[gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC

Greg Shatan gregshatanipc at gmail.com
Thu Jan 19 17:35:28 UTC 2017


I never thought I would agree with Stephanie on a privacy-related
matter.... 😂

But I do this time.

Greg


On Thu, Jan 19, 2017 at 11:44 AM, Gomes, Chuck <cgomes at verisign.com> wrote:

> Thanks for your thoughtful contributions to this discussion Stephanie.
>
>
>
> Chuck
>
>
>
> *From:* gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On Behalf Of *Stephanie Perrin
> *Sent:* Wednesday, January 18, 2017 2:58 PM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] FW: Updated: Mp3, Attendance,
> AC Chat for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
>
>
>
> I will do my best to make the call next week, but am travelling so may not
> manage it.  Since I am the one querying the suggestion that protecting the
> data and the names of the individuals under the rubric of privacy is a wee
> bit off base, believing instead that people should be accountable for what
> they are putting in their polling data, here is my view, for what it is
> worth.
>
> 1.  ICANN is fundamentally an open, transparent multistakeholder
> organization where PDPs are open to all.  There is an expectation that
> there will be robust debate and that people will be accountable for the
> views they wish to express.  If a person wishes to watch what is happening
> and not participate, they can monitor and thereby not be forced to express
> a view.  Participation in the working group should mean that one's
> expectations of privacy in terms of opinions expressed is very limited.  I
> would like to hear the arguments for such an opinion, if anyone has
> advanced them.
>
> 2.  In this respect, if an organization sends a representative to attend a
> PDP and they do not have the authority to speak for the organization
> without vetting/checking, they have a number of options:  a) omit the
> survey b) fill it out in their own name with caveats that they do not
> represent the organization c) get the survey questions and consult on the
> answers.  I don't really think it is acceptable for organizations to
> anonymously fill out the survey, just as I don't buy the privacy argument
> from individuals.
>
> 3.  The data is useful to those of us who are trying to understand where
> people are coming from.  As I have said numerous times, we all view these
> matters from our own perspectives and knowledge base.  I am trying to
> understand the degree to which people still do not understand privacy
> concepts, which I think I can detect from their answers.  (others may
> wonder why I still don't understand how the RDS works, fair enough says I!
> Check my data, it might help you detect necessary educational
> opportunities...)  I am also interested in the variance across questions,
> cumulative totals per SG, etc. etc.
>
> 4. At a rather fundamental level, data that is used by us even to form
> rough concepts of consensus should be accessible to all in my view.  This
> is a very controversial topic which has caused considerable conflict over the
> years, let us try to minimize any potential for later questions or distrust
> by ensuring all data is available.
>
> There are ways around this problem of disclosure vs non-disclosure.
>
> 1.  Inform people that polling data will be available.  Forewarned.
>
> 2.  Release data minus the name.  However, folks will be guessing who is
> from what constituency, and frankly we must have the constituency data.
> Normally for disclosure of PI for people in groups we go by the rule of
> 4.....rarely are there 4 NCSG folks filling out the polls, so you can
> identify us anyway, this may be different for other groups.  I think this
> one is a non-starter but there it is.
>
> 3.  Seek consent.  As discussed above, I don't think the privacy arguments
> hold water; it is bad policy to seek consent on something that you could
> not /should not protect in the first place.  Also a non-starter in my view,
> but there it is.
>
> Again, I hope to make the call next week but wanted to start off this
> discussion on the list in case I don't make it.
>
> Cheers Stephanie
>
> On 2017-01-18 10:45, Gomes, Chuck wrote:
>
> For those of you who were unable to attend this meeting, I encourage you
> to listen to the MP3 recording and/or review the transcript as well as the
> notes that Marika sent right after the meeting.  We made quite a lot of
> progress; we discussed all of the remaining proposed purposes for the
> collection of thin data and there were no objections from anyone on the
> call to the conclusion that each of the purposes is legitimate for the
> collection of thin data.
>
>
>
> The third purpose, where we started for this meeting, is Domain Name
> Certification.  We spent quite a bit of time talking about this.  For those
> who feel that you do not understand this purpose fully, at about 14:50 into
> the call we had what I thought was a very good discussion designed to make
> sure everyone understands Domain Name Certification, so I encourage you to
> at least listen to that portion and the discussion following where we
> discussed whether it was an acceptable purpose.  You will note that some
> thick data elements were also mentioned but we did not make any conclusions
> regarding thick data.
>
>
>
> Once we finished our deliberation on Domain Name Certification, there was
> just minimal discussion on the other remaining purposes so you may not find
> the balance of the recording very informative.
>
>
>
> Near the very end of the recording we alerted everyone to an agenda topic
> we will have next week about whether raw poll data should be shared with
> the WG and, if so, in what way.  Those not on the call may benefit from
> listening to that discussion in preparation for next week.
