Comment on ICANN's Initial Report from the Expert Working Group on gTLD Directory Services (R-2)

Date Issued | Document | Reference ID | Current Phase

  

SSAC Comment on ICANN’s Initial Report from the Expert Working Group on gTLD Directory Services (R-2) | SAC061 | CLOSED


Description:

The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.


STATUS UPDATES

Date | Phase | Type | Status Updates

 

Closed | Phase Change | This Advice Item is now Closed

 

Phase 5 | AP Feedback | ICANN received confirmation from the SSAC that the items included in the letter (https://www.icann.org/en/system/files/correspondence/olive-to-rasmussen-22jun23-en.pdf) from David Olive can be formally closed.

 

Phase 5 | Phase Update | A letter (https://www.icann.org/en/system/files/correspondence/olive-to-rasmussen-22jun23-en.pdf) was sent from David Olive to Rod Rasmussen regarding the status of the Advice Item.

 

Phase 5 | Phase Update | On 23 June 2018, the Board accepted this advice and noted (https://www.icann.org/resources/board-material/resolutions-2018-06-23-en#1.g) that implementation has been completed. Subsequently, on 2 August 2018, the SSAC contacted the ICANN org to oppose this determination and requested the ICANN org change SAC061 Recommendation 2’s status from ‘Closed’ to ‘Open.’ Upon review of SAC061 and SAC101v2, the ICANN org has returned SAC061 to Phase 2 | Understand. SAC061 recommendation 2 was considered in conjunction with SAC101v2. On 23 June 2019 the ICANN Board considered SAC101v2 and noted (https://www.icann.org/resources/board-material/resolutions-2019-06-23-en#1.c) advice items 2A and three through seven in SAC101 version 2 and referred them to the GNSO Council for consideration for inclusion in the EPDP Phase 2 work. In its rationale the Board states "Advice item five reiterates Recommendation 2 from SAC061 and suggests that 'The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process. A separate security risk assessment should also be conducted regarding the implementation of the policy.' The advice further suggests that 'These assessments should be incorporated in PDP plans at the GNSO.' As the Advice suggests that the assessments be incorporated into PDP plans and the GNSO is the manager of PDPs, the Board notes and refers this advice to the GNSO Council." As a result, implementation of this Advice is considered complete.

 

Phase 5 | AP Feedback | SSAC acknowledged the June 2019 notification that this item is considered complete following the Board's consideration of SAC101v2. The SSAC did not provide any feedback but indicated that it agreed with the action taken by the ICANN Board and org.

 

Phase 5 | Phase Update | On 23 June 2018, the Board accepted this advice and noted that implementation has been completed (https://www.icann.org/resources/board-material/resolutions-2018-06-23-en#1.g). Subsequently, on 2 August 2018 the SSAC contacted the ICANN org to oppose this determination and requested the ICANN org change SAC061 Recommendation 2’s status from ‘Closed’ to ‘Open.’ Upon review of SAC061 and SAC101v2, the ICANN org has returned SAC061 to Phase 2 | Understand. SAC061 Recommendation 2 will be considered in conjunction with SAC101v2. On 23 June 2019 the ICANN Board considered SAC101v2 and noted advice items 2A and three through seven in SAC101 version 2 and referred them to the GNSO Council for consideration for inclusion in the EPDP Phase 2 work (https://www.icann.org/resources/board-material/resolutions-2019-06-23-en#1.c). In its rationale the Board states "Advice item five reiterates Recommendation 2 from SAC061 and suggests that 'The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process. A separate security risk assessment should also be conducted regarding the implementation of the policy.' The advice further suggests that 'These assessments should be incorporated in PDP plans at the GNSO.' As the advice suggests that the assessments be incorporated into PDP plans and the GNSO is the manager of PDPs, the Board notes and refers this advice to the GNSO Council."

 

Phase 5 | Phase Change | Now in Phase 5: Close

 

Phase 2 | Board Update | Resolved (2019.06.23.06), the Board notes advice items 2A and three through seven in SAC101 version 2 and refers them to the GNSO Council for consideration for inclusion in the EPDP Phase 2 work. Board Rationale: Advice item five reiterates Recommendation 2 from SAC061 and suggests that "The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process. A separate security risk assessment should also be conducted regarding the implementation of the policy." The advice further suggests that "These assessments should be incorporated in PDP plans at the GNSO." As the advice suggests that the assessments be incorporated into PDP plans and the GNSO is the manager of PDPs, the Board notes and refers this advice to the GNSO Council.

