> On Jul 5, 2024, at 09:53, Jeroen Massar via NANOG <[email protected]> wrote:
> Please note that:
> - Markmonitor is owned by Newfold Digital / Endurance International [1]
> - Network Solutions is owned by Web.com <http://web.com/> [2]
> - Web.com <http://web.com/> is... owned by Newfold Digital [3]
>
> And... we all still have ICANN as an ultimate power, and the TLD itself, next
> to the above registrar.
>
> There is always going to be single point of failures in a hierarchical tree
> like that.

Taking off on what Jeroen is saying here… A huge amount of PCH’s work is with
TLD registries. Much of that is ccTLDs, national domains, but a fair bit is
also with brand TLDs. I think a lot of people are dismissive of brand TLDs,
thinking “oh, that’s just trademark protection.” And MarkMonitor and CSC were,
admittedly, a part of the reason why people treat them dismissively. The
majority of brand TLDs lie fallow, with little to no use.
That’s unfortunate, because a TLD of its own is one of the VERY BEST things an
organization can do to reduce security externalities. It’s a really
foundational building-block in modern security. You can do DNSSEC and DANE and
use all of the security tools and processes that build upon those, without
having to depend upon the (largely non-existent) security of the
registrar-registry chain. There are more protocols and tools coming down the
pike that build further on that foundation. There are browsers coming which
will trust the existence or non-existence of a DANE cert, without allowing a
downgrade attack to a bogus CA cert. There are Digital Emblems coming
(participate in the BoF at the IETF if you care!). That leaves you with just
the one (?) externality of the IANA (and the RZM agreement) which, yeah, you’re
not going to get past. But that’s done very, very securely, so if you have to
trust one external party, at least they’re _competent_ and well-funded and not
going to get acquired by a Florida Man private-equity outfit.
ICANN’s going to open another round of TLD applications, and I expect a lot of
companies to go into that with their eyes more open than last time, knowing why
they’re doing it. It’s not about brand protection, it’s about
disintermediating the root of trust and giving yourself a solid foundation for
your security architecture.
-Bill
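An added example, not part of Bill's message or of any browser's code, of the "existence or non-existence of a DANE cert, without a downgrade" policy described above: a TLS client that checks DNSSEC-validated TLSA records (RFC 6698) and refuses to fall back to plain CA validation when signed TLSA records exist. It handles only DANE-EE (certificate usage 3); the record, certificate and key bytes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class DnssecStatus(Enum):
    SECURE = "secure"      # answer, or the denial of existence, validated under DNSSEC
    INSECURE = "insecure"  # zone provably unsigned: DANE cannot apply
    BOGUS = "bogus"        # validation failed: treat as an attack, not as "no record"


@dataclass(frozen=True)
class TlsaRecord:
    usage: int     # only 3 (DANE-EE) is handled here; usages 0-2 need chain logic
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Bytes a TLSA record would carry for this certificate (RFC 6698 section 2.1)."""
    selected = spki_der if selector == 1 else cert_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    if rec.usage != 3:
        return False  # conservative: an unsupported usage never satisfies the check
    return association_data(cert_der, spki_der, rec.selector, rec.mtype) == rec.data


def decide(status: DnssecStatus, records: list, cert_der: bytes,
           spki_der: bytes, ca_path_valid: bool) -> str:
    """Return 'accept' or 'reject' for the certificate a server presented.

    Once DNSSEC proves TLSA records exist, the CA path no longer matters: a
    CA-valid but non-matching certificate is rejected, never downgraded to."""
    if status is DnssecStatus.BOGUS:
        return "reject"
    if status is DnssecStatus.SECURE and records:
        return "accept" if any(tlsa_matches(r, cert_der, spki_der) for r in records) else "reject"
    # signed denial of existence, or an unsigned zone: ordinary CA validation applies
    return "accept" if ca_path_valid else "reject"


# Constructed sample data (not real DER): the operator pins its SPKI via a "3 1 1" record.
SAMPLE_SPKI = b"constructed SPKI bytes for www.example"
SAMPLE_CERT = b"constructed certificate wrapping " + SAMPLE_SPKI
SAMPLE_TLSA = [TlsaRecord(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())]
```

With signed TLSA records present, `decide(...)` ignores `ca_path_valid` entirely; with a signed denial of existence it falls back to the CA check, and a BOGUS DNSSEC result is always rejected.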