►
From YouTube: IETF 117 IAB Open
Description
IETF 117: IAB Open
The Internet Architecture Board (IAB) will hold an open meeting 20:00-21:00 UTC on 25 July 2023 providing an update on the the EDM program, several proposed programs, and all the usual updates on various administrative and operational topics.
D
B
Okay,
let's
right
away,
we
have
a
full
agenda
on
the
slide.
You
are
on
the
screen.
You
already
see
the
node
well,
it
applies
also
to
an
IB
meeting
because
we're
part
of
the
ietf
meeting
week.
I
hope
you
know
about
this.
It
gives
you
references
to
all
the
policies
you
should
know
about.
B
Yeah,
thank
you,
but
I
want
to
point
you
to
the
code
of
conduct.
It's
really
important
that
we
all
work
together
in
a
friendly
and
nice
way,
because
that
gives
us
the
best
outcome
and
makes
everybody
most
comfortable
next
slide.
B
So
the
the
previous
slide
that
you
didn't
know
is
mine
also
mentioned
that
you
need
to
log
into
meet
Echo,
because
we
want
you
on
the
blue
sheet,
that's
important
for
our
meeting
planning
for
all
kind
of
purposes,
legal
purposes
and
so
on.
So
we
want
to
have
a
good,
transparent
record
of
what
we're
doing
in
these
meetings,
and
so
please
join
the
media.
Echo
please
use
mid
Echo
also
for
joining
the
queue
and
again
be
nice,
and
also
note
that
this
is
recorded
in
live
stream.
B
B
We
established
this
kind
of
practice
of
of
asking
one
of
our
lives
or
managers
to
give
a
short
report
about
what's
happening
in
their
organization
and
I.
Believe
people
like
it.
So
we
continue
that
this
time
it
will
be
Martin
Thompson
about
w3c.
B
We
have
an
invited
talk,
so
that
will
be
Nick
Farrell
I'm
talking
about
fragmentation
centralization,
and
then
we
have
a
longer
time
slot
to
talk
about
one
of
the
proposed
programs
from
the
IB
new
proposed
programs
on
identity
management,
and
we
have
some
time
for
discussion
there
and
because
we
have
a
one
and
a
half
hour
slot
this
time
we
also
offered
Elliott
Lear
the
ISE
a
slot
to
talk
about
one
of
his
recent
drafts
that
he
processed.
B
B
Just
very
quick
reminder:
what
is
iob
open,
so
iob
open
is
kind
of
the
forum
for
the
IRB
to
mainly
talk
about
our
Technical
and
Architectural
work
and
also
a
little
bit
about
our
leaders
network.
But
what
we
really
want
to
do
with
this
session
is
to
First
give
you
a
little
bit
of
visibility
about
what
we're
doing,
but
then
also
get
feedback
from
you
from
the
community
about
our
work.
B
If
you,
if
you're
engaging
in
this
session
with
us
here
today,
that's
great
looking
forward
for
the
discussion,
but
you
can
also
reach
us
anytime,
you
can
reach,
send
us
an
email.
You
can
send
us
an
email
individually
to
all
the
IB
members.
You
can
talk
to
us
during
the
meeting
of
course,
and
then
there's
architecture
discussed,
which
is
a
little
bit
our
discussion
list.
B
This
is
skipping
part,
so
a
quick
update
about
any
kind
of
documents
we
published
recently
to
documents
and
if
you
have
been
a
follower
for
of
iob,
open
you've
seen
them
before,
and
so
finally,
we
published
the
maintaining
robust,
robust
protocol
document,
which
has
been
with
the
IB
for
a
very
long
time
now
and
I.
Think
now
we
got
like
a
good
State
here
and
then
a
new
document,
our
newer
newer
document
on
application,
Network
collaboration
using
past
English,
so
both
of
them
are
published.
Please
read
them,
I
really
like
them.
B
If
you
don't
like
them,
let
me
know
if
you
like
them.
Let
me
know
we
have
the
mtem
workshop
report,
which
is
ready
for
publication.
The
workshop
was
like
a
year
ago,
I
guess
so.
I
think
this
is
still
a
reasonable
time,
but
we
should
really
publish
it
and
then
there's
also
another
Workshop
report,
which
will
hopefully
come
out
very
soon.
There's
one
kind
of
document
in
the
go.
This
is
still
kind
of
more
or
less
the
first
version
of
your
document.
B
E
Yes,
security,
Enthusiast,
so
two
things,
two
things:
five
minutes
for
the
previous
part
is
really
short
surprising,
but
perhaps
that's
the
normal
way,
which
means
that
we
can't
really
discuss
things
in
the
in
the
equivalent
of
this
slide
on
the
web.
There
is
a
point
on
liaison
which
does
not
appear
here.
I
think
there
is
a
real
point
on
discussing
liaison
because
I'm
working
in
the
itu
I
made
the
point
in
pitg
yesterday
in
the
ATU
we
are
sending
these
ones
here.
We
never
get
answers.
E
The
fact
that
we
never
get
answers
means
that
it
is
like
from
the
ATU
or
some
people
in
the
ATU
a
way
to
say
we
can
continue
whatever
we
want,
which
is
not
good,
I,
think
we
should
discuss
about
that
and
how
we
are
more
proactive
to
give
answers
back
to
itu
I.
Don't
know
where
this
should
be
discussed,
but
it
should.
This
should
be
discussed
here.
E
Five
minutes
is
not
enough
and
finally,
on
the
MTN
Workshop
I
just
could
was
caught
by
surprise
this
morning,
when
I
saw
Eliot
answering
on
that
one
I
really
have
problems
with
these
reports.
I
really
have
problems
with
the
representativity
there.
I
I
disagree
with
a
number
of
things
there.
There
could
have
been
other
things
that
that
should
have
been
mentioned
here,
but
now
it's
too
late,
so
I
don't
know
how
we
process
these
things.
E
D
Yeah
thanks
a
lot
so,
like
I,
think
the
the
liaison
staff
we
do
have
our
office
hours
like
where
we
can
actually
talk
about
it.
It's
actually
in
the
slide
like
in
the
timing,
so
you
can
just
come
by.
We
can
certainly
talk
about
it.
There's
like
a.
We
cannot
do
this
in
five
minutes,
like
you
said
right,
so
so
there's
some
hours
you
can
come
by
and
like
for
the
document
itself,
yeah.
B
Also
on
the
on
the
itu
issue
that
you
mentioned,
this
is
something
that
we
are
discussing
actually
in
the
least
between
the
liaison
managers
or
coordinators
and
so
on.
So
this
is
this
is
ongoing,
but
it's
not
the
focus
of
this
meeting.
We
only
have
one
and
a
half
hours
but
like
come
talk
to
us.
That's
always
the
answer.
I
think
you
want
to
say
something
about
M10,
but
yeah.
F
Yeah,
so
real,
really,
really
briefly,
we
will
work
with
you
on
the
M10
report.
Obviously
we
want
to
address
all
Community
comments
and
the
representation
representation
points
are
very
valid
I
plan
on
fixing
that
it
probably
won't
be
this
week.
So
you
know
expect
an
answer
next
week,
but
we
will
absolutely
have
that
dialogue
with
you.
B
Yeah
so
definitely
I
mean
thank
you
for
any
feedback,
but
I
also
want
to
say
because
your
point,
your
higher
layer
point,
was
that
there's
not
enough
time
for
discussion,
so
the
M10
Workshop
has
been
out
for
Community
feedback
for
a
while
I
think
we
actually
I'm
pretty
sure.
I
personally
told
you
about
the
architecture,
discuss
mailing
list.
B
So,
if
you're
not
to
subscribed
to
this
one,
please
do
because
that's
where
we
have
all
the
discussion
we
so
like,
and
the
workshop
was
a
year
ago
right
so
like
there
were
opportunities-
and
we
mentioned
it
all
over
again,
but
we
definitely
take
still
your
feedback.
But
please
keep
also
in
mind.
This
is
a
workshop
report.
It's
not
like
a
generic
Agnes
of
the
pump
space.
It's
it's
in
order
to
reflect
what
happened
at
the
workshop.
No.
E
I
I
get
it
and
the
I
am
on
the
main
list.
I
was
really
surprised
why
it
followed
crack
I,
don't
know
why,
but
anyway,
that's
pretty
my
fault
fair
enough,
but
still
thank
you
for
your
best
to
address
that,
and-
and
that
was
my
feedback
anyway,
so
we'll
go
back
on
the
liaison
our
open
hour,
whatever,
please.
B
Come
on
Thursdays,
okay,
but
we
also
have
some
information
about
liaison's
here,
we're
just
in
the
middle.
So
let's
go
to
the
next
slide.
B
So
that's
the
part
about
program
updates.
This
is
just
a
quick
update
about
the
one
program
that
is
still
running
and
this
program.
The
goal
is
to
talk
about
availability,
deployability
and
maintain
obtainability
of
protocols
and
our
and
also
implementations
of
the
protocols.
B
There
I
may
already
mentioned
the
the
document
that
was
published
recently,
which
was
discussed
in
this
group.
There's
also
another
draft
about
or
a
new
draft
about
greasing.
So
that's
really
brand
new.
It
was
just
published
at
the
draft
deadline
a
few
weeks
ago.
Please
read
that
one,
it's
an
early
phase
and
there
is
also
a
draft
about
code
maintenance.
This
one
will
be
presented
tomorrow
and
today
in
dispatch
gen
dispatch.
B
B
So
if
you
want
to
join
the
EDM
program
first
of
all
in
the
mailing
list,
but
come
to
the
to
the
meeting,
it's
an
open
meeting,
it's
early,
but
it's
no
meeting
next
and
then
the
exciting
news
about
this
session
is
that
we
have
two
new
proposed
programs,
we're
talking
about
E
Impact
first,
because
that
was
really
just
recently
proposed.
B
It
should
be
a
venue
for
half
discussions
about
environmental
impacts
and
and
I
hope
we
figure
out
any
kind
of,
or
can
I
talk
about
any
kind
of
topics
which
are
not
yet
in
the
ietf
OR
irtf,
but
also
we
are
looking
for
things
that
we
can
identify
that
and
can
go
back
into
the
iitf
and
we
can
do
in
this
organization
again.
This
is
also
like
all
technical
programs.
B
It's
open
to
everybody,
there's
a
mailing
list
you
can
subscribe
to,
but
we
are
in
the
process
of
creating
this
program,
so
we
didn't
fully
decide
yet
because
what
we
want
is
your
your
feedback
from
the
community
about
this
program.
The
scope
of
the
program,
so
please
provide
us
input
this.
This
is
the
point
of
time
right
now
and
then
the
other
proposed
program
is
later
on
the
agenda,
so
that
site
is
quite
empty
because
you
will
hear
more
about
it.
