<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Dear Mikey:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As Stephanie notes, the EWG plans to issue its final report at (before?) ICANN London in June. At that point the community will find out exactly what the EWG proposes, with hopefully a full explanation of why. Then the GNSO, the Board, and the community will need to decide whether the EWG’s proposals are good ones or not. I assume that there will be a formal public comment period for the EWG’s final report; the GNSO should confirm that in Singapore. I’m an expert on WHOIS, and I found the EWG’s interim report to be so impenetrable that it resisted interim comment (sorry, Stephanie!).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>When the EWG was formed, ICANN said “The working group's results will feed into the GNSO's bottom-up, policy development process where all community interests will be encouraged to participate in the decision-making.” If I have any personal advice for the GNSO, it is not to accept any fait accomplis. The EWG is to propose policies, and I suggest that those proposals shouldn’t be allowed to take on a life of their own and be considered done deals or the only alternatives. Part of the process should be a careful exploration of the implications and impacts of the proposed policies, and what alternative proposals may be proposed. The EWG is doing some due diligence, but it has to finish its work soon and the GNSO will need to assume responsibility for further diligence and studies.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Where are things with establishing a registration data policy? That is an interesting question. The EWG’s initial report did not do a good job IMHO at proposing policies. Here’s how SSAC061 put the problem; I think it is worth reiterating:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“The EWG, in parallel to proposing a new model for the purpose of registration data, discussed several ‘system designs’ for access to the data and proposed one model, calling for a centralized registration data repository. That approach poses a quandary: policies are expressions of goals and should articulate the problems the community designed them to solve. Until proposed registration data policies and their justifications are stated clearly, it is not possible to comment definitively on their security and stability consequences. And until the community accepts the policies, it is difficult to discuss whether proposed delivery options will satisfy the goals in a suitably secure and stable manner.…</span> <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Improving and ensuring security and stability require balancing risks, benefits, and costs. While it is understood that the EWG Initial Report is a first attempt by the EWG to address these issues, the SSAC does not believe adequate explanations of the perceived benefits, risks, or costs, or how they were balanced has been provided. The EWG Initial Report describes some proposed solutions but does not always discuss why those solutions are justified. Instead, the report focuses on a specific outcome: a specific system with many features. The EWG Initial Report did not state what alternatives it considered and rejected and did not indicate the EWG’s methodology for developing its recommendations. Some of the items in the EWG’s list of “Desired Features and Design Principles” (pages 20-27) may be seen within the community as new policies, and some are feature requests and implementation choices that may be only some of the possible ways to execute on the policies. If the ICANN community does not accept some of the proposed policies, the features and implementation choices will necessarily change. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The SSAC believes a centralized meta-registry (e.g., the ARDS) is not the only solution to problems stated by the WHOIS Review Team, and it is unclear whether that specific solution will create net improvements when weighed against the risks. “ <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf">http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf</a> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I personally will read that EWG final report to see if the EWG proposes a coherent set of WHOIS policies and under what basis the EWG justifies them. Based on the EWG’s November interim report and its response to the initial public comments, the EWG apparently believes that the centralized model (ARDS) is the way to go. I personally believe that that idea should receive robust debate and due diligence.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Among other things, SSAC recommended that a risk assessment be carried out. “The EWG agrees that risk/impact assessment should be conducted” (<a href="https://www.icann.org/en/groups/other/gtld-directory-services/summary-response-initial-12nov13-en.pdf">https://www.icann.org/en/groups/other/gtld-directory-services/summary-response-initial-12nov13-en.pdf</a>), but AFAIK that risk assessment has not yet been planned because we first need to see what the EWG final report says. And then see above -- the scope of any risk assessments may be dependent on what the GNSO thinks. For example, if it is determined that the centralized ARDS idea is a non-starter for overriding policy or legal reasons, then why would anyone do a risk assessment of its implementation? In any case, I suggest the GSNO track and help direct the creation of risk assessments at the appropriate points.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In the meantime, ICANN has issued an RFI on behalf of the EWG: "to identify any organizations capable of accrediting users of the new [centralized] Registration Directory Service (RDS) now under consideration to replace the current WHOIS system....With this Request for Information, the EWG seeks to solicit responses from organizations that currently issue system access credentials to authorized members of their own community, using defined acceptance criteria...The purpose of this RFI is purely informational – that is, to inform the development of policies and procedures that may follow the EWG's Final Report. As a result, potential Respondents responding to any future RFP for the EWG Project will not be bound by the estimates, prices, or other information provided in response to this RFI."