00:19:13 Jeff Neuman: I have a quick AOB later if possible 00:19:29 Steve Crocker: I need to leave at 15 minutes before the hour. 00:19:43 Matthew Thomas: Sure thing Jeff Neuman. 00:26:15 Jeff Schmidt: I don’t view it as an either-or. 00:30:25 Jeff Schmidt: I think ;-). Thank you, Jim. 00:32:20 Rod Rasmussen: Ann Aikman-Scalese just sent a very substantive email to the list as well, so may have something to add to the conversation as well. 00:34:38 Jeff Neuman: Sorry all---I just lost Internet covereage for about 10 minutes...but I am back 00:34:51 Danny McPherson: I agree with Ann’s comments 00:40:10 Jeff Neuman: Absolutely 00:41:35 Jeff Neuman: I don't think anyone said that we were done. Just that we not do Studies 2 and 3 as designed. 00:41:50 Jeff Neuman: I feel like we need to answer some important questions that SubPro (And the Board) have been asking 00:41:51 Matt Larson: To be clear, the conclusion of Study 1 is not that no further work should be done. On the contrary: 00:41:53 Matt Larson: All of that being said, this does not mean further study should not be conducted into name collision risks and the feasibility of potentially delegating additional domains that are likely to cause name collisions. However, the proposals for Studies 2 and 3 do not seem to still be effective ways of achieving those goals. 00:42:21 Matt Larson: (quoting from the report directly above) 00:43:28 Jeff Neuman: The important questions are: (a) Are the certain strings that are so high risk they should never be delegated. (b) Is there a way to "test" out other strings to see if they pose a real collision risk during an evaluation process and (c) Is the mitigation framework sufficient to address those mitigations. 00:44:04 Jeff Neuman: At the end of the day, these are the questions that SubPro has been trying to get answered. 00:51:44 Justine Chew: Well said, @Jim. 00:53:04 Anne Aikman-Scalese: +1 Jim and Justine: The Board does have a problem - otherwise they would not have asked the questions they asked. 00:55:33 Jeff Neuman: Warren - Did Google get reports of collision for the TLDs it launched? Would love to know since Google has many TLDs that has been delegated 00:56:48 Rod Rasmussen: corp/home/mail are examples where controlled interruption wasn’t even attempted. The “problem” we’re discussing now isn’t that we think that CI was inappropriate or that it was, but rather, we don’t necessarily have enough information to provide a conclusive answer to that question either way. YMMV on whether we have enough information to make that call. This isn’t easy, hence all the effort. :-) 00:57:49 Jeff Neuman: Collect all the data you want....but creating an implication that nothing should go forward because of the fact there may be a theoretical issue that we have no evidence of is not a vehicle for innovation 00:58:40 Karen Scarfone: Note that in Section 4.2.2 of the report, we did do Google searches for anecdotal public accounts of collisions, and we reviewed 50 of them. My own searches did not find a large number of anecdotal name collisions reported publicly. 01:00:54 Justine Chew: +1 Danny 01:01:08 Ram Mohan: +1 Danny 01:01:31 Anne Aikman-Scalese: +1 Rod and +1 Danny. The scope of the work that needs to be done is defined by the need to answer the Board;s questions accurately. 01:02:35 Steve Crocker: With apology, I need to break off now. 01:03:58 Jeff Neuman: 2 or 3 calls ago I proposed trying to define the "why" of the Board's questions. Why did they ask these questions in this way. We should make sure we are all on the same page. 01:05:11 Jeff Neuman: The "inadequate" part the last time was that it was not known in advance what strings would be "ineligible" and so applicants suffered from that. We should avoid that in the next round 01:06:44 Anne Aikman-Scalese: There may be a consensus forming as to the redesign of the scope of Study 2 and seeking funding for the purpose of proceeding on Study 2 in a way that will be helpful to the Board. HOWEVER, it is not an answer to say simply that "controlled interruption works to control harm" for all the reasons cited by Warren and Danny. 01:06:54 Ram Mohan: @Jeff Neumann, some of the Board members who drafted these questions (me, Crocker, among others) are on the NCAP group and can help explain. Also relevant is what the current Board is interested in/wants. 01:07:20 Greg Shatan: I have a dumb, lazy question. Are the studies being discussed by Danny listed in the Study 1 report? 