Framework for Registry Operators to Respond to Security Threats

This is a collaborative work space for the Security Framework Drafting Team.

Status

The Framework has been published on 20 October 2017 with an announcement: https://www.icann.org/news/announcement-2-2017-10-20-en

Next Steps 

The SFDT will conduct a public session at ICANN60 to present the Framework and discuss the future plans for the Framework and SFDT.

https://schedule.icann.org/event/CbGb/icann-gdd-security-framework-for-registry-operators

Background 

While developing the terms of the Registry Agreements in the new gTLD Program, the New gTLD Program Committee of the ICANN Board (NGPC) resolved to include the so called “security checks” into Specification 11 section 3b (see the New gTLD Registry Agreement).

While doing so, the NGPC recognized that these terms were general guidelines which omitted specific details because there are multiple ways for Registry Operators to implement such security checks. In order to allow for careful and fulsome consideration of these implementation details, the NGPC Proposal for Implementation of GAC Safeguards Applicable to All New gTLDs called for ICANN to solicit community participation to develop a framework for “Registry Operators to respond to identified security risks that pose an actual risk of harm (…)”.

After conducting a preliminary consultation with a group of registries and GAC representatives, ICANN has formed a Framework Drafting Team composed of volunteers from affected parties to draft a Framework for Registry Operators to Respond to Security Threats.

Registries, Registrars and GAC representatives (including form the Public Safety Working Group) have joined the drafting effort.

Objectives and Drafting Principles

The ultimate objective of the Framework for Registry Operators to Respond to Security Threats is to reduce the impact on Internet users of new gTLD domain-related security threats though timely industry self-regulation.

In line with the NGPC Proposal, the Framework should provide the necessary details for “Registry Operators to respond to identified security risks that pose an actual risk of harm, notification procedures, and appropriate consequences, including a process for suspending domain names until the matter is resolved, while respecting privacy and confidentiality”.

The Framework is intended to become a set of non-binding standards to serve as a reference for self-regulation by New gTLD Registries and Registrars as well any other interested contracted party. The community may consider the Framework as a building block for future policy work.

The objective of the Framework Drafting Team is to produce the substance of a Framework, grounded in:

• Industry experience,
• Accepted best practices (if any), and
• Consultation with the memberships of relevant communities.

The Framework is expected to be composed of principles, definitions, methods, procedures, and more generally elements that can be mutually acceptable to all parties. 

A Draft Framework will be submitted to the community for Public Comments. Input from the community will be considered by the Drafting Team to produce a finalized Framework for publication and implementation by interested parties. 

Once finalized, the initial Framework could become an evolutionary document, to be reviewed and revised as circumstances require. And other documents could be added to supplement the guidance document. The purpose is to promote collaboration among all stakeholders in a voluntary manner.

Project Timeline

• 31 July 2015 - First meeting of Security Framework Drafting Team

• 4 September 2015 - Initial Draft Framework for consultation with relevant communities

• 2 October 2015   - Revised Draft Framework for discussion during ICANN 54

• 9 March 2016 - SFDT Meeting in ICANN55

• November 2016 - Multiple meetings at ICANN57 to resolve differences

• 14 March 2017 - SFDT agreement on draft after 4 meetings (ICANN58)

• April 2017 - Review by RySG, RrSG and GAC

• June/July 2017  - Draft Framework open for Public Comment
• 12 July 2017: SFDT presented the Framework to public: https://www.icann.org/news/announcement-3-2017-07-06-en

• August/September 2017 - Public Comment summary and analysis report / Update the Framework

• 20 October 2017 - Publication of Framework on icann.org

• 29 October 2017 - Public presentation of the Security Framework at ICANN60