ICANN Email List Archives

[ersr]



Comments on "Expedited Registry Security Request Process"

  • To: ersr@xxxxxxxxx
  • Subject: Comments on "Expedited Registry Security Request Process"
  • From: Patrick Mevzek <contact@xxxxxxxxxxxx>
  • Date: Mon, 16 Nov 2009 05:39:03 +0100

Following the ICANN announcement at
http://icann.org/en/announcements/announcement-01oct09-en.htm
please find below my comments on this new process.


As I understand it with the background given, this process was
created to handle cases such as the Conficker worm. Will it be needed
in the future for many other cases? Only time would tell, but this
should show that, with any addition of a new process, there should be
a plan to assess the process's usefulness at some point in the future,
like 1 or 2 years after its start. This would ensure that this
process (and others) could be enhanced or even removed if it happens
not to be useful as is.
Otherwise I fear that with any single special event, a new process
may be started, where in fact the situation would not really ask for
it
(as I already said in other comment periods, see
http://forum.icann.org/lists/irtp-b/msg00003.html )

I think for the public (that is here basically everyone except ICANN
and the registry submitting an ERSR) it would be useful that the
webpage at http://icann.org/en/registries/ersr/ archives requests.

This could go something like this:
- as soon as the request is submitted by registry and validated by
ICANN the public webpage should at least show the time of the request
and the registry involved, without any other detail for now
- echoing George Kirikos' previous comments, the AAR (After-Action
Report) should be mandatory, even if released in two phases, first
time with some missing elements, and then only later with all data.
The AAR should among other things specify which specific provisions of
contracts have been exempted during the ERSR, from which time to
which time, and the rationale behind it, related to the incident that
was being handled by the registry. If possible, the report should
give ideas and details of what the consequences would have been for
the registry, for ICANN, for the public, if the exemptions had not
been granted at that time.
 

All this public data would then be useful to assess, as said at the
beginning, at some point in the future, if the process itself was
effective and how it was used by registries.
Without this information the process can be abused, or, even more
dangerous, there could be an assumption it is/it would be abused,
even if it is not the case.
The data would also be useful for searchers worldwide, related to DNS
security and incident handling.


And as a minor technical point, I would advise ICANN to put the
webpage currently at http://www.icann.org/cgi/registry-sec only in
some kind of protected website to be accessed only by registries, as
it is of no need for the general public, and could only lead to false
requests (voluntarily or not), and more burden on ICANN staff to
separate true requests from garbage.


A side note related to all comment periods and not specifically
this one about ERSR:
It would be useful for the webpage at
http://www.icann.org/en/public-comment/ to have its own RSS feed
which would include notifications of:
- new comment openings following some ICANN announcement
- change of comment periods, when extended
- reminders, like 1 week before closing date

Another step after that could also prove to be useful: feeds for
each mailing-list related to comments and/or a possibility to
subscribe to receive comments by emails.
And while not essential, a redesign of http://forum.icann.org/ to
have at least a graphical design close to http://www.icann.org/ would
certainly be welcome, and make it feel more integrated.
Also, even with the ConfirmSystem some spam seems to get through,
like at
http://forum.icann.org/lists/vrsn-btappa-amendment/msg00005.html
And there are always emails sent that, while not spam, are completely
unrelated to the comment period itself.
So during the analysis period after the closing, ICANN staff could do
some clean-up in the web archives and/or passers-by could be able to
tag posts that seem to be spam or unrelated, as is more and more
done elsewhere when publicly archiving email records.

Maybe there would be a need to open a comment period to discuss
how to best handle comment periods :-) ?

-- 
Patrick Mevzek
Dot and Co <http://www.dotandco.com/> <http://www.dotandco.net/>
<http://www.dotandco.net/ressources/icann_registrars/prices>
<http://icann-registrars-life.dotandco.net/>