Phase 2 | Phase Update | On 23 June 2018, the Board accepted this advice and noted that implementation has been completed (https://www.icann.org/resources/board-material/resolutions-2018-06-23-en#1.g). Subsequently, on 2 August 2018 the SSAC contacted the ICANN org to oppose this determination and requested the ICANN org change SAC061 Recommendation 2's status from "Closed" to "Open." Upon review of SAC061 and SAC101v2, the ICANN org has returned SAC061 to Phase 2: Understand. SAC061 Recommendation 2 will be considered in conjunction with SAC101v2.

Phase 2 | Phase Update | Notification: In response to SSAC's 8 August 2018 feedback regarding SAC061 Recommendation 2's implementation status, the ICANN org has returned SAC061 Recommendation 2 to Phase 2 to be considered alongside SAC101v2. SAC061 Recommendation 2 will be considered together with SAC101v2 in Phase 3. The ICANN organization understands SAC061 Recommendation 2 to mean that the ICANN Board should ensure that a formal risk assessment is completed and available for the PDP working group to consider before the PDP is finalized and moved to implementation. The SSAC confirmed this understanding on 18 August 2017.

 

Phase 2 | Phase Change | Now in Phase 2: Understand

 

Phase 5 | AP Feedback | We are writing regarding an advice item’s implementation status. SAC061 (2013) Recommendation 2 states, “The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process.” During its meeting at ICANN 62, the Board accepted the advice but also said the assessment was done and “implementation has been completed.” In the Board scorecard, it says that the SSAC advice was fulfilled because the Expert Working Group (EWG) on gTLD Directory Services had completed a risk assessment. Also the Board scorecard noted the SSAC advice was fulfilled because the RDS PDP had a risk assessment in its charter. In reviewing the EWG report, and RDS PDP, it is clear that a risk assessment has not yet been done: First, the EWG did not perform a risk assessment. The EWG performed a risk survey of the community rather than a risk assessment. While the EWG made some security-related judgments, there was no assessment methodology, and the EWG report itself said several times that risk assessments still needed to be performed. (See Appendix A: Sections of EWG Report Highlighting the Need for Risk Assessment of a new RDS) Second, the RDS PDP had a risk assessment in its charter, but the RDS PDP was shut down before ICANN 62 and no assessment took place. Having been a member of both the EWG and the RDS PDP, I can attest to the fact that such an assessment has not been completed. The EWG only laid out the necessary groundwork to start a risk assessment by crafting a wide-ranging survey. Based on our research and the data presented, we request ICANN to: Change SAC061’s status from Resolved to Open. If ICANN believes that it should be considered Resolved, we request information on the basis for making such a recommendation. We further request that ICANN update necessary documentation and continue the work.
We note that SAC101 reiterated that the SAC061 advice is outstanding and needs to be considered in the forthcoming GNSO EPDP on the Temporary Specification for gTLD Registration Data. This is especially appropriate since the landscape has changed since 2014-2015.

 

Phase 5 | Phase Update | On 23 June 2018, the Board accepted this advice and noted that implementation has been completed (https://www.icann.org/resources/board-material/resolutions-2018-06-23-en#1.g).

 

Phase 5 | Phase Change | Now in Phase 5: Close

 

Phase 3 | Board Update | Resolved (2018.06.23.10), the Board adopts the scorecard titled "ICANN Board Action for SSAC Advice Documents SAC047, SAC058, SAC061, SAC090, and SAC097 (08 June 2018)" [PDF, 182 KB], and directs the President and CEO or his designee(s) to implement the advice as described in the scorecard. SAC061 Recommendation 2 Board Action: The Board accepts this advice and notes that implementation has been completed. See full resolution at and scorecard at https://www.icann.org/resources/board-material/resolutions-2018-06-23-en#1.g.

 

Phase 3 | Phase Change | Now in Phase 3: Evaluate & Consider

 

Phase 3 | Phase Update | ICANN received SSAC's approval of understanding and is in the process of evaluating the advice. The ICANN organization understands SAC061 Recommendation 2 to mean that the ICANN Board should ensure that a formal risk assessment is completed and available for the PDP working group to consider before the PDP is finalized and moved to implementation. This understanding was sent to the SSAC on 6 June 2017.

