this is pointless because the response will always simply be to spend 10 times as much money on pervasive surveillance? What about 100 times? 1000?

If you take some time to go through some of the embassy cables disclosed by WikiLeaks, particularly from developing countries, you will be surprised to find that the "serious" corruption is just an amicable lunch or round of golf with the US ambassador.

Of course. And I'm from Australia, a nation already deeply complicit in US surveillance efforts (we are part of the 'Five Eyes' group - I used to live in a town where 8% of the population were there due to employment at a US surveillance facility). That state agencies have been known to act illegally wasn't really something I disputed - but I contend (and hope) that making something illegal makes it at least somewhat less likely to happen on a global scale.

My point was rather that if we can harden our communications systems to the point where they can not be easily eavesdropped, of course well resourced state agencies will still have a reasonable chance at surveilling some of my private communications, by various means, if they choose to do so - I'm reasonably security savvy, but I'm not going to fool myself that a penetration expert couldn't access my communications if someone really wanted to (just as state sponsored APT teams manage to compromise secure sites fairly regularly). But if we can harden our communications to the point that passive surveillance isn't sufficient, and the state needs to do something that requires them to either get a warrant, or illegally act without a warrant, then we will have accomplished something significant in reducing surveillance - even if some spook agencies still will choose to illegally bypass warrants. Because of course some state agencies will still act illegally, but there are limits to what illegal acts they will perform on a wholesale basis, against average citizens.

Cheers
David