ICANN/GNSO GNSO Email List Archives

[ga]



RE: [ga] Registries & Security Safeguards

  • To: <ga@xxxxxxxxxxxxxx>
  • Subject: RE: [ga] Registries & Security Safeguards
  • From: "Michael D. Palage" <Michael@xxxxxxxxxx>
  • Date: Fri, 15 Sep 2006 09:49:36 -0400
  • Importance: Normal
  • In-reply-to: <20060914184149.66405.qmail@web52208.mail.yahoo.com>
  • Sender: owner-ga@xxxxxxxxxxxxxx

Danny,

If you have Jerry Archer's email please copy him on this response,
because I would like to engage him in a constructive dialog on this
topic.

First let's begin with the obvious disclosures. I consult with various
registration authorities, including one which currently has a contract
pending before the ICANN Board for approval. As always, unless otherwise
stated my comments are written in an individual capacity.

To begin, Mr. Archer makes several positive recommendations in which I
think there is strong merit. In fact the ICANN Board received several
confidential briefings regarding certain security and stability issues
during my time on the Board. For obvious security reasons, these matters
were not made publicly available. I think enhancing the security and
stability of the Internet is a common goal, in which there is almost
universal agreement among the ICANN community.

However, I struggle with the disconnect between these common goals and
Mr. Archer's comments in connection with both the .COM settlement
agreement and the .INFO, .ORG and .BIZ contract extensions. I believe
Mr. Archer's concern as articulated in NSI's press release yesterday is
along the following lines: "ICANN cannot and should not depend on the
goodwill of registry operators, but instead should rely on contractual
provisions regarding necessary security and stability safeguards."

Again I find merit in this proposition as ICANN in my opinion has yet to
completely fulfill its enforcement/compliance obligations. This is a
concern that has been raised by other constituencies within the ICANN
community, most notably the Intellectual Property Constituency in
connection with Whois accuracy and access. These concerns were
specifically articulated in a letter to the Honorable Carlos M.
Gutierrez dated September 13, 2006 in which many leading global businesses
expressed these concerns within the context of the current MoU
negotiations.

My only concerns about Mr. Archer's comments are the following. First,
as documented by the ICANN SSAC last year in connection with the domain
name hijacking instances, there are certain security and stability
issues that need to be addressed within the domain name industry as a
whole, i.e. both registry and registrar. It appears that Mr. Archer's
comments were narrowly focused on just registries. Mr. Archer's feedback
in connection with security and stability concerns at a macro level
within the domain name registration authority community would be
insightful and much appreciated.

My second concern is in connection with the recently completed Amsterdam
consultation in which the GNSO leadership focused on the importance of
the new TLD process to account for opportunities for small businesses
and those from developing countries. This topic was specifically
relevant in connection with the amount of the application fees and
possibility of a grant system to help subsidize applications from
developing countries.  My concern here is that the security audits that
Mr. Archer discussed may unreasonably burden some of the smaller
registry operators whose operational budget is a fraction of some of the
larger for profit entities. This is not to say that smaller TLDs should
be held to a lesser standard that compromises the security and stability
of the Internet, but any compliance/audit system must be aware of market
mechanisms.

The final comment that I have is in connection with the existing PDP
process. I see nothing that would prevent the GNSO from initiating a PDP
along these lines, provided that there were suitable mechanisms to
protect the confidential nature of these breaches. Also I would
recommend that these initiatives be undertaken at a macro level.

I hope these comments produce a constructive dialog on this topic.

Best regards,

Michael D. Palage







-----Original Message-----
From: owner-ga@xxxxxxxxxxxxxx [mailto:owner-ga@xxxxxxxxxxxxxx] On Behalf
Of Danny Younger
Sent: Thursday, September 14, 2006 2:42 PM
To: ga@xxxxxxxxxxxxxx
Subject: [ga] Registries & Security Safeguards


FYI:

"An expert report released today concluded that in
proposals for the .com, .biz, .info and .org
registries, the Internet Corporation for Assigned
Names and Numbers (ICANN) has failed to ensure
adequate security safeguards." 

The report, written by leading security technology
expert Jerry Archer, entitled "DNS -- A System in
Crisis" recommends that oversight, planning and
testing provisions be implemented in the proposals to
run these registries before they are finalized.

The report may be found at this URL: 
http://onlinepressroom.net/networksolutions/

This report is a follow-up to Jerry's earlier comments
that were posted here:
http://forum.icann.org/lists/org-tld-agreement/msg00887.html