<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="https://www.icann.org/en/news/announcements/announcement-2-10feb14-en.htm">https://www.icann.org/en/news/announcements/announcement-2-10feb14-en.htm</a> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So that’s an interesting thing. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>All best,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>--Greg<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> gnso-ssr-bounces@icann.org [mailto:gnso-ssr-bounces@icann.org] <b>On Behalf Of </b>Mike O'Connor<br><b>Sent:</b> Wednesday, February 12, 2014 8:41 AM<br><b>To:</b> GNSO SSR List<br><b>Subject:</b> [Gnso-ssr] discussion -- SAC061 -- SSAC Comment on ICANN’s Initial Report from the Expert Working Group on gTLD Directory Services<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>hi all,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>here’s a thread to talk about the SSAC comment on EWG initial report.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>here are a few questions. view them as a starting-point, not a rigid requirement. if you have a comment that falls outside of these questions, please go ahead and make your post. i’m just posting these to start conversation, not restrict it.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- what’s the current status of the EWG work?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- where are we in the process of establishing a registration data policy?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- who, if anybody, has taken these SSAC recommendations on board?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- is there anything that the GNSO, and/or the GNSO Council, should be doing in Singapore to help move this along?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- are there any other questions people would like to raise about this comment?<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><div><p class=MsoNormal><b>SAC061: SSAC Comment on ICANN’s Initial Report from the Expert Working Group on gTLD Directory Services</b><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><a href="http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf">http://www.icann.org/en/groups/ssac/documents/sac-061-en.pdf</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><blockquote style='margin-left:30.0pt;margin-right:0in'><div><p class=MsoNormal>Recommendation 1: SSAC reiterates its recommendation from SAC055: The ICANN Board should explicitly <b>defer any other activity (within ICANN’s remit) directed at finding a ‘solution’ to ‘the WHOIS problem’ until the registration data policy has been developed and accepted in the community</b>. The EWG should clearly state its proposal for the purpose of registration data, and focus on policy issues over specific implementations.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Recommendation 2: The ICANN Board should ensure that a <b>formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.</b><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Recommendation 3: SSAC recommends that the EWG state more clearly its positions on the following questions of data availability:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal><b>A. Why is a change to public access justified?</b><o:p></o:p></p></div><p class=MsoNormal>This explanation should describe the potential impact upon ordinary Internet users and casual or occasional users of the directory service.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal><b>B. Does the EWG believe that access to data currently accessible in generic Top Level Domain (gTLD) WHOIS output should become restricted?</b><o:p></o:p></p></div><p class=MsoNormal>If so, what fields and to what extent exactly? Under the EWG proposal, queries from non- authenticated requestors would return only “public data available to anyone, for<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal><b>C. Should all gTLD registries be required to provision their contact data into the Aggregated Registration Data Service (ARDS)? </b><o:p></o:p></p></div><p class=MsoNormal>There may be jurisdictions that prohibit by law the export of personally identifiable information outside the jurisdiction. If so, the ARDS may not be a viable way to deliver data accuracy and compliance across all gTLDs.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>D. Does the EWG propose <b>more types of sensitive registration data be provisioned into ARDS than are found in current gTLD WHOIS output?</b> <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Recommendation 4: The SSAC suggests that the EWG address this recommendation from SAC058: “SSAC Report on Domain Name Registration Data Validation”3:<o:p></o:p></p></div><div><p class=MsoNormal>As the ICANN community discusses validating contact information, the SSAC recommends that <b>the following meta-questions regarding the costs and benefits of registration data validation should be answered</b>:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>• <b>What data elements need to be added or validated to comply with requirements or expectations of different stakeholders?</b><o:p></o:p></p></div><div><p class=MsoNormal><b>• Is additional registration processing overhead and delay an acceptable cost for improving accuracy and quality of registration data?</b><o:p></o:p></p></div><div><p class=MsoNormal><b>• Is higher cost an acceptable outcome for improving accuracy and quality?</b><o:p></o:p></p></div><div><p class=MsoNormal><b>• Would accuracy improve if the registration process were to provide natural persons with privacy protection upon completion of multi-factored validation?</b><o:p></o:p></p></div></blockquote><div><div><p class=MsoNormal><b><o:p> </o:p></b></p></div><div><p class=MsoNormal><b><o:p> </o:p></b></p></div></div></div></div></div></body></html>