Summary of ERSR Public Comments

[Craig Schwartz <craig.schwartz@xxxxxxxxx>]

Summary and analysis of public comments for:
Expedited Registry Security Request

17 November 2009

BACKGROUND

The public comment period was created to solicit feedback from the Internet 
community on the Expedited Registry Security Request (ERSR) process.


The Expedited Registry Security Request (ERSR) was developed to provide a 
process for gTLD registries who inform ICANN of a present or imminent security 
incident (hereinafter referred to as "Incident") to their TLD and/or the DNS to 
request a contractual waiver for actions it might take or has taken to mitigate 
or eliminate an Incident. A contractual waiver is an exemption from compliance 
with a specific provision of the Registry Agreement for the time period 
necessary to respond to the Incident. The ERSR was designed to allow 
operational security to be maintained around an Incident while keeping relevant 
parties (e.g., ICANN, other affected providers, etc.) informed as appropriate.

SUMMARY

The public comment period was open from 1 October 2009 through 16 November 
2009. Two comments were received from individuals and the remarks were 
generally supportive with some feedback on better mechanisms for accountability 
and transparency in the process. The public comments for this forum are 
archived at http://forum.icann.org/lists/ersr/.

George Kirikos' (Leap.com) comments appear to be supportive of the ERSR 
provided some measures for increased transparency are added. For example, Mr. 
Kirikos has suggested that all ERSRs be posted to ICANN's website similarly to 
how RSEP requests are handled. Further, Mr. Kirikos suggested there be a public 
archive of requests and a RSS feed. Lastly, Mr. Kirikos commented that, "The 
After-Action Report appears to simply be optional, and that is not good enough, 
nor timely enough."  Mr. Kirikos' comments may be viewed in their entirety at 
http://forum.icann.org/lists/ersr/msg00000.html.

Patrick Mevzek (Dot and Co). Mr. Mevzek's comments appear to be supportive of 
the ERSR and he has requested measures be taken to review the process after a 
year or two of implementation to assess its effectiveness and perhaps the need 
for such a process at all based upon the number of requests. Similar to Mr. 
Kirikos' comments, Mr. Mevzek requested there be a public archive for requests 
and that an After-Action Report should be mandatory. Mr. Mevzek also suggested 
the ERSR submission form be housed in a secure and registry-only accessible 
location on ICANN's website to avoid false requests. Mr. Mevzek also submitted 
a number of comments about ICANN's public comment process which are not germane 
to this comment period. Those unrelated comments have been forwarded to ICANN's 
Corporate Affairs office. Mr. Mevzek's comments may be viewed in their entirety 
at http://forum.icann.org/lists/ersr/msg00001.html.



CONCLUSION



This summary should not be considered a full and complete recitation of every 
comment, concern, or recommendation contained in the public comments.  It is an 
attempt to capture in broad terms the nature and scope of the comments.  This 
summary has been prepared in an effort to highlight key elements of these 
submissions in an abbreviated format, not to replace them.  Every effort has 
been made to avoid mischaracterizations and to present fairly the views 
provided.  Any failure to do so is unintentional.


NEXT STEPS

This summary of public comments will be used to inform and improve transparency 
and accountability around ICANN's Expedited Registry Security Request Process. 
At the time of this writing, ICANN had not received any ERSR requests.



CONTRIBUTORS are in order of first appearance and number of postings if more 
than one:

George Kirikos (Leap.com)
Patrick Mevzek (Dot and Co)


Craig Schwartz
Chief gTLD Registry Liaison
ICANN