Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / IAB / 25 Jul 2023
Internet Engineering Task Force / IAB / 25 Jul 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: IETF 117 IAB Open

Description

IETF 117: IAB Open
The Internet Architecture Board (IAB) will hold an open meeting 20:00-21:00 UTC on 25 July 2023 providing an update on the the EDM program, several proposed programs, and all the usual updates on various administrative and operational topics.

A

Thank you.

B

Are you locked into music.

C

Thank you.

B

uh Oh you're, showing the slides.

B

Okay, hello, everybody Welcome to IMB open at itf117. My name is Mia cullivan.

D

I am.

B

Okay, uh let's right away, we have a full agenda on the slide. You are on the screen. You already see the node well, it applies also um to an IB meeting because we're part of the ietf meeting week. I hope you know about this. It gives you references to all the policies you should know about.

B

um Maybe IPR is less important in this session.

B

Yeah, thank you, um but I want to point you to the code of conduct. It's really important that we all work together in a friendly and nice way, because that gives us the best outcome and makes everybody most comfortable next slide.

B

So the the previous slide that you didn't know is mine uh also mentioned that you need to log into meet Echo, because we want you uh on the blue sheet, that's important for our meeting planning for all kind of purposes, legal purposes and so on. So we want to have a good, transparent record of what we're doing in these meetings, and so please join the media. Echo please use mid Echo also for joining the queue and again be nice, and also note that this is recorded in live stream.

B

So yes, next we have somebody in the queue who just disappeared. Okay, next slide: this is the agenda for today we're in the welcome Park, as you might have recognized.

B

um We established uh this kind of practice of of asking one of our lives or managers to give a short report about what's happening in their organization and I. Believe people like it. So we continue that this time it will be Martin Thompson about w3c.

B

We have an invited talk, so that will be Nick Farrell I'm talking about fragmentation centralization, and then we have a longer time slot to talk about one of the proposed programs from the IB new proposed programs um on identity management, and we have some time for discussion there and because we have a one and a half hour slot this time we also offered um Elliott Lear the ISE a slot to talk about one of his recent drafts that he processed.

B

So hopefully we will have time for that and then, if everything goes well, we might even have an open mic at the end. But I don't promise that part. Okay next slide.

B

um Just very quick reminder: what is iob open, so iob open is kind of the forum for the IRB to mainly talk about our Technical and Architectural work and also a little bit about our leaders network. But what we really want to do with this session is to First give you um a little bit of visibility about what we're doing, but then also get feedback from you from the community about our work.

B

um If you, if you're engaging in this session with us here today, that's great looking forward for the discussion, but you can also reach us anytime, you can reach, uh send us an email. You can send us an email individually to all the IB members. You can talk to us during the meeting of course, and then there's architecture discussed, which is a little bit our discussion list.

B

So if you are not aware of that, you might subscribe there, there's also for each of the programs there's a list, and if you have any questions about liaison coordination, we have this liaison coordination at iab.org, mailing Alias that you can use.

B

This is skipping part, so a quick update about any kind of documents we published recently to documents and if you have been a follower for of iob, open you've seen them before, and so finally, we published the maintaining robust, robust protocol document, which has been with the IB for a very long time now and I. Think now we got like a good State here and then a new document, our newer newer document on application, Network collaboration using past English, so both of them are published. Please read them, I really like them.

B

If you don't like them, let me know if you like them. Let me know um we have the mtem workshop report, which is ready for publication. The workshop was like a year ago, I guess so. I think this is still a reasonable time, but we should really publish it and then there's also another Workshop report, which will hopefully come out very soon. There's one kind of document in the go. This is uh still kind of more or less the first version of your document.

B

We didn't have time to do a vision this time, but we're working on it. So the Privacy partitioning one is the one that we're still working on next next technical program Updates. This is actually there's somebody in the queue.

E

uh Yes, security, Enthusiast, um so uh two things, uh two things: um five minutes for the previous part is really short surprising, but perhaps that's the normal way, which means that we can't really discuss things in the in the equivalent of this slide on the web. There is a point on liaison which does not appear here. I think there is a real point on discussing liaison because I'm working in the itu I made the point in pitg yesterday in the ATU we are sending these ones here. We never get answers.

E

The fact that we never get answers means that it is like from the ATU or some people in the ATU a way to say we can continue whatever we want, which is not good, I, think we should discuss about that and how we are more proactive to give answers back to itu I. Don't know where this should be discussed, but it should. This should be discussed here.

E

Five minutes is not enough and finally, on the MTN Workshop I just could was caught by surprise this morning, when I saw Eliot answering on that one I really have problems with these reports. I really have problems with the representativity there. I I disagree with a number of things there. There could have been other things that that should have been mentioned here, but now it's too late, so I don't know how we process these things.

E

Unfortunately, but I don't know how you want to do that in five minutes or we do that offline or whatever is your way forward chairman. Thank you.

D

Yeah thanks a lot so, like I, think the the liaison staff we do have our office hours like where we can actually talk about it. It's actually in the slide like in the timing, so you can just come by. We can certainly talk about it. There's like a. We cannot do this in five minutes, like you said right, so so there's some hours you can come by and um like for the document itself, yeah.

B

Also on the on the itu issue that you mentioned, this is something that we are discussing actually in the least between the liaison managers or coordinators and so on. So this is this is ongoing, uh but it's not the focus of this meeting. We only have one and a half hours um but like come talk to us. That's always um the answer. I think you want to say something about M10, but yeah.

F

Yeah, so real, really, really briefly, uh we will work with you on the M10 report. uh Obviously we want to address all Community comments and uh the representation representation points are very valid I plan on fixing that it probably won't be this week. So you know expect an answer next week, but we will absolutely have that dialogue with you.

B

Yeah so um definitely I mean thank you for any feedback, but I also want to say because your point, your higher layer point, was that there's not enough time for discussion, so the M10 Workshop has been out for Community feedback for a while um I think we actually I'm pretty sure. I personally uh told you about the architecture, discuss mailing list.

B

um So, if you're not to subscribed to this one, please do because that's where we have all the discussion um we uh so like, and the workshop was a year ago right so like there were opportunities- and we mentioned it all over again, but we definitely take still your feedback. But please keep also in mind. This is a workshop report. It's not like a generic Agnes of the pump space. It's it's in order to reflect what happened at the workshop. No.

E

I I get it and the uh I am on the main list. I was really surprised why it followed crack I, don't know why, but anyway, that's pretty my fault uh fair enough, but still uh thank you for your best to address that, and- uh and that was my feedback anyway, so we'll go back on the uh liaison our open hour, whatever, please.

B

Come on Thursdays, okay, um but we also have some information about liaison's here, we're just in the middle. So let's go to the next slide.

B

So that's the part about program updates. um This is just a quick update about the one program that is still running um and this program. The goal is to talk about availability, deployability and maintain obtainability of protocols and our and also implementations of the protocols.

B

um There I may already mentioned the um the document that was published recently, which was discussed in this group. There's also another draft about or a new draft about greasing. So that's really brand new. It was just published at the draft deadline a few weeks ago. Please read that one, it's an early phase and there is also a draft about code maintenance. This one will be presented tomorrow and today in dispatch gen dispatch.

B

If you want to discuss that one, it's also coming out of this group, but it has an applicability to like the whole ietf. So hopefully we can move it over to the ITF to process it there and the EDM program is meeting on Wednesday morning in the IAB office.

B

So if you want to join the EDM program first of all in the mailing list, but come to the um to the meeting, it's an open meeting, it's early, but it's no meeting next and then the exciting news about this session is that we have two new proposed programs, uh we're talking about E Impact first, because that was really just recently proposed.

B

It should be a venue for half discussions about environmental impacts and and I hope we figure out um any kind of, or can I talk about any kind of topics which are not yet in the ietf OR irtf, but also we are looking for things that we can identify that and can go back into the iitf and we can do in this organization again. This is also like all technical programs.

B

It's open to everybody, there's a mailing list you can subscribe to, but we are in the process of creating this program, so we didn't fully decide yet because what we want is your your feedback from the community about this program. The scope of the program, so please provide us input this. This is the point of time right now and then the other proposed program is later on the agenda, so that site is quite empty because you will hear more about it.

