[gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 13 February

Lisa Phifer lisa at corecom.com
Wed Feb 14 00:33:35 UTC 2018


Dear all,

Below please find notes from today's RDS PDP WG meeting.

To recap Action Items from today's call: https://community.icann.org/x/nAu8B

*	Action: Staff to record draft criteria as shown on slide 3 of
handout in working document for future reference.

*	Proposed WG Agreement (to be polled): Domain Name Certification is
a legitimate purpose for processing registration data, based on the
following definition: Information collected by a certificate authority to
enable contact between the registrant, or a technical or administrative
representative of the registrant, to assist in verifying that the identity
of the certificate applicant is the same as the entity that controls the
domain name.

*	Proposed WG Agreement (to be polled): Domain Name Certification is
an OPT-IN purpose for collecting registration data (that is,
registries/registrars are required to support collection, but data is
collected for this purpose at the registrant's choice).

*	Action: Leadership team to draft poll to test level of
support/opposition to two proposed WG agreements. All WG members are
encouraged to participate in the poll no later than COB 17 February.

Best regards,
Lisa

 

Action Items and Notes from RDS PDP WG Call - 13 February 2018

These high-level notes are designed to help PDP WG members navigate through
the content of the call and are not meant as a substitute for the transcript
and/or recording. The MP3, transcript, and chat are provided separately and
are posted on the wiki.

1. Roll Call/SOI Updates

*	Wiki page: https://community.icann.org/x/nAu8B
*	Michele Neylon updated his SOI to reflect change of interest in a
company
*	Klaus Stoll is now also a Visiting Professor at Xi'an
Jiaotong-Liverpool University
*	Call handout:
https://community.icann.org/download/attachments/79432604/Handout-13February-RDSWGCall.pdf

2. Resolution of this week's poll results on criteria

*	Poll results:
https://community.icann.org/download/attachments/79432604/AnnotatedResults-Poll-from-6FebruaryCall.pdf
*	Refer to slide 3 of call handout
*	After a month of discussion on criteria, we have been unable to
reach rough consensus
*	3 draft criteria will be recorded for future reference as we
deliberate on purposes

Action: Staff to record draft criteria as shown on slide 3 of handout in
working document for future reference.

3. Discuss list of purposes for processing

a. See list of DT-defined possible purposes and 30 January poll results

*	Poll results:
https://community.icann.org/download/attachments/79432439/AnnotatedResults-Poll-from-30JanuaryCall.pdf
*	Q3 asked for level of support to treating purposes as possibly
legitimate for processing registration data and working to further flesh out
data and user needs for those purposes
*	Results for Q3 ranged, but identified four purposes as having
significant support or could live with: Tech Issue Resolution, Domain Name
(DN) Management, DN Certification, DN Purchase/Sale
*	Proposed approach for today's call is to continue deliberation on
the two of those four purposes not yet addressed by WG agreements
*	Existing WG agreements for Tech Issue Resolution and DN Management
data are provided as a reminder on slide 5 of handout
*	Note: Should DNSSEC be added to the list of data required for Tech
Issue Resolution and DN Management purposes? (return to this)

b. Discuss DN Certification
<https://community.icann.org/download/attachments/74580010/DraftingTeam3-DNCertification-final%20clean.pdf>
as a purpose for processing and associated data needs

*	Slide 6 recalls where previous WG deliberation left off on DN
Certification
*	Slide 8 enumerates the data identified by the Drafting Team (DT) on
DN Certification
*	In 9 January poll, there were mixed results on whether DN
Certification was a legitimate purpose for collection or access

Question: Is DN Certification a legitimate purpose for PROCESSING
registration data?

*	Proposed WG agreement to help move the WG along: Domain Name
Certification is a legitimate purpose for processing registration data,
based on the definition drafted by DT3
*	Note that slide 6 was the point at which the issue arose of
accessing data for a purpose which was not deemed "legitimate" for
collecting that data.  In many data protection laws (and principles, e.g.
OECD) this requires a determination of whether the "access" purpose is
"compatible" with the "collection" purpose. 
*	Slide 8 will be the basis for the WG to discuss data for DN
Certification and whether the data has already been collected for another
purpose
*	Certification purpose may require data elements to be collected if
they were not already collected.  Most needed elements should already be
present given other purposes.  Again, certification would not be a required
purpose for all domain holders, but you need to allow for collection of
elements for those who do wish to use their data for certification.

Proposed WG Agreement: Domain Name Certification is a legitimate purpose for
processing registration data, based on the following definition: Information
collected by a certificate authority to enable contact between the
registrant, or a technical or administrative representative of the
registrant, to assist in verifying that the identity of the certificate
applicant is the same as the entity that controls the domain name.

Question: Is DN Certification a legitimate purpose for COLLECTING
registration data?

