<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:864635620;
mso-list-type:hybrid;
mso-list-template-ids:770593818 1402344178 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:2;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1177381911;
mso-list-type:hybrid;
mso-list-template-ids:395476616 1402344178 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:2;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:1244875873;
mso-list-type:hybrid;
mso-list-template-ids:-1087594444 235829506 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3
{mso-list-id:1302346832;
mso-list-template-ids:782692138;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level2 lfo4
{mso-level-number-format:arabic;
mso-level-numbering:continue;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;
mso-bidi-font-family:"Times New Roman";}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoPlainText">Dear TPR WG members,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Please find below the notes and action items from today’s meeting.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The next meeting will be on <b>Thursday, 17 November at 16:00 UTC.</b><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Best regards,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<div style="border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in">
<p class="MsoPlainText">Emily, Julie, Berry, and Caitlin<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><b>ACTION ITEMS/HOMEWORK:<o:p></o:p></b></p>
<p class="MsoPlainText"><b><o:p> </o:p></b></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoPlainText" style="mso-list:l2 level1 lfo1"><b>Jothan Frakes, Jim Galvin, Jody Kolker, and Rick Wilhelm have volunteered to compile a list of attack vectors and how the recommendations solve for them, or where they are out of scope.<o:p></o:p></b></li></ol>
<p class="MsoNormal"><b>Recommendation 6: <o:p></o:p></b></p>
<ol style="margin-top:0in" start="2" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo1"><b>Staff to redline the language and include it as a sub-bullet in Recommendation 6. WG members to review with other redlines by Wednesday, 30 November.<o:p></o:p></b></li></ol>
<p class="MsoNormal"><b>Recommendation 2:<o:p></o:p></b></p>
<ol style="margin-top:0in" start="3" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo1"><b>WG members to review and comment on
</b><b><a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1e8iG6FmRD0M5VlMUrmIedPw3burqfxLXQrkubxDJ3oQ/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_Vs9as7UA$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1e8iG6FmRD0M5VlMUrmIedPw3burqfxLXQrkubxDJ3oQ/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_Vs9as7UA$">Strawman
Revision of Recommendation 2 on the Losing FOA [docs.google.com]</a> on the list by Wednesday, 30 November.<o:p></o:p></b></li></ol>
<p class="MsoNormal"><b>Recommendation 7:<o:p></o:p></b></p>
<ol style="margin-top:0in" start="4" type="1">
<li class="MsoPlainText" style="mso-list:l2 level1 lfo1"><b>(c) Proposed edit -- WG agrees with the potential next step of changing the language from “should” to “MUST”.
</b><b>Staff to incorporate. WG members should review and comment.<o:p></o:p></b></li></ol>
<p class="MsoNormal"><b>Recommendation 8 </b><o:p></o:p></p>
<ol style="margin-top:0in" start="5" type="1">
<li class="MsoPlainText" style="mso-list:l2 level1 lfo1"><b>(a) Proposed Edit -- WG agrees with the potential next step strawman revision.
</b><b>Staff to incorporate.<o:p></o:p></b></li><li class="MsoPlainText" style="mso-list:l2 level1 lfo1"><b>(b) Proposed Edit – WG agrees with the potential next step strawman revision. Staff to incorporate.<o:p></o:p></b></li></ol>
<p class="MsoPlainText"><b>Recommendation 9:</b><b><o:p></o:p></b></p>
<ol style="margin-top:0in" start="7" type="1">
<li class="MsoPlainText" style="mso-list:l2 level1 lfo1"><b>(b) Proposed edit -- WG agrees with the suggested language in the Potential next step. Staff to incorporate.<o:p></o:p></b></li></ol>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><b>Notes:<o:p></o:p></b></p>
<p class="MsoPlainText"><b><o:p> </o:p></b></p>
<p class="MsoPlainText"><b>Transfer Policy Review - Meeting #66<o:p></o:p></b></p>
<p class="MsoPlainText"><b>Proposed Agenda<o:p></o:p></b></p>
<p class="MsoPlainText"><b>15 November 2022<o:p></o:p></b></p>
<p class="MsoPlainText"><b> <o:p></o:p></b></p>
<p class="MsoPlainText">1. Roll Call & SOI updates<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">2. Welcome and Chair Updates<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Recommendation 6: <b>Potential next step: </b>Strawman revision: "Designated representative" means an individual or entity that the Registered Name Holder explicitly authorizes to request and obtain the TAC on their behalf.”<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Discussion:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Re: the recent discussion on “Designated Representative” perhaps suggest instead “Authorized Representative”? Or another term.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Maybe just don’t define “Designated Representative”?<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">From ICANN org Compliance: Suggestion is to be more clear about the Designated Representative’s authority. Issue of resellers including language of authorizing and denying transfers. Compliance has
been able to obtain remediation in these cases, based on definitions in the policy – the more clear the policy is on definitions and authority for transfers, the better can Compliance enforce the policy. Recommends that the definition should be included in
the text of the policy.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Some disagree to change the language to include in the policy – RNH should have to abide by the terms agreed to with the reseller with respect to authorizing or denying transfers.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Some agree that the authorization should be clear in the policy.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Keep “Designated Agent” separate. Compliance spoke of “Designated Agent” in the COR as an analogy only. “Designated Agent” is a separate concept/use case.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">There was some agreement on the last call to adjust the meaning of the Designated Representative to include “request and obtain”. Also to pull out from the footnote into the policy but as a sub-bullet
