Ben Laurie blathering

27 Jun 2008

ICANN Create Domain Cash Cow

Filed under: Rants — Ben @ 12:45

Back when I used to serve on Nominet’s Policy Advisory Board, I used to find myself regularly arguing against the creation of new subdomains under .uk. Why? Because the only point I can actually see for creating a new subdomain is so that the registrars can make a huge pile of money while everyone scrambles to register in the new domain in order to protect their brand names.

Does anyone else benefit in any way? No. The registrants do not benefit: they already had domain names, they didn’t need any more. The public do not benefit: one domain name is quite sufficient for any Internet service.

So, given the complete pointlessness of doing this, I am not in the slightest surprised to hear that that most pointless of organisations, ICANN, has decided to allow approximately a zillion new TLDs.

In their usual egotistical style, they bill this piece of stupidity as…

Biggest Expansion to Internet in Forty Years Approved for Implementation

The only thing this expands is the wallets of registrars and, presumably, ICANN’s coffers. The Internet itself is not expanded one iota by this dumb move.

I guess the interesting thing to watch here is who manages to figure out the best TLDs to persuade people they need to register to protect themselves. “.trademark” sounds promising to me. “.name” would also be good. I invite your suggestions – perhaps we should form a consortium to register them, too.

Think I can get .ben? That would be cool.

24 Jun 2008

Information Card Foundation Launched

Yet another industry alliance launches today: the Information Card Foundation (yes, I know that’s currently a holding page: as always, the Americans think June 24th starts when they wake up).

I have agreed to be a “Community Steering Member”, which means I sit on the board and get a vote on what the ICF does. Weirdly, I am also representing Google on the ICF board. I guess I brought that on myself.

I am not super-happy with the ICF’s IPR policy, though it is slightly better than the OpenID Foundation’s. I had hoped to get that fixed before launch, but there’s only so many legal reviews the various founders could put up with at short notice, so I will have to continue to tinker post-launch.

It is also far from clear how sincere Microsoft are about all this. Will they behave, or will they be up to their usual shenanigans? We shall see (though the adoption of a fantastically weak IPR policy is not the best of starts)! And on that note, I still wait for any sign of movement at all on the technology Microsoft acquired from Credentica – which they have kinda, sorta, maybe committed to making generally available. This is key, IMO, to the next generation of identity management systems and will only flourish if people can freely experiment with it. So what are they waiting for?

(More news reports than you can shake a stick at.)

22 Jun 2008

Can Haz Blogroll

Filed under: General — Ben @ 13:41

I’ve been meaning to put one of these up for years. Literally.

Anyway, I finally got around to it.

20 Jun 2008

Using OpenID Responsibly

Filed under: Identity Management,Security — Ben @ 12:46

Some guy called Thomas asks the very reasonable question (where “this problem” is the OpenID phishing problem):

Too much of all of this discussion around OpenID focuses around whether or not it’s OpenID’s job to solve this problem, whether it is insecure, whether it promotes phishing, and so on. But none of the discussion focuses on what you should actually *do* when you care about making it easy for people to use your site while keeping security good enough.

Someone smart on the topic care to tell me what I should be doing as a website maker, and as a potential OpenID user on other websites?

So, the answer to this is: you should only accept OpenID logins from providers that use unphishable authentication. How can you know what authentication they use? Well, right now you can’t, but a group of us are about to work on the OpenID Provider Authentication Policy Extension (a.k.a. PAPE) which will enable you to find out.

Until then, my answer continues to be “just say no”, if you are a website maker. If you are an OpenID user, then the answer is to find a provider that supports unphishable authentication – at least you will be safe, even if the rest of the world continues to suffer.
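
One way a relying party could apply this once providers send PAPE responses, as an added example that is not from the original post: it accepts a positive assertion only when the provider's signed PAPE fields claim the phishing-resistant policy. The parameter names and URIs follow PAPE 1.0 as later published; the function names and sample messages are constructed for illustration, and the normal OpenID signature verification is assumed to have already succeeded.

```python
# Added example: relying-party check on a PAPE response. Identifiers follow
# PAPE 1.0 as published (assumption; the post predates the final spec).
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"


def pape_alias(params):
    """Return the alias the provider bound to the PAPE namespace, or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def check_pape(params):
    """Return (accepted, reason) for a positive assertion.

    `params` holds the openid.* fields of an assertion whose signature has
    already been verified; this function does not verify the signature.
    """
    alias = pape_alias(params)
    if alias is None:
        return False, "no PAPE response"
    signed = set(params.get("openid.signed", "").split(","))
    # Fields missing from openid.signed could have been added in transit.
    if not {"ns." + alias, alias + ".auth_policies"} <= signed:
        return False, "PAPE fields not signed"
    policies = params.get("openid." + alias + ".auth_policies", "").split()
    if PHISHING_RESISTANT not in policies:
        return False, "phishing-resistant policy not asserted"
    return True, "ok"


# Constructed sample assertions (not captured traffic); only relevant fields shown.
_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
GOOD = {
    "openid.ns.p1": PAPE_NS,
    "openid.p1.auth_policies": PHISHING_RESISTANT,
    "openid.signed": _SIGNED + ",ns.p1,p1.auth_policies",
}
UNSIGNED = dict(GOOD, **{"openid.signed": _SIGNED})
WEAK = dict(GOOD, **{"openid.p1.auth_policies":
                     "http://schemas.openid.net/pape/policies/2007/06/multi-factor"})
NO_PAPE = {"openid.signed": _SIGNED}

if __name__ == "__main__":
    for name in ("GOOD", "UNSIGNED", "WEAK", "NO_PAPE"):
        print(name, check_pape(globals()[name]))
```

The policy is a claim made by the provider, so the check is only as good as the site's reason to believe that provider reports its authentication method honestly.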

19 Jun 2008

FF3: Better Late Than Never

Filed under: Open Source — Ben @ 14:38

Apparently there’s a launch party for Firefox 3 in London, open to all. Tonight.