D
Sure
and
I
don't
know
like
just
to
go
for
this
right.
So
there's
a
lot
of
updates
like
on
the
liaison
front.
We
got
like
25,
listen
statements
since
the
last
ITF,
and
so
like
one
of
the
liaisins,
that's
a
3gpp,
so
we
had
a
meeting
on
Monday,
so
it
went
like
extremely
well
and
the
RFC
that
describes
a
relationship
is
pretty
out
of
date.
D
So
there's
going
to
be
some
work
to
update
that
bring
it
up
to
code
and
for
the
higher
bandwidth
discussions
with
the
liaison
So,
like
I,
think
Tommy
sent
out
a
mail
to
the
liaison
coordinators
for
all
the
liaisins,
like
that
we
are
going
to
have
in
office
hours.
So
it's
at
lunch
time
on
Thursday,
so
please
do
come
by.
D
We
can
certainly
discuss
and
like
go
through
the
Liaisons
and
see
what
requires
responses
and
and
I
think
like
I
think
this
is
something
we
discussed
at
the
last
office
hours
right.
So
sometimes
we
get
lessons.
It's
not
clear
like
which
of
them
require
actions
on
our
part.
I
think
that's
something
we
can
discuss
on
the
high
bandwidth
channel
for
sure.
Thank
you.
B
Yeah,
since
the
last
meeting
there
was
no
workshop
and
we
didn't
announce
one,
and
now
we
go
to
Martin
Thompson.
Where
is
he
yes?.
D
G
Only
three
of
them
anyway,
so
that's
me,
Martin
Thompson
I
only
have
three
slides.
There
should
be
relatively
brief.
G
A
number
of
you
might
already
know
what
the
w3c
does,
but
this
slide
sort
of
covers
briefly
the
sorts
of
things
that
they're
doing
it's
not
exhaustive,
they've
been
around
for
close
to
I,
think
30
years
working
on
the
web
and
various
technologies
that
associated
with
that
there's.
Some
important
things
to
note
here:
HTML
is
not
really
their
business.
G
At
this
point,
there
has
been
moved
to
a
group
called
The
what
working
group
and
there's
a
number
of
other
documents
in
that
sort
of
space
as
well,
but
they
look
after
HTML,
CSS,
fonts
SVG,
a
lot
of
things
you
would
use
on
the
web.
All
of
the
Dom
interfaces
in
particular
are
theirs.
There's
a
whole
bunch
of
work
on
accessibility,
internationalization
security,
XML
semantic
web
of
verify,
verifiable
credentials.
G
C
G
Web
that
you,
you
would
see
today,
so
if
there's
any
questions
on
this,
whether
or
not
something
is
w3c
or
not,
that
you
can
visit
their
website
and
and
see
what
sort
of
things
they're
working
on
or
talk
to
one
of
the
many
people
who
are
familiar
with
what's
going
on
over
there
to
see
what's
going
on
over
this,
give
you
a
profile
idea
next
place.
G
So
the
w3c
is,
unlike
the
ietf
membership
funded
organization.
It
is
recently
formed
into
an
independent
non-profit
I
think
they
followed
a
lot
of
the
iitf
LLC
thing
with
great
interest
and
managed
to
form
a
similar
sort
of
organization
earlier
this
year,
in
fact,
and
that
has
moved
from
a
somewhat
unusual
organizational
structure
into
a
more
conditional
one
with
an
independent
board.
G
I
think
someone
requested
that
I
mentioned
that
there
is
no
longer
a
beneficial
benevolent
dictator
for
life
as
part
of
the
organizational
structure,
it
is
now
much
more
Community
governance
and
very
much
aligned
with
the
the
style
of
governance
that
we
see
here
at
the
ITF.
Although
work
continues
on
that
one,
the
number
of
challenges
involved
in
that
one
there's
there's
a
large
team.
G
There
that's
involved
more
actively
in
the
in
the
work
that
goes
on
there,
but
otherwise
very
similar
in
terms
of
the
style
of
work,
though,
I
would
point
out
that
we
treat
mailing
lists
as
the
primary
venue
for
engagement
in
working
groups.
They
treat
GitHub
as
the
primary
venue
for
interactions
and
there's
a
bit
of
a
style
difference
there
in.
G
In
terms
of
of
how
they
work
there,
another
notable
difference
is
that,
while
the
ITF
requires
that
people
disclose
the
IPR
that
they're
aware
of
when
discussing
things,
the
w3c
requires
that
members
make
a
commitment
when
they
participate
in
the
working
group
to
provide
the
IPR
that
they
own
on
a
royalty-free
basis,
and
they
have
a
number
of
policies
around
that
sort
of
thing.
So
that's
something
some
an
interesting
difference.
Perhaps
next,
please.
G
G
We
see
a
lot
of
these
features
that
are
built
for
the
web
developed
in
in
two
places,
and
the
primary
pattern
that
we
see
here
is
that
the
w3c
will
look
at
the
the
interface
the
the
way
in
which
it
integrates
with
the
web
browser
and
the
security
applications
of
that
side
of
things,
whereas
the
iot
Air
Force
spend
time
on
the
protocols
and
the
security
of
the
protocols,
some
of
that
is
in
in
progress
in
privacy
passed.
G
There
is
an
ITF
working
group,
there's
no
formal
working
group
currently
in
the
in
the
w3c,
but
that
that
is
work
in
progress
over
there.
Other
interesting
things
is
that
HTTP
originally
sort
of
started
under
the
aw3c
umbrella,
but
it's
now
very
much
an
ITF
thing.
It
has
been
for
a
long
time
and
I
won't
say
anything
about
the
bottom
point
and
that's
all
I
have
I
think
it's
probably
good.
G
If
there's
questions,
if
people
have
questions
now,
we
have
a
couple
of
minutes
but
come
and
see
me
if
you
have
any
questions,
there's
also
Mark
Nottingham,
who
is
one
of
the
w3c
board
members
here,
I'm
sure
he'd
be
very
happy
to
help
you
out
and
understand
all
of
those
things
and
there's
a
number
of
other
people
floating
around
in
the
audience
like
Sam
who's
on
the
w3c
team
and
a
few
folks
who
have
who
are
active
participants
in
various
groups
in
the
w3cic
floating
around
in
the
audience
here
so
I
think
there's
plenty
of
people
around
who
know.
D
Yeah
I
would
like
to
introduce
you
to
Nick.
So
Nick
is
like
a
invited
like
talk
talker
today,
so
Nick
is
a
research
fellow
at
Berkeley
for
the
center
for
long-term
cyber
security.
So
we
read
this
interesting
paper
by
him
like
about
like
the
internet.
Like
you
know,
fragmentation
pretty
much
like,
and
we
thought
it
would
be
a
really
interesting
talk
to
have
here.
So
thank
you
very
much
for
taking
our
invite
Nick
and
looking
forward
to
your
talk
thanks.
Thank
you
thanks
for
having
me,
let
me
pull
it
up
fitting
it.
B
H
Okay,
fantastic
okay,
yeah,
my
name
is
Nick
Merrill
I'm,
a
research
fellow
at
the
UC
Berkeley
Center
for
long-term
cyber
security
and
I'm
here,
to
give
you
kind
of
four
years
of
work
in
20
minutes
so
by
Nature
I'm
going
to
have
to
elude
some
of
these
details
and
I've
tried
to
do
so
somewhat
strategically.
You
know
trying
to
get
take
my
best
guess
at
what
you
already
know.
H
H
So
this
is
about
fragmentation
and
centralization
on
the
internet
and
by
way
of
introduction,
you
know,
I
got
interested
in
this
work
in
about
2019
and
I
was
doing
my
postdoc
and
my
post-doctoral
advisor
Stephen
Webber
came
to
me
and
said:
what's
going
on
with
internet
fragmentation,
everyone's
talking
about
internet
fragmentation?
What
is
it?
H
Is
it
real
what
it
has
happening
specifically
and
mechanically,
and
what
is
the
direction
and
velocity
of
this
trend
over
time
if
it
is
indeed
real
and
at
that
time
there
were
these
headlines
like
the
Splinter
net
is
already
here,
the
Splinter
net
is
growing,
and
the
world
economic
Forum
I
think
that
the
Apex
of
this
was
the
WF
Wes
internet
fragmentation
and
overview,
and
in
all
of
these
there
was
this
kind
of
vague
and
data
free
sense
of
Internet
fragmentation,
but
begged
the
question.
H
Still
you
know
what
is
it
there's
a
lot
of
implicit
understanding,
but
explicitly
what
is
internet
fragmentation?
So
here's
my
own
frame,
the
intuitive
picture
behind
internet
fragmentation,
as
it
was
understood
by
policy
makers.
Not
the
ietf,
as
was
understood
by
the
non-technical
community
at
that
time,
is
that
a
supposedly
global
internet
is
becoming
increasingly
different
in
different
countries,
National
borders,
where
the
with
it
with
a
kind
of
the
area
of
interest.
H
And
of
course
there
are
consequences
here
for
freedom
of
speech,
investment,
technological
development,
political
relations,
which
we'll
talk
a
little
bit
about
more
later.
But
this
is
what
people
were
thinking
of
when
they
talked
about
internet
fragmentation
at
that
time.
So
how
do
we
measure
well?
I
did
some
work
basically
taking
proxy
measures
at
different
layers
of
the
internet
stack
and
I?
Don't
I've
decided
to
elude
this
the
details
on
this
with
this
audience
today
you
can
find
that
at
this
link
and
I
think
that
these
slides
are
available
somewhere.
H
H
What
I
found
is
that
the
internet
is
multi-polar
and
that
the
simple
story-
The
policymakers,
told
about
a
free
internet
versus
the
closed
internet
free
countries.
You
know
countries
with
free
internet
versus
countries
with
the
closed
internet
was
overly
simplified
and
to
take
a
very
simple
and
tightly
scoped
example.
Think
about
the
transition
between
ipv4
and
IPv6.
So
you
know
there
is
some
degree
of
Internet
fragmentation.
Some
you
know.
Ipv6
penetration
is
uneven
throughout
the
world
that
matters
a
great
deal
to
people
who
design
switchboards.
H
It
matters
a
great
deal
to
people
who
design
routers.
That's
not
necessarily
what
policy
makers
were
talking
or
thinking
about
right.
Of
course,
those
things
are
important.
They
come
off
of
someone's
balance
sheet
somewhere
and
there
are
kinds
of
policies
we
could
think
about.
That
can
move
the
needle
on
this,
but
that
wasn't
really
what
policymakers
were
talking
about.
They
had
different
questions
that
were
ultimately
about
different
kind
of
political
things.
Yeah.
D
H
So
what
were
we
talking
about?
So
we
looked
instead
to
talk
about
content
blocking,
because
we
felt
that
the
discussion
that
policy
makers
were
having
was
ultimately
discussion
about
politics,
and
we
felt
that
content
blocking
was
the
thing
we
could
measure
technically.
