The GNSO Next-Gen RDS PDP Working Group teleconference will take place on Tuesday, 02 August 2016 at 16:00 UTC for 90 minutes. 

09:00 PDT, 12:00 EDT, 17:00 London, 18:00 CEST 

For other times: http://tinyurl.com/jpl9j6g

Proposed Agenda for RDS PDP WG Call 2 August
  1) Roll call/SOI updates
  2) Brief progress updates on: problem statement, coding, triaged PR list
  3) Review of draft example use cases:
     09-Law Enforcement - Compromised websites (Greg Mounier)
     10-Dissident Group Using Internet to Communicate (Ayden Ferdeline)
     14-WHOIS queries for compliance purposes (Terri Stumme)
     13-Services required by Registry agreement (Maxim Alzoba)
     Additional use cases, time permitting: https://community.icann.org/x/JA6bAw
  4) Confirm Next Meeting - Tuesday 9 August


Apologies:  Michele Neylon, Patrick Lenihan, Steve Metalitz, Vlad Dinculescu, Daniel Nanghaka, Maryan Rizinski, Alex Deacon, Beth Allegretti, Holly Raiche

On audio only:  None

 

Notes RDS PDP WG Meeting – 2 August 2016

 

These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/C4xlAw.

 

1) Roll call/SOI updates

  • Roll call will be taken from Adobe Connect
  • Please remember to mute your microphones when not speaking and state your name when speaking for the transcript
  • Reminder to ensure that Statements of Interests are up to date

 

2) Brief progress updates on: problem statement, coding, triaged PR list

  • Problem statement: the small group met last week to discuss next steps, regroup later this week. Need some additional time to share a problem statement with full WG for review. Some different perspectives on what a problem statement should look like - aiming to bridge that gap in time for the next meeting. For the latest version, see etherpad.wikimedia.org/p/gnso-rds-pbstatement-0. Request to have draft available at least 24 hours in advance of the call, otherwise it may need to be deferred to the next meeting to allow for sufficient time for review.
  • Triaged PR list update: further work has been put on hold awaiting definitions of the codings. Definitions were submitted yesterday by Stephanie. Now that these are in place, WG members are encouraged to review these and flag any comments / questions they may have. Staff will start applying these definitions to the first three topics with the aim of providing a revised version in time for next week's meeting.

 

Action item #1: WG members to review definitions as circulated by Stephanie and share any comments/questions with the mailing list.

 

3) Review of draft example use cases (see https://community.icann.org/x/JA6bAw):

  • Not the time to deliberate but to raise questions, raise different points of view, discuss use cases honestly and openly. Goal is not to make use cases perfect, but to discuss the issues that they raise and add issues while discussing the use case.
  • Should there be differentiation between 'anti' use cases and use cases? Explicit goal of the use cases - see the description on the wiki page, to include both use cases that some are of the view should be deterred while others should be supported. Use cases that are to be deterred could facilitate discussions around security measures and/or policies on how to prevent those uses. Should focus on what the policy should prevent instead of what the system should prevent as the system may need to be fairly flexible. Policy will determine what the system will eventually do.

 

09-Law Enforcement - Compromised websites (Greg Mounier)

  • Context - Greg Mounier works for Europol's cyber division. Has met with cyber-investigators who provided concrete examples of where WHOIS is used during investigations.
  • See use case for further details.
  • Discussion: the fact of using the same email address does not show it's the same entity, even though it may still be of interest to the investigators. What is desirable is to find out whether the same information is used for other registrations - is it a cluster that is operated by the same people or individual case. Other systems could permit this style of query without necessarily revealing underlying data. Correlation is main objective of this use case, could not be used as direct evidence as information can be spoofed, but combination of factors may assist in such cases. Allows you to find things you do not yet know about. Use case concerns gTLD. Concerns IP address of web-site hosting the content. Note that WHOIS for IP addresses is a separate system from WHOIS for domain names - GNSO is responsible for policy for WHOIS for gTLD domain names. Privacy implications - email addresses may be considered PII if they pertain to one individual. Pertains to who the registrant is - commercial or not. Privacy considerations should be attributed once status of registrant is confirmed (commercial or non-commercial). Definitions may vary depending on jurisdiction. Need to consider enhancing data elements to facilitate investigations like these. In this specific case P/P services were not used, but in others they have been encountered.

 

10-Dissident Group Using Internet to Communicate (Ayden Ferdeline)

  • See use case for further details.
  • Discussion: RDS is registration data base - what is its use if there is no PII stored whatsoever? Only used for minimal data as outlined in the use case. Who will be controlling the data? How would the use case differ by replacing 'dissident group' by 'organised crime groups' - how to avoid abuse of legitimate tools by criminals? Other solutions are also available instead of not having PII in RDS such as use of P/P services which may provide anonymity and protection. Multiple solutions should be considered balanced across other factors and/or may suit different scenarios. Who is the protected party in this case? Whose data is at risk and which data elements are mainly targeted? Registrar databases are part of the database 'store' - registrar will have billing information of registrant. Only question is what data elements are going to be exposed to queries.

 

14-WHOIS queries for compliance purposes (Terri Stumme)

  • See use case for further details.
  • Discussion: Primary actor here is the monitoring solution provider or any user of WHOIS? In this case, private industry who would need access to this information. Are there any jurisdictions that require providing this kind of investigative service? No, not aware of any. Because this access is provided now does not make it an argument for it to be provided in the future. When certificate authorities receive a request to issue a digital certificate, one of the first places they turn to for information is WHOIS, which is used to correlate and relate to sources of other data providers - 'are we talking to the person we think we are talking to'. Similarities with 09-law enforcement use case. How is this case different from that use case? It relates to users & purposes - not LE that does the investigation but private industry. In the case of gated access, what information would be allowed to be obtained by private industry? Consider having a Cert Authority use case. Can the use case be satisfied by restricting access in some way to solution providers or whether other actors require access to meet this use case? What about validation and verification? Not yet decided whether a next-gen RDS is needed - that will come after deliberating on the first five questions. Third phase looks at implementation. Does IPv6 authentication change this use case?

 

13-Services required by Registry agreement (Maxim Alzoba)

  • Deferred to next week.

 

  • Continue discussing use cases next week. Are there any obvious gaps (not goal to have use case for each and every detail)? Review wiki page which includes the EWG use case list (see https://community.icann.org/x/JA6bAw) and see whether these include any that you come across in your daily life.

 

Action item #2: WG members to identify any use case gaps and identify those this week.

 

4) Confirm Next Meeting - Tuesday 9 August at 16.00 UTC
