[gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC

Gomes, Chuck cgomes at verisign.com
Thu Jan 19 16:44:30 UTC 2017


Thanks for your thoughtful contributions to this discussion Stephanie.



Chuck



From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Stephanie Perrin
Sent: Wednesday, January 18, 2017 2:58 PM
To: gnso-rds-pdp-wg at icann.org
Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC



I will do my best to make the call next week, but am travelling so may not manage it.  Since I am the one querying the suggestion that protecting the data and the names of the individuals under the rubric of privacy is a wee bit off base, believing instead that people should be accountable for what they are putting in their polling data, here is my view, for what it is worth.

1.  ICANN is fundamentally an open, transparent multistakeholder organization where PDPs are open to all.  There is an expectation that there will be robust debate and that people will be accountable for the views they wish to express.  If a person wishes to watch what is happening and not participate, they can monitor and thereby not be forced to express a view.  Participation in the working group should mean that one's expectations of privacy in terms of opinions expressed is very limited.  I would like to hear the arguments for such an opinion, if anyone has advanced them.

2.  In this respect, if an organization sends a representative to attend a pdp and they do not have the authority to speak for the organization without vetting/checking, they have a number of options:  a) omit the survey b) fill it out in their own name with caveats that they do not represent the organization c) get the survey questions and consult on the answers.  I don't really think it is acceptable for organizations to anonymously fill out the survey, just as I don't buy the privacy argument from individuals.

3.  The data is useful to those of us who are trying to understand where people are coming from.  As I have said numerous times, we all view these matters from our own perspectives and knowledge base.  I am trying to understand the degree to which people still do not understand privacy concepts, which I think I can detect from their answers.  (Others may wonder why I still don't understand how the RDS works, fair enough says I!  Check my data, it might help you detect necessary educational opportunities...)  I am also interested in the variance across questions, cumulative totals per SG, etc. etc.

4. At a rather fundamental level, data that is used by us even to form rough concepts of consensus should be accessible to all in my view.  This is a very controversial topic which has caused considerable conflict over the years, let us try to minimize any potential for later questions or distrust by ensuring all data is available.

There are ways around this problem of disclosure vs non-disclosure.

1.  Inform people that polling data will be available.  Forewarned.

2.  Release data minus the name.  However, folks will be guessing who is from what constituency, and frankly we must have the constituency data.  Normally for disclosure of PI for people in groups we go by the rule of 4.....rarely are there 4 NCSG folks filling out the polls, so you can identify us anyway, this may be different for other groups.  I think this one is a non-starter but there it is.

3.  Seek consent.  As discussed above, I don't think the privacy arguments hold water; it is bad policy to seek consent on something that you could not /should not protect in the first place.  Also a non-starter in my view, but there it is.

Again, I hope to make the call next week but wanted to start off this discussion on the list in case I don't make it.

Cheers Stephanie

On 2017-01-18 10:45, Gomes, Chuck wrote:

   For those of you who were unable to attend this meeting, I encourage you to listen to the MP3 recording and/or review the transcript as well as the notes that Marika sent right after the meeting.  We made quite a lot of progress; we discussed all of the remaining proposed purposes for the collection of thin data and there were no objections from anyone on the call to the conclusion that each of the purposes is legitimate for the collection of thin data.



   The third purpose, where we started for this meeting, is Domain Name Certification.  We spent quite a bit of time talking about this.  For those who feel that you do not understand this purpose fully, at about 14:50 into the call we had what I thought was a very good discussion designed to make sure everyone understands Domain Name Certification, so I encourage you to at least listen to that portion and the discussion following where we discussed whether it was an acceptable purpose.  You will note that some thick data elements were also mentioned but we did not make any conclusions regarding thick data.



   Once we finished our deliberation on Domain Name Certification, there was just minimal discussion on the other remaining purposes so you may not find the balance of the recording very informative.



   Near the very end of the recording we alerted everyone to an agenda topic we will have next week about whether raw poll data should be shared with the WG and, if so, in what way.  Those not on the call may benefit from listening to that discussion in preparation for next week.



   Happy listening.



