[CPWG] Readout from ICANN79 ALAC Plenary Session #2 - Building Trust on the Internet Through Registrant Verification

gopal gopal at annauniv.edu
Sat Mar 23 06:10:24 UTC 2024


Thank you again Michael Palage.

Cryptography does identify failures but invariably it results in inner attacks.

A trust management scheme is a common way to detect and isolate the compromised nodes. IMHO, ICANN is taking on the challenge of "trust" based models in a multistakeholder system.

Blackhole is also a type of cyber attack.

In principle the apparent dichotomy between "Technical" and "Managerial" paths is useful. In practice, "Technical" path affords stable terms and definitions.

I note that you have earlier worked on rationalizing the terms in this area. We may have to prioritize the terms pertaining to "Sovereignty", "Provenance", "Revocation" and "Enforcement" within the galaxy you have so nicely modeled.

The deck of slides you have sent in the trace from the Global Legal Entity Identifier Foundation [GLEIF] titled "Organizational Identity" mentions Zero Trust Architectures, i.e. ‘Never trust; always verify’.

Coming from India, Zero is a sort of default lucky charm in my mind.

My choice report on "Zero Trust Architecture" [59 Pages] is at:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Hope this helps.

Sincerely,



Gopal T V
0 9840121302
https://vidwan.inflibnet.ac.in/profile/57545
https://www.facebook.com/gopal.tadepalli
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dr. T V Gopal
Professor
Department of Computer Science and Engineering
College of Engineering
Anna University
Chennai - 600 025, INDIA
Ph : (Off) 22351723 Extn. 3340
       (Res) 24454753
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

________________________________
From: mike palage.com <mike at palage.com>
Sent: 22 March 2024 22:30
To: gopal <gopal at annauniv.edu>; cpwg at icann.org <cpwg at icann.org>; Avri <avri at doria.org>
Subject: RE: Readout from ICANN79 ALAC Plenary Session #2 - Building Trust on the Internet Through Registrant Verification


Hello Gopal,



Yes “Digital Identity” is complex. If you ask 20 experts for a definition you are likely to get 20 different answers. That is in part why I positioned “Digital Identity” as a black hole in that graphic.



A couple of years ago I prepared a document that I called the Digital Identity Rosetta Stone which tracked how different terms were defined/used differently in various standards and trust frameworks. Maybe it is time to dust off that Excel spreadsheet again. Shout Out to Avri, would my co-moderator be interested in restarting this project?



Unfortunately, I see no clear path to minimizing the potential collision of certain definitions or acronyms, unless the industry adopts ICANN's crazy approach to acronyms.  This is why practitioners need to alert their internal teams about these conflicts. The danger of miscommunication is heightened when the legal team may have one definition for a term, while the business and technical teams may have conflicting definitions. It is sort of a modern-day Tower of Babel.



Based upon my work in the space over the past 5-7 years, I believe that the work OIX is doing is perhaps some of the best cutting-edge work to help provide interoperability between the various trust frameworks and technical standards. You should check out the great work that Nick Mothershaw and his team are doing at OIX, see https://openidentityexchange.org.



Best regards,



Michael







From: gopal <gopal at annauniv.edu>
Sent: Friday, March 22, 2024 5:26 AM
To: cpwg at icann.org; Avri <avri at doria.org>; mike palage.com <mike at palage.com>
Subject: Re: Readout from ICANN79 ALAC Plenary Session #2 - Building Trust on the Internet Through Registrant Verification



Michael Palage,



Many thanks for the mail in the trace. I must thank you for the image "Digital Identity Galaxy" you have shared and the CIRA public report "A Trust Layer for the Internet is Emerging".



Identity is the attribute of identical, the exact correspondence of one thing with another when compared.



The challenge is to make this happen online globally.



It is interesting to note that from Wednesday, 24 April 2024 in Switzerland, Swiss Citizens [Natural Persons] will be able to get a ".swiss domain" using their UPI ID. This is Unique Person Identification in Switzerland.



In India UPI is Unified Payments Interface (UPI) created by the National Payments Corporation of India (NPCI) to facilitate a single mobile application managing multiple bank accounts and carrying out low value transactions. UPI leaves a trace for cross checking by law enforcement.



The acronym UPI is confusing.



The verification of people's identity online using images and selfies is not standardized. Verification is a curious blend of in-person and online methods. It is a multi-factor act and the strength of the chain is determined by the weakest link.



At what level of "Unique ID" generation will a given individual attain the "Trust Layer" grade to go peer-to-peer globally?



Your advice please.



