
RECORDINGS

Mp3

AC Recording

Transcript

PARTICIPATION

Attendance & AC Chat

Apologies: Rubens Kuhl, Kal Feher, Andrew Sullivan, Bastiaan Goslings

Notes/ Action Items


These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki.

1. Roll Call/SOI Updates

2. Resolution of this week's poll results on criteria

Action: Staff to record draft criteria as shown on slide 3 of handout in working document for future reference.

3. Discuss list of purposes for processing

a. See list of DT-defined possible purposes and 30 January poll results

  • Poll results: https://community.icann.org/download/attachments/79432439/AnnotatedResults-Poll-from-30JanuaryCall.pdf
  • Q3 asked for level of support to treating purposes as possibly legitimate for processing registration data and working to further flesh out data and user needs for those purposes
  • Results for Q3 ranged, but identified four purposes as having significant support or could live with: Tech Issue Resolution, Domain Name (DN) Management, DN Certification, DN Purchase/Sale
  • Proposed approach for today's call is to continue deliberation on the two of those four purposes not yet addressed by WG agreements
  • Existing WG agreements for Tech Issue Resolution and DN Management data are provided as a reminder on slide 5 of handout
  • Note: Should DNSSEC be added to the list of data required for Tech Issue Resolution and DN Management purposes? (return to this)

b. Discuss DN Certification as a purpose for processing and associated data needs

  • Slide 6 recalls where previous WG deliberation left off on DN Certification
  • Slide 8 enumerates the data identified by the Drafting Team (DT) on DN Certification
  • In 9 January poll, there were mixed results on whether DN Certification was a legitimate purpose for collection or access

Question: Is DN Certification a legitimate purpose for PROCESSING registration data?

  • Proposed WG agreement to help move the WG along: Domain Name Certification is a legitimate purpose for processing registration data, based on the definition drafted by DT3
  • Note that slide 6 was the point at which the issue arose of accessing data for a purpose which was not deemed "legitimate" for collecting that data. In many data protection laws (and principles, e.g. OECD) this requires a determination of whether the "access" purpose is "compatible" with the "collection" purpose.
  • Slide 8 will be the basis for the WG to discuss data for DN Certification and whether the data has already been collected for another purpose
  • Certification purpose may require data elements to be collected if they were not already collected. Most needed elements should already be present given other purposes. Again, certification would not be a required purpose for all domain holders, but you need to allow for collection of elements for those who do wish to use their data for certification.

Proposed WG Agreement: Domain Name Certification is a legitimate purpose for processing registration data, based on the following definition: Information collected by a certificate authority to enable contact between the registrant, or a technical or administrative representative of the registrant, to assist in verifying that the identity of the certificate applicant is the same as the entity that controls the domain name.

Question: Is DN Certification a legitimate purpose for COLLECTING registration data?

  • Comments made by WG members on call:
    • No: you cannot discuss processing if you are not authorized to collect it
    • No: not all registrants need certificates, so it is not a common item for all registrations
    • No: data collected for other legit purposes can be "processed" as is for the Certificate authority use case.
    • Maybe: Are there other avenues for collection; ICANN isn't in the certificate issuance business but not opposed to processing for this purpose. The certificate is not part of the DNS. It is used for other purposes. So, in my mind, it is not a subset of DNS security and stability
    • Yes? The purpose of ICANN is not merely conferring domains to registrants... there is a broad purpose. TLS and certificates in a subset of circumstances rely on DNS
    • Yes.  ICANN is in the security, stability and resiliency business, and certification is very much a part of that.
    • No: As defined by the EU, what ICANN does is crucial to the evaluation of the purposes of collection and processing. ICANN is not an academic institution, a law enforcement agency, or a DN certification service
    • Yes: DNS is inherently used for other purposes. To enable communication. That's the point of it. We created it so people didn't have to use hosts files or IP addresses. DNS enables communication.
    • Yes: Some are of the view that the only reason to collect data is so that the registrar can contact the registrant. I don't believe that is true at all.
    • Neither, it’s an OPT-IN purpose for optional collection: We are rehashing discussion of several weeks ago on this issue of RDS data in the CERT issuance and maintenance process.  Unfortunately, there is a fundamental disagreement on the necessity vs. utilization of Whois data in current industry practices. Would probably be good to get actual data from CAB Forum.
    • Neither: Until a registrant seeks a certificate, there is no purpose to collect for this purpose. If the registrant wants a certificate, it could be a purpose for optional collection
  • Note: Some confusion between DNSSEC signing of a domain name's DNS data and SSL/TLS Certs and what each accomplishes
  • Proposed WG agreement on collection: DN Certification is an OPT-IN purpose for collecting data at the registrant's choice.
  • Implication of giving the registrant the choice: optional to offer but required to support - at least at the registry level
  • If the data elements were already collected for a different (legitimate) purpose and the domain registrant wanted a certificate, they could authorize the release of the information for certification purposes.
  • A certificate authority could decide to not issue a cert if the information were not provided.
  • Note that there are many registries that require registrars to collect additional data beyond the RAA requirements. In those cases, it is not up to the registrant or registrar but the registry.
  • Capturing "optional" data requires informed and revocable consent.  This is a high bar to maintain, and costly.  It also adds to data breach risk factors.
  • Why is it important that DN certification be a valid reason for collection?  Why is it not enough for it to be a valid reason for processing? One reason might be to ensure against the risk that obtaining a cert might be treated as a use incompatible with whatever was the purpose for which the data was originally collected
  • Note on slide 8, the WG agreed (by rough consensus) that Tech Issue Resolution and DN Management were legitimate purposes for collecting registration data (and thus processing)

Proposed WG Agreement (to be polled): Domain Name Certification is an OPT-IN purpose for collecting registration data (that is, registries/registrars are required to support collection, but data is collected for this purpose at the registrant's choice).

Action: Leadership team to draft poll to test level of support/opposition to two proposed WG agreements. All WG members are encouraged to participate in the poll no later than COB 17 February.

c. Discuss DN Purchase/Sale as a purpose for processing and associated data needs

  • DEFERRED

4. Confirm agreements for polling & next steps

Action: Staff to record draft criteria as shown on slide 3 of handout in working document for future reference.

Proposed WG Agreement (to be polled): Domain Name Certification is a legitimate purpose for processing registration data, based on the following definition: Information collected by a certificate authority to enable contact between the registrant, or a technical or administrative representative of the registrant, to assist in verifying that the identity of the certificate applicant is the same as the entity that controls the domain name.

Proposed WG Agreement (to be polled): Domain Name Certification is an OPT-IN purpose for collecting registration data (that is, registries/registrars are required to support collection, but data is collected for this purpose at the registrant's choice).

Action: Leadership team to draft poll to test level of support/opposition to two proposed WG agreements. All WG members are encouraged to participate in the poll no later than COB 17 February.

5. Confirm next meeting: Wednesday 21 February at 06:00 UTC

  • Note two F2F WG meetings are tentatively scheduled for ICANN61:
    • Saturday March 10, 2018 (8.30-12.00 local time)
    • Wednesday March 14, 2018 (15.15-18.30 local time)