IAB Open Meeting, IETF 117

When: Tuesday, July 25, 2013, Session II 13:00 - 14:30

Chairs: Mirja Kühlewind, Suresh Krishnan

Welcome and Status Update - Mirja/Suresh (5 mins)

Slides: Internet Architecture Board Open Meeting

Document Updates

Program Updates

Workshops (None)

Liaison Updates

W3C Liaison Update - Martin Thomson (10 mins)

Slides: W3C World Wide Web Consortium

Fragmentation & centralization: Beyond “free” and “closed” - Nick Merrill (20 mins)

Slides: Fragmentation & Centralization: Beyond “free” and “closed”

Eliot Lear: Thank you, this was a great presentation. Just one or two
points. I think we have to be careful about definitions and what we mean
by control points. CDNs are really difficult to characterize in that
regard. Anyone can start a CDN; all it requires is money. The proof of
that is Cloudflare's own existence. They were not there. They came into
the market. They delivered a good service. And the same is true with
Fastly. No particular CDN -- the issue is whether there becomes a
lock-in function based on the APIs that are used. It's a great area for
exploration.

Nick Merrill: I think that while I agree, the proposition that anyone
can make a CDN with enough captial, it makes it more plausible that
Comcast and others have CDNs, yet nobody seems to use them. Why, in my
data, can I not see anyone using these AT&T or Comcast CDNs?

Mallory Knodel: I really appreciate the slide what aligned with my
realization from listening to a lot of conversations about fragmentation
over the last year, people don't mean what we mean. For them, it's a
statement about complexity. But then I have a question that comes from
the GAIA session earlier today. There was an interesting presentation on
not just companies dominated in the U.S., but when you have a global
network for your content distribution, all the content is going through
the U.S. There's few ISPs on the continent of Africa. If you're near a
country and your content is in the country, there's a likelihood that
your content is going around the country and back again. And in the GAIA
conversation, there's the question of why? There's all these things that
we think exist to keep content local when possible, irrespective of
whether there's a mandate for content localization, which is a trend as
well. So coming up with actual incentives in trying to solve that
problem may solve other problems too.

Nick Merrill: There is a tremendous advantage to having traffic routed
through your country. China has very little boomerang traffic. They only
have 3 ASes that connect it to the rest of the Internet. It creates an
asymmetry when it comes to attacks. So it's often assumed or presumed
that nobody would ever attack a DNS server or content distribution
network because doing so would cause too much blowback for the attacker.
If you were to go and attack something, you would suffer the
consequences to such a great degree that it wouldn't be worth the
attack. But the absence of any boomerang routing is different. There's
no incentive to go against leveraging some kind of attack against the
CDN if you don't rely on that CDN and that outage of that CDN wouldn't
affect you. There's a notion of sovereignty that needs to be balanced
against interdependence. There was this trade of thesis of globalization
that interdependence would prevent conflict because that interlinkage
exactly would disincent anyone from attacking anyone else. It would be
distractive. As we think about the real need for sovereignty, I think
it's equally important we balance that need for sovereignty against the
need for interdependence and the role that interdependence plays in
hopefully decreasing conflict and disincentivizing conflict.

Arnaud Taddei: So you just made the segue. Thank you, it was very
insightful and very good presentation. You finished on sovereignty. In
fact, what we see is a lot of concerns on fragmentation coming from,
let's say regulation. EU, under the name of strategy economy, how
they're actually weaponnizing a number of assets that are really going
to have a problem at the end. For example, take DORA, for example, the
digital operational residency act, it's really about cloud providers in
the sector. It's a little bit underrepresented in our presentation, but
maybe have you done some work and research on that part, how this is
influencing the potential fragmentation? Have you considered regulation?

Nick Merrill: That's a good question. I haven't looked specifically at
the role of regulation because it's hard to measure causal relationships
between regulations and the effects on the Internet. It doesn't mean
it's not possible. I just haven't found a way to do it. I think it's a
critical question. Especially with the GAIA EU project. I think it's
something I'm really fascinated by.

Arnaud Taddei: I don't think this project is going anywhere. I think it
was the other one which is the DORA. So how the EU is weaponizing its
instruments to precisely to fight U.S. in certain ways. So it goes down
to even weaponizing its capabilities to the other side so that they are
less incentivized to go for U.S. companies.