   Chuck



   From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Nathalie Peregrine
   Sent: Wednesday, January 18, 2017 6:57 AM
   To: gnso-rds-pdp-wg at icann.org
   Cc: gnso-secs at icann.org
   Subject: [EXTERNAL] [gnso-rds-pdp-wg] Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC



   With updated apologies



   From: "owner-gnso-secs at icann.org" <owner-gnso-secs at icann.org> on behalf of Nathalie Peregrine <nathalie.peregrine at icann.org>
   Date: Wednesday, January 18, 2017 at 11:52 AM
   To: "gnso-rds-pdp-wg at icann.org" <gnso-rds-pdp-wg at icann.org>
   Cc: "gnso-secs at icann.org" <gnso-secs at icann.org>
   Subject: [gnso-secs] Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC



   Dear all,



   Please find the attendance of the call attached to this email and the MP3 recording below for the Next-Gen RDS PDP Working group call held on Wednesday, 18 January 2017 at 06:00 UTC.

   MP3: https://audio.icann.org/gnso/gnso-nextgen-rds-pdp-18jan17-en.mp3

   The recordings and transcriptions of the calls are posted on the GNSO Master Calendar page:

   http://gnso.icann.org/en/group-activities/calendar





   ** Please let me know if your name has been left off the list **



   Mailing list archives: http://mm.icann.org/pipermail/gnso-rds-pdp-wg/



   Wiki page:  https://community.icann.org/x/tarDAw



   Thank you.

   Kind regards,

   Nathalie



   ---------------



   AC Chat Next-Gen RDS PDP WG Wednesday 18 January 2017

      Nathalie Peregrine:Dear all, welcome to the Next-Gen RDS PDP WG call on Wednesday 18 January 2017 at 06:00 UTC.

     Nathalie Peregrine:Meeting page: https://community.icann.org/x/EbTDAw

     Michele Neylon:good morning people

     Michele Neylon:it's good middle of the bloody night :)

     Chuck Gomes:Morning?!!

     Benny / Nordreg AB:Good Afternoon ;-)

     Alex Deacon:Hi all...

     Abdeldjalil Bachar Bong:Bonjour à tous / hello to everyone

     Maxim Alzoba (FAITID):Good morning all.

     Michele Neylon:MUTE yourselves please

     Fabricio Vayra:good morning

     Tapani Tarvainen:Decent hour in Finland, too

     Farell FOLLY  (africa 2.0):Morning All

     Michele Neylon:6am is an hour

     Tapani Tarvainen:8am here

     Michele Neylon:I'm not sure if it's decent or desirable

     Maxim Alzoba (FAITID):not that horrible - 9am

     Farell FOLLY  (africa 2.0):6 am here !

     Benny / Nordreg AB:Currently in Bangkok 1 PM

     Benny / Nordreg AB:so not too bad

     Stephanie Perrin:1 am here.  I am not at my perkiest I must admit.

     Benny / Nordreg AB:So a silent Stephanie today? ;-)

     Stephanie Perrin:Not likely...just delayed, I suspect....:-)

     Marika Konings:no, I haven't seen anything

     Sam Lanfranco   npoc/csih:Stephanie is probably quiet because it is -5C outside and the weather is freezing rain (-:

     Lisa Phifer:Actually, question 3 assessed level of support for several listed purposes, not just Domain Name Certification

     Stephanie Perrin:Yes Sam, if the power goes out again I may be extra quiet....

     Alex Deacon:1995 - earlier if you count the RSA days :)

     Fabricio Vayra:@Alex - Nice!

     Sam Lanfranco   npoc/csih:Question: What percentage of DN Certificate Requests turn out to be bogus?

     Maxim Alzoba (FAITID):current WHOIS data is not 100% true .. should we assume that not all 100% are good?

     Abdeldjalil Bachar Bong:I need some clarification about the first question as I am a newcomer in this WG, thanks. My second: do you have some resources for non-English speakers?

     Benny / Nordreg AB:or .se / .nu where there is no info in whois for private persons

     Lisa Phifer:@Geoff, with respect to thin data elements, which elements are consulted for this authentication?