>
>
>
> Happy listening.
>
>
>
> Chuck
>
>
>
> *From:* gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On Behalf Of *Nathalie Peregrine
> *Sent:* Wednesday, January 18, 2017 6:57 AM
> *To:* gnso-rds-pdp-wg at icann.org
> *Cc:* gnso-secs at icann.org
> *Subject:* [EXTERNAL] [gnso-rds-pdp-wg] Updated: Mp3, Attendance, AC Chat
> for Next-Gen RDS PDP WG on Wednesday, 18 January 2017 at 06:00 UTC
>
>
>
> *With updated apologies*
>
>
>
> *From: *"owner-gnso-secs at icann.org" <owner-gnso-secs at icann.org> on behalf
> of Nathalie Peregrine <nathalie.peregrine at icann.org>
> *Date: *Wednesday, January 18, 2017 at 11:52 AM
> *To: *"gnso-rds-pdp-wg at icann.org" <gnso-rds-pdp-wg at icann.org>
> *Cc: *"gnso-secs at icann.org" <gnso-secs at icann.org>
> *Subject: *[gnso-secs] Mp3, Attendance, AC Chat for Next-Gen RDS PDP WG
> on Wednesday, 18 January 2017 at 06:00 UTC
>
>
>
> Dear all,
>
>
>
> Please find the attendance of the call attached to this email and the MP3
> recording below for the Next-Gen RDS PDP Working group call held on
> Wednesday, 18 January 2017 at 06:00 UTC.
>
> *MP3:* https://audio.icann.org/gnso/gnso-nextgen-rds-pdp-18jan17-en.mp3
>
> The recordings and transcriptions of the calls are posted on the GNSO
> Master Calendar page:
>
> http://gnso.icann.org/en/group-activities/calendar
>
>
>
>
>
> ** Please let me know if your name has been left off the list **
>
>
>
> Mailing list archives: http://mm.icann.org/pipermail/gnso-rds-pdp-wg/
>
>
>
> Wiki page:  https://community.icann.org/x/tarDAw
>
>
>
> Thank you.
>
> Kind regards,
>
> Nathalie
>
>
>
> ———————————————
>
>
>
> *AC Chat Next-Gen RDS PDP WG Wednesday 18 January 2017*
>
>    Nathalie Peregrine:Dear all, welcome to the Next-Gen RDS PDP WG call on
> Wednesday 18 January 2017 at 06:00 UTC.
>
>   Nathalie Peregrine:Meeting page: https://community.icann.org/x/EbTDAw
>
>   Michele Neylon:good morning people
>
>   Michele Neylon:it's good middle of the bloody night :)
>
>   Chuck Gomes:Morning?!!
>
>   Benny / Nordreg AB:Good Afternoon ;-)
>
>   Alex Deacon:Hi all...
>
>   Abdeldjalil Bachar Bong:Bonjour à tous / hello to everyone
>
>   Maxim Alzoba (FAITID):Good morning all.
>
>   Michele Neylon:MUTE yourselves please
>
>   Fabricio Vayra:good morning
>
>   Tapani Tarvainen:Decent hour in Finland, too
>
>   Farell FOLLY  (africa 2.0):Morning All
>
>   Michele Neylon:6am is an hour
>
>   Tapani Tarvainen:8am here
>
>   Michele Neylon:I'm not sure if it's decent or desirable
>
>   Maxim Alzoba (FAITID):not that horrible - 9am
>
>   Farell FOLLY  (africa 2.0):6 am here !
>
>   Benny / Nordreg AB:Currently in Bangkok 1 PM
>
>   Benny / Nordreg AB:so not too bad
>
>   Stephanie Perrin:1 am here.  I am not at my perkiest I must admit.
>
>   Benny / Nordreg AB:So a silent Stephanie today? ;-)
>
>   Stephanie Perrin:Not likely...just delayed, I suspect....:-)
>
>   Marika Konings:no, I haven't seen anything
>
>   Sam Lanfranco   npoc/csih:Stephanie is probably quiet because it is -5C
> outside and the weather is freezing rain (-:
>
>   Lisa Phifer:Actually, question 3 assessed level of support for several
> listed purposes, not just Domain Name Certification
>
>   Stephanie Perrin:Yes Sam, if the power goes out again I may be extra
> quiet....
>
>   Alex Deacon:1995 - earlier if you count the RSA days :)
>
>   Fabricio Vayra:@Alex - Nice!
>
>   Sam Lanfranco   npoc/csih:Question: What percentage of DN Certificate
> Requests turn out to be bogus?
>
>   Maxim Alzoba (FAITID):current WHOIS data is not 100% true .. should we
> assume that not all 100% are good?
>
>   Abdeldjalil Bachar Bong:I need some clarification about the first
> question as I am a newcomer in this WG. Thanks. My second: do you have some
> resources for non-English speakers?
