[NCSG-PC] Fw: [NCUC-DISCUSS] Suggested Comment: Draft Framework for Registry Operators to Respond to Security Threats

Rafik Dammak rafik.dammak at gmail.com
Thu Aug 10 02:52:19 EEST 2017 

Hi all,

as the deadline already passed with no objection made on the list, I
submitted the attached comment.
Thanks.

Best,

Rafik

2017-08-09 11:50 GMT+09:00 Rafik Dammak <rafik.dammak at gmail.com>:

> hi Tatiana,
>
> thanks, I removed those 2 statements and we have this version now
> https://docs.google.com/document/d/1TfgHuMqzD660_
> CHLQMXMW4phnBtLSP94j6X5riY2Ko4/edit . with those changes, I can
> understand that you are supporting the comment. looking to hear from
> other PC members.
> if I don't hear any objection by Wednesday 9th August 11:59am UTC, I can
> interpret that the comment is endorsed by NCSG Policy committee.
>
> Best,
>
> Rafik
>
>
> 2017-08-08 17:40 GMT+09:00 Dr. Tatiana Tropina <t.tropina at mpicc.de>:
>
>> Hi Rafik,
>>
>> As I said - I do not quite get what the first statement means in terms of
>> issues raised so I can't come up with any suggestion. I wish I could. As
>> this statement doesn't really contribute to anything and doesn't raise any
>> issue (although it's supposed to as it is placed in the "issue" section) I
>> suggest we just remove it for the sake of clarity. Unless the drafters are
>> ready to clarify or rephrase. But I don't think removal will change
>> anything in the document except making it clearer.
>>
>> I am totally supporting your suggestion for removal of anotehr statement
>> - let's not send the mix messages especially with vague wording proposals.
>>
>> Thanks!
>>
>> Tanya
>>
>> On 08/08/17 08:08, Rafik Dammak wrote:
>>
>> Hi Tatiana,
>>
>> Thanks for the comments,
>> while we are late by our deadline to submit a comment, I think we can
>> solve the concerns.
>> 1/ do you have a proposal of rephrasing for the first statement?
>> 2/ I understand your concerns and indeed doesn't seem aligned with our
>> previous stances regarding domain suspension. probably we can remove that.
>>
>> really looking forward to solving this within the next 24hours.
>>
>> Best,
>>
>> Rafik
>> 2017-08-05 6:56 GMT+09:00 Dr. Tatiana Tropina <t.tropina at mpicc.de>:
>>
>>> Hi all,
>>>
>>> I have a couple of comments:
>>>
>>> 1) I have hard time making sense of the first point:
>>>
>>> "1. Registry Response, Responsible Parties
>>>
>>>  “ROs are not necessarily the best parties to address certain security
>>> threats. The identification of the parties considered as being most
>>> relevant and appropriate in resolving the security threat is critical to
>>> the prompt resolution of the matter.”
>>>
>>> More specifically, responsibility of identifying security threats
>>> connected to New gTLDs and resolving them when possible rests with ROs."
>>>
>>> As this point is a part of the comment that refers to the "issue" I
>>> wonder what is this - a statement? What kind of issue is identified here?
>>> Are we recommending anything?  If not and if this is just an introduction,
>>> may be it's better to rephrase? May be it's just too late here but I
>>> struggling with what this "issue" implies.
>>>
>>> 2) I wonder if this one is really in line with NSCG values such as due
>>> process:
>>>
>>> 2. We ask you to consider including the following GAC recommendation in
>>> Registry Response:
>>>
>>> “If Registry operator identifies risk of  harm, Registry operator will
>>> notify the relevant registrar and , if the registrar does not take
>>> immediate action, suspend the domain name until the matter is resolved.”
>>>
>>> The framework already lists the actions that Registry can take even in
>>> the case if "a negative or non-existent response from the Registrar", which
>>> "should not
>>> preclude the Registry from taking action". I do not like the notion of
>>> "immediate action" as it sound to vague to me and I believe that there are
>>> enough actions listed to address the issue under the framework rather than
>>> suspension of domain name - again, "till the matter is resolved" looks too
>>> vague. I don't think it's acceptable when it comes to such a matter as a
>>> suspension of domain name. I know enough cases of mistakes when due to
>>> abuse claims customers went dark, etc. I suggest we rather be careful here.
>>> But if everyone is comfortable with this suggestion, I'll surrender.
>>>
>>> Warm regards,
>>>
>>> Tanya
>>>
>>>
>>>
>>> On 04/08/17 09:39, Rafik Dammak wrote:
>>>
>>> Dear PC members,
>>>
>>> any comment on the draft? we got an extension till 6th August, we should
>>> review quickly and make a decision.
>>>
>>> Best,
>>>
>>> Rafik
>>>
>>> 2017-07-31 19:33 GMT+09:00 Rafik Dammak <rafik.dammak at gmail.com>:
>>>
>>>> Hi Ayden,
>>>>
>>>> Yes it is for PC review. We worked on it the last days with Juan, Dina