     Michele Neylon:My current bugbear is a particular company who insists on sending us their requests

     Michele Neylon:not to our clients

     Daniel K. Nanghaka:The challenge with the WHOIS is that there is no appropriate verification method for the users - there should be a way to validate sensitive data

     Stephanie Perrin:How often do you need to authenticate for these certificates?

     Benny / Nordreg AB:at least once per year

     Stephanie Perrin:Do you rely on what is in WHOIS, OR do you call the technical/administrative contact?

     Benny / Nordreg AB:per domain/ certificate

     Stephanie Perrin:what data do you trust?  In other words, how do you verify the data?

     Michele Neylon:domain validated certs are the cheapest ones

     Michele Neylon:they're also the fastest ones to get issued

     Michele Neylon:the level of "trust" is negligible

     Stephanie Perrin:But what are they worth?

     Michele Neylon:Stephanie - to whom?

     Stephanie Perrin:To anyone who is relying on the certificate....

     Maxim Alzoba (FAITID):hhmm .. and if the mailbox was compromised ?

     Michele Neylon:FYI - they're also used by valid users like me :)

     Michele Neylon:I'm using one on michele.blog

     Alex Deacon:You could argue that Domain Validation certs are good for encryption only.   they provide zero value from an authentication/identity point of view.

     Stephanie Perrin:I would have no clue what I am using.  I think I speak for most consumers....

     Michele Neylon:what Alex said

     Michele Neylon:they're a step up from a self-signed cert

     Stephanie Perrin:Thanks Alex, that is kind of where I was heading....

     Daniel K. Nanghaka:This is where Domain verification comes in strongly - and the Domain validated certificates should be placed in the page of the Domain to prove that the domain is validated. The Company should have a respective data handler who will be responsible for domain validation and certificate authentication.

     Michele Neylon:Daniel - which company?

     Benny / Nordreg AB:Unsure how you will make that happen Daniel?

     Maxim Alzoba (FAITID):The company

     Maxim Alzoba (FAITID):in some movies it was the name for one of the agencies

     Alex Deacon:@stephanie - it depends on the type of cert.

     Daniel K. Nanghaka:@Michele - the company that owns the Domain

     Daniel K. Nanghaka:Yes, the biggest challenge is that many companies take these certificates for granted

     Michele Neylon:Daniel - what makes you think they're a company? these days a LOT of the domain validated certs are for individuals not companies

     Michele Neylon:https://letsencrypt.org/

     Michele Neylon:see also http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https

     Maxim Alzoba (FAITID):letsencrypt ... they rely on publicsuffix, for exumple and the latter uses whois ...

     Maxim Alzoba (FAITID):*example

     Maxim Alzoba (FAITID):the only other source of info ... is LEA

     Alex Deacon:@maxim - you lost me.  what  info does LEA have?

     Maxim Alzoba (FAITID):Law Enforcement Agency

     Alex Deacon:i know what lea stands for....

     Stephanie Perrin:I must be missing something here.  If I am a legitimate rep of a company requesting a cert, why could you not ask for a whole mess of non-publicly available data, signed by the company, to validate my request?

     Maxim Alzoba (FAITID):current internet users will surely suffer (and services too ) if certificates are no more

     Michele Neylon:Stephanie - because it's time consuming and a pain in the neck?

     Stephanie Perrin:If you are looking for a phone number is that part of thin data?  I did not think so.

     Michele Neylon:it doesn't scale

     Alex Deacon:@stephanie -  a CA needs a way to "bind" (associate) an org/user with a domain.   WHOIS does this today.

     Michele Neylon:phone numbers are "thick"

     Stephanie Perrin:That is what I thought.  So we are talking about thick data here.  And if only some registrants want certs, then why should all registrants have to put their thick data in WHOIS?

     Lisa Phifer:Note that handout is now displayed, showing this purpose and related thin data elements

     Stephanie Perrin:So what percentage of registrations want/need certs?

     Michele Neylon:Stephanie - see the link I posted above

     Benny / Nordreg AB:Soon every active domains with a website

     Michele Neylon:what Benny said :)

     Stephanie Perrin:We are talking about a purpose for collection.  I will certainly argue about disclosure.  you are collecting for a valid purpose.  We need to discuss how you are going to use and disclose it.

