[Ssr2-review] Proposal: delete ???Establish Baseline Security Practices??? recommendation as OBE

k claffy kc at caida.org
Thu Dec 10 02:41:14 UTC 2020 

I disagree that RSSAC037 does not mention SSR related matters.

The word "security" appears 12 times in this document.
"reliabl" 15 times, resili* 10 times, stab* 20 times.
the role of the SAPF (p.20) explicitly includes best practices 
to "support the availability, performance, scalability, and
security of the RSS."
what else do you want in this framework that's not already here?

if anything i think we should use RSSAC037 as an example of
an SSR initative that's actually doing the right things, not
criticize it. (tho maybe it took 20 years longer than
it should have.)

k


On Thu, Dec 10, 2020 at 05:51:57AM +0400, Naveed Bin Rais wrote:
  I am not in favor of dropping this recommendation and I am not a big fan of
  dropping recommendations for a sake of reducing the number only.
  
  In my humble opinion, the recommendations is related to asking ICANN org to
  ensure that SSR related activities must be included in the RSS governance
  framework. It is not asking ICANN org to ensure implementation of the
  governance framework.
  
  If we read RSSAC037 and RSSAC038, there is no specific mention of the SSR
  related matters in the RSS governance framework.
  
  My two cents.
  
  Best,
  Naveed -
  
  On Thu, 10 Dec 2020 at 4:14 AM Heather Flanagan <
  hlf at sphericalcowconsulting.com> wrote:
  
  > Hi all,
  >
  > I???m working on the Baseline Security (see page 38
  > <https://docs.google.com/document/d/1myG9dtYYiL8lFd3ZOPXNUwKfr1yuAsNrwzod-J8CdMQ/edit#>)
  > findings to try and help them support the recommendations. The evidence for
  > the recommendation depend entirely on how the Board handled RSSAC037 and
  > 038.
  >
  > Since this recommendation was first drafted, the Board likely hadn???t done
  > much of anything. The Board???s initial response was in June 2018 and it said
  > they would create an Root Server System Governance Working Group (RSS GWG)
  > so that the community could tell them how to implement RSSAC 037 and 038.
  > That working group didn???t form until the very end of 2019 (see
  > https://ccnso.icann.org/en/announcements/announcement-26nov19-en.htm).
  > That said, it did form, and has a work plan
  > <https://community.icann.org/display/soacabout/Work+Plan> that runs
  > through 2022.
  >
  > Given that, I???m not entirely sure that this still fits - the Board will
  > simply point to the RSS GWG as the group with all the action items in the
  > RSS space.
  >
  > I think it makes sense to drop this recommendation, unless there other
  > supporting evidence we would like to refer to for the recommendation to
  > have merit.
  >
  > Text of the recommendation:
  > *SSR2 Recommendation 21: Establish Baseline Security Practices for Root
  > Server Operators and Operations*
  > 21.1. ICANN org, in close cooperation with RSSAC and other relevant
  > stakeholders, should ensure that the RSS governance model as proposed by
  > RSSAC037 includes baseline security best practices for Root Server
  > Operators and operations to minimize the SSR risks associated with root
  > server operation. These best practices should include change management,
  > verification procedures, and sanity check procedures.  As part of this
  > process, ICANN org should publish its own strategies for managing SSR for
  > the IMRS and encourage other Root Server Operators to do the same.
  >
  >
  > Heather Flanagan ??? Translator of Geek to Human
  > https://sphericalcowconsulting.com
  > _______________________________________________
  > Ssr2-review mailing list
  > Ssr2-review at icann.org
  > https://mm.icann.org/mailman/listinfo/ssr2-review
  >
  > _______________________________________________
  > By submitting your personal data, you consent to the processing of your
  > personal data for purposes of subscribing to this mailing list accordance
  > with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
  > the website Terms of Service (https://www.icann.org/privacy/tos). You can
  > visit the Mailman link above to change your membership status or
  > configuration, including unsubscribing, setting digest-style delivery or
  > disabling delivery altogether (e.g., for a vacation), and so on.

  _______________________________________________
  Ssr2-review mailing list
  Ssr2-review at icann.org
  https://mm.icann.org/mailman/listinfo/ssr2-review
  
  _______________________________________________
  By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

More information about the Ssr2-review mailing list