<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi all,</p>
<p>I have a couple of comments:</p>
<p>1) I have a hard time making sense of the first point:</p>
<p><font size="-2">"1. Registry Response, Responsible Parties<br>
<br>
“ROs are not necessarily the best parties to address certain
security threats. The identification of the parties considered
as being most relevant and appropriate in resolving the security
threat is critical to the prompt resolution of the matter.”<br>
<br>
More specifically, responsibility of identifying security
threats connected to New gTLDs and resolving them when possible
rests with ROs."</font></p>
<p>As this point is a part of the comment that refers to the "issue",
I wonder what this is - a statement? What kind of issue is
identified here? Are we recommending anything? If not and if this
is just an introduction, maybe it's better to rephrase? Maybe
it's just too late here but I am struggling with what this "issue"
implies. <br>
</p>
<p>2) I wonder if this one is really in line with NCSG values such
as due process: <br>
</p>
<p><font size="-2">2. We ask you to consider including the following
GAC recommendation in Registry Response:<br>
<br>
“If Registry operator identifies risk of harm, Registry
operator will notify the relevant registrar and, if the
registrar does not take immediate action, suspend the domain
name until the matter is resolved.” </font><br>
</p>
<p>The framework already lists the actions that Registry can take
even in the case of "a negative or non-existent response from the
Registrar", which "should not
preclude the Registry from taking action". I do not like the
notion of "immediate action" as it sounds too vague to me and I
believe that there are enough actions listed to address the issue
under the framework rather than suspension of domain name - again,
"till the matter is resolved" looks too vague. I don't think it's
acceptable when it comes to such a matter as a suspension of
domain name. I know enough cases of mistakes when due to abuse
claims customers went dark, etc. I suggest we rather be careful
here. But if everyone is comfortable with this suggestion, I'll
surrender. <br>
</p>
<p>Warm regards,</p>
<p>Tanya <br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 04/08/17 09:39, Rafik Dammak wrote:<br>
</div>
<blockquote
cite="mid:CAH5sThmx08DOsLL4AbzAeyJF9-YEQLjqy0hbyZALxT5=cGr6kA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">Dear PC members,</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Any comment on the draft? We got an
extension till 6th August, we should review quickly and make a
decision.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Best,</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Rafik</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">
<div class="gmail_quote">2017-07-31 19:33 GMT+09:00 Rafik
Dammak <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:rafik.dammak@gmail.com" target="_blank">rafik.dammak@gmail.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">
<div>Hi Ayden,
<div dir="auto"><br>
</div>
<div dir="auto">Yes, it is for PC review. We worked on
it the last days with Juan, Dina and Niels. James
cannot respond since he is off for the coming days. I
was going to send an email to the related ICANN staff to
inform them that we will make a late submission,
hopefully by end of this week.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Best,</div>
<div dir="auto"><br>
</div>
<div dir="auto">Rafik </div>
<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div class="h5">On Jul 31, 2017 7:18 PM, "Ayden
Férdeline" &lt;<a moz-do-not-send="true"
href="mailto:icann@ferdeline.com"
target="_blank">icann@ferdeline.com</a>&gt;
wrote:<br type="attribution">
</div>
</div>
<blockquote class="m_7229474843329171798quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>
<div class="h5">
<div>I believe the PC is being asked to
review this comment which has been drafted
by Dina and Juan. The submission deadline
for comments on this issue is today, but I
suspect we will not be able to meet that,
so let's try for this Friday? I think we
need to bring in a topic expert, James
Gannon (cc'd), to get his opinion on this
comment, too -- because I am happy to
raise my hand and say I do not know
anything about this topic. <br>
</div>
<div><br>
</div>
<div
class="m_7229474843329171798m_6307797313055180449protonmail_signature_block">
<div
class="m_7229474843329171798m_6307797313055180449protonmail_signature_block-user">
<div>Best, Ayden <br>
</div>
</div>
<div
class="m_7229474843329171798m_6307797313055180449protonmail_signature_block-proton
m_7229474843329171798m_6307797313055180449protonmail_signature_block-empty"><br>
</div>
</div>
<div
class="m_7229474843329171798elided-text">
<div><br>
</div>
<blockquote type="cite"
class="m_7229474843329171798m_6307797313055180449protonmail_quote">
