Dear colleagues,
Thank you all very much for your constructive comments. Please make sure you
contribute in the document itself, so our experts can take your views into
account when finalising the document.
As an explanation. IS3C focuses on the deployment of all security-related
Internet standards and ICT best practices. See e.g. the list of 23 Internet
standards (of which one is a best practice) we developed recently that all
organisation can use when procuring ICTs. The alternative narrative we are
working on now, can be used for all standards and best practices (for more
information, see is3coaltion.org). Also, we make a clear distinction between
organisations that need to take action themselves and organisations that need
to demand this level of security to be built in by design when procuring ICTs,
by adding them to their procurement demands. The arguments most likely will
vary between the two. Please keep this in mind.
Why DNSSEC and RPKI? Among IS3C's members the desire arose to have one Working
Group focus on two standards only. Consensus led to DNSSEC and RPKI, which led
to natural partners. Where your concerns on DNSSEC are concerned, please add
them in the doc so that they can be added into the final document. Also, please
add the solution, so it can be taken into account as well.
Should you be interested to participate in our work in the future, please let
me know and I will guide you to our membership list. Finally, I am reaching out
to you as the Dynamic Coalition's coordinator.
Thank you again, as your comments are very valuable to us.
Kind regards,
Wout de Natris
IS3C: Making the Internet more secure and safer
________________________________
From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> on behalf of
anti-abuse-wg-requ...@ripe.net <anti-abuse-wg-requ...@ripe.net>
Sent: Tuesday, March 12, 2024 9:57 AM
To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: anti-abuse-wg Digest, Vol 145, Issue 7
Send anti-abuse-wg mailing list submissions to
anti-abuse-wg@ripe.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
or, via email, send a message with subject or body 'help' to
anti-abuse-wg-requ...@ripe.net
You can reach the person managing the list at
anti-abuse-wg-ow...@ripe.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of anti-abuse-wg digest..."
Today's Topics:
1. Re: IS3C public consultation on an alternative narrative to
deploy Internet standards (David Conrad)
2. Re: IS3C public consultation on an alternative narrative to
deploy Internet standards (John Levine)
3. Re: IS3C public consultation on an alternative narrative to
deploy Internet standards (Alessandro Vesely)
----------------------------------------------------------------------
Message: 1
Date: Mon, 11 Mar 2024 19:55:17 +0000
From: David Conrad <d...@virtualized.org>
To: Wout de Natris <denatriscons...@hotmail.nl>
Cc: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] IS3C public consultation on an
alternative narrative to deploy Internet standards
Message-ID: <3d269691-628c-49b5-b173-b01518b92...@virtualized.org>
Content-Type: text/plain; charset="utf-8"
Hi,
I've focused my comments specifically on the section entitled "The Alternative
Narrative, a Call To Action for Leaders?.
While I understand the desire to encourage DNSSEC and RPKI deployment at the
leadership level, however if you??re targeting policy makers and C-levels, I
would strongly encourage a balanced, honest approach, one that highlights both
the benefits as well as risks. From experience, I believe focusing only on
(alleged) benefits and stretching applicability (almost beyond recognition) can
be quite counter-productive when the inevitable failures (e.g.,
https://ianix.com/pub/dnssec-outages.html,
https://packetvis.com/blog/rpki-trust-anchor-malfunctions/) occur.
FWIW.
Regards,
-drc
Partner/CTO, Layer 9 Technologies (layer9.tech <http://layer9.tech/>)
> On Mar 11, 2024, at 2:58?AM, Wout de Natris <denatriscons...@hotmail.nl>
> wrote:
>
> Dear colleagues,
>
> IGF DC IS3C invites you to participate in the consultation on positively
> enhancing the deployment of two Internet standards: DNSSEC and RPKI. You are
> invited to answer either of these questions: Do the arguments used to favor a
> positive decision, convince you to order deployment within your organisation
> or from your service provider? / Do they assist you to convince decision
> takers in your organisation to invest in security by design? You are invited
> to share your views and arguments with IS3C?s expert team and have been
> granted commenting rights in this document to do so. The consultation runs
> from 11 March to 12PM UTC, Friday 5 April 2024. Your contribution will be
> taken into consideration when finalising the text before publication this
> spring. Here is the link to the Google Doc:
>
> https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing
>
> <https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing>
> IS3C WG 8 work document
> <https://docs.google.com/document/d/1YYq3ie9D03L1Z5ssgPbWKV5becUgNw0h7_fmm9xGWKs/edit?usp=sharing>
> docs.google.com <http://docs.google.com/>
> We hope to receive your views so we can present the most convincing arguments
> to deploy DNSSEC, RPKI and all other security-related Internet standards and
> ICT best practices. (FYI, this project is sponsored by ICANN and RIPE NCC.)
