[Comments-atrt3-draft-report-16dec19] SSR

Weissinger, Laurin laurin.weissinger at yale.edu
Fri Jan 31 20:47:45 UTC 2020


The aim (option 2) to reduce the SSR review to short workshops is concerning. 

While the OCTO team is doing a lot of excellent work (e.g. outreach, engagement, stakeholder support, etc.) and SSAC and RSSAC contribute important advice, there are systemic security issues within the DNS and the ICANN ecosystem that need to be addressed. 
For example, ICANN contracts do not properly address systemic abuse (https://www.icann.org/en/system/files/correspondence/hedlund-to-vayra-04apr18-en.pdf, p.2). Issues with ICANN’s approach to security and anti-abuse are also documented by multiple review teams. 
It is obvious that improving on security is paramount and requires proper oversight and/or audit mechanisms. 

Many approaches to addressing security vulnerabilities and lacking anti-abuse provisions do exist. Likewise, many options exist for overseeing the process — but the key to all of them is to have actual oversight, transparency, and consequences / actions to address SSR concerns. 

Continuous assessment and audits by independent third parties, reviewed by the community in intervals or partly “staffed” by community volunteers, could be an approach, as well as shorter but more frequent reviews on SSR, e.g. twice per year. In the latter case, having overlapping terms (at least 1 year overlap, better 1.5/2) to ensure knowledge transfer would be useful.

Whatever is finally recommended should be fleshed out more and explain how the future process could uphold a level of oversight and transparency appropriate for such an important concern. 

Laurin Weissinger, in personal capacity
(For the record: Yale University, and SSR2 co-vice chair)



