<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)"><span style="font-family:arial,sans-serif;color:rgb(34,34,34)">On 5 November 2016 at 03:08, Karl Auerbach </span><span dir="ltr" style="font-family:arial,sans-serif;color:rgb(34,34,34)"><<a href="mailto:karl@cavebear.com" target="_blank">karl@cavebear.com</a>></span><span style="font-family:arial,sans-serif;color:rgb(34,34,34)"> wrote:</span><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)"><span style="font-family:arial,sans-serif;color:rgb(34,34,34)"><br></span></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="gmail-">
<div class="gmail-m_-3651034605408707703moz-cite-prefix">walking chains of references is mind numbing, but it what web
browsers do all the time (as I mentioned, often hundreds of times a
minute for each separate user's web browser) and also what DNSSEC
user software can do within milliseconds.<br></div></span></div></blockquote><div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)">I consider myself a not-unsophistcated user of Internet-access software, to the point that I serve as informal tech support for far more people than I'd like.</div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)">The page that Google Chrome provides when it's confused by a certificate instance is as oppressive as the Blue Screen of Death. The other browsers are even worse. We're generations away from the level of simplicity that would be needed to eliminate web-based scammers by digitally flagging them as such.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)">ICANN has an interesst in accelerating this progress, for the sake of public trust and stability, but it certainly ought not to do this itself. That's what I meant by being part of alliances rather than engage in mission creep.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)"></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">IGO name protection is not a DNS issue; it ought to be far outside
ICANN's scope.</div></blockquote><div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)">Ought to, sure, but it's way too late for that debate now. ICANN got itself sucked into name protection long ago, and that can't be undone. So now telling the world that coke.foo needs (and has) elaborate protection mechamisms (even going beyond global trademark norms), but that redcross.foo has none of those protections and won't ever get them, is not an exercise in trust-building. And, as a non-treaty organization, ICANN is highly dependent on public trust.</div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)">Unfortunately, thanks to choices already made by ICANN, the challenges here have been irreversibly rendered political rather than technical. And "Let them eat SSL" does not make for a winning political strategy.</div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(11,83,148)">- Evan</div><br></div></div>
</div></div>