[NCSG-PC] Fw: [NCUC-DISCUSS] Suggested Comment: Draft Framework for Registry Operators to Respond to Security Threats

Rafik Dammak rafik.dammak at gmail.com
Mon Jul 31 13:33:59 EEST 2017


Hi Ayden,

Yes, it is for PC review. We worked on it over the last days with Juan, Dina and
Niels. James cannot respond since he is off for the coming days. I was going
to send an email to the related ICANN staff to inform them that we will make a late
submission, hopefully by the end of this week.

Best,

Rafik


On Jul 31, 2017 7:18 PM, "Ayden Férdeline" <icann at ferdeline.com> wrote:

I believe the PC is being asked to review this comment which has been
drafted by Dina and Juan. The submission deadline for comments on this
issue is today, but I suspect we will not be able to meet that, so let's
try for this Friday? I think we need to bring in a topic expert, James
Gannon (cc'd), to get his opinion on this comment, too -- because I am
happy to raise my hand and say I do not know anything about this topic.

Best, Ayden


-------- Original Message --------
Subject: [NCUC-DISCUSS] Suggested Comment: Draft Framework for Registry
Operators to Respond to Security Threats
Local Time: July 30, 2017 11:24 PM
UTC Time: July 30, 2017 10:24 PM
From: thomascovenant at thomascovenant.org
To: NCUC-discuss <ncuc-discuss at lists.ncuc.org>

Hello,

the comment proposal is underneath, what are your thoughts?

https://docs.google.com/document/d/1TfgHuMqzD660_CHLQMXMW4phnBtLSP94j6X5riY2Ko4/edit

Note from Security Framework Drafting Team wiki workspace:

- Is Public Comment required for the draft Framework?
- This is not a policy implementation nor a contractual requirements
document; therefore, a public comment proceeding would not be required.
However, SFDT has decided to conduct a public comment for broader community
feedback prior to finalization of the Framework.

Main points:

- Framework should be expanded
- Several minor details are to be clarified, restructuring proposal
- as a small step in response to proposed detailed report examination, I
suggest we include a recommendation on Responsible Threat Disclosure.

Finally, I quote Point 3 from the Comment:

"Since the following examination of threat report is identified in the
Framework, we strongly suggest including a recommendation on Responsible
Threat Disclosure to be included in the document:

"Each RO should scrutinize, question or otherwise inquire about the
legitimacy of the origin of a request, in accordance with their own
internal policies and processes."

We have seen a broad variation in handling security threat reports, varying
from constructive actions addressing the issues to punishment of the
reporting party. Benefits of responsible threat submission are obvious.

In this context, it is important to underline benefits and importance of
responsible threat disclosure. We request recommendation to extend goodwill
and not cause harm to the reporting party whenever possible:

When applicable, RO should provide:

- an easy way to report security threats and violation
- encrypted ways of communication
- option of anonymous submission"

Other:

- This is my first comment drafted with input from Juan Manuel Rojas (thank
you for commenting). Access to shared document and request for review was
given to those who expressed interest in working on it. All input from the
list is very welcome. Please let me know what needs to be corrected and I
will promptly do it.
- Comment is a bit late, I will request an extra week to discuss the
proposal with my humble excuses.

BR,
Dina Solveig Jalkanen
-- 
* * *
Friendly geek in Amsterdam, FSFE Fellow
https://wiki.techinc.nl/index.php/User:Thomascovenant

