<div dir="ltr"><div class="gmail_extra">Hi Tatiana,</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks for the comments,</div><div class="gmail_extra">while we are late by our deadline to submit a comment, I think we can solve the concerns.</div><div class="gmail_extra">1/ do you have a proposal of rephrasing for the first statement?</div><div class="gmail_extra">2/ I understand your concerns and indeed doesn't seem aligned with our previous stances regarding domain suspension. probably we can remove that.<br>
<br>really looking forward to solving this within the next 24hours.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Best,</div><div class="gmail_extra"><br></div><div class="gmail_extra">Rafik<br><div class="gmail_quote">2017-08-05 6:56 GMT+09:00 Dr. Tatiana Tropina <span dir="ltr"><<a href="mailto:t.tropina@mpicc.de" target="_blank">t.tropina@mpicc.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Hi all,</p>
    <p>I have a couple of comments:</p>
    <p>1) I have hard time making sense of the first point:</p>
    <p><font size="-2">"1. Registry Response, Responsible Parties<br>
        <br>
         “ROs are not necessarily the best parties to address certain
        security threats. The identification of the parties considered
        as being most relevant and appropriate in resolving the security
        threat is critical to the prompt resolution of the matter.”<br>
        <br>
        More specifically, responsibility of identifying security
        threats connected to New gTLDs and resolving them when possible
        rests with ROs."</font></p>
    <p>As this point is a part of the comment that refers to the "issue"
      I wonder what is this - a statement? What kind of issue is
      identified here? Are we recommending anything?  If not and if this
      is just an introduction, may be it's better to rephrase? May be
      it's just too late here but I struggling with what this "issue"
      implies. <br>
    </p>
    <p>2) I wonder if this one is really in line with NSCG values such
      as due process: <br>
    </p>
    <p><font size="-2">2. We ask you to consider including the following
        GAC recommendation in Registry Response:<br>
        <br>
        “If Registry operator identifies risk of  harm, Registry
        operator will notify the relevant registrar and , if the
        registrar does not take immediate action, suspend the domain
        name until the matter is resolved.” </font><br>
    </p>
    <p>The framework already lists the actions that Registry can take
      even in the case if "a negative or non-existent response from the
      Registrar", which "should not<br>
      preclude the Registry from taking action". I do not like the
      notion of "immediate action" as it sound to vague to me and I
      believe that there are enough actions listed to address the issue
      under the framework rather than suspension of domain name - again,
      "till the matter is resolved" looks too vague. I don't think it's
      acceptable when it comes to such a matter as a suspension of
      domain name. I know enough cases of mistakes when due to abuse
      claims customers went dark, etc. I suggest we rather be careful
      here. But if everyone is comfortable with this suggestion, I'll
      surrender. <br>
    </p>
    <p>Warm regards,</p>
    <p>Tanya <br>
    </p><div><div class="m_4966123089002198678h5">
    <p><br>
    </p>
    <br>
    <div class="m_4966123089002198678m_-326150836554865276moz-cite-prefix">On 04/08/17 09:39, Rafik Dammak wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">
        <div class="gmail_extra">Dear PC members,</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">any comment on the draft? we got an
          extension till 6th August, we should review quickly and make a
          decision.</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">Best,</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">Rafik</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">
          <div class="gmail_quote">2017-07-31 19:33 GMT+09:00 Rafik
            Dammak <span dir="ltr"><<a href="mailto:rafik.dammak@gmail.com" target="_blank">rafik.dammak@gmail.com</a>></span>:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="auto">
                <div>Hi Ayden,
                  <div dir="auto"><br>
                  </div>
                  <div dir="auto">Yes it is for PC review. We worked on
                    it the last days with Juan, Dina and Niels. James
                    cannot response since is off for the coming days. I
                    was going to send email to related ICANN staff to
                    inform that we will make a late submission,
                    hopefully by end of this week.</div>
                  <div dir="auto"><br>
                  </div>
                  <div dir="auto">Best,</div>
                  <div dir="auto"><br>
                  </div>
                  <div dir="auto">Rafik </div>
                  <br>
                  <div class="gmail_extra"><br>
                    <div class="gmail_quote">
                      <div>
                        <div class="m_4966123089002198678m_-326150836554865276h5">On Jul 31, 2017 7:18 PM, "Ayden
                          Férdeline" <<a href="mailto:icann@ferdeline.com" target="_blank">icann@ferdeline.com</a>>
                          wrote:<br type="attribution">
                        </div>
                      </div>
                      <blockquote class="m_4966123089002198678m_-326150836554865276m_7229474843329171798quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                        <div>
                          <div class="m_4966123089002198678m_-326150836554865276h5">
                            <div>I believe the PC is being asked to
                              review this comment which has been drafted
                              by Dina and Juan. The submission deadline
                              for comments on this issue is today, but I
                              suspect we will not be able to meet that,
                              so let's try for this Friday? I think we
                              need to bring in a topic expert, James
                              Gannon (cc'd), to get his opinion on this
                              comment, too -- because I am happy to
