On Fri, Jul 4, 2025 at 9:30 AM Theodore Ts'o <tytso@xxxxxxx> wrote:
> On Fri, Jul 04, 2025 at 12:21:59AM +0200, Michael De Roover wrote:
> > I love the way you think here! Cost-benefit, yeah, customer service departments
> > are the ones to face the angry customers whose data and/or networks have been
> > breached. If we can offer guidance on how to prevent that outcome, why wouldn't
> > they consider it? I think this is something worth doing.
> It's not just about the technical issues about networking protocols
> and the software stack, but also about the business model of who will
> pay for the initial implementation on the client and the servers; who
> will pay for the on-going maintenance on the client and servers
> (including security updates); what happens when newer versions of the
> software no longer "fit" on hardware which is a few years older than
> the bleeding edge?
The business model is the entire point. I get that most folk in IETF are focused on the technology side. Businesses that have followed my suggestions in the past have done extremely well. Extended Validation certificates happened because Microsoft had a liability problem and Tim Callan, Melih Abdulhayoğlu and I got the industry to agree on a solution.
My proposal for a 'Handle Service Provider' is for a new product that can be delivered by *existing* businesses. All a DNS registrar will need to do to start offering HSP service is add in a module to CPanel. The product will be a logical upsell for VPN providers, password managers, anti-virus vendors.
The scheme also provides a solution for one of the major problems with proprietary services and the network effect. Very profitable in the short run but eventually takes you to a place called anti-trust. Unlike US law, EU law doesn't care how a monopoly was formed. If you have a monopoly, you have problems. So what if the companies facing that problem had a way to give the EU commission what they really want which is an open functioning market for these services and not actually breaking them up?
It isn't just the IETF that is dominated by folk who obsess more about the technology than the business. CEOs tend to listen to Wall Street far more than their customers which is why so many Internet users are complaining about really crappy AI slop being rammed down their craw. Whenever I do a search these days, the top half of the screen is taken up by an LLM slowly churning out a piece of buggy sample code which is at best identical to the first hit from StackOverflow which is where the model was trained. They could do the whole thing so much cheaper with a Perl script to carve out the code fragment from the StackOverflow page. Or maybe that is what they are really doing with some scripting to slow down output of the 'AI' version.
> Most of the people in the IETF are folks who specialize on the
> technical side of things, but without addressing these business and
> financial issues, it's very likely that the most fancy and
> comprehensive architecture will end up getting ignored and end up being
> irrelevant.
My architectures are not 'fancy'. They are invariably simpler than what they replace. The TAXI architecture that turned into SAML was originally a 20 page draft that had all the functionality of PKIX.
> It's not our area of expertise, and unfortunately, sometimes people
> who do have more domain expertise in this area (e.g. product managers)
> are either not welcome, or have an agenda based on the needs of the
> company or companies which employ them.
Well, I always talked to my product managers.
> As a result, I tend to be very skeptical over solutions which require
> radical rearchitecture. By the time it is implemented, and deployed,
> it may be that it has been overtaken by events. Sure, this can happen
> with incremental changes, but at least the time and cost to implement
> can be much less, which mitigates this risk.
This is not a 'radical rearchitecture'. It is merely recognizing that we took a wrong turn 30 years ago because we failed to understand what the DNS is.
The DNS is the naming system of the Internet.
That means the DNS should be the naming system for ALL the Internet.
Which means it should be the naming system used by people to identify themselves, same as for hosts and services.
Which means that anything that calls itself an IoT device needs to have a DNS name. Using Internet Protocol is meaningless unless the device can be addressed by a DNS name.
The Internet architecture has become clouded because we didn't push back when people claimed that solving the 'Identity' problem required a new naming infrastructure; it doesn't, DNS works. It became cloudy because we allowed people to palm off devices slaved to a cloud service as 'IoT'; they aren't. IoT devices have a DNS name and a WebPKI cert so you can log into them with a Web browser.