[Gnso-ssr] discussion -- SAC061 -- SSAC Comment on ICANN's Initial Report from the Expert Working Group on gTLD Directory Services

Greg Aaron greg at illumintel.com
Wed Feb 12 16:16:53 UTC 2014 

Dear Mikey:

 

As Stephanie notes, the EWG plans to issue its final report at (before?)
ICANN London in June.   At that point the community will find out exactly
what the EWG proposes, with hopefully a full explanation of why.  Then the
GNSO, the Board, and the community will need to decide whether the EWG's
proposals are good ones or not.   I assume that there will be a formal
public comment period for the EWG's final report; the GNSO should confirm
that in Singapore.  I'm an expert on WHOIS, and I found the EWG's interim
report to be so impenetrable that it resisted interim comment (sorry,
Stephanie!).

 

When the EWG was formed, ICANN said "The working group's results will feed
into the GNSO's bottom-up, policy development process where all community
interests will be encouraged to participate in the decision-making."  If I
have any personal advice for the GNSO, it is not to accept any fait
accomplis.  The EWG is to propose policies, and I suggest that those
proposals shouldn't be allowed to take on a life of their own and be
considered done deals or the only alternatives.  Part of the process should
be a careful exploration of the implications and impacts of the proposed
policies, and what alternative proposals may be proposed.  The EWG is doing
some due diligence, but it has to finish its work soon and the GNSO will
need to assume responsibility for further diligence and studies.

 

Where are things with establishing a registration data policy?  That is an
interesting question.  The EWG's initial report did not do a good job IMHO
at proposing policies.  Here's how SSAC061 put the problem; I think it is
worth reiterating:

"The EWG, in parallel to proposing a new model for the purpose of
registration data,  discussed several 'system designs' for access to the
data and proposed one model, calling  for a centralized registration data
repository. That approach poses a quandary: policies are expressions of
goals and should articulate the problems the community designed them  to
solve. Until proposed registration data policies and their justifications
are stated clearly, it is not possible to comment definitively on their
security and stability  consequences. And until the community accepts the
policies, it is difficult to discuss  whether proposed delivery options will
satisfy the goals in a suitably secure and stable  manner.. 

Improving and ensuring security and stability require balancing risks,
benefits, and costs.  While it is understood that the EWG Initial Report is
a first attempt by the EWG to  address these issues, the SSAC does not
believe adequate explanations of the perceived  benefits, risks, or costs,
or how they were balanced has been provided. The EWG Initial  Report
describes some proposed solutions but does not always discuss why those
solutions are justified. Instead, the report focuses on a specific outcome:
a specific system  with many features. The EWG Initial Report did not state
what alternatives it considered  and rejected and did not indicate the EWG's
methodology for developing its recommendations. Some of the items in the
EWG's list of "Desired Features and Design  Principles" (pages 20-27) may be
seen within the community as new policies, and some are feature requests and
implementation choices that may be only some of the possible  ways to
execute on the policies. If the ICANN community does not accept some of the
proposed policies, the features and implementation choices will necessarily
change.  

The SSAC believes a centralized meta-registry (e.g., the ARDS) is not the
only solution  to problems stated by the WHOIS Review Team, and it is
unclear whether that specific  solution will create net improvements when
weighed against the risks. " 

http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf 

 

I personally will read that EWG final report to see if the EWG proposes a
coherent set of WHOIS policies and under what basis the EWG justifies them.
Based on the EWG's November interim report and its response to the initial
public comments, the EWG apparently believes that the centralized model
(ARDS) is the way to go.  I personally believe that that idea should receive
robust debate and due diligence.

 

Among other things, SSAC recommended that a risk assessment be carried out.
"The EWG agrees that risk/impact assessment should be conducted"
(https://www.icann.org/en/groups/other/gtld-directory-services/summary-respo
nse-initial-12nov13-en.pdf), but AFAIK that risk assessment has not yet been
planned because we first need to see what the EWG final report says.  And
then see above -- the scope of any risk assessments may be dependent on what
the GNSO thinks.  For example, if it is determined that the centralized ARDS
idea is a non-starter for overriding policy or legal reasons, then why would
anyone do a risk assessment of its implementation?  In any case, I suggest
the GSNO track and help direct the creation of risk assessments at the
appropriate points.

