ICANN/GNSO GNSO Email List Archives

[ga]



[ga] registry contracts and security/stability issues

  • To: ga@xxxxxxxxxxxxxx
  • Subject: [ga] registry contracts and security/stability issues
  • From: Danny Younger <dannyyounger@xxxxxxxxx>
  • Date: Wed, 30 Aug 2006 07:20:16 -0700 (PDT)
  • Sender: owner-ga@xxxxxxxxxxxxxx

Every so often I come across a public comment that
really grabs my attention.  Consider the following:

[excerpt] "There is much talk on security and
stability of the Internet infrastructure and how the
proposed registry agreements for .info, .biz, .org and
others strengthen security and stability.  My over
thirty years as a computer and security consultant
leads me to believe that the Internet will not be well
protected by these proposed agreements.  

In fact, ICANN -- despite U.S. Department of Commerce's
(DOC) publicly stated belief that it is uniquely
qualified to perform the technical Domain Name System
(DNS) functions that are critical to the security and
stability of the Internet -- has failed to create an
appropriate contractual basis for the protection and
sufficient oversight of the security and stability of
the Internet.  

Unfortunately, the proposed contracts fail to provide
many elements of a good security model, including
requirements for timely:

* Disclosure and mitigation of any security breach;

* Disclosure of the level and type of any serious
  security breach attempts and remediation plans;

* Disclosure and mitigation of any suspected
  security-related failures;

* Disclosure and mitigation of known security
  vulnerabilities;

* Implementation of contingency and disaster
  recovery plans; and

* Security testing and/or auditing."

http://forum.icann.org/lists/biz-tld-agreement/msg00837.html

It would be interesting to hear the view of the
Stability and Security Committee on this topic.  For
example, the .asia contract has a clause that states: 
"9. Fail Over Practice.  The registry shall practice
fail over between data centers not less frequently
than once every two years."  

Are the registries being contractually held to a
sufficiently high standard regarding security
considerations?  





