Widely known as one of the “Fathers of the Internet,” Vint Cerf is the co-designer of the TCP/IP protocols. He serves as chairman of the board of the Internet Corporation for Assigned Names and Numbers (ICANN) and was founding president of the Internet Society as well as honorary chairman of
the IPv6 Forum.
Today, Cerf is the chief Internet strategist for MCI WorldCom. His latest
pet project is called the Interplanetary Network (IPN), a NASA-supported
project that aims to create an Internet that reaches into space.
Internetnews.com sat down with Cerf during a recent E-mail
Technology show to talk about what companies can do about spam, Internet
security and IPv6.
Q: What advice do you give companies with regard to the future of
the Internet?
There are side effects of international domain names and multilingual
content and it’s already starting to be clear that we don’t have a good
handle on that. For example, the Germans are using umlauts [two dots above a
vowel] in their domain names, which sometimes are mapped into Cyrillic
[Russian Alphabet] Unicode.
The problem here is that the text representations that are going on
internally are not Unicode representations. They are 8-bit maps from the
Unicode set. And so by extracting from the Unicode set and then mapping that
into an 8-bit code you have the same glyph represented by two things.
Software that is used today to manipulate text material isn’t fully in
sync with the multilingual environment requiring more than one language or
script in the same message. So we have to start rethinking our MIME
[Multipurpose Internet Mail Extension] code schemes and everything else
because they are now in the scope.
Q: What are your feelings about the controversial “Do-Not-Spam” List?
“From” fields do nothing, for all practical purposes. So that doesn’t
help you a whole lot.
It’s an amazing mark of the gentler time of the origins of the e-mail in
the early 1970s and the homogeneity of the community — when no one thought
that it would be necessary to be assured of the correctness of the “From”
field. So we never put anything in there in the beginning that would
validate that. And of course digital signatures hadn’t been invented yet.
So we now confront the problem of identifying the origins of e-mail. And
you move into the awkward column that you introduce identification and
authenticity of source. That doesn’t inhibit spam necessarily because
someone could legitimately sign up and send spam. And because there is such
a modest cost associated in the sending of spam, the motivation for sending
spam is very high.
There are suggestions by some that people should pay for mail. When we
started MCI mail in 1982, we charged a dollar for each message. Even
[National Review magazine founder] William F. Buckley had an account. We
finally put that system to sleep because it was hard to have a service that
no one else was paying for. The side effect of that is spam.
My guess is that as we increase the use of all communications — not just
e-mail — for commerce, that the need to authenticate source, and validate
integrity of content will increase.
Q: Is the answer white-listing or black-listing?
White-listing — accepting e-mail only from a list of the following
people — is probably as close as you can get to the reasonable practice of
handling the problem. Now we’re seeing kind of white and black lists or
white and gray lists that look at where the e-mail came from and the things
in between are what you painfully manually filter through.
Spam filters that are going in some of those e-mail packages seem to be
remarkably good at detecting that which really is spam.
I don’t think purely technical means are the path best taken. So I’ve
been jokingly suggesting another possibility. As we identify these people
who are sending out these spam e-mails… we resort to public flogging.
Q: Seriously though, who should be responsible for spam? What is the
role of the ISP?
I am unhappy with the thought that an ISP in a literal sense should be
responsible for filtering out spam. First of all, we are running packets at
10 billion bits per second and we can’t look at them that fast, let alone
move them that fast. We get 2 to 3 million spams per day.
What one would want to avoid is some situation where you are held
accountable for not successfully filtering all of the spam out — or
worse — what if you filter something out that wasn’t spam and have someone
sue for damages. This is really a hard problem. You could probably argue
that this is the equivalent of the Turing Halting Problem (defining the
terminating program task). No algorithm that I can fathom can guarantee
something is or is not spam just by looking. In spite of all of that, e-mail
is still potentially a powerful and enabling tool.
Q: And the future of communication?
Probably, we will see more direct applications communicating with each
other communicating in forms other than e-mail.
Because when you Internet-enable a thing, you need to build an efficient
command and control language to manage it. So lots of devices that are on
the Net will use some command and control protocols like SNMP (Simple
Network Management Protocol) or SIP (Session Initiation Protocol) as a
peer-to-peer style interaction. It’s very popular because these are the
ports that are open to get e-mail in and out, whereas lots of ports get open
and closed for a second and secured. Even port 25 is under attack.
The same problem showed up with DNSSEC (DNS security extensions) and
signing the zone files. At the very beginning, not too many are signing
these things so if you see an unsigned packet then you just ignore it and
reject it.
At some point you have to achieve critical mass so quickly that the bulk
of the time that you refuse something or reject it, you are doing so with a
high probability that it is a reasonable position.
Q: What about IPsec?
IPsec is a very good thing to have virtually everywhere. Essentially it
eliminates a whole series of higher layer attacks that you can make in the
absence of cryptographic security. So the TCP hacks that were highlighted
would be completely silenced by that end-to-end communication. The problem
is getting these NAT (Network Address Translation) boxes in the architecture
and the translation of the address space that somehow get in the way.
Getting rid of NATs is part of an important crusade for me and the only way
to get there is to use IPsec. But IPsec is not the only answer. You also have
TLS (Transport Layer Security) transport, SSL or SSH and then
cryptographically signing.
Q: What is your opinion of some of the new hardware/software
combinations like semiconductor manufacturers working with Microsoft’s No
Execute?
It’s an interesting idea. It has the awkward problem that you are bound
to the piece of equipment. And if you ever had an electric book that you
couldn’t move from one laptop to another or you upgraded your equipment and
all of a sudden it’s like losing your wallet and you have to go get
everything re-issued again. There is a binding subtype that is inconvenient
and Americans don’t handle inconvenient very well.
Q: With all of its troubles and critics, has ICANN outlived its
purpose?
We need ICANN. If we were to go back and start over again, we would
still end up with a similar thing. Many of the debates that occur take
political positions without understanding that there is a technology that
has limits.
The standards are too permissive and we need to add procedures to the
registration of domain names to avoid overlap. In the example of the
umlauts, there are two ways to spell the same thing and they mean the same
thing, but you have to make a decision: should I allow two people to
register two treated different representations of the same word? The Germans
map it as distinct. Some other administrations don’t get into that argument.
I’m by no means suggesting that ICANN knows what the answer is to that.
I’m only saying that ICANN is asking people who are going to register in
that way to think their way and hire extra language speakers to determine
whether a restriction on a reservation would be advisable.
Q: Will the boom times ever return?
I feel like we just barely scratched the surface. With Tim Berners-Lee
and his work on the Semantic Web, XML-encoded documents of that sort,
eBusiness will be increasingly regularized and that will allow some
substantial efficiencies. So here we’ve seen running up to 2000 all the big
investment opportunities and the Y2K problem. Now what I’m expecting is the
companies paying attention to inter-corporate exchange where up to now they
were focused on intra-corporation efficiencies.
Q: And the Interplanetary Network (IPN)?
We have the lower two layers of the five layer case running on the two
rovers on Mars. We’re hoping to put a telephone satellite in orbit by the
end of the decade connecting the two planets together.