>
> Kind regards,
>
> Wout de Natris
>
> IS3C: Making the Internet more secure and safer
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20240311/55076bbb/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL:
<https://lists.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20240311/55076bbb/attachment-0001.sig>
------------------------------
Message: 2
Date: 11 Mar 2024 17:30:26 -0400
From: "John Levine" <jo...@taugh.com>
To: anti-abuse-wg@ripe.net
Cc: mich...@blacknight.com
Subject: Re: [anti-abuse-wg] IS3C public consultation on an
alternative narrative to deploy Internet standards
Message-ID: <20240311213026.EA5F584E0F56@ary.local>
Content-Type: text/plain; charset=utf-8
It appears that Michele Neylon - Blacknight via anti-abuse-wg
<mich...@blacknight.com> said:
>-=-=-=-=-=-
>-=-=-=-=-=-
>
>Serge
>
>Several ccTLD registries have given discounts for DNSSEC.
>
>What is unclear is how many of the domains with DNSSEC enabled are in active
>use, so the lack of ?problems? could be simply down to a complete lack of us /
>ignorance that the technology was enabled.
>
>My main issue with focus on DNSSEC is that it is seen being a ?good use? of
>resources, so small registries who should invest in other things that are
>fundamentally more important feel obliged to enable
>it. There?s also the entire ?I?ve got DNSSEC so now my domain / site / service
>is secure? belief. Much like people who think that smacking an SSL cert on
>their site magically renders it secure.
It makes sense if you're likely to be a phish target or you're
sophisticated enough to use DANE. DNSSEC works pretty well for Comcast.
I agree that for random little private domains the benefit is marginal.
R's,
John
------------------------------
Message: 3
Date: Tue, 12 Mar 2024 09:57:49 +0100
From: Alessandro Vesely <ves...@tana.it>
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] IS3C public consultation on an
alternative narrative to deploy Internet standards
Message-ID: <c40c80ee-ada0-496c-acde-2623f13a1...@tana.it>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 11/03/2024 22:30, John Levine wrote:
> It appears that Michele Neylon - Blacknight via anti-abuse-wg
> <mich...@blacknight.com> said:
>>
>> Several ccTLD registries have given discounts for DNSSEC.
>>
>> What is unclear is how many of the domains with DNSSEC enabled are in active
>> use, so the lack of ?problems? could be simply down to a complete lack of us
>> / ignorance that the technology was enabled.
>>
>> My main issue with focus on DNSSEC is that it is seen being a ?good use? of
>> resources, so small registries who should invest in other things that are
>> fundamentally more important feel obliged to enable
>> it. There?s also the entire ?I?ve got DNSSEC so now my domain / site /
>> service is secure? belief. Much like people who think that smacking an SSL
>> cert on their site magically renders it secure.
>
> It makes sense if you're likely to be a phish target or you're
> sophisticated enough to use DANE. DNSSEC works pretty well for Comcast.
>
> I agree that for random little private domains the benefit is marginal.
DNSSEC everywhere would make more sense than HTTPS everywhere, which
instead won the hype. Being sure to connect to the IP designated by the
domain is essential, while encrypting every page of sites like, say,
wikipedia is just wasting cycles.
Best
Ale
--
------------------------------
Subject: Digest Footer
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
------------------------------
End of anti-abuse-wg Digest, Vol 145, Issue 7
*********************************************
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