in Recommendation 6.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Redline of changes to recommendations thus far from discussion of public comments will be out soon – allow two weeks to review, by Wednesday, 30 November.<o:p></o:p></li></ul>
<p class="MsoNormal"><b>ACTION ITEM: Recommendation 6 -- Staff to redline the language and include it as a sub-bullet in Recommendation 6. WG members to review with other redlines by Wednesday, 30 November.<o:p></o:p></b></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">3. Review of <a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1e8iG6FmRD0M5VlMUrmIedPw3burqfxLXQrkubxDJ3oQ/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_Vs9as7UA$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1e8iG6FmRD0M5VlMUrmIedPw3burqfxLXQrkubxDJ3oQ/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_Vs9as7UA$">Strawman
Revision of Recommendation 2 on the Losing FOA [docs.google.com]</a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">WG agreement in previous discussions to preserve the functionality of the Losing FOA and consider where best to put it.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Keep the 5-day provisioning window flexible. That’s what this strawman is doing.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">WG has two weeks to review this strawman text.<o:p></o:p></li></ul>
<p class="MsoPlainText"><b>ACTION ITEM: Recommendation 2 -- WG members to review and comment on
</b><b><a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1e8iG6FmRD0M5VlMUrmIedPw3burqfxLXQrkubxDJ3oQ/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_Vs9as7UA$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1e8iG6FmRD0M5VlMUrmIedPw3burqfxLXQrkubxDJ3oQ/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_Vs9as7UA$">Strawman
Revision of Recommendation 2 on the Losing FOA [docs.google.com]</a> on the list by Wednesday, 30 November.<o:p></o:p></b></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">4. Continue Discussion of TAC Composition – Recommendation 7 (<a href="https://community.icann.org/download/attachments/201949311/gnso-TPR-P1A-pcrt-Initial-Report-Recommendations_Rec%207_20220829.docx?version=1&modificationDate=1661773009000&api=v2" title="https://community.icann.org/download/attachments/201949311/gnso-TPR-P1A-pcrt-Initial-Report-Recommendations_Rec%207_20220829.docx?version=1&modificationDate=1661773009000&api=v2">Public
Comment Review Tool</a> and <a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1796UeXK6GspA7cehLcSn5tWiCyuR7JU7hOfKHgCSVz4/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_Ws_lHhnA$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1796UeXK6GspA7cehLcSn5tWiCyuR7JU7hOfKHgCSVz4/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_Ws_lHhnA$">Working
Document [docs.google.com]</a>)<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Re: <b>a) Concerns -- </b>Discussion:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">RFC9154 is only a guidance/principle – NIS2 will cover a lot of this with high requirements on how you set up security as a European company, including auditing capability; so we don’t have to do all
of that.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Important to recognize that we aren’t using everything in RFC9154.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">We have left the choice of mechanism for communication up to registrars, not specifying it in the policy.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">RFC9154 doesn’t include auditing – but that’s not part of any technical specifications, not a limitation; we can add auditing provisions to the recommendations if we wish.
<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Reasonable for registrars to think back about what is the minimum from a security standard that we should have – which elements are mandatory and which are optional? Some of these security elements
can be left up to the business model.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">From a technical point of view you can’t just start eliminating characters – have an algorithm that has been reviewed and accepted – can’t just change it.<o:p></o:p></li></ul>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Re: <b>b) Proposed edit -- </b>Discussion:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">After review of Tech Ops discussion, WG doesn’t recommend any changes.<o:p></o:p></li></ul>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Re: <b>c) Proposed edit </b>– Discussion:<b><o:p></o:p></b></p>
<p class="MsoPlainText"><b>Potential next step:</b> Strawman revision from ICANN org comment:<o:p></o:p></p>
<p class="MsoPlainText">“The working group recommends that the minimum requirements for the composition of a TAC MUST be as specified in RFC 9154, including all successor standards, modifications or additions thereto relating to Secure Authorization Information
for Transfer. The requirement in section 4.1 of RFC 9154 regarding the minimum bits of entropy (i.e., 128 bits) should be a MUST in the policy until a future RFC approved as “Internet Standards” (as opposed to Informational or Experimental standards) through
the applicable IETF processes updates the security recommendation.”<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Hinges on the meaning of the word “should”.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Using “MUST” means it’s something you have to do; “should” is something you are urged to do, but don’t have to do it.<o:p></o:p></li></ul>
<p class="MsoPlainText"><b>ACTION ITEM: Recommendation 7, (c) Proposed edit -- WG agrees with the potential next step of changing the language from “should” to “MUST”.