 

In the meantime, ICANN has issued an RFI on behalf of the EWG: "to identify
any organizations capable of accrediting users of the new [centralized]
Registration Directory Service (RDS) now under consideration to replace the
current WHOIS system....With this Request for Information, the EWG seeks to
solicit responses from organizations that currently issue system access
credentials to authorized members of their own community, using defined
acceptance criteria...The purpose of this RFI is purely informational - that
is, to inform the development of policies and procedures that may follow the
EWG's Final Report. As a result, potential Respondents responding to any
future RFP for the EWG Project will not be bound by the estimates, prices,
or other information provided in response to this RFI."

https://www.icann.org/en/news/announcements/announcement-2-10feb14-en.htm 

So that's an interesting thing.  

 

All best,

--Greg

 

 

 

 

From: gnso-ssr-bounces at icann.org [mailto:gnso-ssr-bounces at icann.org] On
Behalf Of Mike O'Connor
Sent: Wednesday, February 12, 2014 8:41 AM
To: GNSO SSR List
Subject: [Gnso-ssr] discussion -- SAC061 -- SSAC Comment on ICANN's Initial
Report from the Expert Working Group on gTLD Directory Services

 

hi all,

 

here's a thread to talk about the SSAC comment on EWG initial report.

 

here are a few questions.  view them as a starting-point, not a rigid
requirement.  if you have a comment that falls outside of these questions,
please go ahead and make your post.  i'm just posting these to start
conversation, not restrict it.

 

- what's the current status of the EWG work?

 

- where are we in the process of establishing a registration data policy?

 

- who, if anybody, has taken these SSAC recommendations on board?

 

- is there anything that the GNSO, and/or the GNSO Council, should be doing
in Singapore to help move this along?

 

- are there any other questions people would like to raise about this
comment?

 

SAC061:  SSAC Comment on ICANN's Initial Report from the Expert Working
Group on gTLD Directory Services

 

http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf

 

Recommendation 1: SSAC reiterates its recommendation from SAC055: The ICANN
Board should explicitly defer any other activity (within ICANN's remit)
directed at finding a 'solution' to 'the WHOIS problem' until the
registration data policy has been developed and accepted in the community.
The EWG should clearly state its proposal for the purpose of registration
data, and focus on policy issues over specific implementations.

 

Recommendation 2: The ICANN Board should ensure that a formal security risk
assessment of the registration data policy be conducted as an input into the
Policy Development Process.

 

Recommendation 3: SSAC recommends that the EWG state more clearly its
positions on the following questions of data availability:

 

A. Why is a change to public access justified?

This explanation should describe the potential impact upon ordinary Internet
users and casual or occasional users of the directory service.

 

B. Does the EWG believe that access to data currently accessible in generic
Top Level Domain (gTLD) WHOIS output should become restricted?

If so, what fields and to what extent exactly? Under the EWG proposal,
queries from non- authenticated requestors would return only "public data
available to anyone, for

 

C. Should all gTLD registries be required to provision their contact data
into the Aggregated Registration Data Service (ARDS)?  

There may be jurisdictions that prohibit by law the export of personally
identifiable information outside the jurisdiction. If so, the ARDS may not
be a viable way to deliver data accuracy and compliance across all gTLDs.

 

D. Does the EWG propose more types of sensitive registration data be
provisioned into ARDS than are found in current gTLD WHOIS output? 

 

Recommendation 4: The SSAC suggests that the EWG address this recommendation
from SAC058: "SSAC Report on Domain Name Registration Data Validation"3:

As the ICANN community discusses validating contact information, the SSAC
recommends that the following meta-questions regarding the costs and
benefits of registration data validation should be answered:

 

. What data elements need to be added or validated to comply with
requirements or expectations of different stakeholders?

. Is additional registration processing overhead and delay an acceptable
cost for improving accuracy and quality of registration data?

. Is higher cost an acceptable outcome for improving accuracy and quality?

. Would accuracy improve if the registration process were to provide natural
persons with privacy protection upon completion of multi-factored
validation?

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-ssr/attachments/20140212/321b8b52/attachment-0001.html>

More information about the Gnso-ssr mailing list