ICANN Email List Archives

[ersr]



Amended Summary of ERSR Public Comments

  • To: "ersr@xxxxxxxxx" <ersr@xxxxxxxxx>
  • Subject: Amended Summary of ERSR Public Comments
  • From: Craig Schwartz <craig.schwartz@xxxxxxxxx>
  • Date: Wed, 18 Nov 2009 12:23:26 -0800

This amended summary includes a comment from the Registries Stakeholder Group 
(RySG). The RySG comment was submitted on 16 November and its posting to the 
comment forum was inadvertently delayed until after the forum was closed on 17 
November and after the summary was posted. The issue with the RySG comment was 
identified late in the evening on 17 November and they were requested to 
resubmit their comment and that was done today, 18 November.


Summary of public comments for:
Expedited Registry Security Request

18 November 2009

BACKGROUND

The public comment period was created to solicit feedback from the Internet 
community on the Expedited Registry Security Request (ERSR) process.


The Expedited Registry Security Request (ERSR) was developed to provide a 
process for gTLD registries who inform ICANN of a present or imminent security 
incident (hereinafter referred to as "Incident") to their TLD and/or the DNS to 
request a contractual waiver for actions they might take or have taken to mitigate 
or eliminate an Incident. A contractual waiver is an exemption from compliance 
with a specific provision of the Registry Agreement for the time period 
necessary to respond to the Incident. The ERSR was designed to allow 
operational security to be maintained around an Incident while keeping relevant 
parties (e.g., ICANN, other affected providers, etc.) informed as appropriate.

SUMMARY AND ANALYSIS

The public comment period was open from 1 October 2009 through 16 November 
2009. The three comments received were generally supportive and included 
feedback on language improvements to clarify the process and mechanisms for 
increased accountability and transparency. The public comments for this forum 
are archived at http://forum.icann.org/lists/ersr/.

George Kirikos' (Leap.com) comments appear to be supportive of the ERSR 
provided some measures for increased transparency are added. For example, Mr. 
Kirikos has suggested that all ERSRs be posted to ICANN's website similarly to 
how RSEP requests are handled. Further, Mr. Kirikos suggested there be a public 
archive of requests and an RSS feed. Lastly, Mr. Kirikos commented that, "The 
After-Action Report appears to simply be optional, and that is not good enough, 
nor timely enough."  Mr. Kirikos' comments may be viewed in their entirety at 
http://forum.icann.org/lists/ersr/msg00000.html.

Patrick Mevzek (Dot and Co). Mr. Mevzek's comments appear to be supportive of 
the ERSR and he has requested measures be taken to review the process after a 
year or two of implementation to assess its effectiveness and perhaps the need 
for such a process at all, based upon the number of requests. Similar to Mr. 
Kirikos' comments, Mr. Mevzek requested there be a public archive for requests 
and that an After-Action Report should be mandatory. Mr. Mevzek also suggested 
the ERSR submission form be housed in a secure and registry-only accessible 
location on ICANN's website to avoid false requests. Mr. Mevzek also submitted 
a number of comments about ICANN's public comment process which are not germane 
to this comment period. Those unrelated comments have been forwarded to ICANN's 
Corporate Affairs office. Mr. Mevzek's comments may be viewed in their entirety 
at http://forum.icann.org/lists/ersr/msg00001.html.

David Maher on behalf of the Registries Stakeholder Group (RySG). The RySG's 
members, gTLD registries, are the customers for the ERSR and their comments 
included recommended changes to language to improve and clarify the process. 
The first comment was that the current definition of a security incident is too 
broad and that there are security incidents that registries do not have any 
technical ability to mitigate. Their recommendation, viewable in the comment, 
is to amend the language to include "registry" when referring to information 
and systems in the definition. The second comment pertains to the source 
document for defining the critical functions of a gTLD registry. The ERSR 
references critical functions as defined in ICANN's gTLD Registry Continuity 
Plan and the RySG has suggested the appropriate reference is how critical 
operations are defined in gTLD registry agreements. The RySG comments may be 
viewed in their entirety at http://forum.icann.org/lists/ersr/msg00003.html.



CONCLUSION



This summary should not be considered a full and complete recitation of every 
comment, concern, or recommendation contained in the public comments.  It is an 
attempt to capture in broad terms the nature and scope of the comments.  This 
summary has been prepared in an effort to highlight key elements of these 
submissions in an abbreviated format, not to replace them.  Every effort has 
been made to avoid mischaracterizations and to present fairly the views 
provided.  Any failure to do so is unintentional.


NEXT STEPS

This summary of public comments will be used to inform and improve transparency 
and accountability around ICANN's Expedited Registry Security Request Process. 
At the time of this writing, ICANN had not received any ERSR requests.



CONTRIBUTORS are in order of appearance and number of postings if more than one:

George Kirikos (Leap.com)
Patrick Mevzek (Dot and Co)
David Maher (Registries Stakeholder Group)


Craig Schwartz
Chief gTLD Registry Liaison
ICANN