That
would
reveal
something
political.
H
So
what
we
did
was
take
this
IC
lab
data
set,
which
you
know
you
can
kind
of
follow
through
I.
This
is
an
old
version
of
the
slides.
That's
okay,
though
I'll
circulate
or
find
a
way
to
circulate
a
newer
version.
So
we
took
this
IC
lab
data
set.
H
That
kind
of
we
used
to
see
what
was
blocked
in
different
countries
where
there
was
evidence
of
you
know
some
kind
of
tampering
or
dropping
packets
along
the
wire
and
related
that
to
host
names,
and
we
took
those
host
names
and
ran
it
through
this
kind
of
this
commonly
available
data
set
that
categorizes
those
websites
by
the
kind
of
content
they
have,
and
this
data
set
actually
was
used
by
corporate
firewalls
for
kind
of
blocking.
H
You
know
restricting
access
to
gambling
websites
or
pornography
websites
or
other
kinds
of
things
like
that,
and
we
use
that
to
categorize,
basically
who's
blocking.
What
kinds
of
contents
you
can
see.
A
little
sample
of
the
data
set
here
we
can
see
is
that
different
countries
are
interested
in
blocking
different
things.
South
Korea
blocks
a
tremendous
amount
of
pornography.
Most
of
what
South
Korea
blocks
is
pornography,
and,
on
the
other
hand,
you
know
a
lot
of
the
content
that
you
see.
Blocked
in
Turkey
is
categorized
as
news
and
media
in
that
days.
H
So
our
hypothesis
here
is,
you
know,
we're
not
taking
a
normative
kind
of
view
of
what
should
or
shouldn't
be
blocked
or
whether
things
should
or
shouldn't
be
blocked.
What
we
tried
to
do
instead
was
take
a
descriptive
view
of
which
countries
blocked
similar
types
of
content,
which
countries
blocked
content.
That
was
in
a
similar
vein,
a
similar
that
was
categorized
similarly
to
others.
H
So
we
created
this
map,
and-
and
again
you
know,
if
you
follow
through
to
this
paper,
you
can
even
see
an
interactive
version
of
this
map.
You
can
explore
it,
see
a
force
diagram
and
all
other
kinds
of
neat
things,
and
what
we
find
first
of
all
is
that
there's
a
tight
cluster
here.
Most
countries
really
don't
block
much
and
they're
broadly
similar
to
one
another,
and
some
countries
are
outliers
Venezuela
blocks.
H
You
know
kind
of
idiosyncratic
content,
basically
things
that
are
about
the
the
regime
there,
and
then
there
are
other
countries
that
actually
have
surprising
similarities.
You
know
China
and
Hong
Kong.
You
can
see.
Hong
Kong
plays
this
position
between
China
and
kind
of
this.
This
main
block,
which
is
a
you,
know,
kind
of
provocative
observation
in
its
own
right.
H
But
what
really
kind
of
tickled
our
interest
about
this
was
that
when
we
correlated
these
similarities
to
other
facets
that
are
of
interest
to
to
political
scientists
like
military
alliances
and
trade
agreements,
what
we
found
is
that,
if
you're
in
a
military
alliance
with
someone,
you
probably
block
similar
content,
if
you're
in
a
trade
agreement
with
someone,
you
probably
block
similar
content,
you're
more
likely
to
be
in
a
trade
agreement
with
someone
that
you
block
similar
content
to,
then
you
are
with
someone
who
you
don't
and
what
we
concluded
from
this
basically
is
that
these
relationships
reflect
and
likely
go
on
to
shape,
maybe
a
two-way
Direction
causation.
H
So
one
way
of
thinking
about
this,
what
happens
when
you
visit
a
web
page-
and
this
is
a
wonderful
diagram
that
comes
from
David
Clark's
piece
control,
Point
analysis,
type
of
2012
paper-
and
you
know
don't
worry
about
this?
Okay,
don't
don't
try
to
don't
try
to
interpret
this
diagram?
The
point
is
it's
very
complicated.
H
There
are
a
lot
of
different
things
that
happen
when
you
try
to
visit
a
web
page,
but
one
thing
we
can
do-
and
this
is
building
off
of
David
Clark's
analysis
is
boil
this
down
to
a
few
key
control
points.
These
are
things
that
you
cannot
Route
Around
and
in
fact
we
did
this
work
in
conjunction
with
the
internet,
Society
for
the
boss,
pulse
internet
pulse
dashboard,
which
I'm
sure
a
lot
of
people
here
are
familiar
with.
H
We
contributed
kind
of
this
data
and
the
framework
for
the
centralization
part
of
the
internet
pulse
dashboard.
So,
in
order
to
do
that,
we
identified
these
key
control
points
certificate
authorities,
you
know
who
does
web
hosting.
Who
does
proxy
Services
you
think
of
that
as
content
distribution
networks?
So
people
like
cloudflare
DNS
servers?
You
know
din
cloudflare,
also
data
centers
top
level
domains.
H
All
of
that,
and
for
each
of
these
we
did
kind
of
a
mix
of
data
collection
and
manual
coding
processes
to
see
who
is
your
whose
jurisdiction
is
where,
and
what
jumped
out
is
this
right
away?
Is
that
the
jurisdiction
for
the
companies
that
run
a
lot
of
these
Services
is
the
United
States
and
in
fact
we
can
create
this
kind
of
diagram.
The
proportion
of
each
of
these
control
points
who's
provided
by
us-based
corporations.
So
we
look
at
the
market
share,
let's
say
of
of
cdns,
we
say
Okay
of
that.
H
You
know
of
the
cloud
flare
right.
You
have
70
of
the
market,
your
jurisdiction
is
the
United
States
and
we
sum
up
the
market
shares
of
all
of
those
providers
who
are
based
in
the
United
States
to
create
the
summary
statistic,
which
is
the
proportion
for
each
control
Point
whose
jurisdiction
is
the
United
States.
So
you
can
see
here
a
number
where
the
overwhelming
majority-
in
fact,
in
some
sense,
even
the
totality,
is
based
in
in
the
United
States.
H
So
let's
talk
about
a
few
top
level
domains.
We
all
know
about
top
level
domains
here.
Quite
a
lot
of
these
top
level
domains
are
administered
by
registry,
backends
or
registrars
who
are
in
the
U.S,
and
this
is
you
know,
has
been
relevant
to
U.S
interests
before
who
here
is
out
of
curiosity,
who
here
is
familiar
with
the
operation
in
our
sites?
H
Okay,
very
few
people,
okay,
great!
Well,
here's
a
very
interesting
tidbit
for
you
and
the
new
version
of
the
slide
will
have
a
reference
to
some
work
on
this
immigration.
Customs
and
enforcement
ice
has
been
running
since
2006.
This
program
called
operation
in
our
sites.
What
they
do
is
basically,
when
someone
is
kind
of
you
know,
running
a
foul
of
intellectual
property,
let's
say
or
something
else,
then
ice
can
go
and
seize
from
the
domain
registered.
The
domain
registry
back
end
that
website.
H
So
this
has
been
used,
for
you
know
clear
web
drug
marketplaces.
This
has
been
used
for
people
selling
counterfeit
seat
belts,
very
wide
variety
of
things
that
has
been
enforced
against.
What's
fascinating
about.
It
is
first
it
exploits
the
fact
that
registry
back
ends
are
based
in
the
U.S
and
uses
this
kind
of
of
seizure
process
to
take
advantage
of
this,
and
second,
this
whole
process
happens
without
due
process.
H
So
this
is
actually,
you
know,
forfeiture
civil
forfeiture
without
due
process
and
in
some
cases,
Isis
down
the
Civil
forfeiture
process
on
U.S
citizens,
which
isn't
you
know
if
you're
not
from
the
US,
that's
not
supposed
to
happen,
but
the
conditions
of
recourse-
and
you
know
if
you
know
anything
about
ice.
You
know
the
conditions
of
recourse
or
not
always
so
clear,
oh
dear,
something
has
happened.
A
H
Next
slide,
please
so
proxy
services,
so
you
may
be
familiar
with
content
distribution
networks,
cloudflare
Akamai
things
like
that
Amazon
cloudfront.
You
can
see
that
the
overwhelming
majority,
almost
all
cdns,
are
run
by
U.S
companies
by
market
share
the
cdn's
not
saying
every
CDN
in
the
world,
but
the
cdns
that
people
use
97.6
are
based
in
the
United
States
next
slide,
please.
H
So
if
you've
ever
tried
to
use
Tor,
which
I
imagine
many
people
in
this
room,
have
you
know
that
it's
a
huge
pain
to
use
in
practice,
because
you're
constantly
getting
captured
and
the
reason
you're
constantly
getting
captured-
is
that
these
cdns
have
decided
that
it's
simply
not
worth
their
time
to
allow
tour
traffic
in
Tor
traffic
tends
to
be
malicious.
It's
you
know,
broadly
implicated
in
DDOS
attacks
makes
it
hard
for
them
to
do
the
kind
of
DDOS
mitigation
that
their
customers
pay
them
for,
so
they
just
block
it
now.
H
This
has
a
kind
of
some
interesting
consequences
that
we
could
discuss
later.
You
know
you
know
Tori.
You
probably
know
that
it
was
largely
funded
by
the
U.S
Department
of
Defense.
For
kind
of
you
know
International
interests
of
the
United
States,
so
there's
this
interesting
kind
of
conflicting
sets
of
Interest
here
between
the
Department
of
Defense
and
private
corporations
in
the
US,
who
aren't
necessarily
cooperating
fully,
but
that's
a
topic
for
another
time.
H
Next
slide,
please
we
we
did
instead
actually-
and
this
is
some
forthcoming
work
in
Duke
Law
review-
which
again
the
the
newer
version
of
the
slides
you'll,
have
a
reference
to
that
in
the
Duke
Law
review.
Oh
previous
slide,
please
in
this
Duke
Law
review
piece
we
have
coming
up
you'll.
We
kind
of
make
this
argument.
That's
you
know
a
basically
an
Anti-Trust
or
Monopoly
argument.
What
we
show-
and
you
can
see
from
this
diagram-
is
that
content
distribution
networks
are
not
only
overall
domiciled
in
the
United
States.
H
There
are
a
few
players
who
really
dominate
the
market
and
almost
all
of
the
market
is
dominated
by
the
top
three,
and
you
know
this
graph
I
would
say
you
can
look
at
it
a
few
ways.
Cloudflare
has
a
huge
market
share
in
part
because
the
long
tail
of
internet
companies
use
cloudflare,
but
don't
count
out
fastly
in
cloudfront
and
Optima
Akamai
in
particular,
as
a
favorite
of
really
really
big
content
providers
like
HBO,
Max
or
whatever.
