[CWG-Stewardship] SLE update - ICANN seeks to delay SLE Accountability reporting......

James Gannon james at cyberinvasion.net
Wed Oct 14 16:36:37 UTC 2015 

Hey David,

I am really happy to hear that, I possibly read too much into the statement, if we have good audit trails from a security standpoint then much of my comment is moot.

If the issue is logging more than audit trailing then yes the situation is different I would still hope that a timeline that suits all parties can be achieved without compromising any of the SSR.

-JG




On 14/10/2015, 2:39 a.m., "David Conrad" <david.conrad at icann.org> wrote:

>James,
>
>On 10/13/15, 11:41 AM, "James Gannon" <james at cyberinvasion.net> wrote:
>>As a security guy in my day job I share your concern about the
>>apparent/potential lack of an audit trail and transaction log for this
>>system, I cannot see this being the case in reality given ICANNs recent
>>security issues I would think that systems closest to the root would be
>>heavily logged and tracked.
>
>While I make no claim to being "a security guy" (I have a number of actual
>"security guys" reporting to me and I know what I don't know), I do have a
>bit of background in software engineering and software development
>management.  I believe it would be a mistake to make assumptions about
>code based on nearly decade old third-hand hearsay about how that code has
>been implemented.
>
>The point here is not about having an audit trail and transaction logging,
>both of which the existing Root Zone Management System has. The point is
>that the SLE Working Group has demanded metrics on actions that, in some
>cases, are not logged simply because we didn't see the need.  For example,
>despite numerous arguments against it, the SLE Working Group has demanded
>we measure "The time the automation system takes from when the last
>required confirmation is received, until the business process logic
>progresses the request to the next logic state."  From a conceptual point
>of view, currently in the RZMS code base when the last confirmation is
>received, a while loop conditional fails (that is, "do we have to wait
>more?") and the next logic state is entered.  To implement this metric we
>will have to insert code immediately after the termination of the while
>loop and before the _immediate next executable statement_ which is the
>update of the logic state.  I remain a bit mystified as to what this is
>supposed to measure, but at this point my job is to see that it is
>implemented in a way that doesn't impact the security and stability of
>ICANN's Root Zone Management System (not too hard in that particular
>case). 
>
>>This is a troubling point and one that should be taken up by senior ICANN
>>staff/board members if necessary and our co-chairs at the earliest
>>possible juncture.
>
>Feel free.
>
>Regards,
>-drc

More information about the CWG-Stewardship mailing list