[Ssr2-review] ICANN SSR, Future Challenges answers

Jennifer Bryce jennifer.bryce at icann.org
Wed Apr 3 00:45:27 UTC 2019


Dear SSR2 RT,

The below answers have been added to the Q&A Google doc: <https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit?usp=sharing>. Please let us know if you have any questions.

Review Team volunteers: Norm, Ram
Workstream: ICANN SSR
Topic 6: Perform an assessment of how effectively ICANN has implemented its processes around vetting registry operators and services concerning the New gTLD Delegation and Transition process.
Outstanding questions: 1

Q: Referencing the EBERO testing of Fall, 2017 (https://schd.ws/hosted_files/icann60abudhabi2017/08/7%20EBERO%20Arias.pdf) Since the EBERO testing in the Fall of 2017, have the issues raised been addressed by the EBERO providers? If so, has a re-test been conducted and, if so, are the results available? If not, is a re-test scheduled and when is it scheduled?
A: ICANN has updated the EBERO Master Services Agreement and updated requirements in the Common Transition Process (the requirements for EBERO Service Providers) in preparation for the EBERO RFP process that is underway. These changes add additional clarity to the process requirements and all providers selected as part of the RFP will be subject to the new requirements. No re-test has been conducted and none is scheduled at this time as the referenced tests were conducted with the permission of terminating gTLDs.

Review Team volunteers: Denise, Kerry-Ann, Zarko
Workstream: ICANN SSR
Topic 7: Perform an assessment of how effectively ICANN has implemented its processes to ensure compliance regarding registrar agreements and the consensus policies.
Outstanding questions: 6

Q: In your experience, are the emergency thresholds fit for purpose? If not, are there any plans to revisit them with the community?
A: The emergency thresholds fit the purpose for which they were designed. There are no plans to revise them with the community.

Q: To what extent are the EBERO processes part of ICANN’s risk management framework?
A: EBERO capabilities are considered as part of ICANN's enterprise risk management efforts.

Q: To what extent have the relationships or contracts with EBERO providers been updated to take into account the changing security landscapes, information security requirements?
A: EBERO provider contracts are for 5 years. ICANN is currently running a Request for Proposal (RFP) to find EBERO providers for the next 5 years. Throughout the past five years, EBERO processes have been updated as needed when criteria have changed. The requirements for the next round of EBERO providers, to be identified in 2019, include several updates to both EBERO processes and contract. It includes lessons learned from experience in EBERO operations as well as new language and amendments to cover data privacy and management (IT Security) of data.

Q: ICANN was not monitoring EPP. Is this still the case?
A: Correct, EPP is not currently being monitored.

Q: Please provide a progress report on the planned webpage with current information on common challenges for registry service providers, and suggested mitigation actions/proactive measures?
A: There is no planned webpage for this service.

Q: Is there a plan to continue research on the abuse of and possible safeguards in the DNS, and in particular with reference to New gTLDs, following the report on DNS abuse (commissioned by CCT Review Team)?
A: ICANN’s Office of the CTO will continue to provide anonymized reports from the Domain Abuse Activity Reporting (DAAR)<https://www.icann.org/octo-ssr/daar> system, which monitors the amount of spam, phishing, malware, and botnet domains in the DNS.

While DAAR is not a result of the CCT-RT’s work, it employs a similar methodology to that used in the DNS abuse study<https://www.icann.org/en/system/files/files/sadag-final-09aug17-en.pdf> they commissioned, and is referenced in the CCTRT’s recommendations regarding DNS abuse. The CCTRT also recommended continuing research on new gTLD safeguards and DNS abuse for future Review Teams. Currently, however, there are no specific plans for a study on gTLD safeguards.

The ICANN Board flagged some of the CCTRT’s recommendations relating to DNS abuse and safeguards as “pending,” to be addressed at a later time when certain pre-requisites have been met. If and when these recommendations are approved, ICANN org may carry out further research on DNS abuse and gTLD safeguards. For details, see the ICANN Board’s scorecard<https://www.icann.org/en/system/files/files/resolutions-final-cct-recs-scorecard-01mar19-en.pdf>.

Review Team volunteers: Eric, Denise, Norm, Boban
Workstream: Future Challenges
Topic: Coalescence of registrars/registry/backend operators for multiple TLDs
Outstanding questions: 0

Q: Is there a complete list of backend registry operators & escrow providers?
A: We do not have the authority to release some of this data. Approved Data Escrow providers are listed at https://newgtlds.icann.org/en/applicants/data-escrow

Q: Are there any measurements/ analysis/ testing of exercising the above functions?
A: There is no service defined for direct testing of RSPs. Data Escrow Agents are monitored via regular, monthly data escrow reports. Measurement or testing of RSP performance is done on a random basis.

Q: Is there a periodic report of domain names (number registrars, etc.)?
A: In terms of periodic summary reports, the Domain Name Marketplace Indicators initiative will shortly release a first wave of relevant indicators such as those identified in the question. This report is intended to be updated semi-annually, and should be accessible via https://www.icann.org/resources/pages/metrics-gdd-2015-01-30-en. The same webpage currently hosts some relevant statistics, albeit with less breadth and depth, under the 'gTLD Marketplace Health Index' heading.

Q: Are there higher security requirements for backend operators running multiple TLDs?
A: The requirements in the base Registry Agreement apply to the Registry Operator signing the agreement. ICANN does not have a contractual relationship with backend operators, with the exception of backend operators that are also Registry Operators.

Q: Are there any and if so, what are the control mechanisms for operational availability of the TLDs?
A: The control mechanisms are:
* data escrow, please refer to specification 2 of the base registry agreement.
* registry performance specifications, please refer to specification 10 of the base registry agreement.
* registry continuity, please refer to section 3, specification 6 of the base registry agreement.
* emergency transition (EBERO), please refer to section 2.13 of the base agreement.
* contractual and operational compliance audit, please refer to section 2.11 of the base agreement.
* continued operations instrument, please refer to section 2.12 of the base agreement.

--

Jennifer Bryce
Senior Reviews Coordinator
Internet Corporation for Assigned Names and Numbers (ICANN)

Email: jennifer.bryce at icann.org
Skype: jennifer.bryce.icann
www.icann.org