[gnso-rds-pdp-wg] Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
Nathalie Peregrine
nathalie.peregrine at icann.org
Wed Jan 18 10:52:50 UTC 2017
Dear all,
Please find the attendance of the call attached to this email and the MP3 recording below for the Next-Gen RDS PDP Working group call held on Wednesday, 18 January 2017 at 06:00 UTC.
MP3: https://audio.icann.org/gnso/gnso-nextgen-rds-pdp-18jan17-en.mp3
The recordings and transcriptions of the calls are posted on the GNSO Master Calendar page:
http://gnso.icann.org/en/group-activities/calendar<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_en_group-2Dactivities_calendar-23nov&d=DgMF-g&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8_WhWIPqsLT6TmF1Zmyci866vcPSFO4VShFqESGe_5iHWGlBLwwwehFBfjrsjWv9&m=weT6ABypO2mbhE1dWs5uImJ38Mh2plfgTgH1L07rZf0&s=EHJpg8atZYvWGJ5XfS368jdC7F4jfuSw2xjKnh_5bn8&e=>
** Please let me know if your name has been left off the list **
Mailing list archives:http://mm.icann.org/pipermail/gnso-rds-pdp-wg/
Wiki page: https://community.icann.org/x/tarDAw[community.icann.org]<https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_tarDAw&d=DgMF-g&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=F8D7r-W_wECDv1_jEDzbEWNFadeWG_alTD0XBlxPtBQ&s=RaRFcjj5cgZxXRr3idDQZOPXm8sHAdt_QG2T3G_mqU8&e=>
Thank you.
Kind regards,
Nathalie
———————————————
AC Chat Next-Gen RDS PDP WG Wednesday 18 January 2017
Nathalie Peregrine:Dear all, welcome to the Next-Gen RDS PDP WG call on Wednesday 18 January 2017 at 06:00 UTC.
Nathalie Peregrine:Meeting page: https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_EbTDAw&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=WjwIlN9HqKqst0hBUakd2-JJXpDPPFOkSb7qA5DRdFM&s=9uxit6N-giqXHRfYH-5VIR7I-CJjYrAxWqkj2PJDjGc&e=
Michele Neylon:good morning people
Michele Neylon:it's good middle of the bloody night :)
Chuck Gomes:Morning?!!
Benny / Nordreg AB:Good Afternoon ;-)
Alex Deacon:Hi all...
Abdeldjalil Bachar Bong:Bonjour à tous / hello to everyone
Maxim Alzoba (FAITID):Good morning all.
Michele Neylon:MUTE yourselves please
Fabricio Vayra:good morning
Tapani Tarvainen:Decent hour in Finland, too
Farell FOLLY (africa 2.0):Morning All
Michele Neylon:6am is an hour
Tapani Tarvainen:8am here
Michele Neylon:I'm not sure if it's decent or desiarable
Maxim Alzoba (FAITID):not thaat horrible - 9am
Farell FOLLY (africa 2.0):6 am here !
Benny / Nordreg AB:Currently in Bangkok 1 PM
Benny / Nordreg AB:so not to bad
Stephanie Perrin:1 am here. I am not at my perkiest I must admit.
Benny / Nordreg AB:So a silent Stephanie today? ;-)
Stephanie Perrin:Not likely...just delayed, I suspect....:-)
Marika Konings:no, I haven't seen anything
Sam Lanfranco npoc/csih:Stephanie is probably quiet because it is -5C outside and the weather is freezing rain (-:
Lisa Phifer:Actually, question 3 assessed level of support for several listed purposes, not just Domain Name Certification
Stephanie Perrin:Yes Sam, if the power goes out again I may be extra quiet....
Alex Deacon:1995 - earlier if you count the RSA days :)
Fabricio Vayra:@Alex - Nice!
Sam Lanfranco npoc/csih:Question: What percentage of DN Certificate Requests turn out to be bogus?
Maxim Alzoba (FAITID):current WHOIS data is not 100% true .. should we assume that not all 100% are good?
Abdeldjalil Bachar Bong:I need some clarification about the first question as iam newcomer in this WG ,Thanks my second do you have some resources for no-English speaker ?
Benny / Nordreg AB:or .se / .nu where there are no info in whois for private persons
Lisa Phifer:@Geoff, with respect to thin data elements, which elements are consulted for this authentication?
Michele Neylon:My current bugbear is a particular company who insists on sending us their requests
Michele Neylon:not to our clients
Daniel K. Nanghaka:The challenge with the WHOIS is that there is no appropriate verification method for the users - there should be a way to validate sensitive data
Stephanie Perrin:How often do you need to authenticate for these certificates?
