[GNSO-Accuracy-ST] Identity Proofing Clarity - Follow Up Homework

Steve Crocker steve at shinkuro.com
Fri Oct 22 13:04:33 UTC 2021


Sarah, Volker, et al,

My apologies again for not staying for the entire call yesterday.  I have a
standing commitment to chair a call on Thursdays at 1400 UTC.  (In fact,
those calls were originally scheduled at 1300 UTC, and I was able to move
them in deference to this group's schedule.  At the time, I believe I was
told our calls going forward would be only an hour, not 90 minutes.  If our
calls in the future will regularly run 90 minutes, I'll have to figure out
how to deal with the conflict.)

I have read the transcript for the period immediately after I departed.  (I
believe it was the period from 1:00 to 1:04, copied below for convenience.)

After reading the transcript and reflecting on our conversation, I'm not
sure we're all that far apart.  Perhaps it's mainly a question of precision
of terminology.

I have been using the SAC 058 definitions of operational and identity
validation:

*Operational Validation* refers to the assessment of data for their
intended use in their routine functions. Examples of operational validation
include 1) checking that an email address or phone number can receive email
or phone calls; 2) checking that a postal address can receive postal mail;
3) checking that the data entered are self-consistent, i.e. that all data
are logically consistent with all other data. It is expected that many
operational validation checks would be automated and some could be executed
inline with a registration process.

*Identity validation* refers to the assessment that the data corresponds to
the real world identity of the entity. It involves checking that a data
item correctly represents the real world identity for the registrant. In
general, identity validation checks are expected to require some manual
intervention.


The SAC 058 definition of Operational Validation does appear to require
affirmative feedback, so perhaps that's weaker than the level of validation
required by the contracts.

I was not involved in the preparation of SAC 058.  I will go back to my
SSAC colleagues for some clarification and background.

A separate matter, I believe we're in agreement that registrars are
permitted to do more validation, i.e., the ICANN policy and the ICANN
contracts do not prohibit them from doing so.  I don't think either the
ICANN policy or the ICANN contracts are clear on this point.

Thanks,

Steve





Sarah Wyld (RrSG)
01:00:14 Yes, thank you I'm super disappointed that Steve is not able to
remain in this meeting, because, of course, I wanted to respond to what he
said so my hope is that he'll be able to listen to the recording.
01:00:24 So that we can all get on the same page, because we have a very
different understanding of how this specification.
01:00:30 works or what the requirements are in real life, but so firstly
going back to what Alan said Alan said that the current requirements are
not suitable and to that I would really say why what problem is there.
01:00:42 So that's what I think the job of the scoping team would be is to
determine if there is an issue, and I have to say very clearly accuracy is
not the same thing as access to the data.
01:00:54 The relevant controller has the responsibility of determining
accuracy and, as you can see right here on screen, there are processes that
are mandatory for doing so.
01:01:03 But the ability for some person on the Internet to look up the
WHOIS data and look at the email address is not the same as making sure that
accuracy is.
01:01:14 avail is the case right, those are very, very different things.
01:01:17 So that's part one, part two, to Steve and the higher level of
validation I think it's really important here, that we need to not conflate
the account holder and the registry right, so I just want to point out.
01:01:29 That, if the registered name holder does not respond in the
appropriate time period the domain gets suspended, but if the account
holder does not respond, there is no need to suspend the domain that's a
difference in that paragraph so it's important to keep that in mind.
01:01:44 and going back to what he said about manual here manual
verification could mean a higher level, in my experience that has been
taken to me that, instead of using an automated system to send the
verification email to the domain owner.
01:01:56 There might be, for example, somebody from the customer service
team sends an email directly that they then get a reply to so or they
actually call the person on their phone instead of using an automated
system.
01:02:07 I have never seen this interpreted to mean that the identity is
validated, such as like checking an ID card against the registration data
so that that's just not operationally what's going on here and I don't
think it's the requirement, thank you.
Michael Palage (Chair)
01:02:20 Okay I'm Volker you're on the clock go, please.
Volker Greimann (RRSG)
01:02:25 Yes, thank you and have disappointed Steve had to leave because I
think this would have been helpful for him as well.
01:02:33 I was part of the negotiation team of the 2013 ra, and the reason
why we have that language is because we wanted to in there.
01:02:44 I can have the opinion that.
01:02:48 Failure to verify should lead to the automated the activation of
the domain name after 15 days, so if you forget to click on.
01:02:58 That link that we send you then your hospital websites your.
01:03:04 E commerce websites your blog might go down, and you might lose
whatever you had.
01:03:12 operational for that time that it takes you to get it back online,
whereas.
01:03:17 With this option we now can have.
01:03:21 For.
01:03:23 Important customers for customers that we know and trust for
corporate registrars that may want to have additional levels of securities.
01:03:32 A way to avoid that automation automatism of the activation and
basically the ability for certain registrars they want to do that to flag
certain registrations as essential or critical domain names and thereby.
01:03:49 Avoiding automated deactivation if they so choose, but it still
does not require a registered do anything it's just an option to protect
high value domain is or.
01:04:00 Critical resources that you managed for a customer Thank you