B

um Do we want to take those yeah.

D

Sure and I don't know like just to go for this right. So there's a lot of updates like on the liaison front. We got like 25, um listen statements since the last ITF, and um so like one of the um liaisins, that's a 3gpp, so we had a meeting on Monday, so it went like extremely well and the RFC that describes a relationship is pretty out of date.

D

So there's going to be some uh work to update that bring it up to code and um for the higher bandwidth discussions with the liaison So, like um I, think Tommy sent out a mail to the liaison coordinators uh for all the liaisins, like that we are going to have in office hours. So it's at lunch time on Thursday, so please do come by.

D

We can certainly discuss and like uh go through the Liaisons and see what requires responses and and I think like I think this is something we discussed at the last office hours right. So sometimes we get lessons. It's not clear like which of them require actions on our part. I think that's something we can discuss on the high bandwidth channel for sure. Thank you.

B

Yeah, since the last meeting there was no workshop and we didn't announce one, uh and now we go to Martin Thompson. Where is he yes?.

D

There's.

G

Only three of them anyway, so that's me, Martin Thompson um I only have three slides. There should be relatively brief.

G

um A number of you might already know what the w3c does, um but this slide sort of covers briefly the sorts of things that they're doing it's not exhaustive, they've been around for close to I, think 30 years working on the web and various technologies that associated with that there's. Some important things to note here: HTML is not really their business.

G

At this point, there has been moved to a group called The what working group and there's a number of other documents in that sort of space as well, but they look after HTML, CSS, fonts SVG, a lot of things you would use on the web. All of the Dom interfaces in particular are theirs. There's a whole bunch of work on accessibility, internationalization security, XML semantic web of verify, verifiable credentials.

G

uh The web in cars, the webinar things there's a there's, a whole lot of work that that goes on there, but it's all Loosely around the uh presentation, layer and.

C

Visible.

G

Web that you, you would see today, so um if there's any questions on this, um whether or not something is w3c or not, that you can visit their website and and see what sort of things they're working on or talk to one of the many people who are familiar with what's going on over there to see what's going on over this, give you a profile idea next place.

G

So the w3c is, unlike the ietf membership funded organization. uh It is recently formed into an independent non-profit I think they followed a lot of the iitf LLC uh thing with great interest and managed to form a similar sort of organization earlier this year, in fact, and um that has moved from a somewhat unusual organizational structure into a more conditional one with an independent board.

G

I think someone requested that I mentioned that there is no longer a beneficial benevolent dictator for life as part of the organizational structure, um it is now much more Community governance and very much aligned with the the style of governance that we see here at the ITF. uh Although work continues on that one, the number of challenges involved in that one uh there's there's a large team.

G

uh There that's involved more actively in the in the work that goes on there, but otherwise very similar in terms of the style of work, though, I would point out that we treat mailing lists as the primary venue for engagement in working groups. They treat GitHub as the primary venue for interactions and there's a bit of a style difference there in.

G

In terms of of how they work there, another notable difference is that, while the ITF requires that uh people disclose the IPR that they're aware of when discussing things, the w3c requires that members make a commitment when they participate in the working group to provide the IPR that they own on a royalty-free basis, and they have a number of policies around that sort of thing. So that's something um some an interesting difference. Perhaps next, please.

G

Right so there's a number of different interactions with the ITF over the over recent years. You will notice there's something of a theme that that sort of flows throughout all of these things.

G

We see a lot of these features that are built for the web uh developed in in two places, and the primary pattern that we see here is that the w3c will look at the the interface the uh the way in which it integrates with the web browser and the security applications of that side of things, whereas the iot Air Force spend time on the protocols and the security of the protocols, some of that is in in progress in privacy passed.

G

There is an ITF working group, there's no formal working group currently in the in the w3c, but that that is work in progress over there. uh Other interesting things is that HTTP originally sort of started under the aw3c umbrella, but it's now very much an ITF thing. It has been for a long time and uh I won't say anything about the bottom point and that's all I have uh I think it's probably good.

G

If there's questions, um if people have questions now, um we have a couple of minutes but come and see me if you have any questions, there's also Mark Nottingham, who is one of the w3c board members here, um I'm sure he'd be very happy to help you out and understand all of those things and there's a number of other people floating around in the audience like uh Sam who's on the w3c team and um a few folks who have who are active participants in various groups in the w3cic floating around in the audience here so I think there's plenty of people around who know.

G

What's going on. Okay, thanks, everyone.

D

Thanks Martin.

D

Yeah I would like to introduce you to Nick. So Nick is like a invited like talk talker today, so Nick is a research fellow at Berkeley for the center for long-term cyber security. So we read this interesting paper by him like about like um the internet. Like you know, fragmentation pretty much like, and we thought it would be a really interesting talk to have here. So thank you very much for taking our invite Nick and looking forward to your talk thanks. Thank you thanks for having me, let me pull it up fitting it.

D

What did you do it? Okay,.

B

Yeah.

H

Okay, ah fantastic okay, yeah, my name is Nick Merrill I'm, a research fellow at the UC Berkeley Center for long-term cyber security and I'm here, to give you uh kind of four years of work in 20 minutes so by Nature I'm going to have to elude some of these details and I've tried to do so uh somewhat strategically. You know trying to get take my best guess at what you already know.

H

uh This is my first ietf I'm really happy to be here and happy to kind of you know ingratiate myself into this community a little bit.

H

um So this is about fragmentation and centralization on the internet and um by way of introduction, you know, I got interested in this work in about 2019 and I was doing my postdoc and my post-doctoral advisor Stephen Webber came to me and said: what's going on with internet fragmentation, everyone's talking about internet fragmentation? What is it?

H

Is it real uh what it has happening specifically and mechanically, and what is the direction and velocity of this trend over time if it is indeed real and at that time there were these headlines like uh the Splinter net is already here, the Splinter net is growing, uh and the world economic Forum I think that the Apex of this was the WF Wes internet fragmentation and overview, and in all of these there was this kind of vague and data free sense of Internet fragmentation, but begged the question.

H

Still you know what is it there's a lot of implicit understanding, but explicitly what is internet fragmentation? So here's my own frame, the intuitive picture behind internet fragmentation, as it was understood by policy makers. Not the ietf, as was understood by the non-technical community at that time, is that a supposedly global internet is becoming increasingly different in different countries, National borders, where the with it with a kind of the area of interest.

H

And of course there are consequences here for freedom of speech, investment, technological development, political relations, which we'll talk a little bit about more later. But this is what people were thinking of when they talked about internet fragmentation at that time. So how do we measure well? I did some work uh basically taking proxy measures at different layers of the internet stack and I? Don't I've decided to elude this uh the details on this with this audience today you can find that at this link and I think that these slides are available somewhere.

H

So you would have access to them and follow up if you want to learn more about the methodology here, but what I found was surprising to policy makers and we're probably not surprise this audience. Oh I see I I. This is an older version of the slide. That's fine!

H

um What I found is that the internet is multi-polar and that the simple story- The policymakers, told about a free internet versus the closed internet free countries. You know countries with free internet versus countries with the closed internet was overly simplified and to take a very simple uh and tightly scoped example. Think about the transition between ipv4 and IPv6. So you know there is some degree of Internet fragmentation. Some you know. Ipv6 uh penetration is uneven throughout the world that matters a great deal to people who design switchboards.

H

It matters a great deal to people who design routers. um That's not necessarily what policy makers were talking or thinking about right. Of course, those things are important. They come off of someone's balance sheet somewhere and there are kinds of policies we could think about. That can move the needle on this, but that wasn't really what policymakers were talking about. They had different questions that were ultimately about different kind of political things. Yeah.

D

Oh.

H

Absolutely too loud a.

D

Little bit closer yeah, that's perfect!.

I

That's perfect yeah thanks.

H

So what were we talking about? So we looked instead to talk about content blocking, because we felt that the discussion that policy makers were having was ultimately discussion about politics, and we felt that content blocking was the thing we could measure technically. That would reveal something political.

H

So what we did was take this IC lab data set, which you know you can uh kind of follow through I. This is an old version of the slides. That's okay, though I'll circulate or find a way to circulate a newer version. um So we took this IC lab data set.