You
know,
they'll
tend
to
use
document.
H
But
you
know
the
point
remains,
no
matter
how
you
slice
it
they're
very
small
handful
of
companies
that
absolutely
control
this
market.
So
that's
a
concern,
at
least
for
antitrust
in
the
US
and
the
fact
that
this
is
overwhelmingly
a
kind
of
a
us-based
story.
Tells
you
a
lot
about
kind
of
where
the
control
of
the
internet
is
remember
again:
content
distribution
networks,
sit
between
user
queries
and
server
responses.
H
If
the
CDN
doesn't
want
to
show
you
something,
the
user
is
not
going
to
get
it
and
there's
some
interesting
research
recently
about
how
dominant
cdns
really
are
with
respect
to
end
users.
Experience
of
the
internet,
something
like
76
of
all
user
requests
to
cdns,
can
be
delivered
to
those
users
without
traversing
the
Tier
1
isps
at
all.
H
A
lot
of
these
cdns
have
totally
cut
the
tier,
the
traditional
kind
of
tier
one
public
core
of
the
internet
out
of
the
picture,
and
that
again
is,
you
know,
becomes
relevant
for
the
kind
of
competition
story,
because
policy
makers
tend
to
think
of
the
tier
one
isps
as
competitive.
There
is
an
efficient
market
for
bandwidth,
I'm
sure
many
people
here
have
heard
how
efficient
the
market
for
Transit
is
from
people
like
Bill
Woodcock.
Now
it's
true
that
that
market
is
for
Transit
is
efficient
among
Tier
1
isps.
H
The
important
caveat
is
that
Tier
1
isps
are
not
relevant
from
the
perspective
of
cdns
next
slide,
please
so
the
finding
there,
then,
is
that
U.S
organizations
effectively
control
the
global
internet
through
their
control
over
these
key
control
points
and
my
takeaway
from
this.
What
I
surmise
is
that
what
we
observe
is
internet
fragmentation
is
not
a
response
to
a
global
internet
so
much
as
a
response
to
a
U.S
controlled
internet.
It
is
that
fundamental
U.S
control
that
drives
a
lot
of
the
fragmentation.
H
Behavior
we
observe,
and
although
I
didn't
get
a
chance
to
get
into
it,
it
is
unclear
fundamentally
what
we
mean
by
fragmentation.
Some
people
consider
you
know
EU
gdpr,
to
be
kind
of
fragmenting
because
it
produces
different
versions
of
websites
in
different
countries,
which
is
in
some
sense
in
the
front
affront
to
a
global
internet,
and
while
that
is
the
case,
I
think
that
the
differing
opinions
of
Europeans
the
legitimacy
in
their
minds
of
sovereignty
shows
in
some
sense.
You
know,
proves
out
this.
This
thesis
in
some
sense
next
slide.
H
Please,
okay,
next
slide!
Please
we'll
ignore
this
for
now,
okay,
so
well!
This
is
this
is
an
old
side.
You
can
ignore.
What's
on
the
stream,
maybe
previous
slide,
we
give
something
give
people
something
to
look
at
so
I'll
I'll
share
with
you
kind
of
where
my
mind
is
on
these
questions.
Now,
I
I
hope
you
know
to
get
feedback
from
from
you
about
these
questions
and
and
kind
of
what
you
think
about
them.
H
H
These
cdns,
in
particular,
might
be
very
appealing
targets
for
sophisticated
apt
attacks,
which
could
be
you
know,
very,
very
destructive
indeed,
depending
on
the
nature
of
those
attacks.
Whatever
we
might
do
to
mitigate
those
problems
requires
us
to
really
understand
both
the
politics
and
the
economics
of
the
the
market
for
these
core
internet
services.
We
understand
I
think
far
too
little
about
what
the
market
looks
like
for
things
like
DNS
servers
and
things
like
content,
distribution
networks.
H
How
does
this
Market
fit
together
and
what
are
the
incentives
that
people
in
this
market
deal
with
and
what
drives
behaviors
of
Market
participants?
This
isn't
the
only
question
we
could
ask,
but
it's
something
that
we
surely
need
to
know.
If
we
want
to
make
any
progress
on
this
and
to
illustrate
this
point,
you
know
I've
been
working
with
a
little
bit
with
Scott
Schenker
at
UC
Berkeley,
who
has
some
really
interesting
proposals
around
what
he
calls
the
inter
Edge?
H
Basically,
these
composable
extensions
used
to
be
called
the
extensible
internet
extensions
to
kind
of
TCP
that
provide
a
lot
of
the
services
that
cdns
provide
things
like
ddrs
mitigation
and
con.
You
know
caching,
things
like
that
can
be
provided
by
these
decentralized
nodes.
Now,
if
we
want
these
sorts
of
things
to
catch
on,
we'll
have
to
understand
first
of
all,
who's
the
customer
who's
going
to
use
these
and
second
who's
the
provider.
And
what
are
those
providers?
H
Second,
another
question
specific
question:
that's
been
on
my
mind
recently
is:
what
exactly
is
the
nature
of
the
relationship
between
Telecom
providers
and
content
distribution
networks?
So
a
puzzling
example
and
something
that's
been
puzzling
me
lately,
and
if
anyone
here
has
any
insights,
please
tell
me
it's
that
at
t
a
telecom,
in
fact,
my
telecom
owns
HBO,
another
service
I
like
I,
enjoy
to
use,
and
my
collaborator
teaches
near
chania.
H
Okay,
a
few
people
I
did
not
know
that
ATT
had
a
CDN
and
I
published
a
lot
of
UPS
about
CEs.
This
was
news
to
me
right
so
I
thought.
Well,
surely
their
HBO
Max
is
going
to
use
HBO
it's
going
to
use
ATT
and
CDN,
and
certainly
that
would
make
sense.
It's
vertically
integrated
IP.
You
know
platform,
content,
delivery
and
I'm
an
ATT
customer.
H
If
they're
going
to
deliver
because
anyone's
going
to
use
that
CD-
and
it's
me
so
I
opened
up,
you
know
Chrome
and
did
a
little
digging
and
where
were
these
packets
come
from
Akamai,
so
I
did
a
little
Googling
at
Akamai
and
ATT
have
a
relationship
with
each
other.
What
is
the
nature
of
the
relationship
between
Akamai
and
ATT?
H
Why
is
it
that
ATT
would
bother
having
a
CDN
only
to
go
and
use
Akamai
for
their
content?
Delivery
is
the
CDN
no
good?
Are
they
not
good
at
competing
with
Akamai?
Are
they
white
labeling
their
own
transit?
To
aquamide
and
that's
why
it
looks
like
ahmai-
is
Akamai
white
labeling
their
service
to
at
T,
so
that
at
T
can
use
their
kind
of
retail
relationships
with
small
to
medium
Enterprises.
H
What's
going
on
the
fact
that
I
can't
answer,
this
question
shows
us
how
little
we
know
about
how
this
Market
fits
together
and
if
we
don't
understand
how
this
Market
fits
together,
I'm
very
pessimistic
about
our
ability
to
do
anything
to
enhance
this
kind
of
problem
of
centralization
I'm,
let
alone
to
do
anything
about
the
fragmentation
that
results
from.
So
that's
the
end
of
my
20
minutes
and
you
know
I
hope
we
still
have
some
time
for
questions.
If
anyone
has
any
I'd
love
to
hear
them,.
D
Thanks
a
lot
nick
Elliot
I
think
you
are
online
first,
we
kind
of
kicked
you
off.
So
if
you
want
to
go
ahead,
go
ahead.
K
It's
a
great
presentation,
Nick
and
not
surprising
your
your
advisor
Stephen
or
whoever,
actually
here
today
and
I,
even
Workshop
called
itat,
and
we've
been
talking
about
bundling
economics
which
was
really
enjoyable
just
one
or
two
points
that
I
think
we
have
to
be
really
careful
about
definitions
in
terms
of
what
we
mean
by
control
points
cdns
and
are
are
really
difficult
to
characterize
in
that
regard,
because
on
one
hand
anybody
can
start
a
CDN.
All
it
requires
is
money.
K
If,
if
Elon
Musk
wanted
to
break
out
another
40
billion
dollars,
he
could
have
the
best
CDN
in
the
world,
probably
assuming
he
could
hire
anybody.
But
it's
not,
and
in
fact
the
proof
point
for
that
is-
is
cloudflare's
own
existence
that
they
were
they
weren't
there.
They
came
into
the
market.
They
they
delivered
a
good
service
and
the
same
is
truth
fastly,
and
that
is
actually
a
technical
relation,
which
is
no
particular
CDN
is
required
for
the
internet
to
function.
It's
the.
K
H
Thank
you
yeah
great
comment.
Thank
you
yeah.
You
know.
Listen,
that's
really
interesting.
Point
I
I
tend
to
agree,
and
that
makes
it
even
I
agree
with
you
about
that
that
Point,
by
the
way,
I'm
sorry
I
have
nowhere
to
look
you're
like
the
booming
voice
of
God
here
in
this
room.
H
So
so
look
I
I
think
that
while
I
agree
that
proposition
that
anyone
can
come
along
and
make
a
CDN
with
enough
Capital
makes
it
even
more
puzzling
to
me
that
a
t
and
other
telecoms
Comcast
have
cdns.
Yet
nobody
seems
to
use
them.
Why,
in
my
data,
can
I
not
see
anyone
using
these
18t
or
comcast
cdns?
If
it's
so
easy
to
make
and
telecoms
already
have
the
infrastructure
that
delivers
The
Last
Mile
hop
to
my
home?
Why
is
nobody
using
this
CDN
infrastructure?
H
Why
is
it
that
these
big
cdns
still
have
this
market
dominance
in?
In
that
context,
that's
a
puzzle.
I
haven't
yet
figured
out.
L
I,
don't
think
it
had
a
number
on
it,
but
where
it
really
aligned
with
my
realization
in
listening
to
a
lot
of
conversation
about
fragmentation
over
the
last
year,
or
so
when
it's
become
very,
very
popular
to
talk
about
most
the
time
when
people
are
talking
about
it,
they
don't
mean
what
we
think
they
mean
they
mean
things
are
getting
complicated,
it's
just
a
complex,
it's
a
statement
about
complexity
and
that
resonated
when
you
were
talking
about
how
the
internet
used
to
be
or
is,
and
is
still
very
U.S
Centric,
but
that's
changing.
L
So
it
feels
like
fragmentation,
but
maybe
what
it
is
is
there's
just
a
plurality
of
approaches
to
content
and
other
things
like
that
for
better
or
worse
right.
So
that
was
just
my
comment,
but
then
I'd
add
a
question
to
you
or
to
others.
This
comes
actually
from
the
Gaia
session
earlier
today.
There's
a
really
interesting
presentation
on
not
just
companies
that
are
dominated
in
the
U.S,
but
even
when
you
have
supposedly
a
Global
Network
for
your
content
distribution.
