[Gnso-rds-pdp-7] [Ext] Notes & action items today's DT7 meeting

Rod Rasmussen rod at rodrasmussen.com
Wed Nov 1 11:31:46 UTC 2017


Thanks very much for this Marika - looks good.

I’ve thrown together the attached slide deck that pulls the primary points out of this 15 page document for easier digestion during the meeting.  Happy to walk through it during the time period.

Thanks!

Rod



> On Oct 31, 2017, at 10:57 PM, Marika Konings <marika.konings at icann.org> wrote:
> 
> Hi DT7,
> 
> Anything else to add / edit before our meeting later this afternoon? I’ve made a small adjustment by creating additional headings for users and tasks and moved up the general data elements to the first page so that the first pages are the summary and the remainder the further details (see attached).
> 
> Best regards,
> 
> Marika
> 
> From: <gnso-rds-pdp-7-bounces at icann.org> on behalf of Marika Konings <marika.konings at icann.org>
> Date: Saturday, October 28, 2017 at 10:58
> To: Rod Rasmussen <rod at rodrasmussen.com>, Richard Leaning <rleaning at ripe.net>
> Cc: "gnso-rds-pdp-7 at icann.org" <gnso-rds-pdp-7 at icann.org>
> Subject: Re: [Gnso-rds-pdp-7] [Ext] Notes & action items today's DT7 meeting
> 
> I’ve checked with the leadership team and it shouldn’t be a problem to update the document further based on input received to date and/or other items you may want to add. It may be helpful to have a redline version available in case people want to be able to quickly see what has been added / changed? Please use the attached version for any further updates. I can also upload it as a google doc if that is easier?
> 
> Thanks,
> 
> Marika
> 
> From: Rod Rasmussen <rod at rodrasmussen.com>
> Date: Saturday, October 28, 2017 at 09:25
> To: Richard Leaning <rleaning at ripe.net>
> Cc: Marika Konings <marika.konings at icann.org>, "gnso-rds-pdp-7 at icann.org" <gnso-rds-pdp-7 at icann.org>
> Subject: Re: [Gnso-rds-pdp-7] [Ext] Notes & action items today's DT7 meeting
> 
> I would, but not sure what the “rules” are for making changes now.
> 
> Rod
> 
>> On Oct 27, 2017, at 9:58 PM, Richard Leaning <rleaning at ripe.net> wrote:
>> 
>> Hi All,
>> 
>> If I am correct, we are doing our thing Wednesday?
>> 
>> In that case I have a few other examples that I can add, they don’t add to what I have already sent but do add some context to what I said. Will our group find that useful?
>> 
>> Cheers
>> 
>> Dick
>> 
>> Richard Leaning
>> External Relations
>> RIPE NCC
>> 
>> 
>> 
>> 
>>> On 27 Oct 2017, at 15:05, Rod Rasmussen <rod at rodrasmussen.com> wrote:
>>> 
>>> Thanks Marika!
>>> 
>>>> On Oct 27, 2017, at 2:07 AM, Marika Konings <marika.konings at icann.org> wrote:
>>>> 
>>>> Dear All,
>>>> 
>>>> Please find attached the cleaned up DT7 template. I’ve added Dick’s input to the end of the template in a category labelled ‘Data Elements used generally for criminal investigation or DNS Abuse Mitigation’. I’ll get this posted now to the wiki page for tomorrow’s meeting. Thank you all for input and feedback.
>>>> 
>>>> Best regards,
>>>> 
>>>> Marika
>>>> 
>>>> From: <gnso-rds-pdp-7-bounces at icann.org> on behalf of Marika Konings <marika.konings at icann.org>
>>>> Date: Thursday, October 26, 2017 at 22:13
>>>> To: Rod Rasmussen <rod at rodrasmussen.com>, Ayden Férdeline <ayden at ferdeline.com>
>>>> Cc: "gnso-rds-pdp-7 at icann.org" <gnso-rds-pdp-7 at icann.org>
>>>> Subject: Re: [Gnso-rds-pdp-7] [Ext] Notes & action items today's DT7 meeting
>>>> 
>>>> Thanks, Rod. I’ll take care of this first thing tomorrow Abu Dhabi time so everyone still has a couple of hours to review. Dick, I’ll also aim to integrate the input you provided.
>>>> 
>>>> Best regards,
>>>> 
>>>> Marika
>>>> 
>>>> From: <gnso-rds-pdp-7-bounces at icann.org> on behalf of Rod Rasmussen <rod at rodrasmussen.com>
>>>> Date: Thursday, October 26, 2017 at 22:02
>>>> To: Ayden Férdeline <ayden at ferdeline.com>
>>>> Cc: "gnso-rds-pdp-7 at icann.org" <gnso-rds-pdp-7 at icann.org>
>>>> Subject: Re: [Gnso-rds-pdp-7] [Ext] Notes & action items today's DT7 meeting
>>>> 
>>>> I have updated the Google Doc with all my edits from my plane trip.
>>>> 
>>>> Marika or someone on our team should put this into the “final” format without instructions at the front and cleaning things up.
>>>> 
>>>> Cheers,
>>>> 
>>>> Rod
>>>> 
>>>>> On Oct 26, 2017, at 9:37 AM, Ayden Férdeline <ayden at ferdeline.com> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> I have not reviewed the Google Doc too comprehensively just yet, as I have been in an event at Chatham House the past few days, but I will try to review this tomorrow or Saturday once I am in Abu Dhabi. Thanks, and safe travels to all.
>>>>> 
>>>>> —Ayden
>>>>> 
>>>>> 
>>>>>> -------- Original Message --------
>>>>>> Subject: Re: [Gnso-rds-pdp-7] [Ext] Notes & action items today's DT7 meeting
>>>>>> Local Time: 26 October 2017 12:29 PM
>>>>>> UTC Time: 26 October 2017 11:29
>>>>>> From: rleaning at ripe.net
>>>>>> To: Rod Rasmussen <rod at rodrasmussen.com>
>>>>>> gnso-rds-pdp-7 at icann.org <gnso-rds-pdp-7 at icann.org>
>>>>>> 
>>>>>> Dear All,
>>>>>> 
>>>>>> Sorry about not replying sooner, but trying to find some alone time here when it's your conference was proving a real challenge. However, I have managed to ‘list’ a few things that LEA use the DB before. No investigation is the same and I haven’t really packaged it around an actual case.
>>>>>> 
>>>>>> I haven’t attached this to the google doc as not sure where to put it. I arrive at the conference hotel tomorrow afternoon, around 3pm, it might be a good idea if we could have a quick get together and finalise the document.
>>>>>> 
>>>>>> From experience and dependent on the WHOIS tool used (I have taken the Centralops domain dossier as the WHOIS template below and picked out the relevant fields that could be returned):
>>>>>> 
>>>>>> Domain WHOIS record
>>>>>> - Registrant (Name, Address, email address). Use - identification, information and intelligence gathering etc
>>>>>> - Creation date, renewal date, last updated date, expiry date. Use - is it recently registered (maybe a DGA etc); is it a long time registered / historic domain - if so perform a WHOIS history check on it to look at identifying the registrant...before they changed over to a privacy/proxy registrar to hide their details
>>>>>> - Registrar. Use - further enquiries with a disclosure authority/court order.
>>>>>> - NS records (Nameserver - used to direct the traffic of your website to a specific web server at a web host.) Use - what other domains point to this NS - this could provide you with a whole host of intelligence on other domains controlled by the same person/organisation.
>>>>>> 
>>>>>> Network WHOIS record
>>>>>> - Abuse contact (for further enquiries - disclosure authorities)
>>>>>> - CIDR space of network provider (use - if they own for example a /24 - try some passive DNS to see what other domains point to these IPv4 addresses - may give you more intelligence on malicious domains associated to a rogue server etc)
>>>>>> 
>>>>>> DNS records
>>>>>> - MX record. Use - which network provider provides mail for the domain?
>>>>>> 
>>>>>> Bad WHOIS data of value
>>>>>> - A false domain name, registrant, address, email
>>>>>> - Uses - bad/false/stolen/incomplete domain whois data may give an investigation a new lead in terms of intel gathering, linked accounts showing the same false data through a registrant search of the WHOIS record for similarly registered domains.
>>>>>> 
>>>>>> That's what I can think of so far..
>>>>>> Cheers
>>>>>> 
>>>>>> Dick
>>>>>> 
>>>>>> Richard Leaning
>>>>>> External Relations
>>>>>> RIPE NCC
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On 26 Oct 2017, at 12:38, Rod Rasmussen <rod at rodrasmussen.com> wrote:
>>>>>>> 
>>>>>>> Getting ready to get on my plane to Abu Dhabi from AMS, so will be finishing things up in the next few hours and then uploading once I land.  I have made some more changes, adding an important category that I ended up leaving off by focusing too much on issues directly tied to a domain name.  This new section covers use of the RDS when a particular domain, registrant, e-mail, or other element stored in the RDS comes up in association with a crime/abuse issue not directly tied to a domain name itself.  Think of things like finding a criminal’s e-mail address and using reverse-whois queries to see if he has registered a domain in the past to find potential attribution.
>>>>>>> 
>>>>>>> Lots of other stuff in that bucket, but it’s an important one we cannot ignore. (whether we agree it is legitimate use or not in some cases - we’ll get to that after we get the actual uses catalogued).
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> 
>>>>>>> Rod
>>>>>>> 
>>>>>>>> On Oct 24, 2017, at 11:11 AM, Marika Konings <marika.konings at icann.org> wrote:
>>>>>>>> 
>>>>>>>> I’m also arriving in Abu Dhabi early Thursday evening, so I won’t be able to send anything before that time in any case so happy to wait for you to finalize your edits on the plane. Of course, if there are further questions from DT members on those further additions, these can always be discussed during the WG meetings.
>>>>>>>> 
>>>>>>>> Best regards,
>>>>>>>> 
>>>>>>>> Marika
>>>>>>>> 
>>>>>>>> From: Rod Rasmussen <rod at rodrasmussen.com>
>>>>>>>> Date: Tuesday, October 24, 2017 at 12:03
>>>>>>>> To: Marika Konings <marika.konings at icann.org>
>>>>>>>> Cc: "gnso-rds-pdp-7 at icann.org" <gnso-rds-pdp-7 at icann.org>
>>>>>>>> Subject: [Ext] Re: [Gnso-rds-pdp-7] Notes & action items today's DT7 meeting
>>>>>>>> 
>>>>>>>> Marika,
>>>>>>>> 
>>>>>>>> EOD Thursday in what time zone?  Since I’m going to be flying from Amsterdam to Abu Dhabi and getting in early Thursday evening local time, I can likely finish up all the “empty” slots during that flight and submit them.  I realize this doesn’t help with our review process and will endeavor to get more done prior to then, but if I can take advantage of that flight time to make things a lot more clear, I’d like to.
>>>>>>>> 
>>>>>>>> Cheers,
>>>>>>>> 
>>>>>>>> Rod
>>>>>>>> 
>>>>>>>>> On Oct 24, 2017, at 10:58 AM, Marika Konings <marika.konings at icann.org> wrote:
>>>>>>>>> 
>>>>>>>>> Dear all,
>>>>>>>>> 
>>>>>>>>> Thank you to those that were available to participate in today’s DT meeting. As there is little time left before people start travelling, please take note of the action items below. The objective is to submit the template to the full WG by the end of day on Thursday so the DT will need to have completed its work by then. As per action item #3, please find attached the latest draft of the legal action DT. The latest draft of the regulatory & contract enforcement can be found here: https://docs.google.com/document/d/1NvoYYmMsjqgt48mAYt5nCr8uPk-E-2IngGt50wDkaFU/edit. As noted, these DTs may have some overlap with the purpose described by this DT.
>>>>>>>>> 
>>>>>>>>> Best regards,
>>>>>>>>> 
>>>>>>>>> Marika
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Notes – DT7 Meeting on 24 October 2017:
>>>>>>>>> 
>>>>>>>>> 1. Roll call / Welcome
>>>>>>>>> On call today: Dick Leaning, Marc Anderson, Raoul Plommer, Rod Rasmussen
>>>>>>>>> 
>>>>>>>>> 2. Review, discuss and confirm support and understanding of all input received to date (see https://docs.google.com/document/d/19fUlV3HEyZ0IYFOY-r4KGoN25ICHPf1wDjUA_ZMx3yc/edit#heading=h.gjdgxs)
>>>>>>>>> See latest version at link above
>>>>>>>>> Initial draft expanded by adding a number of additional use cases to give a broader flavor of this particular purpose, both for individual investigations as well as automated processes.
>>>>>>>>> RDAP protocol would facilitate automated process
>>>>>>>>> Description has been provided for each use case as well as the overall structure and distinction between different use cases (individual investigations vs. automated processes and various stages of an investigation)
>>>>>>>>> Around automated processes for reputation services - is an area that hasn't really been discussed in the larger WG, so might be of broader interest to highlight that use case.
>>>>>>>>> Is a separate category needed for copyright infringement - likely covered by another DT, but may be worth flagging to ensure that it is not lost. May need to conduct a gap analysis once all DTs have presented their work to make sure nothing is forgotten. Similarly content on web-sites (e.g. pharma) may fall in different categories even though they may follow similar steps and/or require similar information. Difference may be in the asking to determine in which DT it belongs. Info-sec and other private actors aren't usually interested in attribution, so that's a big difference.
>>>>>>>>> 
>>>>>>>>> Action item #1: Rod to add additional use case concerning compromise of account / hijacking / domain shattering
>>>>>>>>> Action item #2: All to review template and aim to flesh out use cases to ensure a comprehensive overview and understanding of data elements required for criminal investigation / DNS Abuse Mitigation purpose.
>>>>>>>>> Action item #3 - Staff to share latest drafts of enforcement and legal actions DT so that the DT can see what is being covered in other DTs and flag accordingly what may require further attention.
>>>>>>>>> Action item #4 - DT encouraged to ask questions should certain aspects not be clear to make sure that the template is understandable for a broad audience
>>>>>>>>> 
>>>>>>>>> 3. Confirm what further updates / edits need to be made prior to submission to the full WG (deadline Thursday 26 October)
>>>>>>>>> 4. Identify team members who will attend ICANN60 sessions:
>>>>>>>>> Saturday 28 October and Wednesday 1 November
>>>>>>>>> In person or remote
>>>>>>>>> Volunteer to introduce the team's output?
>>>>>>>>> Consider having a high level overview on a slide - Rod to discuss with Lisa
>>>>>>>>> Rod and Dick normally available to present
>>>>>>>>> Aim to ensure that Rod is available to present as he is the expert
>>>>>>>>> 
>>>>>>>>> Action item #5 - Rod to check breaks for SSAC session so that DT7 update could be scheduled in accordance with the breaks
>>>>>>>>> Action item #6 – Staff to work with the leadership team to schedule the DT7 update at a time that works with Rod’s schedule
>>>>>>>>> 
>>>>>>>>> Marika Konings
>>>>>>>>> Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
>>>>>>>>> Email: marika.konings at icann.org
>>>>>>>>> 
>>>>>>>>> Follow the GNSO via Twitter @ICANN_GNSO
>>>>>>>>> Find out more about the GNSO by taking our interactive courses <http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages <http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.
>>>>>>>>> 
>>>>>>>>> <RDS WG DT6 Draft - Revised 10.23.2017.docx>
>>>>>>>>> _______________________________________________
>>>>>>>>> Gnso-rds-pdp-7 mailing list
>>>>>>>>> Gnso-rds-pdp-7 at icann.org
>>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-7
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>> 
>>>> 
>>>> <DraftingTeam7-CrimInvAbuseMit-27 October 2017.docx>
>>> 
>>> 
>> 
> 
> 
> <DraftingTeam7-CrimInvAbuseMit-1 November 2017.docx>
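
The domain WHOIS uses listed in Richard Leaning's message quoted above (the "recently registered" check on the creation date, and pivoting on a shared nameserver or registrant e-mail), as an added example that is not part of the thread or of the DT7 template. The records, the "Key: value" field labels and the 30-day threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed WHOIS responses for illustration (reserved .test names, not real data).
SAMPLE = {
    "alpha.test": "Domain Name: ALPHA.TEST\nCreation Date: 2017-10-20T08:14:02Z\n"
                  "Registrar: Registrar A\nRegistrant Email: j.doe@mail.test\n"
                  "Name Server: NS1.HOST.TEST\nName Server: NS2.HOST.TEST\n",
    "bravo.test": "Domain Name: BRAVO.TEST\nCreation Date: 2009-03-02T00:00:00Z\n"
                  "Registrar: Registrar B\nRegistrant Email: J.Doe@mail.test\n"
                  "Name Server: ns1.other.test\n",
    "charlie.test": "Domain Name: CHARLIE.TEST\nCreation Date: 2017-10-25T19:40:11Z\n"
                    "Registrar: Registrar A\nRegistrant Email: privacy@proxy.test\n"
                    "Name Server: ns1.host.test\n% terms of use notice\n",
}

def parse_whois(text):
    """Parse 'Key: value' lines into {lower-cased key: [values]}."""
    record = defaultdict(list)
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue  # skip comments and free-text notices
        key, _, value = line.partition(":")
        if value.strip():
            record[key.strip().lower()].append(value.strip())
    return dict(record)

def created(record):
    """Creation date as an aware UTC datetime, or None if absent or unparseable."""
    for value in record.get("creation date", []):
        try:
            return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def recently_registered(records, now, max_age_days=30):
    """Domains created within max_age_days of `now` (threshold is an assumption)."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(d for d, r in records.items()
                  if (c := created(r)) is not None and cutoff <= c <= now)

def pivot(records, field):
    """Group domains by a shared field value (compared case-insensitively,
    a simplification for e-mail); keep only values seen on two or more domains."""
    groups = defaultdict(set)
    for domain, record in records.items():
        for value in record.get(field, []):
            groups[value.lower()].add(domain)
    return {v: sorted(ds) for v, ds in groups.items() if len(ds) > 1}

RECORDS = {d: parse_whois(t) for d, t in SAMPLE.items()}
NOW = datetime(2017, 11, 1, tzinfo=timezone.utc)  # fixed date so results are stable

if __name__ == "__main__":
    print("recent:", recently_registered(RECORDS, NOW))
    print("shared NS:", pivot(RECORDS, "name server"))
    print("shared e-mail:", pivot(RECORDS, "registrant email"))
```

Note that the privacy/proxy address on the third record breaks the e-mail pivot while the nameserver pivot still links it, which is why the message lists both fields.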

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Subteam 7 Overview for ICANN 60.pptx
Type: application/vnd.openxmlformats-officedocument.presentationml.presentation
Size: 478676 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-7/attachments/20171101/ca66af83/Subteam7OverviewforICANN60-0001.pptx>