Benny / Nordreg AB:at least once per year
Stephanie Perrin:Do you rely on what is in WHOIS, OR do you call the technical/administrative contact?
Benny / Nordreg AB:per domain/ certificate
Stephanie Perrin:what data do you trust? IN other words, how do you verify the data?
Michele Neylon:domain validated certs are the cheapest ones
Michele Neylon:they're also the fastest ones to get issued
Michele Neylon:the level of "trust" is negligible
Stephanie Perrin:But what are they worth?
Michele Neylon:Stephanie - to whom?
Stephanie Perrin:To anyone who is relying on the certificate....
Maxim Alzoba (FAITID):hhmm .. and if the mailbox was compromised ?
Michele Neylon:FYI - they're also used by valid users like me :)
Michele Neylon:I'm using one on michele.blog
Alex Deacon:You could argue that Domain Validation certs are good for encryption only. they provide zero value from an authentication/identity point of view.
Stephanie Perrin:I would have no clue what I am using. I think I speak for most consumers....
Michele Neylon:what Alex said
Michele Neylon:they're a step up from a self-signed cert
Stephanie Perrin:Thanks Alex, that is kind of where I was heading....
Daniel K. Nanghaka:This is where Domain verification comes in strongly - and the Domain validated certificates should be placed in the page of the Domain to prove that the domain is validated. The Company should have a respective data handler who will be responsible for domain validation and certificate authentication.
Michele Neylon:Daniel - which company?
Benny / Nordreg AB:Unsure how you will make that happen Daniel?
Maxim Alzoba (FAITID):The company
Maxim Alzoba (FAITID):in some movies it was the name for one of the agencies
Alex Deacon:@stephanie - it depends on the type of cert.
Daniel K. Nanghaka:@Michele - the company that that owns the Domain
Daniel K. Nanghaka:Yes, the biggest challenge is that many companies take these certificates for granted
Michele Neylon:Daniel - what makes you think they're a company? these days a LOT of the domain validated certs are for individiuals not companies
Michele Neylon:https://urldefense.proofpoint.com/v2/url?u=https-3A__letsencrypt.org_&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=WjwIlN9HqKqst0hBUakd2-JJXpDPPFOkSb7qA5DRdFM&s=gUMAlV9Le_Uk-WKSJISZI3A_tCUNIGZECo84Qr5k-w0&e=
Michele Neylon:see also https://urldefense.proofpoint.com/v2/url?u=http-3A__motherboard.vice.com_read_google-2Dwill-2Dsoon-2Dshame-2Dall-2Dwebsites-2Dthat-2Dare-2Dunencrypted-2Dchrome-2Dhttps&d=DwIFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=PDd_FX3f4MVgkEIi9GHvVoUhbecsvLhgsyXrxgtbL10DTBs0i1jYiBM_uTSDzgqG&m=WjwIlN9HqKqst0hBUakd2-JJXpDPPFOkSb7qA5DRdFM&s=pFgFCnrUIsQEyD06VMwyJjHMCAjk5hpZrorKO9I0cCU&e=
Maxim Alzoba (FAITID):letsencrypt ... they relay on publicsuffix, for exumple and the latter uses whois ...
Maxim Alzoba (FAITID):*example
Maxim Alzoba (FAITID):the only other source of info ... is LEA
Alex Deacon:@maxim - you lost me. what info does LEA have?
Maxim Alzoba (FAITID):Law Enforcement Agency
Alex Deacon:i know what lea stands for....
Stephanie Perrin:I must be missing something here. If I am a legitimate rep of a company requesting a cert, why could you not ask for a whole mess of non-publically available data, signed by the company, to validate my request?
Maxim Alzoba (FAITID):current internet users will surely suffer (and services too ) if certificates are no more
Michele Neylon:Stephanie - because it's time consuming and a pain in the neck?
Stephanie Perrin:If you are looking for a phone number is that part of thin data? I did not think so.
Michele Neylon:it doesn't scale
Alex Deacon:@stephanie - a CA needs a way to "bind" (associate) an org/user with a domain. WHOIS does this today.
Michele Neylon:phone numbers are "thick"
Stephanie Perrin:That is what I thought. So we are talking about thick data here. And if only some registrants want certs, then why should all registrants have to put their thick data in WHOIS?
Lisa Phifer:Note that handout is now displayed, showing this purpose and related thin data elements
Stephanie Perrin:So what percentage of registrations want/need certs?