L
All
of
the
traffic
is
still
going
through
the
U.S
so
they're
talking
about
like
the
fact
that
there
are
very
few
ixps
in
on
the
continent
of
Africa,
for
example,
and
if
you're
in
one
country
and
the
content
you're
requesting
is
in
the
same
country,
it's
still
highly
likely
that
your
traffic
is
going
all
the
way
around
the
world
and
back
again
and
we
couldn't
in
the
Gaia
conversation.
L
Nobody
really
had
a
good
answer
as
to
why,
because
it
seems
more
efficient,
they're
all
these
kinds
of
incentives
that
we
would
think
would
exist
to
keep
content
local
when
possible.
Irrespective
of
whether
or
not
there's
a
mandate
for
Content
localization,
which
is
something
that's
a
trend
as
well
and
so
coming
up
with
actual
incentives
and
trying
to
solve
that
problem
might
solve
a
lot
of
other
problems
too.
So
I
just
wanted
to
bring
that
forward
here
and
wonder
if
you
had
thoughts
on
it,
because
I
think
it's
related.
H
Yeah
I
have
so
many
thoughts
on
that.
So
I
have
a
two
dueling
observations.
First,
obviously,
there's
a
tremendous
strategic
advantage
to
having
all
the
traffic
route
through
your
country.
Okay,
this
shouldn't
need
to
be
said,
but
yes
there's
a
tremendous
number
of
metadata
attacks
and
other
things
and
reasons
why
you
might
want
traffic
to
route
through
you
now.
Here's
another
interesting
observation:
let's
say
that
there
exists
some
country
that
doesn't
have
any
kind
of
boomerang
routing
whatsoever
and
in
fact
such
country
exists.
China
has
very
little
Boomerang
routing.
H
If
you
send
a
packet
domestically
from
China
to
China,
it
will
route
only
through
China
and
it
will
not
go
internationally
at
all,
and
the
reason
is
that
China
only
has
three
as
that
connected
to
the
rest
of
the
Internet.
It's
called
the
Great
bottleneck
of
China,
analogies
of
the
Great
Farm,
so
there's
some
great
work
on
kind
of
how
that's
architected
and
how
those
as
work
and
why
they
work.
H
But
one
really
interesting
thing
is
that
it
creates
this
asymmetry
in
when
it
comes
to
attacking
internet
infrastructure,
so
it's
often
assumed
or
presumed
that
no
one
would
ever
dare
attack
something
like
a
DNS
server
or
a
Content
distribution.
Network
work
because
doing
so
would
be
too
much.
That
would
cause
too
much
blowback
for
the
attacker.
You
know
if
you
were
to
go
and
attack
something
you
you
would
suffer
the
consequences
of
such
a
great
degree.
H
It
wouldn't
be
worth
the
attack,
but
the
absence
of
any
Boomerang
routing
actually
makes
that
calculus
look
a
lot
different.
There
is
absolutely
no
incentive
to
go
into
against.
You
know
leveraging
some
kind
of
attack
against
the
CDN.
If
you
don't
rely
on
that
CDN
and
if
that
outage
in
that
CDN
wouldn't
affect
you,
those
kinds
of
asymmetries
are
actually
very
powerful
and
we
should
absolutely
be
cognizant
of
them
when
we
think
about
what
it
means
for
the
internet
to
be
stable.
H
Globally,
stable
internet
means
some
kind
of
balance,
between
Boomerang
routing
and
perhaps,
and
and
not
there's
some
notion
of
sovereignty.
That
needs
to
be
balanced
against
interdependence,
and
this
is
actually
mimicked
in
debates
about
trade
throughout
the
20th
century.
There
was
this
kind
of
thesis
of
globalization
that
interdependence
would
would
prevent
conflict,
because
that
interlinkage
exactly
would
disincent
anyone
from
attacking
anyone
else.
It
would
be
too
active
and,
as
we
do
think
about
the
very
real
need
for
sovereignty,
I
think
that
it's
equally
important.
H
We
balance
that
need
for
sovereignty
against
a
real,
realistic
need
for
interdependence
and
the
role
that
interdependence
plays
in,
hopefully
decreasing
conflict
and
disincenting
conflict.
E
So
in
fact,
you
just
made
the
segue.
So
first
of
all,
thank
you.
It
was
very
insightful
and
very
good
presentation,
but
this
is
a
good
segue.
You
finished
on
on
sovereignty,
because,
in
fact,
what
we
see
is
a
lot
of
concerns
on
fragmentation
coming
from,
let's
say,
regulation
and
Hyper
regionalization.
E
So
how
regulations,
including
the
EU,
is
under
the
name
of
we
call
the
Strategic
autonomy,
how
they
actually
weaponizing
a
number
of
a
number
of
assets
that
are
going
to
really
have
a
problem
at
the
end,
so,
for
example,
take
Dora,
for
example,
the
the
new
called
the
digital
operational
resiliency
act
that
is
really
about
Cloud
providers
in
the
FSI
sector.
So
so
my
question
here
is:
is
a
little
bit
underrepresented
into
your
presentation,
but
maybe
have
you
have
you
done
some
work
and
research
on
that
part?
H
That's
a
great
question:
you
know:
I
I
haven't
really
looked
specifically
at
the
role
of
regulation
in
part
because
it's
hard
to
measure
causal
relationships
between
regulations
and
the
effects
on
the
internet.
That
doesn't
mean
it's
impossible.
It
just
means
I,
haven't
figured
out
a
way
to
do.
It
I
think
that
it's
a
critical
question,
especially
with
guy
assuming
you're
talking
about
the
EU
Gaia
project.
E
No,
it
was
not
the
Gaya
project,
because
I
don't
think
this
one
is
going
anywhere.
I
think
it
was
the
other
one
which
is
the
Dora
d-o-r-a
another,
so
so
how
the
EU
is
weaponizing
its
instruments
to
let's
say
precisely,
to
fight
us.
Okay
in
certain
ways,
so
it
goes.
It
goes
down
to
even
weaponizing
its
auditing
capabilities
to
the
FSI
so
that
they
are
less
incentivized
to
go
for
U.S
companies
on
what
they
do
right.
H
Yeah,
so
you
know,
there's
this
theory
in
political
science
called
hegemonic
stability,
Theory
and
really
it
should
probably
be
called
something
more
like
hegemonic,
openness,
Theory.
But
the
idea
is
that
in
global
trade-
and
it
I
think
it
was
the
late
18th
century
into
the
20th
century.
You
know
Britain
and
Then,
followed
by
the
U.S.
It
was
this
hegemon
that
basically
ran
world
trade
and
into
the
21st
century
with
the
financial
system
more
or
less.
This
is
true
of
the
US
and
in
the
internet.
I'd
argue
you.
H
H
Why
is
it
that
a
hegemon
can
dominate
this
internet
yet
there's
still
this
open
and
somewhat
Global
flow
of
data,
and
this
theory
that
has
a
pretty
satisfying
explanation
for
this
phenomenon,
which
is
basically
that
as
long
as
a
hegemon
exists,
it
actually
benefits
the
hegemon
to
have
a
very
open
system,
because
in
that
situation
everyone
else
can
kind
of
you
know,
do
whatever
they
want
and
the
you
know
the
hegemon,
whoever
they
are,
gets
to
benefit
from
their
Central
position
and
extract
some
rent.
H
Basically,
from
that,
Central
position
also
influence
some
soft
power
weaponized
into
interdependence,
as
Abe
Newman
would
say,
and
all
those
other
things
now
what
happens
when
the
hegemon
declines?
Well,
it
turns
out
that
when
the
hegemon
declines,
there
tends
to
be
a
very,
very
uncomfortable
chaotic
period
and
until
the
new
hegemon
emerges,
in
which
case
openness
happens
again.
H
So
what
I
wonder
what
I
ask
myself
is
kind
of
what
happens
if
these
sorts
of
of
regulations,
these
sorts
of
incentives,
end
up
being
successful,
what
if
they
end
up,
really
challenging
the
hegemon
in
a
real
and
Lasting
way
such
that
you
know
in
this
case
the
US
no
longer
is
the
Edgemont
over
the
Internet.
What
does
the
internet
look
like?
Well,
hegemonic
stability,
Theory
would
say
it
wouldn't
necessarily
be
a
very
open
internet
that
may
be
counter
to
some
of
our
expectations.
H
That
may
be
counter
to
some
of
our
probably
ideological
preferences.
But
this
is
the
prediction
of
that
theory,
and
you
know
if
we
observe
something
else,
it
would
be
a
serious
challenge
to
that
theory,
which
is
more
or
less
you
know,
proved
out,
at
least
in
trade
and
finance.
So
what
are
we
to
make
of
this?
Well,
you
know.
My
overall
kind
of
theory
is
that
the
internet
is
both
something
countries
fight
on
and
over
meaning
it's
country.
It's
something
that
the
countries
use
to
struggle
against
one
another.
H
It's
a
mechanism
for
for
international
kind
of
competition
cooperation,
but
it's
also
something
that
Nations
struggle
to
control
it's
a
domain
of
conflict
as
well
as
a
mechanism
for
for
conflict
and
competition.
So
you
know,
as
this
plays
out
we'll
kind
of
see
if
there
is
a
weight
of
challenging
this
hegemon,
and
if
there
is
a
way
of
challenging
the
hedgemont.
Does
that
decrease
the
openness
or
stability
of
the
internet?
D
Yeah
I
think
Andrew.
Your
next
go
ahead,
like
I
think
the
queue
is
like
hopelessly
reordered
but
like
I,
think
we
have
a
memory
so.
J
Thank
you,
Andrew
kampling,
409,
Consulting,
really
interesting
presentation,
I'm
sure
you're
only
scratch
the
surface
of
four
years,
but
you
put
out
some
really
fun
points.
Two
questions
really
did
you
consider?
J
Have
you
considered
as
we're
in
the
ITF
how
maybe
standards
are
used
to
reinforce
control
points,
because
I
can
certainly
think
of
some
standards
being
developed
here,
which
are
arguably
strengthen
the
role
of
cdns
to
randomly
pick
on
one
as
you
just
talk
about
cdns
so
be
usually
get
your
view
on
that,
and
also
have
you
considered
whether
sdos
as
a
whole?
L
H
What
a
great
question
I
haven't
looked
into,
that
I
haven't
thought
about
it,
they
probably
are
I
would
love
to
look
into
it.
You
know
there
was
so
much
like
outside
of
iitf
kerfuffle
about
new
IP
and
kind
of
how
standards
you
know
whatever
itu
yeah
I
would
love
to
look
into
that.
I.
Really
wonder
what
the
answer
to
that
question
is
I,
wonder
how
to
think
about
that
yeah.