Nick Merrill: There's this theory in political science called hegemonic
openness theory is what it should be called. I think it's the late 18th
century. So the 20th century, Britain and then followed by the U.S., it
ran world trade. More or less this is true of the U.S. The Internet also
acts as a hedgemon. Why do we see the system be as open as it is? Why is
the system dominated and then there's yet this open and free trade. As
long as a hedgemon exists, in that situation, everyone else can kind of
do whatever they want and the hedgemon gets to benefit and extract rent,
basically, from that situation. Also, soft power weaponized into
interdependency. What about when the hedgemon declines? There tends to
be a chaotic period until a new hedgemon emerges. What happens if these
sorts of regulations and incentives be successful? What if they end up
challenging the hedgemon in a unique way. What does the Internet look
like? Well, hegemonic stability would say it would not be an open
Internet. That may be counter to some of our idealogical preferences,
but this is the prediction of that theory. It would be a serious
challenge to that theory, which is more or less proved out in trade and
finance. So what are we to make of this? Well, my overall theory is that
the Internet is both something countries fight on and over. It's
something that the countries use to struggle against one another. It's a
mechanism for international competition/cooperation, but it's also
something that nations struggle to control. It's a domain of conflict as
well as a mechanism for conflict and competition. So, you know, as this
plays out, we'll kind of see if there's a way to challenge this
hedgemon, and does that increase the openness of stability for the
Internet? If so, we have to have a very frank and serious political
discussion about what to do these things.

Andrew Campling: Interesting presentation. I'm sure you only scratched
the surface of four years, but you pointed out some really fun points.
Two questions, really. Did you consider or have you considered how
standards are used to reinforce control points? Because I can certainly
think of some standards being developed here which arguably strengthen
the role of CDNs, to randomly pick one that you talked about, CDNs. And,
also,s have you considered whether SDOs, as a whole, is another control
point.

Nick Merrill: What a great question. I haven't looked into that. They
probably are. I would love to look into it. There was so much, outside
of IETF kerfuffle, to talk about standards and I would really love to
look into that. I would really love to know what the answer to that
question is. Please reach out. I would love to talk about that idea
more.

Rich Salz: I'm curious how you determine that teleco's don't use their
CDNs? You said, for example, AT&T, who no longer owns HBO, has the CDN
but HBO, when they owned it, wasn't delivered over the HBO -- you know
it's delivered via Akamai, but you made the claim that lots of
organizations have CDNs and are not using them. You can do a DNS lookup,
and it will have Akamai in it. You made a general statement. I wondered
if that was just a view or if you had statistics? It's probably too
detailed to get into here. I would love to talk with you offline.

Nick Merrill: Yeah. I would be happy to talk about. I guess at the high
level, this is what you're asking. We have the dataset from 3 Text, a
lot of pulse metrics come from them, and we work with them to get this
corpus of CDN usage, and we kind of looked at the CDN usage to determine
the popularity of these CDNs. What we found was that AT&T and Comcast
was not in that dataset, which forced us to ask why. And there are a
couple of explanations we can come up with, but there's no resolution on
that yet.

Mark Nottingham: I've spent about 25 years working for the top three
reputable CDNs on your list. I will let you interpret that. And deploy
them in private companies like Yahoo and Merrill Lynch. I have thoughts.
Probably too many for the mic line. Are you looking at this from a
centralization standpoint in terms of what is good for the Internet? Or
are you looking at it from a competition standpoint? Which is a very
different thing. What's your angle here?

Nick Merrill: What's my angle here? You know, my concern is about
catastrophic pan-Internet challenges. I'm fundamentally concerned with
that scenario.

Mark Nottingham: From the competition standpoint.
There was a question about standards. Attend to think of it more in what
is the role of technical standards in an Internet governance, which is
kind of a bigger question.

Proposed IAB Technical program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS) - Chris Wood (30 mins)

See https://github.com/intarchboard/proposed-program-whodis

Slides: Proposed Program: WHODIS Wholistic Human-Oriented Discussions
on Identity Systems

Justin Richer: I think this is a fantastic set of questions to be asking
here at the IETF. The scope is definitely a hard one, because if you ask
10 identity professionals what identity is, you will get at least 17
answers. This work is going to have to embrace that because identity
means a lot of things that are contextual. It's often that context that
people actually care about, and identity is usually -- I would say, at
least, many times, it's a tool to solve things in a different context.
Identity is the thing that most fits the type of, you know, a small part
of the problem that they are actually after. That said, I do think that
because of that, it makes sense to have sort of a wider effort in the
IETF to look at identity systems. I do think that there is space and
discussion and probably desire for machine identity and stuff like that.
I'm not sure if it actually belongs in the same spot. I don't know.
People and computers are, in fact, different. I know it's kind of a
weird thought for most of the folks in this room. Regardless, it's an
important set of questions. It's a wide set of questions, and there's a
lot of people that we can hopefully pull in to have this conversation to
figure out which parts of this the IETF ultimately really needs to care
about. So thank you for bringing this up. I hope to see more on this.

