Internet Infrastructure Ignorance
While at Internet Identity Workshop 2005 this past week, one of the interesting issues that came up several times related to name spaces. Specifically, there were numerous times where people voiced their opinions about how name spaces "should" map onto the Internet, and they used DNS as an example of how things "should" be. The problem is that they demonstrated, by their words and arguments, that they were ignorant of how DNS works. The infrastructure of the Internet has become so transparent, that it seems to me people have begun to make gross assumptions about it's architecture, and this is what is the root of many of the security and privacy issues that we are seeing today.
I was looking forward to the presentation by Drummond Reed about XRI/XDI. One of my concerns in any solid digital identity solution is the freedom to choose. I am not a big believer in compulsory community membership, but instead believe that true freedom is represented by our ability to move in and out of various communities at will, and to create new communities as we want. I really like this thought from "The Meaning of Life - Part II":
Groups also serve as symbols in the social world. Groups with different beliefs than your group provide you with viewpoints you wouldn't have otherwise considered. They also represent parts of your own mind that you are not focusing on. However, if you fear those parts of your mind, this representation can degenerate into projection, which is a bad thing.What does this have to do with DNS and digital identity? It is that I want the freedom to NOT have one name, one identity, or one reference across all communities. Yes, there might be some places where I would benefit from some level of federation. At Internet Identity Workshop 2005 I actually saw where OpenID is intended to not only provide Single Sign-On, but also is specifically designed to cause a level of federation across web sites. I DO NOT want this to be a requirement. I am ok with it being an option. It is this flexibility that I believe will allow a particular solution to become successful and ubiquitous.
So ... I really wanted to hear more about XRI/XDI and i-Names because I specifically wanted to learn if they were going to try to "root" the entire name space into one fixed community. My real question was: "Is XRI/XDI yet another Internet 'tax' like Domain Names (DNS), where you have to pay some entity on an annual basis to use the value of the technology?" Or, was XRI/XDI simply one solution that could be "rooted" anywhere, and allow for the emergence of various communites to use the technology, and have the naming relative to the community. To my relief, the latter was true. XRI/XDI is based on specified root servers, and so naming resolution is based on what root servers you choose. In the end, what this means is that my i-Name is only relative to the community. It is not necessarily a globally unique identifier for me. It also means that any community can set up their own root servers, and create name spaces of their own. In the end this means that =drummond.reed only refers to Drummond within the context of a particular community! Bingo! I like it!
What shocked me was the almost immediate upset expressed by numerous people at the conference. They wanted these names to be absolutely globally unique . .. so that no one would ever be able to get "my" name, and there would never be any ambiguity about who was being referred to by an i-Name. I fully understand the desire, however what shocked me was the references to DNS as having this characteristic! People actually believe that DNS provides an absolute unique identifier in any context! The DNS system has become so transparent, and ubiquitous that people no longer realize that it is simply one community for naming on the Internet ... and there is nothing locking people into using it. These people do not seem to realize that I can set up my own root servers, and resolve and DNS name to any IP address that I like! In fact, I'm quite surprised that the Open Source community has not stepped up to revolt against the "Intenet tax" imposed by ICANN and re-ignited the efforts of OpenNIC, AlterNIC, and many of the other early pioneers in creating a truly free naming system on the Internet.
DNS naming only works because our servers, workstations and laptops all obey the rules, and the default configurations imposed on us by our Operating Systems, ISPs, and DHCP servers. Anyone who has installed a DNS server could easily find the default InterNIC root server list in one of the files on their system ... /var/named/named.ca on my Fedora Core 4 install. I could go into my DNS server and define "www.amazon.com" to be any IP address that I want. If you then happened to route through my DNS server (by being on my network) then you would get *my* name resolution ... not InterNICs. If I was an ISP, or even an Internet Cafe, there is little that you could do, and in fact you would most likely just trust that the DNS server you were using was trustworthy. Another common hack used by trojan horses on the net is to modify your local hosts file. Most all systems have a hosts file that will resolve naming on your local machine without requiring DNS at all! If I put an entry in your hosts file for "www.amazon.com" then it will never even use DNS to attempt to resolve the name correctly.
There is nothing in DNS that stops me from adding other root servers, and creating my own free Top Level Domains (TLDs). It is only because people just fall in line with the DNS configuration that it works. It is only because we allow our machines to automatically join the ICANN community. It is only because of our ignorance and lack of education about how all of this works that we think that DNS names are globally unique in all situations. DNS names, and all naming, are the products of specific communities or contexts. Although these communities might grow to be so large that we can't seem to see anything else, there still is the something else. I actually like it that way.