01:07:41 Jeff Neuman: @greg - yes 01:07:57 Danny McPherson: #greg: no, they weren’t considered “recent" 01:08:12 Jeff Schmidt: The liability associated with honey potting and causing data that would not have otherwise been transmitted over the Internet - is huge. 01:08:34 Warren Kumari: @JeffN - Yup, fully agree. 01:08:39 Jeff Schmidt: Honeypotting this is not the answer. Yes, it gets more data, but it is unworkable legally. 01:08:48 Jeff Schmidt: We talked about this in our papers. 01:08:53 Danny McPherson: @JAS: I agree but no one every saw any analysis of that…. 01:09:18 Jeff Schmidt: ? It’s in our paper. That exactidiscussion. We listened to SSAC and Warren. We talked to lawyers. Big issue. 01:09:47 Warren Kumari: ... apart from the honeypots, there was no requirements that registries report #/ length of queries of names... 01:09:58 Danny McPherson: Can you resend to list - Warren and I discussed what you stated and didn’t agree at the time 01:10:07 Danny McPherson: SSAC discussed it as well. 01:10:26 Warren Kumari: DELEGATING THE NAMES DOES THAT!!! 01:10:42 Jeff Schmidt: :beer: 01:11:12 Danny McPherson: See “Internet Motion Sensor” and zillions of examples since. 01:11:12 Jeff Neuman: The malicious party being the party under a strict contract with ICANN? 01:11:32 Jeff Neuman: Assuming it is not a single registrant TLD 01:12:04 Danny McPherson: @All: Raising hand about “recent work” 01:12:08 Jeff Neuman: Single registrant TLDs do not have any of the issues Warren was just talking about 01:12:25 Jeff Neuman: As the registrant is always the registry which is known and under a strict contract with ICANN 01:13:22 Jeff Neuman: Reminder: I have an AOB 01:13:31 Anne Aikman-Scalese: Just wanted to say we can redesign Study 2 and potentially reach a consensus on seeking funding on Study 2. 01:13:35 Rod Rasmussen: @Jeff Neuman - may not be the registry but rather a malicious 2LD - depends on the behaviors causing the leakage. Tricky stuff. In theory, you catch that with a honeypot - any level of a potential new TLD. 01:13:40 Danny McPherson: @JAS: interested in any data of you have actual collisions in COM that were not the result of search list processing and not the result of a domain being registered. I do not consider the same namespace a collision 01:14:10 Jeff Neuman: @ROd - But that doesn't apply in a brand TLD where all 2nd levels are owned and run by the registry 01:14:19 Patrik Fältström : as warren said, the analysis we did in ssac (as we all know) was different regarding controller interruption. it’s the delegation that makes data leak. nothing else. the follow up is to see wether it can be controlled where data go. 01:14:21 Jeff Neuman: And that is a VERY important distinction 01:14:34 Warren Kumari: @jeffN - yes it does -- if people were using e.g .coke internally, and it gets delegated to Coke (a single registrant TLD), those people will start sending the confidential information to Coke. The fact that it is a single registrant doesn't change this... 01:14:53 Rod Rasmussen: That would hopefully be the case for a .brand when any delegation is held by the organization running the TLD (malicious insiders aside of course). 01:15:01 Jeff Schmidt: @Danny - corp.com is a collision in com. Every wpad qname ending in .com is a collision in .com. The most dangerous and directly exploitable collisions - bar none - happen in corp.com and www..com 01:15:15 Jeff Neuman: @Warren - but if they have an obligation under a contract not to engage in that behavior, or else real consequences, then that would solve it 01:15:37 Rod Rasmussen: & what Warren said - assumes the .brand is the cause of the original collision problem. 01:15:39 Jeff Neuman: Warren - Google has had a number of delegations....have you received any confidential information? 01:15:57 Jeff Neuman: @Rod - No, the brand has contractual obligations it must follow 01:16:14 Ram Mohan: have to drop at the top of the hour. what's your AOB, @Jeff? 01:16:27 Jeff Neuman: It will take 20 second 01:16:29 Jeff Neuman: second 01:16:33 Jeff Neuman: seconds 01:16:43 Warren Kumari: @Jeff: If you had been using .goog internally, and it was delegated to Google, would you be comfortable sending $confidential_stuff to Google? 01:17:03 Jeff Neuman: @Warren - I wouldn't be using that 01:17:37 Rod Rasmussen: @JeffN - I hope so and it probably should be that way - just pointing out that there are some things that may come across your network that may not get handled properly should you receive anomalous traffic. All about risk analysis at the end of the day. 01:17:51 Anne Aikman-Scalese: Thank you Jeff! 01:18:03 Jeff Neuman: thanks!