Brent Zundel: I edited and wrote the presentation exchange protocols at
decentralized foundation where I sit on the Steering Committee. This is
a very interesting set of questions. I do want to warn, slightly, that
anytime you're talking about the big-I Identity, the conversation will
inevitably become very fraught and lead to almost immediate stoppage of
any technical progress. So trying to determine what technical progress
can and ought to be made should be almost an entirely separate
conversation from the big I. Who is identity? Who should have one? Is it
the machine? Is it degenerative, whatever? All that to say happy to
participate. Would have liked to have known about this beyond just
having seven people say, Have you heard about what this IAB thing is?

Chris Wood: Apologies that it was not advertised in the venues that you
participate in. We probably should have sent it to the verified
credentials group. That makes sense. On the tackling what the big-I
Identity question is, I don't think the intent is to define what is or
is not and what are the circumstances that a person should or should not
get an identity. I mean, we'll certainly -- it's hard to avoid, like,
talking about identity in this particular space, but I don't think we're
trying to establish a canonical definition of what capital I Identity
is. That seems like a good way to not make any progress. And limiting
our scope to something that's a bit more manageable will hope us in an
already wide, diverse space. Thank you for the suggestion.

Dick Hardt: Like a number of people here, I've been involved in identity
for a long time, a couple of decades. I participated in many, many
workshops that have lasted over days or weeks, trying to get people to
all understand what is identity. You know, the Open ID Foundation exists
because I came and ran and we decided to take our toys and go somewhere
else because we couldn't get anything started here. There's identity
work all over the place and an awful lot of that here. It's unclear what
you are wanting to do with this that doesn't turn into a multi-week
workshop. I'm just trying to understand a whole different parts of
identity. Like, what is a credential? You're not going to get an
agreement on that. What is identity? You're not going to get an
agreement on that. I think you've seen the tip of the iceberg, and this
thing you see is big and complicated, right, but you're only seeing 10%
of what's going on.

Chris Wood: For sure. I'm willing to acknowledge that our understanding
of the situation may be very different from those immersed in this space
for a very long time. I'm hopeful that we have the ability to dig into
jobs with widely used mechanisms and use them.

Mirja Kühlewind: I'm just trying to understand. You say there's a lot of
work there. There's probably also a lot of problems. And we try to not
solve them all, but what can we do in this community to try to solve the
problems. Or are you saying we shouldn't even try?

Dick Hardt: Can a lot of people are solving problems. I think trying to
get a layout of what's happening in identity is a massive work effort.
Right? Before you can even figure out where are there problems to solve.
For the people in the industry, we're all working on solving the
problems. It's like there's thousands of people working on identity for
a long time. Trying to understand the scope of the lay of the land, that
just seems hard to do. And what is identity and credentials? That first
part seems tough.

Chris Wood: So a concrete example. I mentioned the OAuth example
earlier. There are very, very similar technologies, verifiable
credentials, et cetera, all of these are trying to similar things. In
the circumstances of when you would use them, how they're used, how
they're misused, we want to represent sort of like a clear picture for
the relationship between these types of things. Or at least that's one
of the proposed goals, at least.

Dick Hardt: This is why I have concerns. You just listed three things in
my mind that are very different, and you think they overlap with each
other.

Chris Wood: They definitely overlap with each other.

Mirja Kühlewind: I think we need to have the discussion in the program.
Or are you saying you don't even want to have the discussion? Let's take
it offline and go through the queue for now.