H

That um kind of we used to see what was blocked in different countries where there was evidence of you know some kind of uh tampering or dropping packets along the wire and related that to host names, and we took those host names and ran it through this uh uh kind of this commonly available data set that categorizes those uh websites by the kind of content they have, and this data set actually was used by corporate firewalls for kind of blocking.

H

You know restricting access to gambling websites or pornography websites or other kinds of things like that, and we use that to categorize, basically who's blocking. What kinds of contents you can see. A little sample of the data set here we can see is that different countries are interested in blocking different things. South Korea blocks a tremendous amount of pornography. Most of what South Korea blocks is pornography, and, on the other hand, you know a lot of the content that you see. Blocked in Turkey is categorized as news and media in that days.

H

So our hypothesis here is, you know, we're not taking a normative kind of view of what should or shouldn't be blocked or whether things should or shouldn't be blocked. What we tried to do instead was take a descriptive view of which countries blocked similar types of content, which countries blocked content. That was in a similar uh vein, a similar uh that was categorized similarly to others.

H

So um we created this map, and- and again you know, if you follow through to this paper, you can even see an interactive version of this map. um You can explore it, see a force diagram and all other kinds of neat things, and what we find first of all is that there's a tight cluster here. Most countries really don't block much and they're broadly similar to one another, and some countries are outliers Venezuela blocks.

H

You know kind of idiosyncratic content, basically things that are about the the regime there, and then there are other countries that actually have surprising similarities. um You know uh China and Hong Kong. You can see. Hong Kong plays this position uh between China and kind of this. This main block, which is a you, know, kind of provocative observation in its own right.

H

But what really kind of tickled our interest about this was that when we correlated these similarities to other facets that are of interest to to uh political scientists like military alliances and trade agreements, what we found is that, uh if you're in a military alliance with someone, you probably block uh similar content, if you're in a trade agreement with someone, you probably block similar content, you're more likely uh to be in a trade agreement uh with someone that you block similar content to, then you are with someone who you don't and what we concluded from this basically is that these relationships reflect and likely go on to shape, maybe a two-way Direction causation.

H

These geopolitical relationships.

H

Now, there's one big caveat to that observation, which is that not everyone say in Internet governance is necessarily equal right.

H

So one way of thinking about this, what happens when you visit a web page- and this is a wonderful diagram that comes from David Clark's uh piece control, Point analysis, type of 2012 paper- and you know don't worry about this? Okay, don't don't try to don't try to interpret this diagram? The point is it's very complicated.

H

There are a lot of different things that happen when you try to visit a web page, but one thing we can do- and this is building off of David Clark's analysis is boil this down to a few key control points. These are things that you cannot Route Around and in fact uh we did this work in conjunction with the internet, Society for the boss, pulse uh internet pulse dashboard, which I'm sure a lot of people here are familiar with.

H

We contributed kind of this data and the framework for uh the centralization part of the internet pulse dashboard. So, in order to do that, we identified these key control points certificate authorities, you know who does uh web hosting. Who does proxy Services you think of that as content distribution networks? So people like cloudflare DNS servers? You know din cloudflare, also data centers top level domains.

H

All of that, and for each of these we did kind of a mix of data collection and manual coding processes to see who is your whose jurisdiction is where, and what jumped out is this right away? Is that the jurisdiction uh for the companies that run a lot of these Services is the United States and in fact uh we can create this kind of diagram. The proportion of each of these control points who's uh provided by us-based corporations. So we look at the market share, let's say of of cdns, we say Okay of that.

H

You know of the cloud flare right. You have 70 of the market, your jurisdiction is the United States and we sum up the market shares of all of those providers who are based in the United States to create the summary statistic, which is the proportion for each control Point whose jurisdiction is the United States. So you can see here a number where the overwhelming majority- in fact, in some sense, even the totality, is based in in the United States.

H

So let's talk about a few top level domains. We all know about top level domains here. Quite a lot of these top level domains are administered by registry, backends or registrars who are in the U.S, um and this is you know, has been relevant to U.S interests before who here is out of curiosity, who here is familiar with the operation in our sites?

H

Okay, very few people, okay, great! Well, here's a very interesting uh tidbit for you and the new version of the slide will have a reference to uh some work on this uh immigration. Customs and um enforcement ice has been running since 2006. This program called operation in our sites. What they do is basically, when someone is uh kind of you know, uh running a foul of um intellectual property, let's say or something else, then ice can go and seize from the domain registered. The domain registry back end that website.

H

So this has been used, for you know clear web drug marketplaces. This has been used for people selling counterfeit seat belts, very wide variety of things that has been enforced against. What's fascinating about. It is first it exploits the fact that registry back ends are based in the U.S and uses this kind of of uh seizure process to take advantage of this, and second, this whole process happens without due process.

H

So this is actually, you know, forfeiture civil forfeiture without due process and in some cases, Isis down the Civil forfeiture process on U.S citizens, which isn't you know if you're not from the US, that's not supposed to happen, um but the conditions of recourse- and you know if you know anything about ice. You know the conditions of recourse or not always so uh clear, oh dear, something has happened.

J

Maybe because.

D

My internet is working.

H

All right, we'll just do the next slide thing.

H

Is it clicker around.

A

But.

D

I need to better just say next, please, okay,.

H

Next slide, please so proxy services, so you may be familiar with content distribution networks, uh cloudflare Akamai things like that Amazon cloudfront. You can see that the overwhelming majority, almost all cdns, are run by U.S companies by market share the cdn's not saying every CDN in the world, but the cdns that people use 97.6 are based in the United States next slide, please.

H

So if you've ever tried to use Tor, which I imagine many people in this room, have you know that it's a huge pain to use in practice, because you're constantly getting captured and the reason you're constantly getting captured- is that these cdns have decided that it's simply not worth their time to allow tour traffic in Tor traffic tends to be malicious. It's you know, broadly implicated in DDOS attacks makes it hard for them to do the kind of DDOS mitigation that their customers pay them for, so they just block it now.

H

This has a kind of some interesting consequences that we could discuss later. um You know you know Tori. You probably know that it was largely funded by the U.S uh Department of Defense. For kind of you know International interests of the United States, so there's this interesting uh kind of uh conflicting sets of Interest here between the Department of Defense and private corporations in the US, who aren't necessarily cooperating fully, but that's a topic for another time.

H

Next slide, please uh we we did instead actually- and this is uh some forthcoming work in Duke Law review- which again the the newer version of the slides uh you'll, have a reference to that um in the Duke Law review. Oh previous slide, please uh in this Duke Law review piece we have coming up you'll. We kind of make this argument. uh That's you know a basically an Anti-Trust or Monopoly argument. What we show- and you can see from this diagram- is that content distribution networks are not only uh overall domiciled in the United States.

H

There are a few players who really dominate the market and almost all of the market is dominated by the top three, and you know this graph I would say uh you can look at it a few ways. Cloudflare has a huge market share in part because the long tail of internet companies use cloudflare, uh but don't count out fastly in cloudfront and Optima Akamai in particular, as a favorite of really really big content providers uh like HBO, Max or whatever. You know, they'll tend to use document.

H

But you know the point remains, no matter how you slice it they're very small handful of companies that absolutely control this market. So that's a concern, at least for antitrust in the US and the fact that this is overwhelmingly a kind of a us-based story. Tells you a lot about kind of where the control of the internet is remember again: content distribution networks, sit between user queries and server responses.

H

If the CDN doesn't want to show you something, the user is not going to get it and there's some interesting research recently about how dominant cdns really are with respect to end users. Experience of the internet, something like 76 of all user requests to cdns, can be delivered to those users without traversing the Tier 1 isps at all.

H

A lot of these cdns have totally cut the tier, the traditional kind of tier one public core of the internet out of the picture, and that again is, you know, becomes relevant for uh the kind of competition story, because policy makers tend to think of the tier one isps as competitive. There is an efficient market for bandwidth, I'm sure many people here have heard how efficient the market for Transit is from people like Bill Woodcock. Now it's true that that market is uh for Transit is efficient among Tier 1 isps.