*	Comments made by WG members on call:

*	No: you cannot discuss processing if you are not authorized to
collect it
*	No: not all registrants need certificates, so it is not a common
item for all registrations
*	No: data collected for other legit purposes can be "processed" as is
for the Certificate authority use case.
*	Maybe: Are there other avenues for collection; ICANN isn't in the
certificate issuance business but not opposed to processing for this
purpose. The certificate is not part of the DNS. It is used for other
purposes. So, in my mind, it is not a subset of DNS security and stability
*	Yes? The purpose of ICANN is not merely conferring domains to
registrants... there is a broad purpose. TLS and certificates in a subset of
circumstances rely on DNS
*	Yes.  ICANN is in the security, stability and resiliency business,
and certification is very much a part of that.
*	No: As defined by the EU, what ICANN does is crucial to the
evaluation of the purposes of collection and processing. ICANN is not an
academic institution, a law enforcement agency, or a DN certification
service
*	Yes: DNS is inherently used for other purposes. To enable
communication. That's the point of it. We created it so people didn't have
to use hosts files or IP addresses. DNS enables communication.
*	Yes: Some are of the view that the only reason to collect data is so
that the registrar can contact the registrant. I don't believe that is true
at all.
*	Neither, it's an OPT-IN purpose for optional collection: We are
rehashing discussion of several weeks ago on this issue of RDS data in the
CERT issuance and maintenance process.  Unfortunately, there is a
fundamental disagreement on the necessity vs. utilization of Whois data in
current industry practices. Would probably be good to get actual data from
CAB Forum.
*	Neither: Until a registrant seeks a certificate, there is no purpose
to collect for this purpose. If the registrant wants a certificate, it could
be a purpose for optional collection

*	Note: Some confusion between DNSSEC signing of a domain name DNS
data and SSL/TLS Certs and what each accomplishes
*	Proposed WG agreement on collection: DN Certification is an OPT-IN
purpose for collecting data at the registrant's choice.
*	Implication of giving the registrant the choice: optional to offer
but required to support - at least at the registry level
*	If the data elements were already collected for a different
(legitimate) purpose and the domain registrant wanted a certificate, they
could authorize the release of the information for certification purposes.
*	A certificate authority could decide to not issue a cert if the
information were not provided.
*	Note that there are many registries that require registrars to
collect additional data beyond the RAA requirements. In those cases, it is
not up to the registrant or registrar but the registry.
*	Capturing "optional" data requires informed and revocable consent.
This is a high bar to maintain, and costly.  It also adds to data breach
risk factors.
*	Why is it important that DN certification be a valid reason for
collection?  Why is it not enough for it to be a valid reason for
processing? One reason might be to ensure against the risk that obtaining a
cert might be treated as a use incompatible with whatever was the purpose
for which the data was originally collected
*	Note on slide 8, the WG agreed (by rough consensus) that Tech Issue
Resolution and DN Management were legitimate purposes for collecting
registration data (and thus processing)

Proposed WG Agreement (to be polled): Domain Name Certification is an OPT-IN
purpose for collecting registration data (that is, registries/registrars are
required to support collection, but data is collected for this purpose at
the registrant's choice).

Action: Leadership team to draft poll to test level of support/opposition to
two proposed WG agreements. All WG members are encouraged to participate in
the poll no later than COB 17 February.

c. Discuss DN Purchase/Sale
<https://community.icann.org/download/attachments/74580010/DraftingTeam4-DNPurchaseSale-Purpose-v9-clean.pdf>
as a purpose for processing and associated data needs

*	DEFERRED

4. Confirm agreements for polling & next steps

Action: Staff to record draft criteria as shown on slide 3 of handout in
working document for future reference.

Proposed WG Agreement (to be polled): Domain Name Certification is a
legitimate purpose for processing registration data, based on the following
definition: Information collected by a certificate authority to enable
contact between the registrant, or a technical or administrative
representative of the registrant, to assist in verifying that the identity
of the certificate applicant is the same as the entity that controls the
domain name.

Proposed WG Agreement (to be polled): Domain Name Certification is an OPT-IN
purpose for collecting registration data (that is, registries/registrars are
required to support collection, but data is collected for this purpose at
the registrant's choice).

Action: Leadership team to draft poll to test level of support/opposition to
two proposed WG agreements. All WG members are encouraged to participate in
the poll no later than COB 17 February.

5. Confirm next meeting: Wednesday 21 February at 06:00 UTC

*	Note two F2F WG meetings are tentatively scheduled for ICANN61:

*	Saturday March 10, 2018 (8.30-12.00 local time)
*	Wednesday March 14, 2018 (15.15-18.30 local time)

Meeting Materials: https://community.icann.org/x/nAu8B

 