If
you're
interested,
please
reach
out
I'd
love
to
to
talk
about
that
idea.
More
thanks.
D
Nick
Rich
you're
up
next.
I
Rich
Souls
I
guess
I
work
at
the
fourth
largest
CDN
I'm,
your
HBO
providers.
I'm
just
curious,
though,
how
you
determine
that
various
telcos
don't
use
their
cdns.
I
You
said,
for
example,
ATT
who
no
longer
owns
HBO.
It
has
the
CDN
but
HBO
renowned.
It
wasn't
delivered
over
the
HP
I.
I
I
N
H
I
Be
probably
too
detailed
to
get
into
here,
I'd
love
to
talk
with
you
offline.
H
H
You
know
they're
a
partner
also
of
Internet
Society,
a
lot
of
pulse
metrics
come
from
them
and
we
work
with
them
to
get
this
Corpus
of
CDN
usage,
and
you
know
we
kind
of
looked
at
the
CDN
usage
to
determine
kind
of
the
popularity
of
these
cdns
and
what
we
found
was
that
you
know
18
team
Comcast
wasn't
in
that
data
set
which
forced
us
to
ask.
You
know
why,
and
there
are
a
couple
explanations
we
could
come
up
with,
but
there's
no
resolution
on
that
question.
Yet
thank.
D
You
thank
you
thanks,
Mark
you're
up
next.
Thank
you.
O
Hi
Mark
Nottingham
I've
spent
about
25
years
working
for
the
top
three
reputable
cdns
in
your
list,
I'll.
Let
you
interpret
that
and
also
deploying
them
in
private
companies,
including
Yahoo
and
Merrill
Lynch
I'm.
Also,
a
law
student
I'm
also
and
I
serve
as
an
expert
to
the
CMA
in
the
UK,
although
I
can't
represent
them.
Of
course,
so
I
have
thoughts,
probably
too
many
for
the
mic
line,
but.
O
H
O
Some
thoughts,
especially
I,
guess
from
more
from
the
competition
law,
standpoint,
great
and
and
I
think
there
was
a
question
about
standards,
bodies
of
point
of
control.
Just
as
an
aside,
that's
also
a
very
interesting
question
to
me:
I
tend
to
think
of
it
more
in
terms
of
what
is
the
role
of
technical
standards
in
Internet
governance,
which
is
kind
of
a
bigger
question.
D
D
Thanks
Chris
hear
it.
F
C
P
Yeah
all
right,
hello,
everyone
Chris,
representing
the
IAB
talking
about
a
new
proposed
program.
We
call
hudis
a
holistic
human
oriented
discussions
on
identity
systems,
as
you
may
have
seen
on
the
email
that
went
out
to
the
architecture,
discuss
list
the
I
guess.
The
primary
motivation
for
this
is
to
try
to
get
our
heads
around
the
very,
very
large
and
vast
ecosystem
that
involves
things
like
authentication,
technology,
credential
technology
identities
where
credentials
like
a
specific
type
of
technology
that
binds
like
an
identity
to
a
particular
user.
P
In
this
case,
and
then
an
identity
is
whatever
like
that,
could
be
anything
an
email
address,
a
phone
number.
What
I
I
don't
know
an
account
name,
there's
all
sorts
of
different
types
of
identities.
That's
part
of
the
problem
here
that
the
way
these
two
things
I
guess
overlap
and
the
I
guess
the
scope
and
size
of
the
ecosystem
is
a
just
a
kind
of
big
and
complicated,
like
the
slide
that
we
just
saw
earlier
in
the
last
presentation.
P
For
some
of
these
things,
we
kind
of
we
know
how
they
work
and
function,
and
some
of
the
Technologies
are
like
have
a
ton
of
energy
and
momentum
in
the
industry,
and
the
standardization
space
like
things
in
w3c
with
web
often
are
very
well
understood.
Past
keys
in
practice
like
they're,
taking
web
off
and
actually
getting
them
more
widely
deployed
is
great.
P
So
we,
the
intent,
is
not
to
kind
of
like
take
energy
out
of
those
particular.
You
know,
groups
and
communities
and
put
it
elsewhere
instead
is
try
to
get
our
head
around.
You
know
the
the
I
guess,
the
the
overlap
between
all
these
different,
like
Technologies
as
they're,
used
in
practice,
so,
and
probably
to
also
seek
some
clarity
on
how
some
credential
and
a
credential
mechanisms
and
types
of
identities
are
used
or
misused
in
practice.
P
So
some
of
the
goals
proposed
goals,
because
everything's
up
for
a
proposal
here
is
to
kind
of
just
go
out
and
look
about
what
the
landscape
looks
like
for
this
particular
type
of
technology
and
have
discussions
with
the
experts
that
are
in
this
community,
as
well
as
outside
the
community.
Who
may
be
developing
these
particular
Technologies,
bring
them
into
the
room
and
try
to
make
sense
and
develop
a
clear
mental
model
for
how
this
stuff
works?
P
It
would
also
be
useful
in
developing
that
mental
model
to
get
a
more
clear
understanding
of
how
these
are
used
and
I've,
also,
in
parentheses,
noted
how
they
are
misused.
So
the
the
canonical
example
that
I
like
to
go
to
here
is
people
misusing
IP
addresses
as
a
type
of
identity
for
a
user.
That's
like
a
practice
that
does
exist,
and
we
should
try
to
get
away
from
that
and
understanding.
Why
that's
the
case
and
what
is
the
gap
that
exists?
That
put
us
in
that
situation?
P
The
first
place
would
be
something
that
might
be
discussed
in
this
particular
program
and
if
there
are
gaps
that
like
clearly
emerge
that
are
well-defined,
that
can,
you
know,
be
filled
by
technical
work
to
dispatch
that
to
the
appropriate
places
in
the
ietf
such
that
we
can,
you
know,
develop
Technical
Solutions
and
get
them
out
into
the
world.
P
So
concretely,
some
possible
outputs
may
be
to
like
document
some
of
these
use
cases
to
put
them
down.
In
writing,
or
in
a
document
like
an
RFC,
doesn't
have
to
be
an
RFC.
Just
a
single
piece
of
literature
that
someone
could
look
at
a
GitHub
page
would
also
be
perfectly
fine,
in
my
opinion.
P
P
P
Ideally
have
people
come
in
from
outside
of
the
community,
like
I
said,
and
when
we'd
like
to
facilitate
sort
of
collaborations
with
these
groups,
maybe
even
in
the
form
of
IED
workshops
where
we,
you
know,
solicit
papers
or
position
papers
on
on
this
topic
and
have
people
come
to
the
same
room
and
discuss
and
again,
as
I
was
saying,
there's
a
possible
goal,
identify
places
where
we
can
actually
do
things
concretely
in
the
ITF,
so
I
think
I.
P
Think
the
the
questions
that
we're
interested
in
with
respect
to
the
actual
proposal
are
mostly
around
scope,
because
this
is
I
keep
saying
this
is
super
huge
and
complex,
so
I
I'm
sure
everyone
understands
that
by
now.
But
there
are,
there
are
reasonable
ways
you
could
refine
this
down
to
something:
that's
a
bit
more
manageable.
So,
for
example,
you
you
could
imagine
just
restricting
this
to
discussions
on
credential
systems
and
just
punting
everything
that
has
to
do
with
identity.
Don't
even
talk
about
it.
P
Just
focus
on
what
are
the,
what
are
the
different
types
of
credential
mechanisms
that
are
used
and
how
do
they
interact
in
practice
and,
as
are
there
any
like
obvious
gaps
that
exist
just
this
morning,
for
example,
I
was
sitting
in
the
the
oauth
working
group
and
listening
to
some
presentation
on
like
some
credential
mechanism,
that
has
like
selective
disclosure,
I'm,
like
gee
I,
sure
heard
about
selective
disclosure
and
other
contexts
like
privacy,
pass
and
other
contacts
in
the
w3c,
and
it's
there's
just
a
lot
of
overlap
happening,
and
you
know
we'd
like
to
have
a
place
for
these
different
groups
to
come
and
discuss
things.
P
Another
question
that
was
raised
on
the
list
was:
you
know:
what
is
the
the
scope
of
an
identity?
If
we're
to
consider
that
you
know,
does
it
pertain
to
only
humans
as
the
title
suggests,
or
does
it
you
know,
extend
to
like
machines
and
devices,
and
you
know
like
identities
and
credentialing
systems
that
are
used
to
get
two
devices
that
are
not
representative
of
humans
to
talk
to
one
another?
P
To
do
things
like
you
know,
do
some
computation
or
exchange
some
workload
or
whatever,
so
it
would
be
interested
to
hear
thoughts
on
that
if
people
have
them
and
yeah,
so
that
was
it
there's
not
really
much
to
this
other
than
like
we'd
like
to
hear
feedback
and
see
what
people
think
you
know.
Is
this
a
good
idea,
bad
idea?
What
should
the
scope
be,
and
you
know
take
any
questions
you
may
have
of.
P
Correct
yeah
and
there's
there's
a
GitHub
repository
that
has
the
draft
text
there.
It
could
use
some
wordsmithing
based
on
the
feedback
we've
already
received
on
the
list,
so
we
do
intend
to
do
that
which
need
to
get
her
on
to
doing
it
and
but
yeah
I
guess
we'll
start
with
Justin.
Thank
you.
M
Hi
Justin,
richer,
so
I
think
that
this
is
a
fantastic
set
of
questions
to
be
asking
here
at
the
ITF.
M
The
scope
is
definitely
a
hard
one,
because
if
you
ask
10
identity
professionals,
what
identity
is
you'll
get
at
least
17
answers,
and
and
like
you
need
to
this
work
is
going
to
have
to
embrace
that,
because
identity
means
a
lot
of
things
that
are
contextual,
and
it's
often
that
context
that
people
actually
care
about
and
identity
is
usually
or
I,
would
say
at
least
many
times
a
tool
that
people
are
using
to
solve
something
in
a
particular
context.
Identity
is
the
thing
that
most
fits.
M
The
the
type
of
you
know
a
small
part
of
the
problem
that
they're
actually
after
that
said.
I
do
think
that,
because
of
that,
it
makes
sense
to
have
you
know,
sort
of
a
a
wider
effort
in
the
iitf
to
look
at
identity
systems.
I
do
think
that
there
is.
M
There
is
space,
And
discussion
and
probably
desire
for
machine
identity
and
stuff,
like
that,
I'm,
not
sure
if
it
actually
belongs
in
the
same
spot-
and
you
know
I
I,
don't
know
because
people
and
computers
are
in
fact
different.
I
know
it's
kind
of
a
weird
thought
for
most
of
the
folks
in
this
room,
yeah
I
see
you
shaking
your
head
regardless,
regardless
it
is.
It
is
an
important
set
of
questions.
