[Systems] Who should legally hold sugarlabs domains/SSL certs, and who should decide who should hold them? (was Re: Fwd: Gandi donates large amount of account credit to Conservancy for VPS's, domain registration, and SSL certificates)

Chris Leonard cjl at laptop.org
Wed Aug 1 18:31:17 EDT 2012


On Wed, Aug 1, 2012 at 1:26 PM, Bradley M. Kuhn <bkuhn at sfconservancy.org> wrote:
> Chris Leonard wrote at 09:12 (EDT):
>> Speaking for myself, I think the SLOBs would/should entrust domain
>> name registrations, certificates and DNS issues to our extremely
>> competent (albeit overworked) Infrastructure team, and to Bernie's
>> leadership on those issues.
>
> Just to be clear: those details would still be so-handled in any event,
> if you decide to have Conservancy be the domain-holder.
>
> What I'm talking about is just the legal holder of the domain being
> Conservancy.  We'd only set "Billing Contact" and "Administrative
> Contact" to Conservancy -- Bernie and the infrastructure team would
> decide "Technical Contact" for the domains.
>
> But, that said, it's not mandatory that a Conservancy project host its
> domains with Conservancy -- it's purely a Gandi-specific rule
> (apparently) that the SSL certificates Gandi generates be only for
> domains where the generating/paying account match the admin contact of
> the domain.
>
> The other option is for Sugar to just pay from its funds for SSL certs
> (which is what most projects typically did before the donation from
> Gandi was received).
>
> I think we may be on the same page, but it seemed your email *might*
> have conflated two issues: (a) who should decide if the domains be held
> by Conservancy in Conservancy's Gandi account, and (b) who should be the
> legal owner of the domains.
>
> Those are two independent questions that I want to be sure you consider
> independently.

Q1) Who should decide if the domains be held by Conservancy in
Conservancy's Gandi account?

A1) As mentioned, I would rely on Bernie's advice with regard to
nitty-gritty details such as those he raised about his previous experience
with Gandi and their services to determine their suitability for Sugar
Labs' various stakeholders and technical requirements.  The SLOBs
should (and likely will) rubber-stamp Bernie's recommendation with a
minimum of friendly kibitzing and clarification of pet peeves and
technical bugaboos.

Q2) Who should be the legal owner of the domains?

A2) Bernie raised an interesting point about the importance of direct
hands-on manipulation of DNS records etc. by our Infrastructure Team,
the answer to which could influence that call or even the advisability
of going through SFC to Gandi for domains and certs at all.

On the one hand, Sugar Labs has (via the FSA with SFC) ceded control
of our money and power of attorney to SFC, so why worry about the
domain registry ownership as long as it is covered by similar
"amicable parting" protections.  I'm really not worried about SFC
handing the domain off to a non-profit confectionery research
operation.

On the other hand, from my industry experience, I view domain names as
intellectual property that should be treated like trademarks.
Unfortunately, for technical reasons, registration expiration
monitored so that they do not expire and fall prey to domain
registration vultures.  As a matter of setting a shining example for
others to think security, we should do a better job on certs too.
These are matters traditionally entrusted to the sysadmin types (along
with software licensing, where applicable).

I don't have a definitive opinion on this, maybe someone else has
some strong feelings about the matter?  I'm quite open to being
convinced one way or the other by a well-reasoned argument.

cjl