 

Phase 2 | AP Feedback | SSAC confirmed statement of understanding from 5 June 2017.

 

Phase 2 | Phase Update | The ICANN organization understands SAC061 Recommendation 2 to mean that the ICANN Board should ensure that a formal risk assessment is completed and available for the PDP working group to consider before the PDP is finalized and moved to implementation. This understanding was sent to the SSAC on 6 June 2017.

 

Phase 2 | Board Understanding | The ICANN organization understands SAC061 Recommendation 2 to mean that the ICANN Board should ensure that a formal risk assessment is completed and available for the PDP working group to consider before the PDP is finalized and moved to implementation.

 

Phase 2 | Phase Update | [Update as of 05 May 2017 - ICANN is in receipt of the SSAC's response and/or comment to this item. ICANN will revert back with any questions] This advice item was identified by the SSAC as "Open - Prior to Board Consideration" in November 2016. Accordingly, it will be processed through the BAR Pilot procedure. The ICANN organization understands SAC061 Recommendation 2 to mean that the ICANN Board should ensure that a formal risk assessment of the registration data policy be executed during the PDP as well as following the PDP prior to implementation.

 

Phase 2 | AP Feedback | SSAC rejected statement of understanding and provided the following clarifying comments: The recommendation clearly states that the risk assessment is to be done as input to the PDP process. I realize that this is moot at this point, since the PDP process is well underway, so we would accept an interpretation change that suggests that the risk assessment will be completed before the PDP work product is finalized and moved to implementation, i.e., it must be done in such a way as to be available for consideration by the PDP working group.

 

Phase 2 | Phase Update | This advice item was identified by the SSAC as "Open - Prior to Board Consideration" in November 2016. Accordingly, it will be processed through the BAR Pilot procedure. The ICANN organization understands SAC061 Recommendation 2 to mean that the ICANN Board should ensure that a formal risk assessment of the registration data policy be executed during the PDP as well as following the PDP prior to implementation.

 

Phase 2 | Board Understanding | [This advice item was originally part of the "historical" advice review conducted by ICANN and was identified by the SSAC as "Open - Prior to Board Consideration" in November 2016. Accordingly, it will be processed through the BAR Pilot procedure.] The ICANN organization understands SAC061 Recommendation 2 to mean that the ICANN Board should ensure that a formal risk assessment of the registration data policy be executed during the PDP as well as following the PDP prior to implementation.

 

Phase 2 | Phase Change | Now in Phase 2: Understand

 

Phase 5 | AP Feedback | This advice was addressed directly to the Board. The Board has not considered the advice, and the advice has not been carried out anywhere by anyone. This one was marked "Closed" because the SSAC advice was submitted to the EWG public comment period, and that justification for closure is irrelevant. Please move this item to status = "Open - Prior to Board Consideration". The advice is: "Recommendation 2: The ICANN Board should ensure that a formal security risk assessment of the registration data policy be conducted as an input into the Policy Development Process. A separate security risk assessment should also be conducted regarding the implementation of the policy." So the Board needs to consider the advice and ensure that the risk assessments are properly scoped, funded, and executed at the proper points during the PDP. As a member of the RDS PDP WG, I note that risk assessment is mentioned in the WG's project plan. But the general expectations are undefined. (For example, does "formal" mean "professional", performed by a party or parties with requisite expertise, and not performed just by the WG itself?) SSAC's responsibilities under the Bylaws include risk assessments, so should SSAC be involved formally? Either way, I think these assessments will require some $ for research and legal advice.

 

Phase 5 | Board Update | This item has been processed as much as is relevant and is considered complete; no work is outstanding from the perspective of Board Advice (note that related implementation work may have been integrated into ICANN’s ongoing operations or other initiatives). Status provided in 19 October 2016 letter from ICANN Board Chair to SSAC Chair (https://www.icann.org/en/system/files/correspondence/crocker-to-faltstrom-19oct16-en.pdf). This statement was considered as part of a public comment period on the initial report (http://mm.icann.org/pipermail/input-toewg/2013/thread.html). A Final Report was published in June 2014 (https://www.icann.org/en/system/files/files/final-report06jun14-en.pdf).

 

Phase 5 | Phase Change | Now in Phase 5: Close

 

Phase 1 | Phase Update | SSAC published SAC061: Comment on ICANN's Initial Report from the Expert Working Group on gTLD Directory Services: https://www.icann.org/en/system/files/files/sac-061-en.pdf.