On 1/18/2005 10:11 PM rogerk@queernet.org noted that:
> Quoting "Ross Wm. Rader" <ross@tucows.com>:
>
>>As Elliot pointed out to me on Friday, all rules favor thieves. Rules
>>constrain those that are inclined to follow rules which empowers those
>>that don't.
>
>
> That's why you need inviolable mechanisms, not rules.

These are semantics that wouldn't address the core problem.

> For instance, confirmation should never pass through a registrar or reseller --
> only direct from user to registry.

The issue here isn't bad transfer policy, lax confirmation rules or poor
practices in place at this reseller or that registrar.

There is a fundamental flaw in registry security policy. RRP policy
allows me to make my own assertions without any checks or balances to
correct inappropriate assertions.

In other words, anyone can pretend to be me with very little trouble.
Anyone pretending to be me is totally trusted by the registry with no
secondary checks. Anyone pretending to be me has the same access to
registry resources that I do.

The basic RRP registrant identity model is a very basic construct that
Verisign inherited from Network Solutions, whose implementation dated
back to when they took over the .com contract from GSI. It is high time
that the community started holding our steward accountable for these
deficiencies and ensured that these flaws are fixed.

Oddly, the timing to fix these problems couldn't be more perfect.

--
Regards,
-rwr
"In the modern world the intelligence of public opinion is the one indispensable condition for social progress." - Charles W. Eliot (1834 - 1926)