Re: [Ianaplan] [CWG-Stewardship] ICG request concerning IANA trademark and iana.org domain name

[John C Klensin <john-ietf@jck.com>]

--On Saturday, June 20, 2015 14:46 -0700 Dave Crocker
<dhc@dcrocker.net> wrote:

> On 6/20/2015 2:40 PM, Marc Blanchet wrote:
>> so you are in some ways saying that the 3 organisations should
>> « co-own » the trademark and provide a license to ICANN/PTI
>> for its use?
 
> I was careful not to suggest a solution, nevermind not
> suggesting that one.

Same disclaimer, amplified by my reaction to the part of Marc's
note that Dave didn't quote:

>> Looks like more towards the IETF trust
>> owning the trademark, as it was discussed before.

Let me see if I can restate the problem in a way that is closer
to the way we talk about and analyze protocols.  From that point
of view, this --whether there is a problem or not and what
responses are appropriate if there is-- is entirely about trust
and threat models.  In order to develop those models, let's try
to go back to where this set of discussions more or less started
and remember two very important things:

 (1) While IANA has three natural constituencies (or customers)
that, for convenience, we've been calling the protocol,
address/numbers, and names communities (obviously not
necessarily in that order), the various organizations,
constituencies, putative stakeholders, etc., who make up ICANN
is a much more complicated picture with the ICANN customers not
even being a proper subset.

 (2) The present situation is one in which the parties don't
really need to trust each other if they assume that, were
something sufficiently egregious and harmful to the Internet to
be proposed or occur, NTIA would step in and apply some sort of
correction.  That obviously requires trusting the US Government
to be responsive and exercise good sense.  There have been
sufficiently few serious problems, at least since the first
three or four years of ICANN's existence, that we can't prove
that would occur (or that it would not).  Still, it appears to
have been a reasonable hypothesis, complemented by the equally
plausible one that some tendencies toward bad behavior have been
deterred by the possibility of the US Government stepping in.

The "IETF Trust owns the trademark and domain name" approach
requires that everyone trust the IETF and the IETF Trust.  Seems
reasonable to me, but know the folks who make up that body and
the mechanisms we have in place to prevent those people from
getting out of control.  I also share the norms of the IETF
community about what is good for the Internet (and the
assumption that "the good of the Internet" is a primary
objective) that the IETF Trust presumably does as well.
Someone with roots in one of those other ICANN constituencies,
or in a part of the names community that has different
objectives, might trust them less, especially (for example) if
they were concerned that some future IETF or IETF Trust might
use the IANA domain or trademark as a control point to enforce a
much more conservative policy toward delegation of confusing
combinations of names than whatever policy the ICANN names
community and name-marketing efforts were inclined to use at the
time.

Similarly, while having the name and domain jointly owned by the
three customer groups and licensed back to ICANN seems obvious,
it requires that other ICANN constituencies (and others more
generally) trust those three actors about everything the
constituencies care about that might interact with those names
(or those names and IANA itself used as a leverage point) and
that the three customer groups trust each other and believe that
the risk of two of the three outvoting the other one on a policy
that might prove adverse is acceptable.

One could invent other scenarios, but each one would pose a
different set of "who needs to trust whom" questions.

If one makes the assumption that all of the groups involved
agree about objectives and priorities and can be trusted to act
positively and in good faith for all time, then the distinctions
above (and others that are under discussion) make no difference:
there will be no egregiously bad acts and either there will be
no problems or they will be easily sorted out.   My experience
with ICANN and its assorted elements and constituencies in the
last 16 years or so suggests that would be a really bad
assumption, but YMMD.

That brings us back to Dave's question and point...

> Within the IETF, the preference has been to say that there is
> no problem, or that it isn't worth attending to.  I'm
> addressing that.

I'm not sure that has been the preference, even though it is
clear that, even if it is not, some conditions have led to a
"don't react strongly" response or lack thereof.

> Before we can worry about how to deal with this, we have to
> agree that it needs to be dealt with.