It
is
a
wide
set
of
questions
and
there's
a
lot
of
people
that
we
can
hopefully
pull
in.
M
C
Brent
zundel
I
chair
the
verifiable
credentials
working
group
at
w3c,
the
decentralized
identifiers
working
group
at
w3c,
I
edited
and
wrote
the
presentation
Exchange
protocols
at
the
decentralized
identity
Foundation
where
I
sit
on
the
steering
committee.
This
is
a
very
interesting
set
of
questions.
C
I
do
want
to
warn
slightly
that
anytime
you're
talking
about
the
big
eye
identity,
the
conversation
will
inevitably
become
very
fraught
and
lead
to
almost
immediate
stoppage
of
any
possible
technical
progress
and
so
trying
to
determine
what
technical
progress
can
and
ought
to
be
made
should
be
a
an
almost
entirely
separate
conversation
from
the
big
eye.
What
is
identity?
Who
should
have
one?
Is
it
the
machine?
Is
it
the
human?
Is
it
generative?
C
Is
it
whatever
all
of
that
to
say,
happy
to
participate
and
would
have
liked
to
have
known
about
this
Beyond
just
having
seven
people
say?
Have
you
heard
about
what
this
IAB
thing
is
so
just
whatever
that
means.
P
Anyway,
right
yeah
apologies,
it
did
was
not
you
know,
advertised
in
the
and
I
guess
the
the
venues
that
you
participate
in
and
probably
should
have
sent
it
to
the
the
verifiable
credentials
group.
That
makes
a
lot
of
sense
on
the
you
know,
tackling
what
the
big
high
identity
question
is.
I,
don't
think
the
intent
is
to
try
to
Define
like
what
is
and
or
is
not,
and
what
are
the
circumstances
that
a
person
should
or
should
not
get
an
identity.
P
I
mean
we'll.
Certainly
it's
hard
to
avoid
like
talking
about
identity
in
this
particular
space,
but
I,
don't
think
we're
we're
trying
to
to
like
establish.
You
know
a
canonical
definition
of
what
you
know:
capital
Y
identity.
Is
that
yeah,
as
you
suggest,
that
seems
like
a
pretty
good
way
to
to
not
make
any
forward
progress
and
I
think
trying
to
limit
our
scope
to
things
that
are
a
bit
more
manageable
will
help
us
make
forward
progress,
hopefully
up
in
an
already
pretty
wide,
diverse
space,
So
yeah.
P
N
Dick
Clark,
like
a
number
of
other
people
here,
I've,
been
involved
in
identity
for
a
long
time.
A
couple
decades
I
participated
in
many
many
workshops
that
have
lasted
over
days
or
weeks,
trying
to
get
people
just
all
to
understand
on
what
is
identity.
N
N
There's
identity,
work
all
over
the
place
and
a
fair
amount.
You
know
an
awful
lot
of
that
here.
N
It's
unclear
what
you're
wanting
to
do
with
this
that
doesn't
turn
into
like
a
multi-week
workshop,
aren't
just
trying
to
understand
a
whole
bunch
of
different
parts
of
identity
like
what
is
a
credential
you're,
not
going
to
get
agreement
on
that.
What's
identity,
you're
not
going
to
get
agreement
on
that
that
this
seems
you
might
have
an
idea
of
it.
I
think
you've
seen
sort
of
the
tip
of
the
iceberg
and
the
iceberg
looks.
P
Sure
I'm
willing
to
acknowledge
that
our
our
understanding
of
the
situation
may
be
very
different
from
those
who
have
been
immersed
in
the
space
for
a
very
long
period
of
time,
I'm,
confident
or
I'm
hopeful.
Rather
that,
like
we,
have
the
technical
jobs
of
like
trying
to
dig
into
like
like
widely
used
credential
mechanisms
and
try
to
make
sense
of
them.
Perhaps
we'll
not
be
so
successful,
but
you
know
I,
guess
time
will
tell
if
this
program
proceeds
so.
B
So
I'm,
just
trying
to
understand,
are
you,
like
you,
say,
there's
a
lot
of
work
in
there.
It's
it's
probably
also
a
lot
of
problems
and
we
definitely
don't
try
to
solve
them
all,
but
we're
trying
to
figure
out.
If
there's
anything,
we
can
do
in
this
community
to
help
the
problems
or
are
you
saying
we
shouldn't
even
try.
N
A
lot
of
people
are
solving
on
their
problems.
I
think
just
trying
to
get
a
layout
of
what's
Happening
identity
is
a
massive
work
effort
right
before
you
can
even
figure
out
where
are
there
problems
to
solve,
but
for
the
people
that
are
in
the
industry
right
we're
all
working
on
a
lot
of
the
problems
right.
It's
not
like
there
aren't
people
thinking
about
identity
right
there's!
P
To
to
give
it
sort
of
perhaps
like
or
did
you
want
to
reply
to
that,
give
a
like
a
kind
of
concrete
example?
So
I
mentioned
the
oauth
example
earlier,
there
are
a
number
of
like
very,
very
similar
Technologies,
like
privacy
pass
oauth,
verifiable
credentials.
All
these
are
kind
of
doing
very
similar
things
in
the
circumstances
in
which
would
you
would
use
them
how
they're
used?
N
N
B
N
Yeah
I
just
worry
about
the
the
having
a
discussion
on
this
is
probably
a
you
know
a
whole
enough.
There's
an
awful
lot
of
work
in
trying
to
have
a
discussion.
That's
actually
going
to
conclude.
Q
Peter
Castleman
I'm
working
on
standards,
mostly
in
the
oauth
area
and
so
very
excited
to
see
this
I
think
this
is
great
in
terms
of
the
questions
around
scope.
You
know
I
think
if
we
think
about
this
program
as
a
kind
of
integration
point
to
bring
different
communities
together
to
exchange
ideas.
Q
I
think
that's
actually
really
helpful,
because
otherwise
I
find
myself
sort
of
traveling
from
working
group
to
working
group
to
figure
out
what
is
it
that
you're
doing
and
how
does
that
fit
with
what
I'm
doing
and
is
there
an
opportunity
so
I
think
as
an
integration
point
in
a
kind
of
a
Clearinghouse?
For
those
conversations,
that's
really
really
good.
Q
You
know
I
think
you
might
want
to
think
about
defining.
You
know
whether
it's
credential
or
identity
system
think
about
maybe
framing
it
in
terms
of
the
outcome
that
you
want
with
identity
systems
right
so
with
an
identity
system.
Often
the
goal
is
something
along
the
lines
of
making
sure
that
the
right
person
has
access
to
the
right
thing
at
the
right
time
and
that
actually,
then
opens
up
the
conversation
about
all
the
technology
building
blocks
that
you
need.
You
know
to
Grant's
earlier
comment
about
the
big
eye
that
might
be
yet
another
right.
Q
If
you
can
focus
on
the
technology
pieces,
that's
helpful,
but
also
then
yeah.
It
just
helps
us
structure
the
conversation
because
to
Dick's
point,
it's
a
big
big
topic
right
and
then
on
the
second
one
my
perspective
there
I
identity
goes
well
beyond
humans.
From
my
perspective,
at
least
we're
seeing
so
much
challenges
around
managing
devices
workloads
and
this
configuration
right.
But
you
mentioned
oh
you're,
using
an
IP
address,
which
is
an
identifier
for
advice
on
a
network
for
a
human.
Q
Well,
maybe
some
of
that's
because
we
didn't,
maybe
we
don't
have
proper
human
identity
systems,
but
maybe
we
also
don't
have
proper
systems
for
machine
identity,
and
so
we
end
up
sort
of
merging
these
things
inappropriately.
So
I
I'd
prefer
a
broader
scope
because
again
it
allows
us
to
you
know
at
least
connect
these
silos
and
have
these
conversations
in
one
place.
Yeah.
P
P
You
know
sort
of
the
use
cases
that
we
would
want
to
Target
and
and
or
to
help
use
to
frame
these
discussions,
because
we're
are
hoping
that
you
know
the
contributors
who
do
come
and
facilitate
and
or
contribute
to
these
discussions
would
kind
of
bring
the
use
cases
that
are
important
to
them,
authentication,
authentication
being
like,
perhaps
the
most
obvious
one
but
yeah
I.
Think
using
as
like
the
you
know,
the
integration
point
for
all
these
different
communities
is
a
perfectly
reasonable
way
to
think
about
this.
Q
And
then
just
opening
Beyond
human
identity
would
be
would
help
that
conversation
a
time.
P
Sure
yeah
it
would.
It
would
be
a
shame
if
there
was
like
you
know
effectively.
Forks
of,
like
you
know,
people
thinking
about
the
same
topic
just
with
different
I
guess,
like
you
know,
this
is
the
human
group.
This
is
the
this.
Is
the
machine
identity
group
or
whatever,
but
we
have
to
be
cognizant
of,
like
you
know,
trying
to
make
like
meaningful
forward
progress
and
like
have
productive
conversations,
so
I
I,
perhaps
with
some
right
balance
we
can.
We
can
increase
the
scope
but
I.
G
Martin
yeah
Martin
Thompson,
when
I
suggested
that
we
limit
this
to
talking
about
humans
on
the
list.
I
think
a
number
of
people
jump
down
my
throat
I
understand
that
this
is
an
ieb
program
that
you're
proposing
here
and
there's.
There's
always
the
possibility
that
we
can
really
sort
of
get
into
the
weeds
and
have
a
very
broad
scope
on
anything.
So
I
think
that's,
certainly
something
that
a
program
could
could
consider
as
within
bounds
for
discussion.
G
Even
if
the
stated
Charter
or
the
the
goals
for
that
program
were
somewhat
narrower
and
my
sort
of
goal
here
is
to
ensure
that
when
we
talk
about
these
things,
we
have
something
more
of
a
focus
on,
for
instance,
the
the
effect
that
the
the
systems
that
we're
talking
about
have
on
people
as
opposed
to
the
machines
so
back
to
Peter's
example
of
the
IP
address
using
that
as
a
proxy
for
an
identifier
for
a
person.
G
That's
a
really
great
example
of
something
that
I
think
we
should
be
talking
about,
but
I
don't
care
about
the
IP
address
as
a
proxy
for
identifying
a
server
or
or
something
a
piece
of
Machinery,
because
I
think
that
broadening
the
scope
in
that
particular
way
would
be
just
a
I
mean
we
already
heard
it's
an
ocean
that
we're
looking
to
boil
with
a
magnifying
glass
as
it
is
I
would
rather
not
get
too
far
into
into
the
other
things.
G
I'm
also
surprised
that
no
one
has
mentioned
the
identity
layer
of
the
internet
yet
and
I
wanted
to
be
the
first
I
think
that's
not
necessary,
but
I
just
wanted
to
be
the
first.
So
that's
all
I
have
to
say.