H

The important caveat is that Tier 1 isps are not relevant from the perspective of cdns next slide, please so the finding there, then, is that U.S organizations effectively control the global internet through their control over these key control points and my takeaway from this. What I surmise is that what we observe is internet fragmentation is not a response to a global internet so much as a response to a U.S controlled internet. It is that fundamental U.S control that drives a lot of the fragmentation.

H

Behavior we observe, and although I didn't get a chance to get into it, it is unclear fundamentally what we mean by fragmentation. Some people consider you know EU gdpr, to be kind of fragmenting because it produces different versions of websites in different countries, which is in some sense in the front affront to a global internet, and while that is the case, I think that the differing opinions of Europeans the legitimacy in their minds of sovereignty shows in some sense. um You know, proves out this. This thesis in some sense uh next slide.

H

Please, um okay, next slide! Please we'll ignore this for now, um okay, so well! This is this is an old side. You can ignore. What's on the stream, maybe previous slide, we give something give people something to look at so I'll uh I'll share with you kind of where my mind is on these questions. Now, I I hope you know to get feedback from from you about these questions and and kind of what you think about them.

H

So my observation is that you know, regardless of what we might decide, internet fragmentation is and decide how we might consider the problem of fact. Centralization you know personally I consider centralization to be a really big problem, because it centralizes points of control.

H

um These cdns, in particular, might be uh very appealing targets for sophisticated apt attacks, uh which could be you know, very, very destructive indeed, depending on the nature of those attacks. uh Whatever we might do to mitigate those problems requires us to really understand both the politics and the economics of the the market for these core internet services. We understand I think far too little about what the market looks like for things like DNS servers and things like content, distribution networks.

H

How does this Market fit together and what are the incentives um that people in this market uh deal with and what drives behaviors of Market participants? This isn't the only question we could ask, but it's something that we surely need to know. If we want to make any progress on this and to illustrate this point, you know I've been working with a little bit with Scott Schenker at UC Berkeley, who has some really interesting proposals around what he calls the inter Edge?

H

Basically, these composable extensions used to be called the extensible internet extensions to uh kind of TCP that provide a lot of the services that cdns provide things like ddrs mitigation um and con. You know caching, things like that can be provided by these decentralized nodes. Now, if we want these sorts of things to catch on, we'll have to understand first of all, who's the customer who's going to use these and second who's the provider. And what are those providers?

H

Incentives trying to understand these market dynamics will help us understand how we might stand to get uptick around these things and what we can do from a policy perspective to make those more appealing?

H

Second, another question specific question: that's been on my mind recently is: what exactly is the nature of the relationship between Telecom providers and content distribution networks? So a puzzling example and something that's been puzzling me lately, and if anyone here has any insights, please tell me it's that at t a telecom, in fact, my telecom owns HBO, another service I like I, enjoy to use, and my collaborator teaches near chania.

H

Berkeley law asked me one day: hey, you know what CDN does HBO use because I see ATT has a CDN who here knew that ATT had a CDN.

H

Okay, a few people I did not know that ATT had a CDN and I published a lot of UPS about CEs. This was news to me right so I thought. Well, surely their HBO Max is going to use HBO it's going to use ATT and CDN, and certainly that would make sense. It's vertically integrated IP. You know platform, content, delivery and I'm an ATT customer.

H

If they're going to deliver because anyone's going to use that CD- and it's me so I opened up, you know Chrome and did a little digging and where were these packets come from Akamai, so I did a little Googling at Akamai and ATT have a relationship with each other. What is the nature of the relationship between Akamai and ATT?

H

Why is it that ATT would bother having a CDN only to go and use Akamai for their content? Delivery is the CDN no good? Are they not good at competing with Akamai? Are they white labeling uh their own transit? To aquamide and that's why it looks like ahmai- is Akamai white labeling their service to at T, so that at T can use their kind of retail relationships with small to medium Enterprises.

H

What's going on the fact that I can't answer, this question shows us how little we know about how this Market fits together and if we don't understand how this Market fits together, I'm very pessimistic about our ability to do anything to enhance this kind of problem of centralization I'm, let alone to do anything about the fragmentation that results from. So that's the end of my 20 minutes and you know I hope we still have some time for questions. If anyone has any I'd love to hear them,.

D

Thanks a lot uh nick uh Elliot I think you are online first, we kind of kicked you off. So if you want to go ahead, go ahead.

K

Thank you very much.

K

um It's a great presentation, uh Nick and uh not surprising uh your your advisor Stephen or whoever, actually here today and I, even Workshop called itat, and we've been talking about bundling economics which was uh really enjoyable um just one or two points that I think we have to be really careful about definitions in terms of what we mean by control points um cdns and uh are are really difficult to characterize in that regard, because on one hand anybody can start a CDN. All it requires is money.

K

If, um if Elon Musk wanted to break out another 40 billion dollars, he could have the best CDN in the world, probably assuming he could hire anybody. But um uh it's not, and in fact the proof point for that is- is cloudflare's own existence um that they were they weren't there. They came into the market. They they delivered a good service and the same is truth fastly, uh and that is actually a technical relation, which is uh no particular CDN is required uh for the internet to function. It's the.

K

The only issue is whether there becomes a lock-in function based on the apis that are used um so there. This is it's a great area uh for um exploration.

H

Thank you yeah great comment. Thank you um yeah. You know. Listen, that's really interesting. Point I I tend to agree, and that makes it even I agree with you about that that uh Point, by the way, I'm sorry I have nowhere to look you're like the booming voice of God here in this room.

H

So so look I I think that while I agree that proposition that anyone can come along and make a CDN with enough Capital makes it even more puzzling to me that a t and other telecoms Comcast have cdns. Yet nobody seems to use them. Why, in my data, can I not see anyone using these 18t or comcast cdns? If it's so easy to make and telecoms already have the infrastructure that delivers The Last Mile hop to my home? Why is nobody using this CDN infrastructure?

H

Why is it that these big cdns still have this market dominance in? uh In that context, that's a puzzle. I haven't yet figured out.

D

Okay, Mallory hi.

L

um Mallory nodal the center for democracy and Technology, um so yeah I really appreciate your slide.

L

I, don't think it had a number on it, but where um it really aligned with my um realization in listening to a lot of conversation about fragmentation over the last year, or so when it's become very, very popular to talk about most the time when people are talking about it, they don't mean what we think they mean they mean things are getting complicated, it's just a complex, it's a statement about complexity and that resonated when you were talking about how the internet used to be or is, and um is still very U.S Centric, but that's changing.

L

So it feels like fragmentation, but maybe what it is is there's just a plurality of approaches to content and other things like that for better or worse right. So that was just my comment, but then I'd add a question to you or to others. This comes actually from the Gaia session earlier today. uh There's a really interesting presentation on um not just companies that are dominated in the U.S, but even when you have supposedly a Global Network for your content distribution.

L

um All of the traffic is still going through the U.S so they're talking about like the fact that there are very few ixps in on the continent of Africa, for example, and if you're in one country and the content you're requesting is in the same country, it's still highly likely that your traffic is going all the way around the world and back again um and we couldn't in the Gaia conversation.

L

Nobody really had a good answer as to why, because it seems more efficient, they're all these kinds of incentives that we would think would exist to keep content local when possible. Irrespective of whether or not there's a mandate for Content localization, which is something that's a trend as well and so coming up with actual incentives and trying to solve that problem might solve a lot of other problems too. So I just wanted to bring that forward here and wonder if you had thoughts on it, um because I think it's related.

H

Yeah I have so many thoughts on that. So I have a two dueling observations. First, obviously, there's a tremendous strategic advantage to having all the traffic route through your country. Okay, this shouldn't need to be said, but yes there's a tremendous number of metadata attacks and other things and reasons why you might want traffic to route through you now. Here's another interesting observation: let's say that there exists some country that doesn't have any kind of boomerang routing whatsoever and in fact such country exists. China has very little Boomerang routing.

H

If you send a packet domestically from China to China, it will route only through China uh and it will not go internationally at all, and the reason is that China only has three uh uh as that connected to the rest of the Internet. It's called the Great bottleneck of China, analogies of the Great Farm, so there's some great work on kind of how that's architected and how those as work and why they work.