>>>> and Niels. James cannot response since is off for the coming days. I was
>>>> going to send email to related ICANN staff to inform that we will make a
>>>> late submission, hopefully by end of this week.
>>>>
>>>> Best,
>>>>
>>>> Rafik
>>>>
>>>>
>>>> On Jul 31, 2017 7:18 PM, "Ayden Férdeline" <icann at ferdeline.com> wrote:
>>>>
>>>> I believe the PC is being asked to review this comment which has been
>>>> drafted by Dina and Juan. The submission deadline for comments on this
>>>> issue is today, but I suspect we will not be able to meet that, so let's
>>>> try for this Friday? I think we need to bring in a topic expert, James
>>>> Gannon (cc'd), to get his opinion on this comment, too -- because I am
>>>> happy to raise my hand and say I do not know anything about this topic.
>>>>
>>>> Best, Ayden
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: [NCUC-DISCUSS] Suggested Comment: Draft Framework for Registry
>>>> Operators to Respond to Security Threats
>>>> Local Time: July 30, 2017 11:24 PM
>>>> UTC Time: July 30, 2017 10:24 PM
>>>> From: thomascovenant at thomascovenant.org
>>>> To: NCUC-discuss <ncuc-discuss at lists.ncuc.org>
>>>>
>>>> Hello,
>>>>
>>>> the comment proposal is underneath, what are your thoughts?
>>>>
>>>> https://docs.google.com/document/d/1TfgHuMqzD660_CHLQMXMW4ph
>>>> nBtLSP94j6X5riY2Ko4/edit
>>>>
>>>> Note from Security Framework Drafting Team wiki workspace:
>>>>
>>>> - Is Public Comment required for the draft Framework?
>>>> - This is not a policy implementation nor a contractual requirements
>>>> document; therefore, a public comment proceeding would not be required.
>>>> However, SFDT has decided to conduct a public comment for broader community
>>>> feedback prior to finalization of the Framework.
>>>>
>>>> Main points:
>>>>
>>>> - Framework should be expanded
>>>> - Several minor details are to be clarified, restructuring proposal
>>>> - as a small step in response to proposed detailed report examination,
>>>> I suggest we include a recommendation on Responsible Threat Disclosure.
>>>>
>>>> Finally, I quote Point 3 from the Comment:
>>>>
>>>> "Since the following examination of threat report is identified in the
>>>> Framework, we strongly suggest including a recommendation on Responsible
>>>> Threat Disclosure to be included in the document:
>>>>
>>>> "Each RO should scrutinize, question or otherwise inquire about the
>>>> legitimacy of the origin
>>>> of a request, in accordance with their own internal policies and
>>>> processes."
>>>>
>>>> We have seen a broad variation in handling security threat reports,
>>>> varying from constructive actions addressing the issues to punishment of
>>>> the reporting party. Benefits of responsible threat submission are obvious.
>>>>
>>>> In this context, it is important to underline benefits and importance
>>>> of responsible threat disclosure. We request recommendation to extend
>>>> goodwill and not cause harm to the reporting party whenever possible:
>>>>
>>>> When applicable, RO should provide:
>>>>
>>>> - an easy way to report security threats and violation
>>>> - encrypted ways of communication
>>>> - option of anonymous submission"
>>>>
>>>> Other:
>>>>
>>>> - This is my first comment drafted with input from Juan Manuel Rojas
>>>> (thank you for commenting). Access to shared document and request for
>>>> review was given to those who expressed interest in working on it. All
>>>> input from the list is very welcome. Please let me know what needs to be
>>>> corrected and I will promptly do it.
>>>> - Comment is a bit late, I will request an extra week to discuss the
>>>> proposal with my humble excuses.
>>>>
>>>> BR,
>>>> Dina Solveig Jalkanen
>>>> --
>>>> * * *
>>>> Friendly geek in Amsterdam, FSFE Fellow
>>>> https://wiki.techinc.nl/index.php/User:Thomascovenant
>>>>
>>>>
>>>> _______________________________________________
>>>> Ncuc-discuss mailing list
>>>> Ncuc-discuss at lists.ncuc.org
>>>> http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> NCSG-PC mailing list
>>>> NCSG-PC at lists.ncsg.is
>>>> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> NCSG-PC mailing listNCSG-PC at lists.ncsg.ishttps://lists.ncsg.is/mailman/listinfo/ncsg-pc
>>>
>>> _______________________________________________ NCSG-PC mailing list
>>> NCSG-PC at lists.ncsg.is https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20170810/6fae6587/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Draft Framework for the Registry Operator to Respond to Security Threats - NCSG comment.pdf
Type: application/pdf
Size: 73275 bytes
Desc: not available
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20170810/6fae6587/attachment.pdf>

More information about the NCSG-PC mailing list