[council] FW: Letter to board on DNS CERT WG

Gomes, Chuck cgomes at verisign.com
Fri Apr 9 12:43:10 UTC 2010

Please note the following response that Chris, Cheryl and I sent to
Thomas Narten in follow-up to an email he sent as in his capacity as a
Board liaison regarding our letter about the DNS-CERT.


-----Original Message-----
From: Chris Disspain [mailto:ceo at auda.org.au] 
Sent: Friday, April 09, 2010 3:45 AM
To: 'Thomas Narten'; Gomes, Chuck; 'Cheryl Langdon-Orr'
Subject: RE: Letter to board on DNS CERT WG


Given the 25 March letter to Peter and Rod was a joint ALAC, gNSO and
ccNSO comment, we felt it appropriate for us to also collaborate on a
response to your questions.

To help clarify our concerns, we believe it is important to draw a
distinction between ICANN's processes of "community interaction" and
"public comment".  We believe that, in releasing a draft proposal for a
DNS-CERT, ICANN staff skipped a number of important steps in the
bottom-up policy development process. Atypically, ICANN's first formal
engagement on the issue was the proposal of a significantly developed
solution to perceived DNS security problems. It skipped to the later
public comment phase without first engaging the community in a dialogue
regarding the nature of its concerns, an assessment of threats and
vulnerabilities and collaborative consideration of possible solutions.

When a significant issue is identified, the ICANN Board usually directs
a group of relevant ICANN stakeholders to consider the matter at hand
and develop a strategy for addressing it. Consistent with our proposal,
this consultation often takes the form of a public forum at a physical
ICANN meeting followed by the establishment of a cross-constituency
Working Group. This represents a preliminary stage of "community
While ICANN staff often develops an issues paper to support the group's
work, we believe the current document does not meet this need.

The Working Group should be tasked with identifying and developing
responses to the questions that have already been addressed in the
proposed DNSCERT plan - 
.	What is the nature and extent of the problem?
.	Do current structures and efforts provide an adequate response?

.	If not, should a DNS-CERT be established?
.	What precisely to we mean by a "DNS-CERT"?
.	Should ICANN undertake this work?
.	What areas would the DNS-CERT work in?
.	Should it be established as a gTLD DNS-CERT and ccTLDs
to participate?
Only after this process has occurred, and a mitigation strategy
developed, would ICANN seek "public comment" on any proposed solution.

In summary, we share ICANN's view that the security and stability of the
DNS is an important strategic priority. As such, if threats to the DNS
are deemed to be severe enough and current response mechanisms
inadequate, we would welcome community consideration of a proposed
response, including the possibility of a DNS-CERT. 

We believe that ICANN's typical working methods have not been followed
in the development of the DNS-CERT business case and, through our joint
letter, are encouraging the ICANN Board and staff to take a step back to
ensure that an appropriate, consensus-based, bottom-up policy
development process is followed.

We hope this clarifies our position though would be happy to discuss
this with you, or any other Board member, in further detail.


Chris Disspain, Cheryl Langdon-Orr and Chuck Gomes

> -----Original Message-----
> From: Thomas Narten [mailto:narten at us.ibm.com]
> Sent: Sunday, 28 March 2010 05:06
> To: Gomes, Chuck; Cheryl Langdon-Orr; Chris Disspain
> Subject: Letter to board on DNS CERT WG
> Hi.
> I read your letter with interest and would like to understand a bit 
> better what is motivating it. I'm asking as an interested board 
> member, trying to understand what the real underlying issue is.
> The DNS CERT paper (as I understand it) is just a proposal. It would 
> presumably go through a standard set of public 
> discussions/feedback/etc. before ever going into effect. Would that 
> not be sufficient to get community feedback? I.e, why form a joint WG?
> That isn't the normal response to proposals. What is different about 
> this one that raises it to the level of needing a special WG?
> Thanks!
> Thomas
> __________ Information from ESET Smart Security, version of virus
signature database
> 4978 (20100326) __________
> The message was checked by ESET Smart Security.
> http://www.eset.com

__________ Information from ESET Smart Security, version of virus
signature database 5011 (20100408) __________

The message was checked by ESET Smart Security.


More information about the council mailing list