On 5 November 2016 at 03:08, Karl Auerbach <karl@cavebear.com> wrote: walking chains of references is mind numbing, but it what web browsers do

all the time (as I mentioned, often hundreds of times a minute for each separate user's web browser) and also what DNSSEC user software can do within milliseconds.

​I consider myself a not-unsophistcated user of Internet-access software, to the point that I serve as informal tech support for ​far more people than I'd like. ​The page that Google Chrome provides when it's confused by a certificate instance is as oppressive as​ the Blue Screen of Death. The other browsers are even worse. We're generations away from the level of simplicity that would be needed to eliminate web-based scammers by digitally flagging them as such. ​ICANN has an interesst in accelerating this progress, for the sake of public trust and stability, but it certainly ought not to do this itself. That's what I meant by being part of alliances rather than engage in mission creep. ​

IGO name protection is not a DNS issue; it ought to be far outside ICANN's scope.

​Ought to, sure, but it's way too late​ for that debate now. ICANN got itself sucked into name protection long ago, and that can't be undone. So now telling the world that coke.foo needs (and has) elaborate protection mechamisms (even going beyond global trademark norms), but that redcross.foo has none of those protections and won't ever get them, is not an exercise in trust-building. And, as a non-treaty organization, ICANN is highly dependent on public trust. Unfortunately, thanks to choices already made by ICANN, the challenges here have been irreversibly rendered political rather than technical. And "Let them eat SSL" does not make for a winning political strategy. ​- Evan​