[gnso-acc-sgb] Distributed certification ?
- To: gnso-acc-sgb@xxxxxxxxx
- Subject: [gnso-acc-sgb] Distributed certification ?
- From: "Bertrand de La Chapelle" <bdelachapelle@xxxxxxxxx>
- Date: Mon, 14 May 2007 13:54:50 +0200
Dear all,
Following Milton's request during our last conference call, just a few
elements regarding the notion of a possible "distributed certification"
approach. (Note : This is just a contribution to framing the debate in terms
of logic rather than a formally elaborated proposal from France).
Any certification scheme faces the same conundrum : how to organize
certification in a flexible and at the same time verifiable/enforceable
manner :
- strongly centralized and formalized mechanisms with a priori evaluation of
applicants (whoever is agreed they should be) are more easily verifiable and
provide more enforceable requirements; but they are not very flexible and
responsive;
- self-certification with a posteriori verification is potentially very
flexible but opens up a lot of loopholes (as mentioned in various posts)
and probably does not provide sufficient enforceability.
In addition, as the example of local LEAs illustrates, each category of
possible third parties has a number of layers, according to internal
hierarchies. This goes also for bank headquarters and bank branches for
instance. This probably calls for chains of certifications rather than
single, centralized mechanisms.
Moreover, it seems that the different categories of actors do not have the
same needs in terms of technical modalities of access and types of data
treatment. And there maybe is not a single regime that provides the best
solution for all. In any case, nobody has argued that WHOIS is the single
tool to support the "legitimate activities" mentioned in the GAC's
principles (see separate post on the GAC's position).
Isn't it worth therefore exploring a notion of "distributed certification
regimes" ? The analogy here is the DNS itself, with the existence of
different TLDs with different requirements for registration and the layered
structure of registries, registrars and registrants.
Different networks could be put in place progressively to address certain
types of threats or needs, with specific certification procedures, the level
of control of which would depend on the level of access (full bulk
data-mining capacity or mere single query web-based access for instance).
Master certificators could have the possibility under certain rules to
sub-accredit some actors they are regularly working with and have the
possibility to monitor in a certain way.
Specific access systems (for instance web-based) could be designed for the
different needs by the different communities. We could think of an analogy :
university libraries provide extensive access to copyrighted material under
specific agreements with publishers and with their own accreditation
procedures. This allows both good quality access to scholars and the respect
of copyrights. We seem to treat whois services as if the only option were
full access or no access. This does not take into account the incredible
flexibility in terms of treatment available for digital data.
Finally, the question of monitoring (appropriate traceability of usage for
instance, as was mentioned during the call) might be a key component to
guarantee enforceability of provisions for certification and to suppress
accreditation in case of abuse.
This is just a suggestion and it's up to the group to evaluate whether it is
an interesting possibility to explore. And apologies again if as a late
coming observer, I propose ideas that have already been explored and
discarded in the past.
Best
Bertrand
--
____________________
Bertrand de La Chapelle
Délégué Spécial pour la Société de l'Information / Special Envoy for the
Information Society
Ministère des Affaires Etrangères / French Ministry of Foreign Affairs
Tel : +33 (0)6 11 88 33 32
"Le plus beau métier des hommes, c'est d'unir les hommes" Antoine de Saint
Exupéry
("there is no better mission for humans than uniting humans")