[NCSG-PC] Fw: [NCUC-DISCUSS] Suggested Comment: Draft Framework for Registry Operators to Respond to Security Threats
Ayden Férdeline
icann at ferdeline.com
Mon Jul 31 13:17:47 EEST 2017
I believe the PC is being asked to review this comment which has been drafted by Dina and Juan. The submission deadline for comments on this issue is today, but I suspect we will not be able to meet that, so let's try for this Friday? I think we need to bring in a topic expert, James Gannon (cc'd), to get his opinion on this comment, too -- because I am happy to raise my hand and say I do not know anything about this topic.
Best, Ayden
> -------- Original Message --------
> Subject: [NCUC-DISCUSS] Suggested Comment: Draft Framework for Registry Operators to Respond to Security Threats
> Local Time: July 30, 2017 11:24 PM
> UTC Time: July 30, 2017 10:24 PM
> From: thomascovenant at thomascovenant.org
> To: NCUC-discuss <ncuc-discuss at lists.ncuc.org>
> Hello,
> the comment proposal is underneath, what are your thoughts?
> https://docs.google.com/document/d/1TfgHuMqzD660_CHLQMXMW4phnBtLSP94j6X5riY2Ko4/edit
> Note from Security Framework Drafting Team wiki workspace:
> - Is Public Comment required for the draft Framework?
> - This is not a policy implementation nor a contractual requirements document; therefore, a public comment proceeding would not be required. However, SFDT has decided to conduct a public comment for broader community feedback prior to finalization of the Framework.
> Main points:
> - Framework should be expanded
> - Several minor details are to be clarified, restructuring proposal
> - As a small step in response to the proposed detailed report examination, I suggest we include a recommendation on Responsible Threat Disclosure.
> Finally, I quote Point 3 from the Comment:
> "Since the following examination of threat report is identified in the Framework, we strongly suggest including a recommendation on Responsible Threat Disclosure to be included in the document:
> "Each RO should scrutinize, question or otherwise inquire about the legitimacy of the origin
> of a request, in accordance with their own internal policies and processes."
> We have seen a broad variation in handling security threat reports, varying from constructive actions addressing the issues to punishment of the reporting party. Benefits of responsible threat submission are obvious.
> In this context, it is important to underline the benefits and importance of responsible threat disclosure. We request a recommendation to extend goodwill and not cause harm to the reporting party whenever possible:
> When applicable, RO should provide:
> - an easy way to report security threats and violations
> - encrypted ways of communication
> - option of anonymous submission"
> Other:
> - This is my first comment drafted with input from Juan Manuel Rojas (thank you for commenting). Access to shared document and request for review was given to those who expressed interest in working on it. All input from the list is very welcome. Please let me know what needs to be corrected and I will promptly do it.
> - Comment is a bit late, I will request an extra week to discuss the proposal with my humble excuses.
> BR,
> Dina Solveig Jalkanen
> --
> * * *
> Friendly geek in Amsterdam, FSFE Fellow
> https://wiki.techinc.nl/index.php/User:Thomascovenant