> The really hard, unsolvable part is the unwillingness of the browser vendors to support an alternative domain name system. If Chrome, Firefox, and Safari all supported a new TLD outside of ICANN's control as a public service (let's call it "Let's Resolve" which would offer free domains and would be funded through donations), it would be very successful.
Not sure I understand your proposal. Say every single browser in the world supports Let's Resolve. byuu.org is registered with ICANN; but someone now wants to register byuu.org with Let's Resolve. Do you let them? What about the other way round? And what if someone attempts to register byuu.org with ICANN, while another attempts to register byuu.org with Let's Resolve at the same time, causing a race. Who wins?
Also, unique, meaningful and memorable identifiers are a scarce resource. Offering free domains just open up the floodgate of squatting and hoarding (at unprecedented ease).
Edit: Parent suggested a new TLD; I read it as a whole alternative system. Well, the new TLD idea was already implemented as .bit AFAIK, and it's pretty crap.
You probably need a system that allows both roots to function together. Maybe a different URL scheme:
http: and https: use ICANN, httplr: and httplrs: use LR
If not specified, browser tries LR first, then falls back on ICANN.
Doesn't feel as solid to me, but they could also register a placeholder TLD that would be use for redirecting requests to LR, or the other way around:
google.com.lrns would tell the browser to resolve google.com in the LR root (hardcoded), or google.com.icann would tell the browser to resolve google.com in the ICANN root. When falling back from one to the other, the browser would display the hostname with the fallback TLD on it.
Just some ideas off the top of my head, I haven't fully considered the implications yet.
As stated by another person, yeah I'd want it to not overlap with the existing ICANN TLDs. Not too hard to do, and we could fix one of the bigger annoyances of DNS and correct the ordering: bsnes.byuu.org -> #newtld.byuu.bsnes, for example could work, or even just #byuu -> #byuu.bsnes and only have a sole TLD for it.
I don't know how we stop squatters, maybe a one-time registration fee would be reasonable, but that would be discriminatory as $100 would be trivial for developers in the US, and impossible for service workers in Mozambique that just want a personal website.
It's not as though .com/.net/.org (and heck, even a lot of the new gTLDs) aren't absolutely filled to the brim with squatters already.
I mentioned Handshake in another comment. It has a good method for mitigating squatters. Names are won through a vickrey auction so they go to the highest bidder, and your funds are locked up for the duration of the auction (2 weeks) so it inhibits squatters from bidding on all the good names at once.
I think by "TLD outside of ICANN's control", GP meant a unique TLD that (currently) does not exist under ICANN. So it's not going to be byuu.org under ICANN vs byuu.org under LR, it's going to be byuu.lr (under LR) versus byuu.org (under ICANN)?
I agree. As long as there's scarcity, there's someone trying to exploit it.
I think it could be better to just accept that unique global names are not a great idea, and start identifying parties by certificates rather than name. Various chain of trust & reputation type arrangements can be used to ensure people won't confuse Their Bank (certificate issued by/for Their Bank) for Their Bank (certificate issued by & for scammer in Ukraine). Legit entities will have every reason to include information that minimizes likelihood of confusion.
Come on, I can have more than one James Smith in my phone's contact book too.. let's stop fighting over names.
> Various chain of trust & reputation type arrangements
The problem of course is that as you said, you still need authorities or a chain of authorities to tell you which one is the genuine Debian and which ones are trying to shove malware onto your machines. Today we go to debian.org, see the valid TLS cert, and assuming there’s no fraudulent issuance of debian.org cert and no attacker injected their cert into our device CA store, we can be reasonably sure the PGP key listed there is genuine.
You only need to look at .onion to see how well the keys without authorities idea turned out.
I don't have a problem with having authorities as long as we can choose which ones to trust (and have limitations on the scope of their authority), and form our own as necessary.
For example, I'll be happy to add and pin my government's authority for the services that they control. I'll be happy to add a group of FLOSS hobbyists issuing certs for open source projects, as long as they are transparent and can demonstrate that they have a handle on security. In both cases, there must be some way to limit the scope of their authority, and ideally do things like pinning the authority so that one can't sneakily take over the other in an attack that results from e.g. misconfigured scope.
I think establishing identity is something that we should learn to do. When John Smith gives me his phone number, I'm probably looking at his face and I know which John it is that is giving me their number. I should also be able to go to my bank and get their cert when I sign up for an account & credit card. I'd like to have additional confirmation of their identity (-> reputation) e.g. from my government, but I don't know if I want them to be automatically trusted just because there happens to be a chain that checks out.
If I'm looking at some entity that I cannot meet in person, I should be able to see who have vouched for their cert and make a judgement based on that.
Kinda like PGP I guess, at a larger scale and with better infrastructure (geek signing parties and wide open keyservers are not good enough). The system does not need to be centralized.
It should be possible to have certs signed by multiple parties, to help establish trust without having everyone agree on a single source of trust. (At this point, I'd like to use a term that sounds smaller and less powerful than authority)
I'm not particularly happy with the model where the chain of trust in every case is established starting at some international megacorps that do who know what, and countless issuers are directly or indirectly "trusted" from the get-go until someone points out their abuse and removes their certs.
The hope is to get a non-corrupt TLD in place that won't raise prices on you with no caps (and if possible while we're at it, won't charge you for certificate signing.) Ideally, a real winner would be a pay-once, own-for-life (say 100 years) TLD. I might be willing to drop $500 on a domain I know I'll never have to remember to renew.
Not sure I understand your proposal. Say every single browser in the world supports Let's Resolve. byuu.org is registered with ICANN; but someone now wants to register byuu.org with Let's Resolve. Do you let them? What about the other way round? And what if someone attempts to register byuu.org with ICANN, while another attempts to register byuu.org with Let's Resolve at the same time, causing a race. Who wins?
Also, unique, meaningful and memorable identifiers are a scarce resource. Offering free domains just open up the floodgate of squatting and hoarding (at unprecedented ease).
Edit: Parent suggested a new TLD; I read it as a whole alternative system. Well, the new TLD idea was already implemented as .bit AFAIK, and it's pretty crap.