[Ssr2-review] Proposal: delete “Establish Baseline Security Practices” recommendation as OBE

Thu Dec 10 01:51:57 UTC 2020

I am not in favor of dropping this recommendation and I am not a big fan of
dropping recommendations for a sake of reducing the number only.

In my humble opinion, the recommendations is related to asking ICANN org to
ensure that SSR related activities must be included in the RSS governance
framework. It is not asking ICANN org to ensure implementation of the
governance framework.

If we read RSSAC037 and RSSAC038, there is no specific mention of the SSR
related matters in the RSS governance framework.

My two cents.

Best,
Naveed -

On Thu, 10 Dec 2020 at 4:14 AM Heather Flanagan <
hlf at sphericalcowconsulting.com> wrote:

> Hi all,
>
> I’m working on the Baseline Security (see page 38
> <https://docs.google.com/document/d/1myG9dtYYiL8lFd3ZOPXNUwKfr1yuAsNrwzod-J8CdMQ/edit#>)
> findings to try and help them support the recommendations. The evidence for
> the recommendation depend entirely on how the Board handled RSSAC037 and
> 038.
>
> Since this recommendation was first drafted, the Board likely hadn’t done
> much of anything. The Board’s initial response was in June 2018 and it said
> they would create an Root Server System Governance Working Group (RSS GWG)
> so that the community could tell them how to implement RSSAC 037 and 038.
> That working group didn’t form until the very end of 2019 (see
> https://ccnso.icann.org/en/announcements/announcement-26nov19-en.htm).
> That said, it did form, and has a work plan
> <https://community.icann.org/display/soacabout/Work+Plan> that runs
> through 2022.
>
> Given that, I’m not entirely sure that this still fits - the Board will
> simply point to the RSS GWG as the group with all the action items in the
> RSS space.
>
> I think it makes sense to drop this recommendation, unless there other
> supporting evidence we would like to refer to for the recommendation to
> have merit.
>
> Text of the recommendation:
> *SSR2 Recommendation 21: Establish Baseline Security Practices for Root
> Server Operators and Operations*
> 21.1. ICANN org, in close cooperation with RSSAC and other relevant
> stakeholders, should ensure that the RSS governance model as proposed by
> RSSAC037 includes baseline security best practices for Root Server
> Operators and operations to minimize the SSR risks associated with root
> server operation. These best practices should include change management,
> verification procedures, and sanity check procedures.  As part of this
> process, ICANN org should publish its own strategies for managing SSR for
> the IMRS and encourage other Root Server Operators to do the same.
>
>
> Heather Flanagan — Translator of Geek to Human
> https://sphericalcowconsulting.com
> _______________________________________________
> Ssr2-review mailing list
> Ssr2-review at icann.org
> https://mm.icann.org/mailman/listinfo/ssr2-review
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ssr2-review/attachments/20201210/d6b6fd5f/attachment.html>