<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:405149433;
mso-list-template-ids:-76649938;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1438594489;
mso-list-type:hybrid;
mso-list-template-ids:-1781626250 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:38.25pt;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:74.25pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:110.25pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:146.25pt;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:182.25pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:218.25pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:254.25pt;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:290.25pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:326.25pt;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Thanks, Scott. We will update and reissue ASAP.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Fabricio Vayra</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#D6001C">
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#75787B">|
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#D6001C">Perkins Coie LLP<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#75787B">PARTNER<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#75787B">D. +1.202.654.6255<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Hollenbeck, Scott [mailto:shollenbeck@verisign.com]
<br>
<b>Sent:</b> Monday, June 18, 2018 8:42 AM<br>
<b>To:</b> Vayra, Fabricio (WDC) <FVayra@perkinscoie.com>; 'accred-model@icann.org' <accred-model@icann.org><br>
<b>Subject:</b> RE: Version 1.6 of the Accreditation and Access Model<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Fab, Annex I contains text with factual errors describing OpenID/OAuth-based client authentication. I shared some text with Mason last Friday, but it looks like this one paragraph was missed or my suggested edits
were rejected:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">“There is currently an Internet draft regarding the usage of federated client authentication (password and ID) based on OpenID and OAuth. However, theremay also be advantages to using digital certificates in
conjunction with, or as an alternative method to federated client authentication because each method allows a client to be identified and authenticated for different client-server interactions. First, the access to RDAP does not have to rely on the availability
of the identity provider which is a third-party required for federated authentication to work. A digital certificate can be used to identify and authenticate the client when establishing a secure connection to an RDAP server. Information encoded in the certificate
can be used to determine if a client is authorized for access to an RDAP server. Second, the digital certificates provide non-repudiation due to the nature of Public Key Infrastructure (PKI). Third, digital certificates could provide flexible and scalable
functionality. For instance, it could be used for enhanced access control such as role-based access control (RBAC) making decisions based on the attributes provided within the digital certificate. If the Internet community decides to adopt RBAC, there will
be some application development work that would be required for RDAP. Fourth, identity providers are usually not under the tight scrutiny of an independent third-party auditor and are generally not used to processing a large amount of validation requests.
Last but not least, when using digital certificates, the decision of whether or not to grant access is made entirely by the entity running the RDAP services instead of the identity provider which is a third party. Federated client authentication based on OpenID
and OAuth can be used to identify and authenticate a client for access to specific registration data elements because this service is performed directly within the RDAP application layer as part of processing an RDAP query. Fine-grained attributes, such as
the purpose of an RDAP query, can be encoded in the client’s identity and shared with the RDAP server software that needs to determine if a client is authorized for access to specific data elements. Both approaches leverage trusted third parties (Certificate
Authorities for digital certificates and Identity Providers for OpenID/OAuth) that can be used to make the secure attestations of a client’s identity and attributes that are needed to ensure that a client is authorized to receive the data they are requesting.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Specifically:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">“First, the access to RDAP does not have to rely on the availability of the identity provider which is a third-party required for federated authentication to work”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Digital certificates also depend on a third party in the form of the CA that needs to be queried to determine if a certificate has been revoked.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">“Fourth, identity providers are usually not under the tight scrutiny of an independent third-party auditor and are generally not used to processing a large amount of validation requests”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">A good bit of this document describes the procedures that would need to be put in place for accreditation to work. Those procedures, and the policies associated with accreditation, would need to include appropriate
safeguards for ALL credential issuers, be they issuers of certificates or OpenID credentials. It would be more correct to strike this text given the focus of the rest of the document. I don’t buy the “large volume” thing, either. Companies like Google and
Facebook use OpenID technology today and it seems to be working just fine.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">“the decision of whether or not to grant access is made entirely by the entity running the RDAP services instead of the identity provider which is a third party”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Identity Providers DO NOT make access control decisions. Information is shared with the Relying Party (RP), and it’s the RP who makes access control decisions.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I’m willing to take another pass at this text if someone is willing to work with me.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:#1F497D">Scott<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Accred-Model <<a href="mailto:accred-model-bounces@icann.org">accred-model-bounces@icann.org</a>>
<b>On Behalf Of </b>Vayra, Fabricio (Perkins Coie)<br>
<b>Sent:</b> Saturday, June 16, 2018 1:29 AM<br>
<b>To:</b> 'accred-model@icann.org' <<a href="mailto:accred-model@icann.org">accred-model@icann.org</a>><br>
<b>Subject:</b> [EXTERNAL] [Accred-Model] Version 1.6 of the Accreditation and Access Model<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Attached for discussion and additional comment is version 1.6 of the Accreditation and Access Model. This, following further comment and input from many parts of the community, is a much richer and robust model. Notably, this version
1.6 contains new:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="margin-left:2.25pt;mso-list:l1 level1 lfo3">Annex D: Accreditation Approach for Intellectual Property Owners and Agents<o:p></o:p></li><li class="MsoNormal" style="margin-left:2.25pt;mso-list:l1 level1 lfo3">Annex J: Lawful Bases for Access to WHOIS Data<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Many thanks to those who made constructive contributions to further developing this model.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thank you again for your input and support.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Fabricio Vayra</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#D6001C">
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#75787B">|
</span></b><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#D6001C">Perkins Coie LLP<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#75787B">PARTNER<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#75787B">D. +1.202.654.6255<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray"><br>
NOTICE: This communication may contain privileged or other confidential information. If you have received it in error, please advise the sender by reply email and immediately delete the message and any attachments without copying or disclosing the contents.
Thank you.</span><o:p></o:p></p>
</div>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
NOTICE: This communication may contain privileged or other confidential information. If you have received it in error, please advise the sender by reply email and immediately delete the message and any attachments without copying or disclosing the contents.
Thank you.<br>
</font>
</body>
</html>