SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle (R-2)


Description:

A provision similar to 2013 RAA paragraph 3.20 should be incorporated into all future registry contracts, with similar statistics published.


STATUS UPDATES

Date | Phase | Type | Status Updates

 

Closed | Phase Change | SAC074 Recommendation 2 is Closed.

 

Phase 5 | Phase Update | Completion letter sent to Board on 12 June 2018 (https://www.icann.org/en/system/files/correspondence/namazi-to-chalaby-12jun18-en.pdf) [SAC074 Recommendation 2]: On 4 Feb 2018, the ICANN Board took a resolution directing the President and CEO, or his designee(s), to implement the advice as described in the scorecard: https://www.icann.org/en/system/files/files/resolutions-implementation-recs-ssac-advice-scorecard-04feb18-en.pdf. Per the direction from the ICANN Board, the ICANN org will include this recommendation in the proposed changes to the registry agreement during the next bilateral negotiation.

 

Phase 5 | Phase Update | ICANN staff's understanding of this advice is that a provision similar to paragraph 3.20 of the 2013 Registrar Accreditation Agreement (RAA) should be incorporated into all future gTLD Registry Agreements, with similar statistics published (e.g., about the number of breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches). On 4 Feb 2018, the ICANN Board took a resolution directing the President and CEO, or his designee(s), to implement the advice as described in the scorecard: https://www.icann.org/en/system/files/files/resolutions-implementation-recs-ssac-advice-scorecard-04feb18-en.pdf. Per the direction from the ICANN Board, the ICANN org will address the advice items as described in the adopted implementation recommendations and continue to provide updates to the SSAC and community on these advice items.

 

Phase 5 | Phase Change | SAC074 Recommendation 2 is Open in Phase 5: Close

 

Phase 3 | Board Update | Resolved (2018.02.04.07), the Board adopts the scorecard titled "Implementation Recommendations for SSAC Advice Document SAC074" [PDF, 49 KB], and directs the President and CEO, or his designee(s), to implement the advice as described in the scorecard. Rec 2 ICANN Organization Implementation Recommendation & proposed implementation plan: Implementation will be attempted. The ICANN Org will include this in the proposed changes to the registry agreement during the next bilateral negotiation. See full resolution at https://www.icann.org/resources/board-material/resolutions-2018-02-04-en#1.f

 

Phase 3 | Phase Update | ICANN received SSAC's approval of understanding and is in the process of evaluating the advice. ICANN staff's understanding of this advice is that a provision similar to paragraph 3.20 of the 2013 Registrar Accreditation Agreement (RAA) should be incorporated into all future gTLD Registry Agreements, with similar statistics published (e.g., about the number of breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches).

 

Phase 3 | Phase Change | SAC074 Recommendation 2 is Open in Phase 3: Evaluate & Consider

 

Phase 2 | AP Feedback | SSAC confirmed the understanding.

 

Phase 2 | Board Understanding | Our understanding of this advice is that a provision similar to paragraph 3.20 of the 2013 Registrar Accreditation Agreement (RAA) should be incorporated into all future gTLD Registry Agreements, with similar statistics published (e.g., about the number of breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches). For the avoidance of doubt, we have included paragraph 3.20 of the RAA below:

3.20 Notice of Bankruptcy, Convictions and Security Breaches. Registrar will give ICANN notice within seven (7) days of (i) the commencement of any of the proceedings referenced in Section 5.5.8. (ii) the occurrence of any of the matters specified in Section 5.5.2 or Section 5.5.3 or (iii) any unauthorized access to or disclosure of registrant account information or registration data. The notice required pursuant to Subsection (iii) shall include a detailed description of the type of unauthorized access, how it occurred, the number of registrants affected, and any action taken by Registrar in response.

 

Phase 1 | Phase Update | SSAC published SAC074: SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle: https://www.icann.org/en/system/files/files/sac-074-en.pdf.