</b><b>Staff to incorporate. WG members should review and comment.<o:p></o:p></b></p>
<p class="MsoPlainText"><b><o:p> </o:p></b></p>
<p class="MsoPlainText">Re:<b> d) Proposed edit </b>– Discussion:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Think about whether the current language is sufficiently clear.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Seems like we don’t want to include this in our policy – the IETF is taking care of it.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">WG members agree that no further clarification is necessary.<o:p></o:p></li></ul>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">5. Discussion of Verification of TAC Composition – Recommendation 8 (<a href="https://community.icann.org/download/attachments/201949311/gnso-TPR-P1A-pcrt-Initial-Report-Recommendations_Rec%208_20220829.docx?version=1&modificationDate=1661773017000&api=v2" title="https://community.icann.org/download/attachments/201949311/gnso-TPR-P1A-pcrt-Initial-Report-Recommendations_Rec%208_20220829.docx?version=1&modificationDate=1661773017000&api=v2">Public
Comment Review Tool</a> and <a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1gUoQQ-YpnjOO_3X0R_vt6CRB9VUfEijf4Ap2LgR92U0/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_UuLqLgEQ$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1gUoQQ-YpnjOO_3X0R_vt6CRB9VUfEijf4Ap2LgR92U0/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_UuLqLgEQ$">Working
Document [docs.google.com]</a>)<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Re: <b>a) Proposed edit – Discussion:<o:p></o:p></b></p>
<p class="MsoPlainText"><b>Potential next step: </b>Strawman revision: “The working group recommends that the Registry verifies at the time that the TAC is stored in the Registry system that the TAC meets the syntax requirements specified in Preliminary Recommendation
7.”<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">WG agrees with the suggested change.<o:p></o:p></li></ul>
<p class="MsoPlainText"><b>ACTION ITEM: Recommendation 8, (a) Proposed Edit -- WG agrees with the potential next step strawman revision.
</b><b>Staff to incorporate.<o:p></o:p></b></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Re<b>: b) Proposed edit</b> – Discussion:<o:p></o:p></p>
<p class="MsoPlainText"><b>Potential next step:</b> Strawman revision, based on staff understanding of the WG’s intent: <br>
“The working group recommends that the Registry MUST verifyies at the time that the TAC is stored in the Registry system that the TAC meets the requirements specified in Preliminary Recommendation 7.”<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">WG agrees with the suggested change.<o:p></o:p></li></ul>
<p class="MsoPlainText"><b>ACTION ITEM: Recommendation 8, (b) Proposed Edit – WG agrees with the potential next step strawman revision. Staff to incorporate.<o:p></o:p></b></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">6. Discussion of TAC Generation, Storage, and Provision – Recommendation 9 (<a href="https://community.icann.org/download/attachments/201949311/gnso-TPR-P1A-pcrt-Initial-Report-Recommendations_Rec%209_20220829.docx?version=1&modificationDate=1661773025000&api=v2" title="https://community.icann.org/download/attachments/201949311/gnso-TPR-P1A-pcrt-Initial-Report-Recommendations_Rec%209_20220829.docx?version=1&modificationDate=1661773025000&api=v2">Public
Comment Review Tool</a> and <a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1dbJ8gV6afl9oHxXW9dMvIX66nacy2IzzXz9VFpRTKKs/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_UvCSvRWQ$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1dbJ8gV6afl9oHxXW9dMvIX66nacy2IzzXz9VFpRTKKs/edit__;!!PtGJab4!4ACbtX8DZKkMx-TOxeLbQzcZroX4M7nkT1Eb3K5SIThcJcy7pgKiNV78s8VwesBC9y8_um9mCyogF5yqoRJaxu0wS_UvCSvRWQ$">Working
Document [docs.google.com]</a>)<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Re: <b>a) Concerns</b> – Discussion:<o:p></o:p></p>
<p class="MsoPlainText"><b>Potential next step</b>: WG to consider the suggestion that Gaining Registrars should log failed requests and share with targets, as well as suggestion about enhanced security measures.<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="mso-list:l0 level1 lfo7">The TAC itself is one-time use; from a registry point of view if we get a TAC that matches what is stored, it can’t be used again. Also, rather than counting failed, the TAC has a TTL, which should address
that. So, we already have security measures that address this; no need to log failed attempts.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Could be a registry choice to keep note of failures and investigate as part of a particular business model. No need to make it mandatory.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">Registrars and registries already log a lot.<o:p></o:p></li><li class="MsoPlainText" style="mso-list:l0 level1 lfo7">WG agrees that no changes are necessary to the policy language.<o:p></o:p></li></ul>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Re: <b>b) Proposed edit – Discussion:<o:p></o:p></b></p>
<p class="MsoPlainText"><b>Potential next step: </b>Strawman revision: <u>9.2</u>: When the Registrar of Record sets the TAC at the Registry, the Registry MUST store the TAC securely, at least according to the minimum standard set forth in RFC 9154 (or its
successors).<o:p></o:p></p>
<p class="MsoPlainText"><b>ACTION ITEM: Recommendation 9, (b) Proposed edit -- WG agrees with the suggested language in the Potential next step. Staff to incorporate.</b><o:p></o:p></p>
</div>
</body>
</html>