     Abdeldjalil Bachar Bong:@Maxim I need more information when you said the current internet user will suffer if we don't have more certifications

     Stephanie Perrin:As far as I can see though, you are not collecting any separate data elements solely for the purpose of domain certs. validation

     Michele Neylon:Stephanie - in thin?

     Maxim Alzoba (FAITID):@Abdeldjalil lots of services depend on certificates ... e-mail, online banking etc.

     Stephanie Perrin:certainly in thin, but even in thick...what new data elements are you looking for?

     Michele Neylon:Stephanie - no new ones

     Abdeldjalil Bachar Bong:Thanks @Maxim

     Lisa Phifer:After we get rough consensus on purposes for collecting thin data, we'll move to Data Elements and examine the individual data elements needed by that purpose, and given that we can look at under what conditions that data should be disclosed for that purpose...

     Stephanie Perrin:I seem to be the only one quibbling here.  I am not arguing about the importance of encryption, or certification of sites.  I am quibbling about whether authenticators, who arguably ought to be trusted parties, should be harvesting this data off an open WHOIS.  If this is what they are doing as part of their functions, they could be authenticated to seek the data at a deeper level.

     Lisa Phifer:@Sam, do study subjects not have any opportunity for anonymity, or does it depend on the study and the types of data involved?

     Stephanie Perrin:It depends on the university ethics protocols.  Certainly in Canadian unis you would not be able to disclose the personal data, you would have to bind users to the same privacy commitments.

     Stephanie Perrin:ICANN would have to set a research protocol for this, that meets the highest standard, otherwise academic access could become one of those jurisdictional nightmares....

     Lisa Phifer:@Rod, you propose adding Name Servers and Registrar to the list of thin data elements for this purpose?

     Stephanie Perrin:Is it not the case that every time you need thick data, you absolutely have to have access to the thin data to get at it??

     Lisa Phifer:@Stephanie, yes, you need at least Domain Name to query any WHOIS data, but beyond that you may not need other thin data elements (dates, etc) for a given purpose

     Michele Neylon:Stephanie - yes

     Stephanie Perrin:Thanks Michele

     Michele Neylon:the thin tells you where to find the thick

     Michele Neylon:(sort of)

     Michele Neylon:(and I can't believe I just wrote that and it made sense to me)

     Stephanie Perrin:It is indeed a worrying sign...

     Stephanie Perrin:We have been at this a full year, I would point out....

     Stephanie Perrin:Consumer protection is very limited.  Yes it is a valid purpose.  Disclosure is another matter...

     Sam Lanfranco   npoc/csih:Q. Thin raw data from the polls, or Thick raw data from the polls? (-:

     Maxim Alzoba (FAITID):just add checkbox - I do want my name shown

     Tapani Tarvainen:Analyzing pdf is not impossible, it's just a bit less convenient than xls

     Stephanie Perrin:I think it would be interesting to see both.  I want to look for contradictions in responses.  I also want to look for aggregates.

     Maxim Alzoba (FAITID):NamesCon?

     Tapani Tarvainen:(having written a number of pdf-to-text thingies...)

     Maxim Alzoba (FAITID):Could we add example of report as a header to survey? like after you fill this - it is going to look like this and that?

     Lisa Phifer:In short, we would need to get consent of all who responded

     Maxim Alzoba (FAITID):P.s: my IP address is useless ... giant NAT pool of the local ISP

     Michele Neylon:Stephanie is that you??

     Tapani Tarvainen:+1 Stephanie. Don't really see any privacy issue here.

     Michele Neylon:has someone hijacked her identity??

     Michele Neylon:/me ducks

     Lisa Phifer:@Maxim, generally not true of respondents taking survey from within corporate networks - in that case, IP is often static

     Stephanie Perrin:Sadly I may not be on the call next week, depending on travel schedule

     Maxim Alzoba (FAITID):@Lisa, agree - it depends

     Maxim Alzoba (FAITID):Bye all

     Benny / Nordreg AB:bye all

     Daniel K. Nanghaka:bye

     Patrick Lenihan:Thanks to Each and All!