>
>   Benny / Nordreg AB:or .se / .nu where there is no info in whois for
> private persons
>
>   Lisa Phifer:@Geoff, with respect to thin data elements, which elements
> are consulted for this authentication?
>
>   Michele Neylon:My current bugbear is a particular company who insists on
> sending us their requests
>
>   Michele Neylon:not to our clients
>
>   Daniel K. Nanghaka:The challenge with the WHOIS is that there is no
> appropriate verification method for the users - there should be a way to
> validate sensitive data
>
>   Stephanie Perrin:How often do you need to authenticate for these
> certificates?
>
>   Benny / Nordreg AB:at least once per year
>
>   Stephanie Perrin:Do you rely on what is in WHOIS, OR do you call the
> technical/administrative contact?
>
>   Benny / Nordreg AB:per domain/ certificate
>
>   Stephanie Perrin:what data do you trust?  In other words, how do you
> verify the data?
>
>   Michele Neylon:domain validated certs are the cheapest ones
>
>   Michele Neylon:they're also the fastest ones to get issued
>
>   Michele Neylon:the level of "trust" is negligible
>
>   Stephanie Perrin:But what are they worth?
>
>   Michele Neylon:Stephanie - to whom?
>
>   Stephanie Perrin:To anyone who is relying on the certificate....
>
>   Maxim Alzoba (FAITID):hhmm .. and if the mailbox was compromised ?
>
>   Michele Neylon:FYI - they're also used by valid users like me :)
>
>   Michele Neylon:I'm using one on michele.blog
>
>   Alex Deacon:You could argue that Domain Validation certs are good for
> encryption only.   they provide zero value from an authentication/identity
> point of view.
>
>   Stephanie Perrin:I would have no clue what I am using.  I think I speak
> for most consumers....
>
>   Michele Neylon:what Alex said
>
>   Michele Neylon:they're a step up from a self-signed cert
>
>   Stephanie Perrin:Thanks Alex, that is kind of where I was heading....
>
>   Daniel K. Nanghaka:This is where Domain verification comes in strongly -
> and the Domain validated certificates should be placed in the page of the
> Domain to prove that the domain is validated. The Company should have a
> respective data handler who will be responsible for domain validation and
> certificate authentication.
>
>   Michele Neylon:Daniel - which company?
>
>   Benny / Nordreg AB:Unsure how you will make that happen Daniel?
>
>   Maxim Alzoba (FAITID):The company
>
>   Maxim Alzoba (FAITID):in some movies it was the name for one of the
> agencies
>
>   Alex Deacon:@stephanie - it depends on the type of cert.
>
>   Daniel K. Nanghaka:@Michele - the company that owns the Domain
>
>   Daniel K. Nanghaka:Yes, the biggest challenge is that many companies
> take these certificates for granted
>
>   Michele Neylon:Daniel - what makes you think they're a company? these
> days a LOT of the domain validated certs are for individuals not companies
>
>   Michele Neylon:https://letsencrypt.org/
>
>   Michele Neylon:see also http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
>
>   Maxim Alzoba (FAITID):letsencrypt ... they rely on publicsuffix, for
> exumple and the latter uses whois ...
>
>   Maxim Alzoba (FAITID):*example
>
>   Maxim Alzoba (FAITID):the only other source of info ... is LEA
>
>   Alex Deacon:@maxim - you lost me.  what  info does LEA have?
>
>   Maxim Alzoba (FAITID):Law Enforcement Agency
>
>   Alex Deacon:i know what lea stands for....
>
>   Stephanie Perrin:I must be missing something here.  If I am a legitimate
> rep of a company requesting a cert, why could you not ask for a whole mess
> of non-publicly available data, signed by the company, to validate my
> request?
>
>   Maxim Alzoba (FAITID):current internet users will surely suffer (and
> services too ) if certificates are no more
>
>   Michele Neylon:Stephanie - because it's time consuming and a pain in the
> neck?
>
>   Stephanie Perrin:If you are looking for a phone number is that part of
> thin data?  I did not think so.
>
>   Michele Neylon:it doesn't scale
>
>   Alex Deacon:@stephanie -  a CA needs a way to "bind" (associate) an
> org/user with a domain.   WHOIS does this today.
>
>   Michele Neylon:phone numbers are "thick"
>
>   Stephanie Perrin:That is what I thought.  So we are talking about thick
> data here.  And if only some registrants want certs, then why should all
> registrants have to put their thick data in WHOIS?
>
>   Lisa Phifer:Note that handout is now displayed, showing this purpose and
> related thin data elements
>
>   Stephanie Perrin:So what percentage of registrations want/need certs?
