<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1553148731;
mso-list-template-ids:-2115107330;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Please excuse the much delayed response to this string of messages. Like David, I have been super busy and I wanted to have a little more time to respond, especially since
Verisign was mentioned.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thanks for raising this issue David. It presents an opportunity for the community to study what kinds of accountability mechanisms work - such as those that public companies
in the US must comply with. I think you’ll see from what follows that Verisign (and any public company) is highly motivated to put in place and enforce mechanisms to protect against anyone going “stark raving mad” and doing harm.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">As a US public company, Verisign has shareholders who ultimately control the company and can hold the company accountable. Those shareholders elect a Board of Directors,
who, under US law owe fiduciary duties to the shareholders to manage the company effectively. Any breach of those duties could result in lawsuits against the Board of Directors by the shareholders or removal and replacement of the Board by those same shareholders.
For example, if the Board has not provided oversight of important network functions then the Board might be liable in court or might be replaced by the shareholders. In addition, the Board appoints the executive officers of the company, who also have fiduciary
duties and under various regulatory regimes such Sarbanes Oxley and Dodd Frank, have additional obligations and in some cases personal liability should they fail to uphold their duties. So, if executive officers were negligent in hiring an employee, or failed
to establish proper network access controls, those officers could be sued in court, or replaced by the Board, or both. Furthermore, external and internal auditors review and investigate on a regular basis compliance with key controls designed to ensure effective
management of the company. Verisign is also subject to disclosure requirements under the Securities and Exchange Act and other regulations that require transparency of the company’s financial condition, compensation, risks, legal proceedings, and more. If
for example Verisign failed to disclose a particular risk to its network that should have been disclosed under the securities laws, then the shareholders or the SEC could bring legal actions against the company, its Board, or individual employees for damages
and to obtain management reforms. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Of course, ICANN has little or no such mechanisms in place, only the AoC (which can be ended by ICANN) and the IANA non-renewal threat, which is why we’re all here. While
no one expects ICANN to become a public US company, the accountability imposed on public companies like Verisign should inform the community as to what ‘good’ can look like. For Verisign, that accountability has led to an excellent operational record of 17
years of uninterrupted uptime for .COM.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I want to again thank David for bringing this important issue to our attention. What can the CWG learn from this? ICANN has stated clearly that it sees its obligations being
to the corporation, which has no members or shareholders, so the accountability mechanisms for public companies, or those with shareholders or members, are not available to us, and so we cannot expect ICANN to behave as if they were. What stops an ICANN employee
from going 'stark raving mad’ or a post-transition ICANN from going ‘stark-raving-greedy’? It's obvious that the accountability that drives Verisign and other US public companies would be welcome here. How can the CWG learn from this and apply similarly effective
accountability to ICANN?</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Chuck<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> cwg-stewardship-bounces@icann.org [mailto:cwg-stewardship-bounces@icann.org]
<b>On Behalf Of </b>David Conrad<br>
<b>Sent:</b> Friday, December 19, 2014 12:53 PM<br>
<b>To:</b> Milton L Mueller<br>
<b>Cc:</b> cwg-stewardship@icann.org<br>
<b>Subject:</b> Re: [CWG-Stewardship] NTIA's Role in Root Zone Management<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">[Sorry for the slow response — a bit busy]<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">Milton,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE">
<div>
<div>
<div>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You are asserting that the RZM (currently, Verisign) can unilaterally change the root zone? But of
course this is not true because of its cooperative agreement with NTIA. </span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">Actually, it is true. Technically, the only entity on the planet today who can change the root zone is Verisign. They <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">Maintain the root zone database ("the root zone file");<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">Hold the Zone Signing Key<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">Run the hidden master from which the root server operators pull the root zone<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">This gives the Root Zone Maintainer the unilateral ability to both modify the root zone and have that zone published. Currently, there are NO technical limitations
on what they can do with the root zone, only administrative limitations — if Verisign went stark raving mad and (say) decided to remove all competing TLDs from the root zone, they could do so (for those resolvers that query the root servers while the edited
zone remained up). Of course, it is likely that in very short order, they would (a) no longer be the Root Zone Maintainer and (b) no longer be a viable going concern due to the myriad of lawsuits that would instantly appear. However, pragmatically speaking,
the fact that the Root Zone Maintainer would turn into a smoldering crater is a bit like closing the barn door after the horse has bolted. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE">
<div>
<div>
<div>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Perhaps that is what you mean by “legal repercussions.”</span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">Yes. While it is true that the Root Zone Maintainer is under contractual terms to get explicit authorization from the Root Zone Administrator prior to making changes,
there is no technical mechanism by which that is enforced. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE">
<div>
<div>
<div>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In terms of how the accountability model changes, I think many of us are viewing the Verisign Cooperative
Agreement as a legacy arrangement that should disappear after the transition. </span>
<span style="color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">An interesting assumption. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE">
<div>
<div>
<div>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Which means that the IANA functions operator would either be the contracter for the RZM function,
or the Contract Co would contract for it directly. Between those two options it’s clear that there are significant differences in the accountability model, and either of those is significantly different from the status quo, which relies on the NTIA. So again
I don’t quite grasp what you are asking about.</span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">I was asking about Jordan's response to the scenario in which the IANA Function Operator and the Root Zone Maintainer are merged (which again, I neither support
nor oppose), thus creating a single entity that receives, validates, and implements change requests. I gather he feels the accountability mechanism would be vastly different than if the IFO and RZM are separate. Since there is a single entity in both scenarios
that, pragmatically speaking, holds all the cards and that entity is restrained only by contractual terms which would presumably be essentially the same in both cases, I'm not seeing a whole lot of difference.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">Regards,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black">-drc<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
</div>
</body>
</html>