Upcoming CIRA election, my thoughts on policy directions

Earlier I wrote about my first election campaign, for CIRA. Tomorrow (Sept 20th) there is an online town hall. If you are a CIRA member (cira.ca/memberships) you will get a link to the forum when it opens.

Are you a member? Check here.

So I started putting together my thoughts. CIRA is the (DNS) registration authority, and in turn a set of registrars sell you “my-cats-name.ca”. But it is also a vehicle to influence Internet policy in Canada, and has some money through its community investment program to foster those policies. So what are the policies I would like to influence?

I think that driving towards a goal of 100% encryption (TLS) is a good one. To this end I would create a measurement (perhaps via a partnership with Shodan.io) that showed what percentage of .ca domains are TLS-enabled:

  1. By default (e.g. http://domain does a 308 to https://domain, serves nothing else)
  2. Partially (e.g. some content is encrypted, some not)
  3. Not at all

In addition I would call out those who have, and do not have, CAA records. This is a very simple and useful backstop against something going wrong at a certificate authority (CA), since a CAA record names which CAs may issue certificates for the domain.
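One way the measurement described above could sort domains into the three TLS classes and list those without CAA records, as an added example (not part of the original post and not CIRA tooling). The probe record fields, function names and `.example` sample data are assumptions constructed for illustration; a real survey would fill the records from live HTTP and DNS queries.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 307, 308}
# Subresources fetched over plain HTTP from an HTTPS page (mixed content).
MIXED = re.compile(r'''\bsrc\s*=\s*["']http://''', re.I)
CAA_RDATA = re.compile(r'\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*')

def classify_tls(domain, result):
    """Return 'default', 'partial' or 'none' for one probed domain."""
    if not result["https_ok"]:
        return "none"
    target = urlsplit(result["http_location"] or "")
    redirected = (result["http_status"] in REDIRECTS
                  and target.scheme == "https"
                  and target.hostname in (domain, "www." + domain))
    if redirected and not MIXED.search(result["https_body"]):
        return "default"
    return "partial"  # HTTPS works, but plain HTTP still serves or loads content

def caa_issuers(rdatas):
    """Return the CA names from the 'issue' properties of CAA RDATA strings."""
    issuers = set()
    for rdata in rdatas:
        m = CAA_RDATA.fullmatch(rdata)
        if m and m.group(2).lower() == "issue":
            name = m.group(3).split(";")[0].strip()
            if name:  # an empty value means "no CA may issue"
                issuers.add(name.lower())
    return issuers

def report(probes):
    """Percentage of domains per TLS class, and the domains with no CAA record."""
    counts = Counter(classify_tls(d, p) for d, p in probes.items())
    pct = {k: round(100 * counts[k] / len(probes), 1)
           for k in ("default", "partial", "none")}
    return pct, sorted(d for d, p in probes.items() if not p["caa"])

def make_probe(status, location, https_ok, body, caa):
    return {"http_status": status, "http_location": location,
            "https_ok": https_ok, "https_body": body, "caa": caa}

# Constructed sample results, not real measurements.
SAMPLE = {
    "alpha.example": make_probe(308, "https://alpha.example/", True,
                                '<img src="/logo.png">', ['0 issue "letsencrypt.org"']),
    "bravo.example": make_probe(200, None, True, "<p>hi</p>", []),
    "charlie.example": make_probe(301, "https://www.charlie.example/", True,
                                  '<script src="http://cdn.example/x.js"></script>', []),
    "delta.example": make_probe(200, None, False, "", ['0 issue "ca.example"']),
}
```

Calling `report(SAMPLE)` returns the per-class percentages and the sorted list of domains that publish no CAA record, which is the data a public chart over time would be built from.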

I would encourage all the registrars to support the dns-01 challenge type for ACME (e.g. Let’s Encrypt), and call them out specifically by their level of support:

  1. Via API
  2. Via UI
  3. Not at all

This would let the ‘invisible hand’ do its work: users would select registrars that had an API for DNS-01, since it would allow repeatable, automatable use of TLS for all sub-domains. A public chart of these three categories over time, with a list of the names in category 3 (not at all), would do wonders, I think.

A partnership with, and support for, Let’s Encrypt, would also be useful. Making .ca domains ‘secure-by-default’ and ‘secure-easily’ would be a great goal. If every registrar ‘just worked’ with Let’s Encrypt that would be a great outcome.

On the note of TLS encryption, recently I’ve written of my conversion to TLS-based DNS. And of course I use DNSSEC (which CIRA broadly rolled out in 2014). So similarly I would encourage the registrars to support DNSSEC (with similar public metrics) and the recursive resolvers to support DNS over TLS. The majority of consumers use the recursive resolver of their ISP, so it would only take a few ISPs adding support before we would have a significant positive impact.

On the other note of cyber-security, DNS and identity (human identity) come to mind. Consider a spear-phishing attack. Let’s say I register ‘rbc_.ca’ and I spear-phish you with this. We should be able to assist law enforcement in finding who registered that domain. This means knowing, in a difficult-to-spoof way, who is on the other end. It can’t be just PayPal or a stolen credit card. This is tricky; there are privacy issues involved as well. But ultimately I believe that the true identity must be knowable. Similarly, there is the hot topic of external election influence. If someone registers a site which is promoting a political view or direction in Canada, and it’s part of the political process, we should be able to trace back who that is if needed.

I think that data becomes much more valuable when it is accessible and cross-joinable. To this end I would encourage all of the community investment projects, and CIRA’s own data, to participate in the Canadian Open Data Exchange, to make data sets publicly accessible.

