Framework for Registry Operators to Respond to Security Threats

This is a collaborative work space for the Security Framework Drafting Team.

Status

The draft Framework draft has been endorsed by the contributing groups and the SFDT is preparing to publish it for public comment.published for public comment. SFDT will be presenting it to public on 12 July 2017. https://www.icann.org/news/announcement-3-2017-07-06-en

Background 

While developing the terms of the Registry Agreements in the new gTLD Program, the New gTLD Program Committee of the ICANN Board (NGPC) resolved to include the so called “security checks” into Specification 11 section 3b (see the New gTLD Registry Agreement).

While doing so, the NGPC recognized that these terms were general guidelines which omitted specific details because there are multiple ways for Registry Operators to implement such security checks. In order to allow for careful and fulsome consideration of these implementation details, the NGPC Proposal for Implementation of GAC Safeguards Applicable to All New gTLDs called for ICANN to solicit community participation to develop a framework for “Registry Operators to respond to identified security risks that pose an actual risk of harm (…)”.

After conducting a preliminary consultation with a group of registries and GAC representatives, ICANN has formed a Framework Drafting Team composed of volunteers from affected parties to draft a Framework for Registry Operators to Respond to Security Threats.

Registries, Registrars and GAC representatives (including form the Public Safety Working Group) have joined the drafting effort.

Objectives and Drafting Principles

The ultimate objective of the Framework for Registry Operators to Respond to Security Threats is to reduce the impact on Internet users of new gTLD domain-related security threats though timely industry self-regulation.

In line with the NGPC Proposal, the Framework should provide the necessary details for “Registry Operators to respond to identified security risks that pose an actual risk of harm, notification procedures, and appropriate consequences, including a process for suspending domain names until the matter is resolved, while respecting privacy and confidentiality”.

The Framework is intended to become a set of non-binding standards to serve as a reference for self-regulation by New gTLD Registries and Registrars as well any other interested contracted party. The community may consider the Framework as a building block for future policy work.

The objective of the Framework Drafting Team is to produce the substance of a Framework, grounded in:

• Industry experience,
• Accepted best practices (if any), and
• Consultation with the memberships of relevant communities.

The Framework is expected to be composed of principles, definitions, methods, procedures, and more generally elements that can be mutually acceptable to all parties. 

A Draft Framework will be submitted to the community for Public Comments. Input from the community will be considered by the Drafting Team to produce a finalized Framework for publication and implementation by interested parties. 

Once finalized, the initial Framework could become an evolutionary document, to be reviewed and revised as circumstances require. And other documents could be added to supplement the guidance document. The purpose is to promote collaboration among all stakeholders in a voluntary manner.

Project Timeline

• 31 July 2015 - First meeting of Security Framework Drafting Team

• 4 September 2015 - Initial Draft Framework for consultation with relevant communities

• 2 October 2015   - Revised Draft Framework for discussion during ICANN 54

• 9 March 2016 - SFDT Meeting in ICANN55

• November 2016 - Multiple meetings at ICANN57 to resolve differences

• 14 March 2017 - SFDT agreement on draft after 4 meetings (ICANN58)

• April 2017 - Review by RySG, RrSG and GAC

• June/July 2017  - Draft Framework open for Public Comment

• August 2017 - Public Comment summary report / Update the Framework
  

• 2H2017 - Release Publication of Framework revised with input received during public comment period.on icann.org (location tbd)