H

But one really interesting thing is that it creates this asymmetry in uh when it comes to attacking internet infrastructure, so it's often assumed or presumed that no one would ever dare attack something like a DNS server or a Content distribution. Network work because doing so would be too much. That would cause too much blowback for the attacker. You know if you were to go and attack something you you would suffer the consequences of such a great degree.

H

It wouldn't be worth the attack, but the absence of any Boomerang routing actually makes that calculus look a lot different. There is absolutely no incentive to go into against. uh You know leveraging some kind of attack against the CDN. If you don't rely on that CDN and if that outage in that CDN wouldn't affect you, those kinds of asymmetries are actually very powerful and we should absolutely be cognizant of them when we think about what it means for the internet to be stable.

H

Globally, uh stable internet means some kind of balance, between uh Boomerang routing and perhaps, and and not there's some notion of sovereignty. That needs to be balanced against interdependence, and this is actually mimicked in debates about uh trade throughout the 20th century. There was this kind of thesis of globalization that interdependence would would prevent conflict, because that interlinkage exactly um would disincent anyone from attacking anyone else. It would be too active and, as we do think about the very real need for sovereignty, I think that it's equally important.

H

We balance that need for sovereignty against a real, realistic need for interdependence and the role that interdependence plays um in, hopefully decreasing conflict and disincenting conflict.

D

Thank you, I, don't know, go ahead.

E

um So in fact, you just made the segue. So first of all, thank you. It was very insightful and um very good presentation, uh but this is a good segue. You finished on on sovereignty, because, in fact, uh what we see is a lot of concerns on fragmentation coming from, um let's say, regulation and Hyper regionalization.

E

So how regulations, including the EU, is uh under the name of uh we call the Strategic autonomy, how they actually uh weaponizing a number of a number of assets that are going to really have a problem at the end, so, for example, uh take Dora, for example, the the new um called the digital operational resiliency act uh that is really about uh Cloud providers in the FSI sector. So so my question here is: is a little bit underrepresented into your presentation, but maybe have you have you done some work and research on that part?

E

How this is influencing the potential fragmentation? Sure sorry.

H

What is the have I done? Work on what exactly.

E

So have you considered regulation regulation.

H

Regulation.

E

Whatever the EU is doing, yeah.

H

That's a great question: you know: I I haven't really looked specifically at the role of regulation in part because it's hard to measure causal relationships between regulations and the effects on the internet. uh That doesn't mean it's impossible. It just means I, haven't figured out a way to do. It I think that it's a critical question, especially with guy assuming you're talking about the EU Gaia project.

H

um You know it's, it's something I I'm, really fascinated by so.

E

No, it was not the Gaya project, because I don't think this one is going anywhere. I think it was the other uh one which is the Dora d-o-r-a uh another, uh so so how the EU is weaponizing its uh instruments to uh let's say precisely, to fight us. Okay in certain ways, so it goes. It goes down to even weaponizing its auditing capabilities to the FSI um so that they are less incentivized to go for U.S companies on what they do right.

H

Yeah, so you know, there's this theory in political science called hegemonic stability, Theory and really it should probably be called something more like hegemonic, openness, Theory. But the idea is that in global trade- and it I think it was the late 18th century into the 20th century. You know Britain and Then, followed by the U.S. It was this hegemon that basically ran world trade and into the 21st century with the financial system more or less. This is true of the US and in the internet. I'd argue you.

H

The internet also asks sort of as this hegemon and the puzzle behind this theory is like okay, there's this hegemon. So why do we see the system be as open as it is? Why is it that a hegemon can dominate the system? And yet you know there's still this open and free trade.

H

Why is it that a hegemon can dominate this internet yet there's still this open and somewhat Global flow of data, and this theory that has a pretty satisfying explanation for this phenomenon, which is basically that as long as a hegemon exists, it actually benefits the hegemon to have a very open system, because in that situation uh everyone else can kind of you know, do whatever they want and the uh you know the hegemon, whoever they are, gets to benefit from their Central position and extract some rent.

H

Basically, from that, Central position also influence some soft power weaponized into interdependence, as Abe Newman would say, and all those other things now what happens when the hegemon declines? Well, it turns out that when the hegemon declines, there tends to be a very, very uncomfortable chaotic period and until the new hegemon emerges, in which case openness uh happens again.

H

So what I wonder what I ask myself is kind of what happens if these sorts of of uh regulations, these sorts of incentives, end up being successful, what if they end up, really challenging the hegemon in a real and Lasting way such that you know in this case the US no longer is the Edgemont over the Internet. What does the internet look like? Well, hegemonic stability, Theory would say it wouldn't necessarily be a very open internet uh that may be counter to some of our expectations.

H

That may be counter to some of our probably ideological preferences. But this is the prediction of that theory, and you know if we observe something else, it would be a serious challenge to that theory, which is more or less you know, uh proved out, at least in trade and finance. So what are we to make of this? Well, you know. My overall kind of theory is that the internet is both something countries fight on and over meaning it's country. It's something that the uh countries use to struggle against one another.

H

It's a mechanism for for international kind of competition cooperation, but it's also something that uh Nations struggle to control uh it's a domain of conflict as well as a mechanism for for conflict and competition. So you know, as this plays out we'll kind of see if there is a weight of challenging this hegemon, and if there is a way of challenging the hedgemont. Does that uh decrease the openness or stability of the internet?

H

And, if so, when we have to have a very Frank and serious political discussion about what's to be done about these things or you know how to kind of preserve some standard of of service in that situation.

E

Thank you very much really frightening and inspiring. Thank.

B

You and we need to move on a little bit quicker. We have a few more people in the queue.

D

Yeah I think Andrew. Your next go ahead, like I think the queue is like hopelessly reordered but like um I, think we have a memory so.

J

Thank you, uh Andrew kampling, 409, Consulting, uh really interesting presentation, um I'm sure you're only scratch the surface of four years, but you put out some really fun points. uh Two questions really um did you consider?

J

Have you considered um as we're in the ITF how maybe standards are used to reinforce control points, um because I can certainly think of some standards being developed here, which are arguably strengthen the role of cdns to randomly pick on one as you just talk about cdns um so be usually get your view on that, and also have you considered whether sdos as a whole?

J

Is it another control point, because whether.

H

Standards are.

J

A control Point, what were the standards do? Bodies or.

L

Control.

J

Points they're exploited by certain big organizations to exert control, yeah.

H

What a great question I haven't looked into, that I haven't thought about it, they probably are I would love to look into it. You know there was so much um like outside of iitf kerfuffle about new IP and kind of how standards you know whatever itu um yeah I would love to look into that. I. Really wonder what the answer to that question is I, wonder how to think about that yeah. If you're interested, please reach out I'd love to to talk about that idea. More thanks.

D

Nick um Rich you're up next.

I

Rich Souls I guess I work at the fourth largest CDN I'm, your HBO providers. um I'm just curious, though, how you determine that various telcos don't use their cdns.

H

How I determine that various telecoms.

I

You said, for example, um ATT who no longer owns HBO. It has the CDN but HBO renowned. It wasn't delivered over the HP I.

M

Mean you know you.

I

Know how it was delivered via Akamai, but how you were you made also the claim that lots of organizations have cdns that aren't using them. I.

H

See so in the example of HBO, when I goes to HBO and I request, content, I can look at the packet headers and.

I

Yeah yeah, you can even just do a DNS, lookup and it'll have Aquaman in it yeah. No, but I'm. Just you made a general statement. I just wondered.

N

If you.

I

Had other, if that was just a view or you had some statistics, you.

H

Might.

I

Be probably too detailed to get into here, uh I'd love to talk with you offline.

H

Yeah I'd be happy to talk about it, I guess at a high level. I think this is the answer to the question you're asking we have this data set from W3 text that has we partnered with them.

H

You know they're a partner also of Internet Society, um a lot of pulse metrics come from them and we work with them to get this Corpus of uh CDN usage, and um you know we kind of looked at the CDN usage to determine kind of the popularity of these cdns and what we found was that you know 18 team Comcast wasn't in that data set which forced us to ask. You know why, and there are a couple explanations we could come up with, but um there's no resolution on that question. Yet thank.

