[dssa] Requesting Public Comments

["Mike O'Connor" <mike@xxxxxxxxxx>]

Hi all,

Just a note to highlight that it would be extremely helpful if your respective 
constituencies and supporting organizations could contribute public comments 
regarding the work of the DSSA so far.  The initial public comment period is 
closed and the reply-period is going to close just after the Toronto meeting, 
so time is drawing short.  Especially given that we'd like to review those 
comments *during* the Toronto meeting.

Here are a few points to consider when you lobby your respective organizations:

-- The comments don't necessarily need to be long.  A simple "the DSSA is doing 
fine" would suffice in a pinch, although some words explaining why would be 
helpful.  Since the DSSA is one of those cross-community working groups, we 
could use some guidance as to whether we're doing that work in a way that is 
satisfactory.

-- The DSSA made some fairly interesting observations in its Phase 1 Report and 
it would be good to get a sense from your respective organizations as to 
whether we're on the right track.  I've included the picture-book Executive 
Summary in this post to remind you of the high spots.  Again, "you're doing 
fine" is an acceptable response although again a few words of support would be 
welcome.  

And of course the most important comments are those that take issue with 
something we've done -- we will listen to those and try to set ourselves on the 
right track.

Here's a link to the Public Comment Forum for our work.  Please encourage your 
membership to contribute.

        
http://www.icann.org/en/news/public-comment/dssa-phase-1-report-14aug12-en.htm

Thanks,

Mikey

1. Executive Summary

This is the first of two reports from the DNS Security and Stability Analysis 
working group.   The goal of this document is to bring forward the substantial 
work that has been completed to date and describe the work that remains. 

This has been in many respects a “pioneering” cross-constituency 
security-assessment effort that has developed knowledge and processes that 
others will hopefully find helpful and can be reused in the future.

The DSSA has:
Established a cross-constituency working group and put the organizational 
framework to manage that group in place
Clarified the system, organizational and functional scope of the effort
Developed an approach to handling confidential information, should such 
information be required for certain assessments
Selected and tailored a risk-assessment methodology to structure the work
Developed and tested mechanisms to rapidly collect and consolidate 
risk-assessment scenarios across a broad and diverse group of interested 
participants
Used an “alpha-test” of those systems to develop the high-level risk-scenarios 
in this report.  Those scenarios will serve as the starting point for the 
remainder of the effort

Work that remains:
Perform a proof of concept to refine and streamline the methodology on one 
broad risk-scenario topic with the goal of reducing cycle time and making it 
more accessible to a broader community
Roll the methodology out to progressively broader groups of participants to 
introduce the methodology to the community and further improve the process and 
tools on the way to completing the assessment

1.1. Key findings

The DSSA has a number of observations to share with the community after 
completing the first phase of its work.  Those observations are summarized 
here, presented in more detail in the body of this report and in some cases 
presented in even more detail in the Appendix.   The working group has also 
developed a series of tools that can be used by any DNS provider to conduct 
risk assessments.  Those tools, and extremely detailed documentation of the 
assessment, are available on the working group wiki.

1.1.1. Risk Scenarios

The DSSA has analyzed five broad risk scenarios.  These will be explored in 
more depth during the next phase of the effort.  Those scenarios are:
Gaps in policy, management, or leadership lead to splitting the root
“Reductive” forces (security, risk-mitigation, control through rules, etc.) 
lead to splitting the root
Widespread natural disaster brings down the root or a major TLD
Attacks exploiting technical vulnerabilities of the DNS bring down the root or 
a major TLD
Inadvertent technical mishap brings down the root or a major TLD

1.1.2. Scope

The DSSA analyzed several scope issues that needed to be resolved in order to 
complete the work. 
Scope of “the DNS” used by the working group
The functional context of the DSSA within a broader risk management framework
The organizational context of the DSSA vis a vis the SSR-RT and DNRMF efforts

1.1.3. Approach

The DSSA also embarked on developing methodologies that were required in order 
for the working group to complete its assignments.  These methods may be useful 
in other contexts, both inside and outside of ICANN.   These include:
A protocol for handling confidential information
A tailored “compound sentence” risk-assessment methodology based on the NIST 
800-30 and 800-53 standards
An approach to risk assessment that accommodates the unique security assessment 
requirements of the multi-stakeholder DNS ecosystem

1.1.4. Remaining work
The DSSA realized that a detailed assessment of the risk scenarios it has 
identified is likely to take a substantial amount of time.   The DSSA, after 
consultation with its chartering ACs and SOs, broke its work into two phases.  
This report summarizes the work to date, while the next phase will:
Take that work to a more detailed level,
Refine the approach and methods developed so far, and
Explore whether it is feasible to transition this one-time effort into an 
ongoing function to maintain an up to date assessment of DNS risk.




- - - - - - - - -
phone   651-647-6109  
fax             866-280-2356  
web     http://www.haven2.com
handle  OConnorStP (ID for public places like Twitter, Facebook, Google, etc.)