[Ssr2-review] Proposal: delete “Establish Baseline Security Practices” recommendation as OBE

Weissinger, Laurin laurin.weissinger at yale.edu
Thu Dec 10 07:40:39 UTC 2020


Dear kc, Naveed, and all, 

It seems to me that this recommendation was at least partly overtaken by events. 

If we want to remind them to not “forget” SSR, that is a different recommendation at this point in time than what we wrote a while back — things have moved on and part of the recommendation has been “overtaken”. 

Do we have any evidence that SSR is being included sufficiently in the process that is happening _now_ or evidence that it is not? 

In case things look fine, the rec doesn’t make sense anymore; in case there seem to be gaps (emerging), we should rephrase. 

All the best
Laurin 

> On Dec 10, 2020, at 03:41, k claffy <kc at caida.org> wrote:
> 
> 
> I disagree that RSSAC037 does not mention SSR related matters.
> 
> The word "security" appears 12 times in this document.
> "reliabl" 15 times, resili* 10 times, stab* 20 times.
> the role of the SAPF (p.20) explicitly includes best practices 
> to "support the availability, performance, scalability, and
> security of the RSS."
> what else do you want in this framework that's not already here?
> 
> if anything i think we should use RSSAC037 as an example of
> an SSR initiative that's actually doing the right things, not
> criticize it. (tho maybe it took 20 years longer than
> it should have.)
> 
> k
> 
> 
> On Thu, Dec 10, 2020 at 05:51:57AM +0400, Naveed Bin Rais wrote:
>  I am not in favor of dropping this recommendation and I am not a big fan of
>  dropping recommendations for the sake of reducing the number only.
> 
>  In my humble opinion, the recommendation is related to asking ICANN org to
>  ensure that SSR related activities must be included in the RSS governance
>  framework. It is not asking ICANN org to ensure implementation of the
>  governance framework.
> 
>  If we read RSSAC037 and RSSAC038, there is no specific mention of the SSR
>  related matters in the RSS governance framework.
> 
>  My two cents.
> 
>  Best,
>  Naveed -
> 
>  On Thu, 10 Dec 2020 at 4:14 AM Heather Flanagan <
>  hlf at sphericalcowconsulting.com> wrote:
> 
>> Hi all,
>> 
>> I’m working on the Baseline Security (see page 38
>> <https://docs.google.com/document/d/1myG9dtYYiL8lFd3ZOPXNUwKfr1yuAsNrwzod-J8CdMQ/edit#>)
>> findings to try and help them support the recommendations. The evidence for
>> the recommendation depends entirely on how the Board handled RSSAC037 and
>> 038.
>> 
>> Since this recommendation was first drafted, the Board likely hadn’t done
>> much of anything. The Board’s initial response was in June 2018 and it said
>> they would create a Root Server System Governance Working Group (RSS GWG)
>> so that the community could tell them how to implement RSSAC 037 and 038.
>> That working group didn’t form until the very end of 2019 (see
>> https://ccnso.icann.org/en/announcements/announcement-26nov19-en.htm).
>> That said, it did form, and has a work plan
>> <https://community.icann.org/display/soacabout/Work+Plan> that runs
>> through 2022.
>> 
>> Given that, I’m not entirely sure that this still fits - the Board will
>> simply point to the RSS GWG as the group with all the action items in the
>> RSS space.
>> 
>> I think it makes sense to drop this recommendation, unless there is other
>> supporting evidence we would like to refer to for the recommendation to
>> have merit.
>> 
>> Text of the recommendation:
>> *SSR2 Recommendation 21: Establish Baseline Security Practices for Root
>> Server Operators and Operations*
>> 21.1. ICANN org, in close cooperation with RSSAC and other relevant
>> stakeholders, should ensure that the RSS governance model as proposed by
>> RSSAC037 includes baseline security best practices for Root Server
>> Operators and operations to minimize the SSR risks associated with root
>> server operation. These best practices should include change management,
>> verification procedures, and sanity check procedures.  As part of this
>> process, ICANN org should publish its own strategies for managing SSR for
>> the IMRS and encourage other Root Server Operators to do the same.
>> 
>> 
>> Heather Flanagan - Translator of Geek to Human
>> https://sphericalcowconsulting.com/
>> _______________________________________________
>> Ssr2-review mailing list
>> Ssr2-review at icann.org
>> https://mm.icann.org/mailman/listinfo/ssr2-review
>> 
>> _______________________________________________
>> By submitting your personal data, you consent to the processing of your
>> personal data for purposes of subscribing to this mailing list accordance
>> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
>> the website Terms of Service (https://www.icann.org/privacy/tos). You can
>> visit the Mailman link above to change your membership status or
>> configuration, including unsubscribing, setting digest-style delivery or
>> disabling delivery altogether (e.g., for a vacation), and so on.
> 