Sincerely,









Gopal T V

0 9840121302
https://vidwan.inflibnet.ac.in/profile/57545
https://www.facebook.com/gopal.tadepalli
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dr. T V Gopal
Professor
Department of Computer Science and Engineering
College of Engineering
Anna University
Chennai - 600 025, INDIA
Ph : (Off) 22351723 Extn. 3340
       (Res) 24454753
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

________________________________

From: CPWG <cpwg-bounces at icann.org> on behalf of mike palage.com via CPWG <cpwg at icann.org>
Sent: 22 March 2024 10:29
To: cpwg at icann.org <cpwg at icann.org>; Avri <avri at doria.org>
Subject: [CPWG] Readout from ICANN79 ALAC Plenary Session #2 - Building Trust on the Internet Through Registrant Verification



Hello All,



Below please find a readout in connection with the ALAC Plenary Session that Avri and I co-moderated during ICANN79.



Best regards,



Michael





On 6-March-2024, the ICANN At Large Advisory Committee (ALAC) held a plenary session entitled “Building Trust on the Internet Through Registrant Verification” at the ICANN79 Community Forum in San Juan, Puerto Rico that Michael Palage and Avri Doria co-moderated. This session was inspired in part by a recent World Economic Forum report entitled “Reimagining Digital ID” that noted “[d]espite a sustained focus on ID, the increasingly widespread use of digital technologies, and the rapid development of AI, the internet lacks an ID layer.” This session focused on innovations by TLD registry operators (both gTLD and ccTLD) that are increasing trust in their respective namespace using enhanced registrant verification, and how this innovation can have an impact beyond the domain name marketplace.



Listed below is a summary of each speaker’s comments along with a link to their respective presentation in the order they presented.



Finn Petersen, the Danish Director of International ICT Relations Agency for Digital Government, provided a presentation<https://community.icann.org/download/attachments/292978838/Presentation%20-%20NIS%20CG%20%20-%20WS%20WHOIS%20-%20ALAC%20Plenary-%20Verification%20-%2029.02.24%20-%20FPT%20%20-%20%20Read-Only.pdf?version=1&modificationDate=1709668949000&api=v2> on the recently enacted European Network and Information Security Directive 2 (NIS 2.0) and its potential impact on domain registration authorities. Finn specifically addressed Article 28 and its requirements regarding the collection, verification, and publication of domain name registrant data. Finn is uniquely qualified to provide insight on Article 28 as he is the Chair of Work Stream (WS) on WHOIS that currently encompasses a Task Force on Verification and Legitimate Access.



Karla McKenna, Managing Director/Head of Standards at the Global Legal Entity Identifier Foundation (GLEIF) provided a presentation<https://community.icann.org/download/attachments/292978838/2024-03-06_Organizational-Identity-LEI-vLEI-ICANN_v1.0_final.pdf?version=1&modificationDate=1709653690000&api=v2> on the establishment of GLEIF in 2011 to create global unique Legal Entity Identifiers (LEIs) to identify parties in financial transactions. Karla explained how GLEIF has used 38 global partners to issue over 2 million LEIs and the recent innovation of verifiable LEIs (vLEIs). vLEIs enable Zero Trust Architecture for Organizational Identifiers through Verifiable Provenance and Instate Revocation State Verification.



Avri Doria, a research consultant, then spoke on the various standards (some complementary and some competitive) surrounding digital identity and why it is so hard to find a universal solution. Avri produced a readout of her presentation via a short blog<https://medium.com/@doriavr/why-is-it-so-hard-8f55ef531913> available where she included a compilation of current and evolving standards in various standard bodies to help educate those attempting to navigate the digital identity landscape.



Lucas Prêtre, Telecommunication Engineer at the Swiss Federal Office of Communications OFCOM provided a presentation<https://community.icann.org/download/attachments/292978838/ICANN79_ALAC_dotSwiss_registrant_verif.pdf?version=1&modificationDate=1709668635000&api=v2> about how OFCOM has historically handled registrant verification of legal entities through the use of a UID (Enterprise Identification Number) corresponding to the Swiss corporate identifier. Lucas also spoke about how OFCOM intends to expand registration of .SWISS domains to natural persons through the use of a UPI (Unique Person Identification) in 2024. Another unique aspect of the .SWISS TLD that Lucas discussed is how they have integrated the UID and UPI into the registry via the “publicID” in the WHOIS/RDAP protocol.



