2023-01-05 IDNs EPDP - Meeting #64

Notes/ Action Items

Notes and Action Items - IDNs EPDP Call – 5 January 2023

Action Items

Action Item 1: Leadership Team to develop draft recommendation and response to Charter Question E3 based on today’s discussion.

Notes

Notes – IDN EPDP – 5 January 2023

Welcome and Chair Updates

• Today’s discussion will be a continuation of the topic from our last call, the risk assessment model as applied to String Similarity Review.
• As a reminder, the risk assessment is not an exact science. It is a subjective exercise. There is no right or wrong answer. This is a tool to see whether the added complexity and cost of the hybrid model is actually necessary.
• As a reminder, ICANN org provided some additional analysis to demonstrate that complexity.

Continuation of Risk Assessment - String Similarity Review

• Slide 5 – Risk Assessment Overview
• Purpose: Assess the inherent risk level of the two failure modes involving domains, understand whether the mitigation measures are commensurate with the risks, and assess the residual risk level after factoring in the mitigation measures
• Inherent Risk: The level of natural level of risk without doing anything to reduce the likelihood or mitigate the severity 
• Residual Risk: The amount of risk remaining after the inherent risks have been reduced by mitigation measures
• The specific risks being assessed are: 
• Risk 1: Denial of Service / No-Connection
• Risk 2: Misconnection
• Assess the Control Effectiveness, which reflects the effectiveness of mitigation measures. The mitigation measures being considered include two options: 
• Option 1: String Similarity Review Hybrid Model 
• Option 2: String Similarity Review Level 2 + String Confusion Objection Using the Hybrid Model
• Slide 6 – How to Apply to the Risk Assessment Model
• Slide 7 – Step 1: Describe Risks and Consequences
• Slide 8 – Step 2a: Assess Likelihood
• Staff example from personal experience: assigns a score of 2 for no-connection and 3 for misconnection.
• Comment: The staff example draws on personal experience as a web user. But how do we think about the universe of users we are talking about? Are we talking about all users of the Internet? For example, no-connection is quite common on the Internet globally for a variety of reasons, but it might be less common when looking at specific users or use cases.
• Response: For this exercise, we can only draw on our personal views as an EPDP Team in the context of the work we have done so far.
• Comment: It is difficult to make an assessment based on the current Internet experience in which variants are not available at the top-level. It is difficult to use this experience to make an assessment of the future state of the Internet. Each individual may also have a different experience with respect to the likelihood of the risks.
• Comment: The assessment is really focused on the relative values. If everyone agreed that likelihood is 5, that may point to a different result than if everyone felt that it was a 1.
• Question: Are we assessing the situation as it is now (with no variants at the the top level) or the potential likelihood if variants do exist at the top level in the future?
• Response: The focus is likely to be more on the future state, in the context of what we know about how the String Similarity Review will be conducted. This supports an assessment of whether we need the String Similarity Review to cover blocked variants because the potential severity and likelihood is high.
• Comment: The overall likelihoods of these two risks would increase once variants are implemented at the top level.
• ICANN org Comment: Some scripts are much more confusable than others. Our assessment of likelihood of a risk could vary based on the pair of scripts being considered. In some scripts where the risk is higher, it might make sense to take a deeper look compared to others. A single scale may not be appropriate across the board. Maybe there is a middle ground that would apply the hybrid model in some cases. In other cases, the level 2 model could be used. The review panel could, for example, design a system to determine when to use a hybrid approach.
• Comment: It would be helpful if ICANN org could break down what it views as the complexity of applying the hybrid model.
• Comment: It would be helpful if this group could think in terms of a framework for implementation rather than a set of hard rules. It’s possible to envision a situation where the approach for different scripts is different. It would be helpful to get guidance on the scripts, or criteria for determining which scripts, might introduce more or fewer risks?
• ICANN org Response: This would need a study.
• Comment: Additional research could potentially be done in the implementation phase on this topic.
• Comment: This differences in scripts may indicate that a higher-level recommendation could be appropriate that would create flexibility to design an evaluation process that fits the circumstances. In addition to differences between scripts, it may be that the needs for the evaluation change over time if risk level changes. In implementation, the evaluation panel could adjust the evaluation based on the script.
• Staff comment: This conversation may indicate that Level 2 is the minimum, but that use of the hybrid model is possible based on the assessment of the panel. The EPDP Team could provide implementation guidance about when the hybrid model may be appropriate if it chooses to do so.
• Leadership comment: This risk assessment exercise has been helpful because it has drawn out some novel ways we can think about the String Similarity Review. This group can provide implementation guidance about how the String Similarity Review can be done. In earlier discussions, we were leaning towards the hybrid model. On the principle of conservatism and taking into account that the introduction of variants is new, the EPDP Team still appears to think that conservatism is appropriate, but it also acknowledges that there may be a more nuanced implementation that takes into account variability of risks.
• Leadership question: There are other charter questions we put aside pending discussion on this topic. Will the proposed framing enable us to complete our work on the outstanding charter questions?
• Staff response: The EPDP Team can now return to the following topics and questions:
• Consequence of the String Similarity Review – treatment of a string that is rejected as a result of String Similarity Review and whether variants must also be rejected.
• Whether string contention resolution needs to be adjusted -- the EPDP team needs to consider whether the entire set of variants needs to be put in the contention set.
• String Confusion Objections – Does the EPDP Team still recommend the hybrid model?

Action Item 1: Leadership Team to develop draft recommendation and response to Charter Question E3 based on today’s discussion.

AOB

• ICANN76 update: The leadership team requested two sessions for the EPDP Team to meet at ICANN76 and is tentatively scheduled to hold both sessions on day 1 of the meeting (Saturday, 11 March).
• The target for publication of the Initial Report is April 2023. The leadership team hopes to be in the final stages of reviewing the Initial Report content by ICANN76.