                              raise my hand and say I do not know
                              anything about this topic. <br>
                            </div>
                            <div><br>
                            </div>
                            <div class="m_4966123089002198678m_-326150836554865276m_7229474843329171798m_6307797313055180449protonmail_signature_block">
                              <div class="m_4966123089002198678m_-326150836554865276m_7229474843329171798m_6307797313055180449protonmail_signature_block-user">
                                <div>Best, Ayden <br>
                                </div>
                              </div>
                              <div class="m_4966123089002198678m_-326150836554865276m_7229474843329171798m_6307797313055180449protonmail_signature_block-proton
m_7229474843329171798m_6307797313055180449protonmail_signature_block-empty"><br>
                              </div>
                            </div>
                            <div class="m_4966123089002198678m_-326150836554865276m_7229474843329171798elided-text">
                              <div><br>
                              </div>
                              <blockquote type="cite" class="m_4966123089002198678m_-326150836554865276m_7229474843329171798m_6307797313055180449protonmail_quote">
                                <div>-------- Original Message --------<br>
                                </div>
                                <div>Subject: [NCUC-DISCUSS] Suggested
                                  Comment: Draft Framework for Registry
                                  Operators to Respond to Security
                                  Threats<br>
                                </div>
                                <div>Local Time: July 30, 2017 11:24 PM<br>
                                </div>
                                <div>UTC Time: July 30, 2017 10:24 PM<br>
                                </div>
                                <div>From: <a href="mailto:thomascovenant@thomascovenant.org" target="_blank">thomascovenant@thomascovenant.<wbr>org</a><br>
                                </div>
                                <div>To: NCUC-discuss <<a href="mailto:ncuc-discuss@lists.ncuc.org" target="_blank">ncuc-discuss@lists.ncuc.org</a>><br>
                                </div>
                                <div><br>
                                </div>
                                <div>Hello,<br>
                                </div>
                                <div><br>
                                </div>
                                <div>the comment proposal is underneath,
                                  what are your thoughts?<br>
                                </div>
                                <div><br>
                                </div>
                                <div><a href="https://docs.google.com/document/d/1TfgHuMqzD660_CHLQMXMW4phnBtLSP94j6X5riY2Ko4/edit" target="_blank">https://docs.google.com/docume<wbr>nt/d/1TfgHuMqzD660_CHLQMXMW4ph<wbr>nBtLSP94j6X5riY2Ko4/edit</a><br>
                                </div>
                                <div><br>
                                </div>
                                <div>Note from Security Framework
                                  Drafting Team wiki workspace:<br>
                                </div>
                                <div><br>
                                </div>
                                <div>- Is Public Comment required for
                                  the draft Framework?<br>
                                </div>
                                <div>- This is not a policy
                                  implementation nor a contractual
                                  requirements document; therefore, a
                                  public comment proceeding would not be
                                  required. However, SFDT has decided to
                                  conduct a public comment for broader
                                  community feedback prior to
                                  finalization of the Framework.<br>
                                </div>
                                <div><br>
                                </div>
                                <div>Main points:<br>
                                </div>
                                <div><br>
                                </div>
                                <div>- Framework should be expanded<br>
                                </div>
                                <div>- Several minor details are to be
                                  clarified, restructuring proposal<br>
                                </div>
                                <div>- as a small step in response to
                                  proposed detailed report examination,
                                  I suggest we include a recommendation
                                  on Responsible Threat Disclosure.<br>
                                </div>
                                <div><br>
                                </div>
                                <div>Finally, I quote Point 3 from the
                                  Comment:<br>
                                </div>
                                <div><br>
                                </div>
                                <div>"Since the following examination of
                                  threat report is identified in the
                                  Framework, we strongly suggest
                                  including a recommendation on
                                  Responsible Threat Disclosure to be
                                  included in the document:<br>
                                </div>
                                <div><br>
                                </div>
                                <div>"Each RO should scrutinize,
                                  question or otherwise inquire about
                                  the legitimacy of the origin<br>
                                </div>
                                <div>of a request, in accordance with
                                  their own internal policies and
