[registrars] Information regarding Data Escrow

Tim Ruiz tim at godaddy.com
Sun Aug 26 15:29:04 UTC 2007 

> Hs anyone thought to ask Iron Mountain to give up their ICANN accreditation ? 

Not sure, but there was a question in the RFP related to that. Keep in
mind that they already have structural and geographic seperation. The
escrow services are in Atlanta and the registrar is in the DC area. That
issue was addressed when they first became accredited.

As an alternative to giving up their accreditation perhaps they could do
just the checksum or some other form of upload verification and only
ICANN and the registrar would have the PGP keys. Some thought would have
to be given to how ICANN would sample and verify in that case, but I
think it could be worked out. Might be the way to go regardless of who
gets the contract.


Tim 



-------- Original Message --------
Subject: RE: [registrars] Information regarding Data Escrow
From: "Rob Hall" <rob at momentous.com>
Date: Fri, August 24, 2007 12:06 pm
To: "Jeffrey Eckhaus" <jeckhaus at register.com>, 
<registrars at gnso.icann.org>
Cc: "Tim Cole" <tim.cole at icann.org>,  "Mike Zupke"
<mike.zupke at icann.org>


Jeff,
 
I believe that part of what Iron Mountain is doing is looking at the
data randomly and verifying that it is complete and correct.  I think
they have to report to ICANN that we have delivered properly formatted
data, and that they look in detail at a subset of it for these purposes.
 
So while I think your idea is a great one, I don't think it could be
applied here, as Iron Mountain would  need to have the keys.
 
Rob.
 
P.S.  Hs anyone thought to ask Iron Mountain to give up their ICANN
accreditation ?    Seems to me that this contract is probably worth much
more to them than the accreditation they are not using.   They might be
willing to just give it up in order to win the contract, thus removing
all competitive concerns.
 
 
 
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org] On Behalf Of Jeffrey Eckhaus
Sent: Friday, August 24, 2007 11:21 AM
To: registrars at gnso.icann.org
Cc: Tim Cole; Mike Zupke
Subject: [registrars] Information regarding Data Escrow


 
All, 
 
I did not see this covered in the questionnaire from Iron Mountain, so
maybe I missed this, but will there be a form of data encryption held by
ICANN only? 
 
We have been thinking of solutions and one possible solution for the
concerns of Iron Mountain looking at registrar data is using a form of
public key cryptography, where the registrars are all given ICANN's
public key and only ICANN holds the private key.  All of the registrars
will encrypt their data with that public key, and in the event that this
data is necessary, the encrypted data can be delivered to ICANN and they
can use the private key to decrypt it.  This way, even if IRON Mountain
does look at our data, it's useless to them in an encrypted form. Only
ICANN can see the data
 
If this was covered then I apologize, but if not would like this to be
considered and thoughts from other Registrars
 
 
 
 
Thanks
 
 
Jeff
 
 
 
 
-----Original Message-----
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org] On Behalf Of Tim Ruiz
Sent: Friday, August 17, 2007 10:36 AM
To: registrars at gnso.icann.org
Subject: RE: [registrars] FW: Information regarding Data Escrow
 
Agreed. All valid issues we'll also consider before selecting ICANN's
agent or another. And the separation issue should likely be covered
whether the agent is currently accredited as a registrar or not, since
that could obviously change.
 
Tim 
 
 
-------- Original Message --------
Subject: RE: [registrars] FW: Information regarding Data Escrow
From: "Nevett, Jonathon" <jnevett at networksolutions.com>
Date: Fri, August 17, 2007 8:58 am
To: "Tim Ruiz" <tim at godaddy.com>,  <registrars at gnso.icann.org>
 
 
I am reserving my comments on the escrow program and on Iron Mountain
until a draft contract is available for review. I appreciate that Iron
Mountain has provided answers to a questionnaire about how it would
protect our customer data and how it would address the perceived
conflict or interest situation, but we don't know how that will
translate into a contract. Will Iron Mountain agree contractually to
some sort of structural separation between its registrar business and
this escrow arrangement? What contractual warranties will Iron Mountain
provide that it will protect our customer data and cover us in case of a
breach? Similarly, if ICANN wants to access the data for checking
purposes, what contractual warranties and protections will it provide to
registrars in order to give us comfort that our customer data will be
protected? Perhaps ICANN should be negotiating with the top two bidders
to ensure that the contract is as competitive as possible.
 
Thanks.
 
Jon
-----Original Message-----
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org] On Behalf Of Tim Ruiz
Sent: Friday, August 17, 2007 8:46 AM
To: registrars at gnso.icann.org
Subject: RE: [registrars] FW: Information regarding Data Escrow
 
Larry, appreciate your concerns.
 
1) Most likely, yes. Escrowing the beneficial user data behind
private/proxied registrations is not required under the currently
proposed process. But two points about that. First, speaking just for Go
Daddy, while there are a large number of our domain names registered
through Domains by Proxy the majority are not. Second, Domains by Proxy
is willing to escrow the beneficial user data but not likely under the
standard Escrow agreement. So that will be discussed with ICANN and
hopefully worked out soon. And after our experience with assuming the
RegisterFly names, I hope other registrars who offer private/proxied
registrations will consider it as well.
 
2) You're assuming that Iron Mountain is currently mining data? Our
records show no evidence of that at all. I would suggest that before
making any judgement you look closely at who Iron Mountain is how
they've built their publicly traded company on a worldwide reputation of
trust and security. Corp. Domain management is a small part of their
overall business. It's hard to imagine them sacrificing that reputation
for what little they might gain from data that is otherwise public
anyway.
 
3) I doubt that ICANN can select a provider that all registrars will be
100% happy with. So there is no requirement to use ICANN's selected
agent. Some are going to use their own agent regardless. Is Iron
Mountain more of a risk just because they are accredited any more so
than another agent who isn't? You may have a different answer to that
than we do. Fortunately, we'll all have a choice.
 
Bottom line, registrars are under fire right now due to recent events.
We need to get this escrow thing figured out and implemented. If we
delay with the idea that we need a process that 100% of us are 100%
happy with it will never get done.
 
 
Tim

More information about the registrars mailing list