Peter Kasselman: I'm working on standards mostly in the OAuth area. Very
excited to see this. I think this is great. In terms of the questions
around scope, you know, I think if we think about this program as kind
of an integration point to bring different communities together to
exchange ideas, I think that's actually really helpful. Otherwise, I
find myself sort of traveling from working group to working group to
figure out what it is that you're doing and how does that fit with what
I'm doing? So a clearing house for those conversations, that's really
good. You know, I think you might want to think about defining --
whether it's credential or identity system, think about maybe framing it
in terms of the outcome that you want with identity systems. With
identity systems, often the goal is something along the lines of making
sure that the right person has access to the right thing at the right
time. That actually, then, opens up the conversation about all the
technology building blocks that you need. Brent's earlier comment about
the big I, that might be another one. If you can focus on the technology
pieces, that's helpful. But, also, then, it just helps us structure the
conversation. To Dick's point, it's big problem. Identity goes well
beyond humans. We're seeing so many challenges of managing devices,
workloads, and this configuration -- you mentioned you're using an IP
address, which is an identifier for address on a network for a human.
Maybe we don't have proper human identity systems, but maybe we don't
have proper systems for machine identity, and we end up sort of merging
these things inappropriately. So I would prefer a broader scope. Again,
it allows us to at least connect these silos and have these
conversations in one place.

Chris Wood: I mean, on one of the other slides, bringing people together
in the workshop, it was one of the goals that was primarily identified.
And we didn't explicitly list the use cases that we would want to target
or to use to frame these discussions because we were hoping that the
contributors who do come and facilitate and contribute to these
discussions would bring what is important to them. Authentication being,
perhaps, the most obvious one.

Martin Thomson: I understand that this is an IAB program that you're
proposing here, and there's always the possibility that we can really
sort of get into the weeds and have a very broad scope. I think that's
certainly something that a program could consider as within bounds for
discussion. Even if the stated charter or goals for that program were
somewhat narrower. My sort of goal here is to ensure that when we talk
about these things, we have something more of a focus on, for instance,
the effects of what we're talking about on people as opposed to machine.
And using a proxy for a person that's a great idea and something we
should be talking about, but I don't care about the IP address as a
proxy for identifying a server or something, a piece of machinery
because I think broadening the scope in that particular way would be
just a -- I mean, we already heard. It's an ocean we're looking to boil
with a magnifying glass, as it is. I would rather not get too far into
the other things. I'm also surprised that no one has mentioned the
identity layer of the Internet yet. And I wanted to be the first.

Chris Wood: Yeah, thanks, Martin. The name, despite being kind of cute,
I guess, for the program has human oriented in it particularly because
that was the focus. I'm not opposed to expanding the scope, but I think
there's arguments on where we should face our focus to start.

Kaliya Young: My Handle is "Identity Woman" and I have convened
the Internet Identity Workshop since 2005 twice a year. You are
welcome to come and share what you are doing and get input and feedback
on it from the community. I will just name, building on Dick's point.
About three years ago, I did work for a client to identify all identity
standards in SDOs and other industry associations that I could related
to human-centric identity, and I identified 1500 of them.

Chris Wood: No disagreement there. I anticipate there's going to be --
1500 is a bit higher of a number than I was expecting. Let's put it that
way. But the actual ones that are used in practice, we're going to have
to try to keep things small to start and focus on pretty important ones.
Perhaps a total, complete, exhaustive picture of the landscape may not
be a goal that we can accomplish in this type of program. I don't know
if it's worth our time, but -- well, today I learned.

Joe Salowey: This work is important. I think Martin's point is good.
We're going to have to -- maybe focusing on machines is not the right
thing to do, but there's going to have to be some aspect of that because
more and more -- there's just a lot of work in that area. So we won't be
able to separate it completely. That's my thinking.

Heather Flanagan: I'm one of the many people that has worked in the
identity space for a while. I'm actually the coordinator of one of the
groups you mentioned in the proposed program charter. I'm like, and I
still didn't hear about this. I think it would be more useful for the
IAB to say -- I mean, you use -- you kept saying "we," and I kept
wondering who we was. If you're going after a program that's actually
scoped to what can we, the IAB do or the IETF do in this space, I think
that's interesting. I think there are enough other identity-focused
standards organizations that are looking at scale. I know you said you
didn't want to take the energy from the room, but you're going find it's
all the same people. So coming at it with a bit more focus to what can
you accomplish here would be very helpful.

Chris Wood: That seems to be like a pretty unanimous comment that we're
getting. That seems like perfectly good feedback to fold into the
proposed charter.

Mirja Kühlewind: An IAB program is to figure out what work we can do.
The reason we're creating a program is because we on the IAB are not all
identity experts. We need to have the discussions with the identity
experts which are not part of the IAB. That's what is posing a problem.

ISE slot: Introduction to draft-farrell-tenyearsafter - Eliot Lear (ISE) (15 mins)

Slides: Ten Years After The Snowden Revelations (and other
ISEities)

Open Mic

[No time for open mic session.]