                                  processes."<br>
                                </div>
                                <div><br>
                                </div>
                                <div>We have seen a broad variation in
                                  handling security threat reports,
                                  varying from constructive actions
                                  addressing the issues to punishment of
                                  the reporting party. Benefits of
                                  responsible threat submission are
                                  obvious.<br>
                                </div>
                                <div><br>
                                </div>
                                <div>In this context, it is important to
                                  underline benefits and importance of
                                  responsible threat disclosure. We
                                  request recommendation to extend
                                  goodwill and not cause harm to the
                                  reporting party whenever possible:<br>
                                </div>
                                <div><br>
                                </div>
                                <div>When applicable, RO should provide:<br>
                                </div>
                                <div><br>
                                </div>
                                <div>- an easy way to report security
                                  threats and violation<br>
                                </div>
                                <div>- encrypted ways of communication<br>
                                </div>
                                <div>- option of anonymous submission"<br>
                                </div>
                                <div><br>
                                </div>
                                <div>Other:<br>
                                </div>
                                <div><br>
                                </div>
                                <div>- This is my first comment drafted
                                  with input from Juan Manuel Rojas
                                  (thank you for commenting). Access to
                                  shared document and request for review
                                  was given to those who expressed
                                  interest in working on it. All input
                                  from the list is very welcome. Please
                                  let me know what needs to be corrected
                                  and I will promptly do it.<br>
                                </div>
                                <div>- Comment is a bit late, I will
                                  request an extra week to discuss the
                                  proposal with my humble excuses.<br>
                                </div>
                                <div><br>
                                </div>
                                <div>BR,<br>
                                </div>
                                <div>Dina Solveig Jalkanen<br>
                                </div>
                                <div>-- <br>
                                </div>
                                <div>* * *<br>
                                </div>
                                <div>Friendly geek in Amsterdam, FSFE
                                  Fellow<br>
                                </div>
                                <div><a href="https://wiki.techinc.nl/index.php/User:Thomascovenant" target="_blank">https://wiki.techinc.nl/index.<wbr>php/User:Thomascovenant</a><br>
                                </div>
                                <div><br>
                                </div>
                                <div><br>
                                </div>
                                <div>______________________________<wbr>_________________<br>
                                </div>
                                <div>Ncuc-discuss mailing list<br>
                                </div>
                                <div><a href="mailto:Ncuc-discuss@lists.ncuc.org" target="_blank">Ncuc-discuss@lists.ncuc.org</a><br>
                                </div>
                                <div><a href="http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss" target="_blank">http://lists.ncuc.org/cgi-bin/<wbr>mailman/listinfo/ncuc-discuss</a><br>
                                </div>
                              </blockquote>
                              <div><br>
                              </div>
                            </div>
                            <br>
                          </div>
                        </div>
                        ______________________________<wbr>_________________<br>
                        NCSG-PC mailing list<br>
                        <a href="mailto:NCSG-PC@lists.ncsg.is" target="_blank">NCSG-PC@lists.ncsg.is</a><br>
                        <a href="https://lists.ncsg.is/mailman/listinfo/ncsg-pc" rel="noreferrer" target="_blank">https://lists.ncsg.is/mailman/<wbr>listinfo/ncsg-pc</a><br>
                        <br>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
      <fieldset class="m_4966123089002198678m_-326150836554865276mimeAttachmentHeader"></fieldset>
      <br>
      <pre>______________________________<wbr>_________________
NCSG-PC mailing list
<a class="m_4966123089002198678m_-326150836554865276moz-txt-link-abbreviated" href="mailto:NCSG-PC@lists.ncsg.is" target="_blank">NCSG-PC@lists.ncsg.is</a>
<a class="m_4966123089002198678m_-326150836554865276moz-txt-link-freetext" href="https://lists.ncsg.is/mailman/listinfo/ncsg-pc" target="_blank">https://lists.ncsg.is/mailman/<wbr>listinfo/ncsg-pc</a>
</pre>
    </blockquote>
    <br>
  </div></div></div>

<br>______________________________<wbr>_________________<br>
NCSG-PC mailing list<br>
<a href="mailto:NCSG-PC@lists.ncsg.is" target="_blank">NCSG-PC@lists.ncsg.is</a><br>
<a href="https://lists.ncsg.is/mailman/listinfo/ncsg-pc" rel="noreferrer" target="_blank">https://lists.ncsg.is/mailman/<wbr>listinfo/ncsg-pc</a><br>
<br></blockquote></div><br></div></div>