At the DC workshop, the Q&A is going on as I type this. Verisign is being grilled about their "user survey." Verisign tries to spin Sitefinder as a pro-user service that was accepted well. SECSAC members are raising doubts about what kinds of questions were asked, and are trying to drill down to what was actually asked. Verisign refuses to release the questions asked, though.
I've submitted two questions to the SECSAC's comment address. Both were read; thanks!
- How many of the respondents to the surveys quoted (which included users from Germany and China) do not speak English?
Answer: "don't know." I'm actually starting to wonder what language was used for the survey questions in these countries.
- Verisign says it does not use the wildcard to collect personal data. What about the third-party (Overture) web bug placed on the Sitefinder site?
Answer: Web bug exists. Planning to do minimum information only. (?) Opt-out? No. Consistent with privacy practices. Crocker explicitly speechless.
Some interesting discussion between Crocker and Verisign people on whether this is a registry service change. Crocker insists that the core of the registry function was changed. Gomes emphasizes RFC compliance. Counsel to Verisign steps in and notes that some terminology ("registry service") is loaded with legal meaning.
Several people ask why a user survey is thought to be relevant for security and stability and presented at this meeting. No conclusive answer.
Question about service survey conducted -- can Verisign make data available? Answer: Results are in the slides; data are proprietary.
Closing question from Rick Wesson: Further undisclosed testing with non-delegation records? Long silence. "If move forward, testing needed, to provide secure and stable service." Crocker: Good. Rick: No. Crocker: Good that we understand situation.