>
>   Michele Neylon:Stephanie - see the link I posted above
>
>   Benny / Nordreg AB:Soon every active domains with a website
>
>   Michele Neylon:what Benny said :)
>
>   Stephanie Perrin:We are talking about a purpose for collection.  I will
> certainly argue about disclosure.  you are collecting for a valid
> purpose.  We need to discuss how you are going to use and disclose it.
>
>   Abdeldjalil Bachar Bong:@Maxim I need more information when you said
> the current internet user will suffer if we don't have more certifications
>
>   Stephanie Perrin:As far as I can see though, you are not collecting any
> separate data elements solely for the purpose of domain certs. validation
>
>   Michele Neylon:Stephanie - in thin?
>
>   Maxim Alzoba (FAITID):@Abdeldjalil lots of services depend on
> certificates ... e-mail, online banking etc.
>
>   Stephanie Perrin:certainly in thin, but even in thick...what new data
> elements are you looking for?
>
>   Michele Neylon:Stephanie - no new ones
>
>   Abdeldjalil Bachar Bong:Thanks @Maxim
>
>   Lisa Phifer:After we get rough consensus on purposes for collecting thin
> data, we'll move to Data Elements and examine the individual data elements
> needed by that purpose, and given that we can look at under what conditions
> that data should be disclosed for that purpose...
>
>   Stephanie Perrin:I seem to be the only one quibbling here.  I am not
> arguing about the importance of encryption, or certification of sites.  I
> am quibbling about whether authenticators, who arguably ought to be trusted
> parties, should be harvesting this data off an open WHOIS.  If this is what
> they are doing as part of their functions, they could be authenticated to
> seek the data at a deeper level.
>
>   Lisa Phifer:@Sam, do study subjects not have any opportunity for
> anonymity, or does it depend on the study and the types of data involved?
>
>   Stephanie Perrin:It depends on the university ethics
> protocols.  Certainly in Canadian unis you would not be able to disclose
> the personal data, you would have to bind users to the same privacy
> commitments.
>
>   Stephanie Perrin:ICANN would have to set a research protocol for this,
> that meets the highest standard, otherwise academic access could become one
> of those jurisdictional nightmares....
>
>   Lisa Phifer:@Rod, you propose adding Name Servers and Registrar to the
> list of thin data elements for this purpose?
>
>   Stephanie Perrin:Is it not the case that every time you need thick data,
> you absolutely have to have access to the thin data to get at it??
>
>   Lisa Phifer:@Stephanie, yes, you need at least Domain Name to query any
> WHOIS data, but beyond that you may not need other thin data elements
> (dates, etc) for a given purpose
>
>   Michele Neylon:Stephanie - yes
>
>   Stephanie Perrin:Thanks Michele
>
>   Michele Neylon:the thin tells you where to find the thick
>
>   Michele Neylon:(sort of)
>
>   Michele Neylon:(and I can't believe I just wrote that and it made sense
> to me)
>
>   Stephanie Perrin:It is indeed a worrying sign...
>
>   Stephanie Perrin:We have been at this a full year, I would point out....
>
>   Stephanie Perrin:Consumer protection is very limited.  Yes it is a valid
> purpose.  Disclosure is another matter...
>
>   Sam Lanfranco   npoc/csih:Q. Thin raw data from the polls, or Thick raw
> data from the polls? (-:
>
>   Maxim Alzoba (FAITID):just add checkbox - I do want my name shown
>
>   Tapani Tarvainen:Analyzing pdf is not impossible, it's just a bit less
> convenient than xls
>
>   Stephanie Perrin:I think it would be interesting to see both.  I want to
> look for contradictions in responses.  I also want to look for aggregates.
>
>   Maxim Alzoba (FAITID):NamesCon?
>
>   Tapani Tarvainen:(having written a number of pdf-to-text thingies...)
>
>   Maxim Alzoba (FAITID):Could we add example of report as a header to
> survey? like after you fill this - it is going to look like this and that?
>
>   Lisa Phifer:In short, we would need to get consent of all who responded
>
>   Maxim Alzoba (FAITID):P.s: my IP address is useless ... giant NAT pool
> of the local ISP
>
>   Michele Neylon:Stephanie is that you??
>
>   Tapani Tarvainen:+1 Stephanie. Don't really see any privacy issue here.
>
>   Michele Neylon:has someone hijacked her identity??
>
>   Michele Neylon:/me ducks
>
>   Lisa Phifer:@Maxim, generally not true of respondents taking survey
> from within corporate networks - in that case, IP is often static
>
>   Stephanie Perrin:Sadly I may not be on the call next week, depending on
> travel schedule
>
>   Maxim Alzoba (FAITID):@Lisa, agree - it depends
>
>   Maxim Alzoba (FAITID):Bye all
>
>   Benny / Nordreg AB:bye all
>
>   Daniel K. Nanghaka:bye
>
>   Patrick Lenihan:Thanks to Each and All!
>
>
>
>
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>