Michele Neylon:Stephanie - see the link I posted above
Benny / Nordreg AB:Soon every active domains with a website
Michele Neylon:what Benny said :)
Stephanie Perrin:We are talking about a purpose for collection. I will certainly argue about disclosure. you are collecting for a valid purpose. We need to discuss how you are going to use and disclose it.
Abdeldjalil Bachar Bong:@Maxim I need more information when you said the current internet user will sufer if we don't have more certifications
Stephanie Perrin:As far as I can see though, you are not collecting any separate data elements solely for the purpose of domain certs. validation
Michele Neylon:Stephanie - in thin?
Maxim Alzoba (FAITID):@Abdeldjalil lots of services redend on certificates ... e-mail , online banking e.t.c.
Stephanie Perrin:certainly in thin, but even in thick...what new data elements are you looking for?
Michele Neylon:Stephanie - no new ones
Abdeldjalil Bachar Bong:Thanks @Maxim
Lisa Phifer:After we get rough consensus on purposes for collecting thin data, we'll move to Data Elements and examine the individual data elements needed by that purpose, and given that we can look at under what conditions that data should be disclosed for that purpose...
Stephanie Perrin:I seem to be the only one quibbling here. I am not arguing about the importance of encryption, or certification of sites. I am quibbling about whether authenticators, who arguably ought to be trusted parties, should be harvesting this data off an open WHOIS. If this is what they are doing as part of their functions, they could be autheticated to seek the data at a deeper level.
Lisa Phifer:@Sam, do study subjects not have any opportunity for anonymity, or does it depend on the study and the types of data involved?
Stephanie Perrin:It depends on the university ethics protocols. Certainly in Canadian unis you would not be able to disclose the personal data, you would have to bind users to the same privacy commitements.
Stephanie Perrin:ICANN would have to set a research protocol for this, that meets the highest standard, otherwise academic access could become one of those jurisdictional nightmares....
Lisa Phifer:@Rod, you propose adding Name Servers and Registrar to the list of thin data elements for this purpose?
Stephanie Perrin:Is it not the case that every time you need thick data, you absolutely have to have access to the thin data to get at it??
Lisa Phifer:@Stephanie, yes, you need at least Domain Name to query any WHOIS data, but beyond that you may not need other thin data elements (dates, etc) for a given purpose
Michele Neylon:Stephanie - yes
Stephanie Perrin:Thanks Michele
Michele Neylon:the thin tells you where to find the thick
Michele Neylon:(sort of)
Michele Neylon:(and I can't believe I just wrote that and it made sense to me)
Stephanie Perrin:It is indeed a worrying sign...
Stephanie Perrin:We have been at this a full year, I would point out....
Stephanie Perrin:Consumer protection is very limited. Yes it is a valid purpose. Disclosure is another matter...
Sam Lanfranco npoc/csih:Q. Thin raw data from the polls, or Thick raw data from the polls? (-:
Maxim Alzoba (FAITID):just add checkbox - I do want my name shown
Tapani Tarvainen:Analyzing pdf is not impossible, it's just a bit less convenient than xls
Stephanie Perrin:I think it would be interesting to see both. I want to look for contradictions in responses. I also want to look for aggregates.
Maxim Alzoba (FAITID):NamesCon?
Tapani Tarvainen:(having written a number of pdf-to-text thingies...)
Maxim Alzoba (FAITID):Could we add example of report as a header to survey? like after you fill this - it is going to look like this and that?
Lisa Phifer:In short, we would need to get consent of all who responded
Maxim Alzoba (FAITID):P.s: my IP address is useless ... giant NAT pool of the local ISP
Michele Neylon:Stephanie is that you??
Tapani Tarvainen:+1 Stephanie. Don't really see any privacy issue here.
Michele Neylon:has someone hijacked her identity??
Michele Neylon:/me ducks
Lisa Phifer:@Maxim, generally not true of respondents taking survey from within corporate networks - in that case, IP is often static
Stephanie Perrin:Sadly I may not be on the call next week, depending on travel schedule
Maxim Alzoba (FAITID):@Lisa, agree - it depends
Maxim Alzoba (FAITID):Bye all
Benny / Nordreg AB:bye all
Daniel K. Nanghaka:bye
Patrick Lenihan:Thanks to Each and All!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170118/7e377e38/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Attendance RDS WG 18 January 2017.pdf
Type: application/pdf
Size: 33797 bytes
Desc: Attendance RDS WG 18 January 2017.pdf
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170118/7e377e38/AttendanceRDSWG18January2017.pdf>
More information about the gnso-rds-pdp-wg
mailing list