Yep.  Let me suggest that it does.  With the understanding that
my conclusion is based on my trust model which, as you know,
falls somewhere between "trust no one" and "clear organizational
models, like good fences, make good neighbors".  

First, as I've said on this list before, I don't like the whole
PTI model.  As others have pointed out, as long as PTI is an
ICANN subsidiary, overseen by people a majority of whom are
selected by ICANN, it may be desirable symbolically (more so for
the names community and maybe others than for the IETF and
probably the RIRs), but, should there be a real issue with
ICANN, I'm still unconvinced that it will accomplish anything
positive.  More important, it adds the sort of complexity that
makes it harder to identify an actual responsible party/entity
and hold it (or them) accountable.  Again, if there are never
any problems then it doesn't make any difference other than,
probably, more administrative overhead and an excuse to make
ICANN even bigger.  But, if there were, we have ambiguities in
which PTI management can blame ICANN management for not
supplying enough resources, ICANN management can blame the PTI
Board and management for not managing available resources well,
everyone can blame the ICANN Board for not providing adequate
oversight and, while that finger-pointing is going on, no one is
accountable and problems don't get solved.

As one example that could be very important to the IETF, we are
mostly moving forward without considering IPR rights in the
registries to be a big issue because we got very strong
commitments from NTIA personnel 16 or so years ago that it
wasn't going to be an issue and effectively incorporated those
commitments as requirements into the MOU.  Those commitments
that have been repeated in recent months by important ICANN
officers.  I'm concerned enough about getting the details locked
down that I'd prefer to have that in writing as part of the
transition agreement but that still depends on trust because,
before or after bylaws changes, ICANN leadership  could try to
unilaterally repudiate the commitments.  Is that worth worrying
about?  I don't know.  But, if the creation of PTI creates a new
entity that can make claims on IPR in the registries and their
contents, then the commitments and restrictions we need increase
and we need to trust an entity that has never existed before
(and that is more insulated from real accountability than ICANN
is) to not try to undo things to our disadvantage.

The same sort of reasoning applies to the domain name and
trademark issues, especially if there are claims (or even a
risk) of requirements for licenses from PTI to the IETF (and
others).  It shifts us from arrangements that have never been an
issue (and that we think are guaranteed by long-term precedent
as well as the potential for NTIA intervention), to one in which
there is potential to have to negotiate with a new body that
might, e.g., eventually decide that use of names was a leverage
point or revenue opportunity.   I don't think either of those
outcomes is terribly likely, but don't see any convincing reason
why IETF (or the RIRs) should assume either the risk or the
costs of trying to figure out how to define PTI (generally or
wrt this particular set of issues) with agreements that would
leave us protected against both future nonsense and the
potential for finger-pointing instead of solution-seeking if
there is an actual problem.

I still believe that IETF's most important protection is the
ability to walk away from ICANN (or PTI)-managed IANA if things
were to get sufficiently bad.  But, unless we reach the point
where these discussions become sufficiently burdensome that
walking away is the right alternative for the IETF community
(rather than continuing to discuss and tune procedures or run
the risks of not doing so), it seems necessary to try to arrange
things so that we do not need to pull that particular plug.

A month or two ago, I didn't see much point in PTI.  I saw some
risks but felt that it was appropriate for the IETF to be
flexible about the PTI idea as long as the (at that time)
missing details didn't create new problems or drag us into
situations that would make our environment significantly more
difficult without adding clear value.  Now we have with this
trademark and domain issue, including the claim of exclusivity,
and a sense that PTI isn't an names-only issue but something
that is necessarily proposed to be imposed on all three customer
groups and the broader community.  I therefore think the IETF
should go on record as clearly opposed to the PTI concept as
unnecessarily complicated and increasing the risks that a
transition that includes it will turn out to cause serious
problems.  I am mindful of Milton's "PTI or no transition"
prediction but it seems to me that we should not allow real or
imagined issues in the names community to force us into a
situation that we think may be damaging.

best,
    john