D

You thank you thanks, uh Mark you're up next. Thank you.

O

Hi uh Mark Nottingham I've uh spent about 25 years working for the top three reputable cdns in your list, I'll. Let you interpret that um and also deploying them in private companies, including Yahoo and Merrill Lynch um I'm. Also, a law student I'm also uh and I serve as an expert to the CMA in the UK, although I can't represent them. Of course, so I have thoughts, probably too many for the mic line, um but.

O

Are you looking at this from a a you know, centralization standpoint of just generally, what's good for the internet, or you mentioned, you were also looking at from a competition standpoint, which is a very different thing. What's what's your angle here.

H

What's my angle here, you know my concern ultimately is about catastrophic, pan Internet, outages, okay, I'm fundamentally concerned with that scenario. Okay,.

O

That that's actually really helpful context. Okay, I would love to chat you more because I.

H

I'd love.

O

Some thoughts, um especially I, guess from more from the competition law, standpoint, great um and and I think there was a question about uh uh standards, bodies of point of control. Just as an aside, that's also a very interesting question to me: I tend to think of it more in terms of what is the role of technical standards in Internet governance, uh which is kind of a bigger question.

D

Thank you very much samita. The queue was closed, but did you want to make a brief thing? Okay, perfect. Thank you.

H

Thank you very much, Nick. Okay, thank you very awesome.

D

Presentation and like thanks for coming and.

D

Thanks uh Chris hear it.

D

Do you want control, Chris.

F

Did.

C

You.

D

Want control.

D

I guess you got it.

G

I think so.

P

Yeah all right, hello, everyone um Chris, uh representing the IAB talking about a new proposed program. uh We call hudis a holistic human oriented discussions on identity systems, um as you may have seen on the email that went out to the architecture, discuss list um the I guess. The primary motivation for this is to try to get our heads around the very, very large and vast ecosystem that involves things like authentication, technology, credential technology identities where credentials like a specific type of technology that binds like an identity to a particular user.

P

In this case, and then an identity is whatever like that, could be anything an email address, a phone number. uh What I I don't know an account name, there's all sorts of different types of identities. That's part of the problem here uh that the way these two things I guess overlap and the I guess the scope and size of the ecosystem is a just a kind of big and complicated, um like the slide that we just saw earlier in the last presentation.

P

um For some of these things, we kind of we know how they work and function, um and some of the Technologies are like have a ton of energy and momentum in the industry, and the standardization space um like things in w3c with web often are very well understood. Past keys in practice like they're, taking web off and actually getting them more widely deployed is great.

P

um So we, the intent, is not to kind of like take energy out of those particular. You know, groups and communities and put it elsewhere um uh instead is try to get our head around. You know the the I guess, the the overlap uh between all these different, like Technologies as they're, used in practice, so, um and probably to also seek some clarity on how um some credential and a credential mechanisms and types of identities are used or misused in practice.

P

um uh So some of the goals proposed goals, um because everything's up for a proposal here uh is to kind of just go out and look um about what the landscape looks like for this particular type of technology and have discussions with the experts that are in this community, as well as outside the community. Who may be developing these particular Technologies, bring them into the room um and try to make sense and develop a clear mental model for how this stuff works?

P

um It would also be useful in developing that mental model to get a more clear understanding of how these are used and um I've, also, in parentheses, noted how they are misused. um So the the canonical example that I like to go to here is people misusing IP addresses as a type of identity for a user. That's like a practice that does exist, and we should try to get away from that and understanding. Why that's the case and what is the gap that exists? That put us in that situation?

P

The first place would be something that might be discussed in this particular program um and uh if there are gaps that like clearly emerge that are well-defined, that can, you know, be filled by technical work to dispatch that to the appropriate places in the ietf such that we can, you know, develop Technical Solutions and get them out into the world.

P

um So concretely, some possible outputs may be uh to like document some of these use cases to put them down. In writing, um or uh in a document like an RFC, doesn't have to be an RFC. Just a single piece of uh uh literature that someone could look at a GitHub page would also be perfectly fine, in my opinion.

P

um uh Perhaps in documenting these use cases, we could also talk about what are some common patterns that emerge for using this type of technology and what are some anti-patterns that emerge in practice or anti-catering set.

P

um uh You know people bring to the table in these discussions, um because this is a pretty you know huge and vast and complex space we'd like to I.

P

Ideally have people come in from um outside of the community, like I said, and when we'd like to facilitate sort of uh collaborations with these groups, um maybe even in the form of IED workshops where we, you know, solicit papers or position papers on on this topic and have people come to the same room and discuss um and again, um uh as I was saying, there's a possible goal, um identify places where we can actually do things concretely in the ITF, um so um I think I.

P

Think the the questions that we're interested in with respect to the actual proposal um are mostly around scope, um because uh this is uh I keep saying this is super huge and complex, um so I uh I'm sure everyone understands that by now. um But there are, there are reasonable ways you could refine this down to something: that's a bit more manageable. So, for example, you you could imagine just restricting this to discussions on credential systems and just punting everything that has to do with identity. Don't even talk about it.

P

Just focus on what are the, what are the different types of credential mechanisms that are used and how do they interact in practice and, um as are there any like obvious gaps that exist um just this morning, for example, I was sitting in the the oauth working group and listening to some presentation on like some credential mechanism, that has like selective disclosure, I'm, like gee I, sure heard about selective disclosure and other contexts like privacy, pass and other contacts in the w3c, um and uh it's uh there's just a lot of overlap happening, and uh you know we'd like to have a place for these uh different groups to come and discuss things.

P

um Another question that was raised on the list was: you know: what is the the scope of an identity? If we're to consider that you know, does it pertain to only humans as the title suggests, um or does it you know, extend to like machines and devices, and you know like identities and credentialing systems that are used to uh get two devices that are not representative of humans to talk to one another?

P

To do things like you know, do some computation or exchange some workload or whatever, so it would be interested to hear thoughts on that if people have them and uh yeah, so uh that was it there's not really much to this other than like we'd like to hear feedback and see what people think um uh you know. Is this a good idea, bad idea? um What should the scope be, um and uh you know take any questions you may have of.

D

Course, and- and you did send out a call for comments on the architecture discuss.

P

Correct yeah and there's um there's a GitHub repository that has the draft text there. um It could use some wordsmithing based on the feedback we've already received on the list, um so we do intend to do that which need to get her on to doing it um and uh um but yeah I guess we'll start with Justin. Thank you.

M

Hi Justin, richer, um so I think that this is a uh fantastic set of questions to be asking here at the ITF.

M

uh The scope is definitely a hard one, um because if you ask 10 identity professionals, what identity is you'll get at least 17 answers, and um and like you need to this work is going to have to embrace that, because identity means a lot of things that are contextual, and it's often that context that people actually care about and identity is usually um or I, would say at least many times a tool that people are using to solve something in a particular context. Identity is the thing that most fits.

M

The the type of uh you know a small part of the problem that they're actually after um that said. I do think that, because of that, it makes sense to have you know, sort of a a wider effort in the iitf to look at identity systems. I do think that there is.

M

There is space, And discussion and probably desire for machine identity and stuff, like that, I'm, not sure if it actually belongs in the same spot- and um you know I I, don't know because people and computers are in fact different. I know it's kind of a weird thought for most of the folks in this room, uh yeah I see you shaking your head uh regardless, regardless it is. It is an important set of questions. It is a wide set of questions and there's a lot of people that we can hopefully pull in.

M

To have this conversation to figure out which parts of this the ietf ultimately really needs to care about. So thank you for bringing this up and I I hope to see more on this great thanks.

C

uh Brent zundel um I chair the verifiable credentials working group at w3c, the decentralized identifiers working group at w3c, um I edited and wrote the presentation Exchange protocols at the decentralized identity Foundation where I sit on the steering committee. um This is a very interesting set of questions.

C

I do want to warn slightly that anytime you're talking about the big eye identity, the conversation will inevitably become very fraught um and lead to almost immediate stoppage of any possible technical progress and so trying to determine what technical progress can and ought to be made should be a an almost entirely separate conversation from the big eye. What is identity? Who should have one? Is it the machine? Is it the human? Is it generative?