Niamh Lewis, Senior Digital Health & Policy Expert at the National Association of Boards of Pharmacy (NABP) gave a presentation<https://community.icann.org/download/attachments/292978838/NABP-deck%5B1%5D.pdf?version=1&modificationDate=1709728975000&api=v2> on how a 120-year-old US-based non-profit organization dedicated to protecting public health has leveraged its skill set in licensing and accreditation to vet registrants in the .pharmacy TLD. Niamh also shared how domain name registrants in .pharmacy can use their registration as a fraud-proof seal that is recognized by third-party stakeholders, such as Google, Bing, TikTok, Twitter/X, Reddit, Visa and Mastercard.



Craig Schwartz, Managing Director, fTLD Registry Services spoke<https://community.icann.org/download/attachments/292978838/ICANN79-ALAC-Plenary-fTLD%20%28f%29%5B3%5D%20%20-%20%20Read-Only.pdf?version=1&modificationDate=1709730479000&api=v2> about the importance of security in the operation of the .Bank and .Insurance domains and the various security innovations they have implemented. Craig also spoke about fTLD’s continued enhancements regarding registrant verification and how 80% of .Bank registrants already have an existing GLEIF LEI.



Thomas Keller, Executive Board Member DENIC presented<https://community.icann.org/download/attachments/292978838/DENIC_Verification%5B1%5D%20%20-%20%20Read-Only.pdf?version=2&modificationDate=1709731659000&api=v2> on how DENIC has worked in collaboration with its 290 Members to implement appropriate safeguards they believe comply with the requirements of NIS 2.0 before the end of the year. As one of the world’s largest TLDs with over 17 million domain names under management, DENIC was looking for an approach that would not only meet its immediate needs but also provide a future-oriented, scalable, and risk-based approach. The solution presented proposes a Traffic Light Risk Assessment (red, yellow, green) toward domain name registrant verification that relies heavily upon close coordination with its Registrar Members.



Bruce Tonkin, Chief Operating Officer at .au Domain Administrator (auDA), spoke<https://community.icann.org/download/attachments/292978838/alac-session-registrant-verification-6March2024.pdf?version=1&modificationDate=1709741326000&api=v2> about how auDA has incorporated Registrant verification of natural and legal persons into their normal business operations to comply with Australian nexus requirements. Bruce also spoke to how .au has had low volumes of malicious registrants with those instances generally associated with stolen identities.



Jaromir Talíř, Technical Fellow at CZ.NIC, provided<https://community.icann.org/download/attachments/292978838/Jaromir%20ICANN79-ALAC-CZ.pdf?version=1&modificationDate=1709729364000&api=v2> a historical overview of the pioneering work that CZ.NIC has been engaged in in the area of registrant verification over the past 18 years. These innovations include, but are not limited to: the rollout of MojeID (digital identity service) in 2010; participation in RegeID, a joint EU project involving 4 ccTLDs exploring the use of eIDs; and their current active participation in one of the four Large-Scale eIDAS 2.0 pilots involving the European Digital Identity Wallet.



Timo Võhmar, Head of Business and IT Development at the Estonia Internet Foundation, spoke<https://community.icann.org/download/attachments/292978838/ICANN%2079%20-%20ALAC%20eeID%20panel.pdf?version=2&modificationDate=1709732440000&api=v2> about .EE’s commitment to registrant verification since 2010, and spoke of some of the challenges they have faced with foreign registrants. Timo also shared a new eeID initiative leveraging FIDO and passkeys to promote the use of federated user-centric identifiers and enhanced multi-factor authentication.



Jacques Latour, Chief Technology & Security Officer at CIRA presented<https://community.icann.org/download/attachments/292978838/Latour-CA-ALAC.pdf?version=1&modificationDate=1709653331000&api=v2> on CIRA’s involvement in various IETF working groups and a recent report that he co-authored entitled A trust Layer for the Internet is Emerging<https://www.cira.ca/uploads/2023/12/2023_A-trust-layer-for-the-internet-is-emerging_-report-%E2%80%93-Continuum_CIRA.pdf>. Jacques also spoke about various CIRA pilots involving verified registrant credentials. Some of the additional work that Jacques and CIRA have been involved in was also discussed during two other ICANN79 sessions: DNS Trust Panel<https://icann79.sched.com/event/1a1CA/dnssec-and-security-workshop-1-of-3> and eID Panel Discussion<https://icann79.sched.com/event/1a1DU/tech-day-3-of-4>.



A Zoom recording from this ALAC Plenary session is available from the ICANN website at https://icann.zoom.us/rec/share/RHdhIaT_AQ94rO49u1LbU0HxjSZKdx_Z8KlHL-bm5kG_3dx_eJr9wQgUF_oKyJxl.BLiD6CxPZzXCSPXc?startTime=1709756148000