<div>-------- Original Message --------<br>
</div>
<div>Subject: [NCUC-DISCUSS] Suggested
Comment: Draft Framework for Registry
Operators to Respond to Security
Threats<br>
</div>
<div>Local Time: July 30, 2017 11:24 PM<br>
</div>
<div>UTC Time: July 30, 2017 10:24 PM<br>
</div>
<div>From: <a moz-do-not-send="true"
href="mailto:thomascovenant@thomascovenant.org"
target="_blank">thomascovenant@thomascovenant.<wbr>org</a><br>
</div>
<div>To: NCUC-discuss &lt;<a
moz-do-not-send="true"
href="mailto:ncuc-discuss@lists.ncuc.org"
target="_blank">ncuc-discuss@lists.ncuc.org</a>&gt;<br>
</div>
<div><br>
</div>
<div>Hello,<br>
</div>
<div><br>
</div>
<div>the comment proposal is underneath,
what are your thoughts?<br>
</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="https://docs.google.com/document/d/1TfgHuMqzD660_CHLQMXMW4phnBtLSP94j6X5riY2Ko4/edit"
target="_blank">https://docs.google.com/docume<wbr>nt/d/1TfgHuMqzD660_CHLQMXMW4ph<wbr>nBtLSP94j6X5riY2Ko4/edit</a><br>
</div>
<div><br>
</div>
<div>Note from Security Framework
Drafting Team wiki workspace:<br>
</div>
<div><br>
</div>
<div>- Is Public Comment required for
the draft Framework?<br>
</div>
<div>- This is not a policy
implementation nor a contractual
requirements document; therefore, a
public comment proceeding would not be
required. However, SFDT has decided to
conduct a public comment for broader
community feedback prior to
finalization of the Framework.<br>
</div>
<div><br>
</div>
<div>Main points:<br>
</div>
<div><br>
</div>
<div>- Framework should be expanded<br>
</div>
<div>- Several minor details are to be
clarified, restructuring proposal<br>
</div>
<div>- as a small step in response to
proposed detailed report examination,
I suggest we include a recommendation
on Responsible Threat Disclosure.<br>
</div>
<div><br>
</div>
<div>Finally, I quote Point 3 from the
Comment:<br>
</div>
<div><br>
</div>
<div>"Since the following examination of
threat report is identified in the
Framework, we strongly suggest
including a recommendation on
Responsible Threat Disclosure to be
included in the document:<br>
</div>
<div><br>
</div>
<div>"Each RO should scrutinize,
question or otherwise inquire about
the legitimacy of the origin<br>
</div>
<div>of a request, in accordance with
their own internal policies and
processes."<br>
</div>
<div><br>
</div>
<div>We have seen a broad variation in
handling security threat reports,
varying from constructive actions
addressing the issues to punishment of
the reporting party. Benefits of
responsible threat submission are
obvious.<br>
</div>
<div><br>
</div>
<div>In this context, it is important to
underline benefits and importance of
responsible threat disclosure. We
request recommendation to extend
goodwill and not cause harm to the
reporting party whenever possible:<br>
</div>
<div><br>
</div>
<div>When applicable, RO should provide:<br>
</div>
<div><br>
</div>
<div>- an easy way to report security
threats and violation<br>
</div>
<div>- encrypted ways of communication<br>
</div>
<div>- option of anonymous submission"<br>
</div>
<div><br>
</div>
<div>Other:<br>
</div>
<div><br>
</div>
<div>- This is my first comment drafted
with input from Juan Manuel Rojas
(thank you for commenting). Access to
shared document and request for review
was given to those who expressed
interest in working on it. All input
from the list is very welcome. Please
let me know what needs to be corrected
and I will promptly do it.<br>
</div>
<div>- Comment is a bit late, I will
request an extra week to discuss the
proposal with my humble excuses.<br>
</div>
<div><br>
</div>
<div>BR,<br>
</div>
<div>Dina Solveig Jalkanen<br>
</div>
<div>-- <br>
</div>
<div>* * *<br>
</div>
<div>Friendly geek in Amsterdam, FSFE
Fellow<br>
</div>
<div><a moz-do-not-send="true"
href="https://wiki.techinc.nl/index.php/User:Thomascovenant"
target="_blank">https://wiki.techinc.nl/index.<wbr>php/User:Thomascovenant</a><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>______________________________<wbr>_________________<br>
</div>
<div>Ncuc-discuss mailing list<br>
</div>
<div><a moz-do-not-send="true"
href="mailto:Ncuc-discuss@lists.ncuc.org"
target="_blank">Ncuc-discuss@lists.ncuc.org</a><br>
</div>
<div><a moz-do-not-send="true"
href="http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss"
target="_blank">http://lists.ncuc.org/cgi-bin/<wbr>mailman/listinfo/ncuc-discuss</a><br>
</div>
</blockquote>
<div><br>
</div>
</div>
<br>
</div>
</div>
______________________________<wbr>_________________<br>
NCSG-PC mailing list<br>
<a moz-do-not-send="true"
href="mailto:NCSG-PC@lists.ncsg.is"
target="_blank">NCSG-PC@lists.ncsg.is</a><br>
<a moz-do-not-send="true"
href="https://lists.ncsg.is/mailman/listinfo/ncsg-pc"
rel="noreferrer" target="_blank">https://lists.ncsg.is/mailman/<wbr>listinfo/ncsg-pc</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>