P
Yeah
thanks
Lauren,
the
the
name
despite
being
kind
of
cute
I
guess
for
the
program
has
human
oriented,
particularly
because
that
was
like
the
the
primary
focus
but
I
I.
That
said,
like
I
I'm,
personally,
not
opposed
to
expanding
the
scope,
but
I
think
you
make
some
weird
arguments
as
to
you
know
where
we
should
place
our
Focus
to
start
hi.
A
I'm
Kalia
my
handles
identity,
woman
and
I
have
convened
the
internet
identity
Workshop
since
2005
twice
a
year,
so
it
is
a
forum
in
which
you
and
folks
looking
at
this
are
welcome
to
come
and
share
and
get
input
and
feedback
on
and
I'll
just
name
building
on
Dick's
Point
about
three
years
ago.
I
did
work
for
a
client
to
identify
all
all
identity
standards
in
sdos
and
other
industry
associations
that
I
could
related
to
human-centric
Identity
and
I
identified
1500
of
them.
Okay.
A
P
A
P
Disagreement
there
I
I,
anticipate
like
there's
going
to
be
a
no
like
1500
was
a
bit
higher
of
a
number
than
I
was
expecting,
but
the
actual
ones
that
are
used
in
practice,
like
I,
mean
we're
going
to
have
to
try
to
keep
things
small
to
start
and
just
focus
on
some
pretty
important
ones,
but
perhaps
like
a
a
total,
complete,
exhaustive
picture
or
of
the
landscape
may
not
be
a
a
goal
that
we
can
accomplish
in
this
type
of
program,
and
it
I
don't
know
if
it's
worth
our
time,
but
well
today,
I
learned
great.
R
Joe
salloway
I
I
tend
to
agree
that
scoping
this
work
is
going
to
be
really
important.
I
also
think
we
can't
completely,
you
know,
I
think
Martin's
Point
was
was
good
in
that
you
we're
gonna.
I
S
Hi
Heather
Flanagan,
so
I've
also
one
of
the
many
people
that
have
worked
in
the
identity
space
for
a
while
and
I'm.
Actually,
the
coordinator
of
one
of
the
groups
you
mentioned
in
the
in
the
proposed
program,
Charter
and
I'm
like
and
I
still
didn't
hear
about
this
wait
a
minute.
S
I
think
it
would
be
more
useful
for
the
iib
to
say
I
mean
you
use
the
the
the
we
kept
saying
we
and
I
kept
wondering
who
we
was.
If
you're
going
after
a
program,
it's
actually
scoped
to
what
can
we
the
IAB,
do
or
what
can
we,
as
the
ITF,
do
in
this
space?
I?
Think
that's
interesting.
I
think
there
are
enough.
Other
identity
focused
standards,
organizations
that
are
looking
at
scale
that
I
know.
S
You
said
you
didn't
want
to
take
the
energy
from
the
room,
but
you're
going
to
find
it's
all
the
same
people
so
coming
at
it
with
a
bit
more
Focus
to
what
can
you
accomplish
here
would
be
very
helpful.
P
Great,
that
seems
to
be
like
a
pretty
unanimous
comment
that
we're
getting
so.
That
seems
like
perfectly
good
feedback
to
fold
into
the
proposed
Charter.
B
D
K
K
I'm
speaking
to
you
this
time
as
the
independence
submissions
editor,
there's
a
new
RFC
out
I'd
like
to
talk
about.
We
mentioned
a
couple
of
other
things
relating
to
this
node
Revelations,
all
right.
So
before
2013
the
world
was
a
very
different
place.
K
We
actually
accepted
a
certain
amount
of
vulnerabilities
as
a
as
the
culture.
Can
you
back
up,
please.
Thank
you.
The
slide.
The
the
graph
on
the
right
is
from
the
Gordon
lobe
model
and
Enterprises
could
use
that
to
figure
out
how
much
to
invest
it's.
It's
a
pretty
fundamental
component
in
the
economics
of
information
security
that
basically
says
that
your
optimal
investment
point
is
your
expected
loss
over
e,
so
about
37
of
what
you
think
your
your
expected
losses
and
people
would
basically
run
with.
K
You
know
some
notion
of
that
if
they
had
a
notion
of
their
expected
loss-
and
we
assume
that
some
observations
would
would
take
place
and
that
they'd
be
limited
by
locality
and
there
was
you
know
some
positive
Network
management
benefit
to
observation
in
terms
of
understanding,
Network
performance
and
quality
of
service,
and
even
and
even
some
security
benefits
as
well.
In
terms
of
you
know,
looking
for
various
forms
of
attacks,
it
was
still
subject,
but
a
lot
of
this
was
still
subject
to
abuse.
K
K
What
we
found
was
an
attacker
that
had
near
infinite
resources
in
the
form
of
an
NS
in
the
NSA,
and
we
couldn't
really
quantify
losses.
The
whole
reason
we
couldn't
quantify
losses
was
because,
well
you
know,
how
do
you
qualify,
something
that
the
NSA
has
gotten
in
terms
of
you
know?
You
know
their
visibility.
The.
F
K
So
This
Is
Us
in
2013.,
just
show
of
hands
in
the
room.
How
many
people
were
there
in
the
room
for
that
good
number,
I'd
have
to
say
we
were
pretty
pissed.
We
were.
We
were
stunned
at
just
the
scope
of
the
the
effort
put
in
to
by
the
by
the
NSA,
and
it
it
led
to
action.
K
It
led
to
Bruce
schneier,
showing
up
and
really
sort
of
giving
a
startling
talk,
and
it
led
to
the
pervasive
surveillance
as
considered
an
attack.
Rfc
I
think
it's
7258
and
it
led
to
a
lot
more
encryption
on
the
internet.
Next
slide.
Please
so
RFC
9446
reflects
on
a
lot
of
things.
It
reflects
first
of
all
on
how
it
was
at
the
time.
So
Bruce
talks
a
little
bit
in
this
about
what
it
was
like
to
report
the
story,
and
he
almost
describes
what
you
come
away
thinking.
K
He
has
PTSD
a
little
bit
when
you
read
his
really
well
written
essay,
and
but
it's
it's
something
worth
reading,
because
there
was
a
human
cost
to
reporting
the
story
in
the
first
place.
K
Stephen
Farrell
talks
about
our
response
more
technically
as
well
as
I
made
me
a
little
bit
culturally,
then
farzana
body
talks
about
the
human
rights
implications
or
in
some
cases
you
know
where
we
made
advances
and
where
we
really
we
haven't
gone
as
far
as
perhaps
she
would
have
liked,
and
why
and
then
Steve
bellovan
puts
us
all
in
a
historical
perspective.
You
almost
get
a
get
the
feeling
of
you
know.
K
All
of
this
has
happened
before,
and
all
this
will
happen
again,
but
I
want
to
highlight
that
we
do.
We
have
raised
the
bar,
so
next
slide
please.
K
So
why
is
this
document
important
right?
Retrospectives
are
awfully
boring
and
not
worth
doing
unless
we
learn
something
so
when
I
I,
when
I
search
for
authors
for
this
document,
I
ask
them
to
answer
a
few
questions
right.
Did
we
react?
Well?
Is
there
are
there
things
we
could
do
better?
If
we
have
these
sorts
of
events
in
the
future,
what
accomplishments
did
we
achieve?
What
is
left
to
be
done
by
us
or
by
others
right
and
then
how
has
the
threat
environment
evolved
since
then?
K
So,
for
instance,
a
good
example
of
that
will
come
up
in
just
a
moment
now,
a
hint
to
you
as
a
community,
the
internet,
the
the
independent
submissions,
editor,
always
asks
the
question
by
the
way.
Why
is
this
document
important?
If
you
come
to
me
with
a
document,
and
you
can't
answer
that
question
you're
going
back
empty-handed
next
slide,
please,
okay!
So
a
couple
of
key
points.
K
First
of
all,
nothing
happened
overnight,
other
than
outrage
when,
when
we
were
in
the
room,
it
took
a
lot
of
time
a
lot
of
commitment,
a
lot
of
effort,
a
lot
of
consensus
and
a
lot
of
code
to
get
things
done
in
terms
of
change.
It
was
a
sea
change
within
the
community,
but
it
took
time
for
that
sea
change
to
take
effect.
K
The
second
point
I
want
to
make
is
that
it
was
helped.
I
think
also
that
there
were
there
was
opportunity.
Seen
in
terms
of
certain
players
saw
that
there
was
opportunity
to
benefit
from
improved
security,
and
they
took
advantage
of
that.
K
So
they
have
we
caught
a
Tailwind
off
of
that
as
a
community,
but
a
key
Point
here
I'll
say
is
that
a
lot
of
the
data
that
we're
concerned
about
is
still
accessible
a
lot
of
the
it's
maybe
accessible
to
in
concentrated
form,
in
fact,
and
so,
even
in
the
short
term.
If
an
attacker
knows
where
to
attack,
they
may
get
more
information
than
the
NSA
got.
K
Let's
a
good
example
might
be
if
they
attack,
if
they're
able
to
attack
one
or
two
social
networks
right
or
Amazon,
so
infrastructure
attacks.
The
other
point
I
want
to
make
is
infrastructure.
Attacks
are
serious.
You
know
the
threat
environment
has
changed.
Perhaps
this
is
only
grown
with
with
iot,
of
course,
I'm
an
iot
person,
so
I'd
have
to
say
that.
K
So
these
are
things
to
think
about
next
slide.
Please
this
last
one
is
a
little
bit
of
an
advertisement
right.
This
was
an
important
document,
I
think
to
do
and
I'd
like
the
community
to
consider
it.
You
know
even
talk
about
it.
I
wish
I
could
be
there
to
talk
with
you
about
it
in
terms
of
how
we
how
we
performed
what
we
could
do
better.
K
You
know
what
we
did
well
right
and,
and
that
threat
model
is,
is
something
we
should
always
stay
focused
on
and
what's
the
next
biggest
problem
and
we've
talked
about
centralization
and
fragmentation
today,
just
a
hint
you'll
be
seeing
a
little
bit
of
a
little
bit
of
work
coming
out
along
the
lines
of
centralizations
real
soon
now
my
priorities
that
I've
taken
on
are
those
three
things
and
I
take
I've
used
them
expansively.
K
If
you
submit
something
as
for
an
independent
submission,
of
course
it
won't
be
as
standard
and
it
won't
have
Community
consensus,
but
that
doesn't
necessarily
mean
it's
uninteresting.
It
might
be
very
interesting
and
I
think
you'll
find
this
document
is,
and
that's
it
thanks
very
much.
K
F
K
B
Well,
one
minute
for
open
mic,
no
I
think
you
had
enough.
Okay!
Thank
you.
Everybody
for
the
session,
everybody
who
was
on
the
stage
contributing,
but
also
provided
feedback
to
us,
see
you
next
time.