C

Is it whatever um all of that to say, happy to participate and would have liked to have known about this Beyond just having seven people say? Have you heard about what this IAB thing is um so just whatever that means.

P

Anyway, right yeah apologies, it did was not you know, advertised in the and I guess the the venues that you participate in and probably should have sent it to the the verifiable credentials group. That makes a lot of sense um on the you know, uh tackling what the big high identity question is. I, don't think the intent is to try to Define like what is and or is not, and what are the circumstances that a person should or should not get an identity.

P

um uh I mean we'll. Certainly it's hard to avoid like talking about identity in this particular space, but I, don't think we're we're trying to to like establish. You know a canonical definition of what you know: capital Y identity. Is um that yeah, as you suggest, that seems like a pretty good way to to not make any forward progress and I think trying to limit our scope to things that are um a bit more manageable will help us make forward progress, hopefully um uh up in an already pretty wide, diverse space, So yeah.

P

Thank you for the suggestion. uh Yes go ahead. Hi.

N

Dick Clark, um like a number of other people here, I've, been involved in identity for a long time. A couple decades I participated in many many workshops that have lasted over days or weeks, trying to get people just all to understand on what is identity.

N

um You know the open, ID Foundation exists because I came and ran three Bops at IHF, and you know we decided to take our toys and go somewhere else, because we couldn't get anything started here.

N

um There's identity, work all over the place and a fair amount. You know an awful lot of that here.

N

It's unclear what you're wanting to do with this that doesn't turn into like a multi-week workshop, aren't just trying to understand a whole bunch of different parts of identity um like what is a credential you're, not going to get agreement on that. What's identity, you're not going to get agreement on that um that this seems you might have an idea of it. I think you've seen sort of the tip of the iceberg and the iceberg looks.

N

You know this thing you see is big and complicated right, but you're only seeing 10 of everything that's going on for.

P

Sure I'm willing to acknowledge that our our understanding of the situation may be very different from those who have been immersed in the space for a very long period of time, um I'm, confident or I'm hopeful. Rather that, like we, have the technical jobs of like trying to dig into like like widely used credential mechanisms and try to make sense of them. um Perhaps we'll not be so successful, uh but you know I, guess time will tell if this program proceeds so.

B

So I'm, just trying to understand, are you, like you, say, there's a lot of work in there. It's uh it's probably also a lot of problems um and we definitely don't try to solve them all, but we're trying to figure out. If there's anything, we can do in this community to help the problems or are you saying we shouldn't even try.

N

um A lot of people are solving on their problems. I think just trying to get a layout of what's Happening identity is a massive work effort right before you can even figure out where are there problems to solve, but for the people that are in the industry right we're all working on a lot of the problems right. It's not like there aren't people thinking about identity right there's!

N

You know, thousands of people have been working on identity for a long time and just the scope of trying to understand the lay of the land that that just seems hard to do in what is identity and credentials right that just that that first part seems tough.

P

To to give it sort of perhaps like or did you want to reply to that, give a like a kind of concrete example? So I mentioned the oauth example earlier, there are a number of like very, very similar Technologies, like privacy pass oauth, verifiable credentials. All these are kind of doing very similar things in the circumstances in which would you would use them how they're used?

P

Why, perhaps why they're misused or like we wanna present sort of like a clear picture for like the relationship between these types of things or that's one of the goals, at least proposed goals.

N

I mean this is why I have concerns you just listed three things that, to my mind, are very different than you think they overlap with each other. They.

P

Definitely overlap, oh.

N

Walk overlaps.

B

But are you like I think we need to have this discussion in the program or.

N

Are you.

B

Saying you don't even want to have that discussion.

N

um

B

Let's take, let's take.

N

It off yeah, let's go through the coupon yeah yeah I'm, not even sure it just comes across a little naive, like this is way more complicated than what you're phrasing and almost all of your descriptions are kind of come across I'm glad you're at the oauth meeting right, but ganap kind of overlaps with oauth sure.

B

Yeah I just wanted to say I feel like we need to have this discussion and if the end of the discussion is, we can't do anything here. We're closing the program. We're done.

N

uh Yeah I just worry about the the having a discussion on this is probably a you know a whole enough. There's an awful lot of work in trying to have a discussion. That's actually going to conclude.

P

Okay thanks dick.

Q

uh Peter Castleman um I'm working on standards, mostly in the oauth area um and so very excited to see this I think this is great um in terms of the questions around scope. You know I think if we think about this program as a kind of integration point to bring different communities together to exchange ideas.

Q

I think that's actually really helpful, because otherwise I find myself sort of traveling from working group to working group to figure out what is it that you're doing and how does that fit with what I'm doing and is there an opportunity so I think as an integration point in a kind of a Clearinghouse? For those conversations, that's really really good.

Q

um You know I think you might want to think about defining. You know whether it's credential or identity system think about maybe framing it in terms of the outcome that you want with identity systems right so with an identity system. Often the goal is something along the lines of making sure that the right person has access to the right thing at the right time and that actually, then opens up the conversation about all the technology building blocks that you need. You know to Grant's earlier comment about the big eye that might be yet another right.

Q

If you can focus on the technology pieces, that's helpful, but also then um yeah. It just helps us structure the conversation because to Dick's point, it's a big big topic right um and then on the second one my perspective there I identity goes well beyond humans. From my perspective, at least we're seeing so much challenges around managing devices workloads and this configuration right. But you mentioned oh you're, using an IP address, which is an identifier for advice on a network for a human.

Q

Well, maybe some of that's because we didn't, maybe we don't have proper human identity systems, but maybe we also don't have proper systems for machine identity, and so we end up sort of merging these things inappropriately. So I I'd prefer a broader scope because again it allows us to uh you know at least connect these silos and have these conversations in one place. Yeah.

P

I mean I think as a on one of the earlier slides, like bringing people together either in the form of a workshop or in the program itself. To have this discussion is, is like one of our one of the goals that was like primarily identified, um uh and we didn't explicitly list.

P

You know sort of the use cases that we would want to Target and and or to help use to frame these discussions, because we're are hoping that you know the contributors who do come and facilitate and or contribute to these discussions would kind of bring the use cases that are important to them, authentication, authentication being like, perhaps the most obvious one um uh but yeah I. Think uh using as like the you know, the integration point for all these different communities is a perfectly reasonable way to think about this.

P

um So yeah.

Q

And then just opening Beyond human uh identity would be would help that conversation a time.

P

Sure yeah it would. It would be a shame if there was like you know uh effectively. Forks of, like you know, people thinking about the same topic just with different um I guess, uh like you know, this is the human group. This is the this. Is the machine identity group or whatever, um but we have to be cognizant of, like you know, trying to make like meaningful forward progress and like have productive conversations, um uh so I I, perhaps with some right balance we can. We can increase the scope but I.

P

There is the risk of like just slowing things down by just trying to do all the things sure.

Q

All depends on the outcome. You want, of course, of course,.

G

Martin yeah Martin Thompson, uh when I suggested that we limit this to talking about humans on the list. I think a number of people jump down my throat um I understand that this is an ieb program that you're proposing here and there's. There's always the possibility that we can really sort of get into the weeds and have a very broad scope on anything. So I think that's, um certainly something that a program could could consider as within bounds for discussion.

G

uh Even if the stated Charter or the the goals for that program were somewhat narrower and my sort of goal here is to ensure that when we talk about these things, we have something more of a focus on, for instance, the the effect that the the systems that we're talking about have on people as opposed to the machines so um back to Peter's example of the IP address using that as a proxy for an identifier for a person.

G

That's a really great example of something that I think we should be um talking about, but I don't care about the IP address as a proxy for identifying a server or or something a piece of Machinery, um because I think that broadening the scope in that particular way would be just a I mean we already heard it's an ocean that we're looking to boil with a magnifying glass as it is uh I would rather not get too far into into the other things.

G

I'm also surprised that no one has mentioned the um identity layer of the internet yet and I wanted to be the first um I think that's not necessary, but um I just wanted to be the first. So that's all I have to say.

P

um Yeah thanks Lauren, uh the the name uh despite being kind of cute I guess um uh for the program uh has human oriented, particularly because that was like the the primary focus um but uh I I. That said, like I I'm, personally, not opposed to expanding the scope, but um I think you make some weird arguments as to you know where we should place our Focus to start hi.

A

I'm Kalia my handles identity, woman and I have convened the internet identity Workshop since 2005 twice a year, so it is a forum in which you and folks looking at this are welcome to come and share and get input and feedback on and I'll just name building on Dick's Point um about three years ago. I did work for a client to identify all all identity standards in sdos and other industry associations that I could related to human-centric Identity and I identified 1500 of them. Okay.

A

So when he's saying the scope of what you're trying to do just the sense making part is significant. No.

P

Sure so.

A

No.

P

Disagreement there um I I, anticipate like there's going to be a no like uh 1500 was a bit higher of a number than I was expecting, uh but the actual ones that are used in practice, like I, mean we're going to have to try to keep things small to start and just focus on some pretty important ones, but um uh perhaps like a a total, complete, exhaustive picture or of the landscape may not be a a goal that we can accomplish in this type of program, um and it I don't know if it's worth our time, but um well today, I learned great.

R

uh Joe salloway I I tend to agree that scoping this work is going to be really important. I also think we can't completely, you know, I think Martin's Point was was good in that you we're gonna.

R

Maybe focusing on machines is not the right thing to do, but there's going to have to be some aspect of that, because more and more in there's just a lot of work in that area, and so we won't be able to separate it completely.

R

um But that's my thinking thanks.

I

Joe.

S

Hi Heather Flanagan, um so I've also one of the many people that have worked in the identity space for a while and uh I'm. Actually, the coordinator of one of the groups you mentioned in the in the proposed uh program, Charter and I'm like and I still didn't hear about this wait a minute.

S

um I think it would be more useful for the iib to say I mean you use the the the uh we kept saying we and I kept wondering who we was. uh If you're going after a program, it's actually scoped to what can we the IAB, do or what can we, as the ITF, do in this space? I? Think that's interesting. I think there are enough. Other identity focused standards, organizations that are looking at scale that um I know.

S

You said you didn't want to take the energy from the room, but you're going to find it's all the same people so um coming at it with a bit more Focus to what can you accomplish here would be very helpful.

P

Great, that seems to be like a pretty uh unanimous comment that we're getting so. That seems like perfectly good feedback to fold into the proposed uh Charter.

B

Yeah I mean also we're trying to figure out to identify what and why we're creating a program is because we on the iav are not all identity experts. We need to have the discussion with the identity experts, which are not members of the IAP, and so that's why we're proposing a program. Thank you.

D

Thank you Christina like if you can take it off with Chris that'll, be awesome. The Q was close. So thank you. uh Elliot um floors. Yours.

K

Well,.

D

Hello again.

K

um I'm speaking to you this time as the independence submissions editor, um there's a new RFC out I'd like to talk about. We mentioned a couple of other things relating to this node uh Revelations, all right. So uh before 2013 the world was a very different place.

K

um We actually accepted a certain amount of vulnerabilities as a uh as the culture. Can you back up, please. Thank you. um The slide. The the graph on the right is from the Gordon lobe model and Enterprises could use that to figure out how much to invest it's. It's a pretty fundamental component in the economics of information security that basically says that uh your optimal investment point is um your expected loss over e, so about uh 37 of what you think your your expected losses and people would basically run with.

K

You know some notion of that if they had a notion of their expected loss- and we assume that some observations uh would would take place and that they'd be limited by locality um and uh there was uh you know some positive Network management benefit to uh observation in terms of understanding, Network performance and quality of service, and even and even some security benefits as well. In terms of you know, looking for uh various forms of attacks, um uh it was still subject, but a lot of this was still subject to abuse.

K

Obviously um we saw some service providers and some behaviors we didn't like in the ietf and- and there were grumblings about that- and in fact I would say Speedy sort of had its Beginnings uh through those grumblings next slide. Please.

K

um What we found was an attacker that had near infinite resources in the form of an NS in the NSA, and we couldn't really quantify losses. The whole reason we couldn't quantify losses was because, well you know, how do you qualify, something that the NSA has gotten in terms of you know? You know their visibility. The.

J

Enterprise.

F

Just.

K

Didn't know how next slide, please.

K

So This Is Us in 2013., um just uh show of hands in the room. How many people were there in the room for that good number, uh I'd have to say we were pretty pissed. um We were. We were stunned at just the scope of uh the the effort put in uh to uh by the by the NSA, um and it it led to action.

K

um It led to uh Bruce schneier, showing up and really sort of uh giving a startling talk, um and it led to uh the pervasive surveillance as considered an attack. Rfc I think it's 7258 um and it led to a lot more encryption on the internet. Next slide. Please so RFC 9446 reflects on uh a lot of things. It reflects first of all on how it was at the time. So Bruce talks a little bit in this about what it was like to report the story, and he almost describes what you come away thinking.

K

He has PTSD a little bit when you read his really well written essay, um and but it's it's something worth reading, because there was a human cost uh to reporting the story in the first place.

K

um Stephen Farrell talks about our response uh more technically as well as um I made me a little bit culturally, then uh farzana body uh talks about the human rights implications or in some cases you know where we made advances and where we really we haven't gone as far as perhaps she would have liked, um and why and then Steve bellovan uh puts us all in a historical perspective. You almost get a get the feeling of you know.

K

All of this has happened before, and all this will happen again, uh but I want to highlight that we do. We have raised the bar, so next slide please.

K

So um why is this document important right? Retrospectives are awfully boring and not worth doing unless we learn something so when I I, when I search for authors for this document, I ask them to answer a few questions right. Did we react? Well? Is there are there things we could do better? If we have these sorts of events in the future, what accomplishments did we achieve? uh What is left to be done by us or by others right um and then how has the threat environment evolved since then?

K

So, for instance, a good example of that will come up in just a moment now, a hint to you uh as a community, uh the internet, the the independent submissions, editor, always asks the question by the way. Why is this document important? If you come to me with a document, and you can't answer that question you're going back empty-handed next slide, please, okay! So um a couple of key points.

K

First of all, nothing happened overnight, other than outrage when, when we were in the room, it took a lot of time a lot of commitment, a lot of effort, a lot of consensus and a lot of code to get things done in terms of change. It was a sea change within the community, but it took time for that sea change to take effect.

K

um The second point I want to make is that um it was helped. I think also that there were there was opportunity. uh Seen in terms of certain players saw that there was opportunity to benefit from improved security, and they took advantage of that.

K

So they have we caught a Tailwind off of that as a community, but a key Point here I'll say is that a lot of the data that we're concerned about uh is still um accessible a lot of the it's maybe accessible to uh in concentrated form, in fact, um and so, even in the short term. If an attacker knows where to attack, they may get more information than the NSA got.

K

uh Let's a good example might be if they attack, if they're able to attack one or two social networks right or Amazon, um so infrastructure attacks. The other point I want to make is infrastructure. Attacks are serious. You know the threat environment has changed. Perhaps this is only grown uh with with iot, of course, I'm an iot person, so I'd have to say that.

K

um So uh these are things to think about uh next slide. Please um this last one is a little bit of an advertisement right. um This was an important document, I think to do and I'd like the community to consider it. You know even talk about it. I wish I could be there to talk with you about it in terms of how we how we performed what we could do better.

K

You know what we did well right um and, and that threat model is, is something we should always stay focused on and what's the next biggest problem and we've talked about centralization and fragmentation today, um just a hint you'll be seeing a little bit of a little bit of work coming out along the lines of centralizations real soon now um my priorities uh that I've taken on are those three things and I take I've used them expansively.

K

um If you submit something as uh for an independent submission, of course um it won't be as standard and it won't have Community consensus, but that doesn't necessarily mean it's uninteresting. It might be very interesting and I think you'll find this document is, and that's it thanks very much.

D

Thank you, Elliot.

K

Thanks.

F

To the.

B

Authors by the way, one.

K

Minute.

B

Well, one minute for open mic, no I think you had enough. Okay! Thank you. Everybody uh for the session, everybody who was on the stage contributing, but also provided feedback to us, see you next time.

C

Thank.

D

You thanks a lot thanks.