Re: [gnso-thickwhoispdp-wg] risk-assessment framework
- To: "Mike O'Connor" <mike@xxxxxxxxxx>
- Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
- From: Rick Wesson <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 3 Feb 2013 17:04:57 -0800
Mostly out of scope again.
On Sun, Feb 3, 2013 at 4:29 PM, Mike O'Connor <mike@xxxxxxxxxx> wrote:
> Hi all,
>
> I promised to send along some materials extracted from the DSSA (DNS
> Security and Stability Analysis) working group, where I serve as GNSO
> co-chair and day-to-day project leader. This is in the "break a large
> puzzle into smaller pieces" department.
This isn't even remotely within our charter; it's another group, outside
of our remit. What did you smoke during that nap of yours?
> I've attached a one-page summary of the process that we've been working on
> (it's based on NIST SP 800-30, for you in the security world), and thought
> I'd build a list of questions that people could use as a starting point in
> building risk scenarios associated with the transition from thin to thick
> Whois.
First of all, NIST SP 800-30 does not apply to the issues regarding
thick-vs-thin Whois publication. Rather than respond individually to
each assertion listed below, please restate how you think this applies
to our charter. Whois is a publication activity which has no bearing
on registry or registrar security. NIST SP 800-30 is so completely off
topic for our charter -- could you draw me a picture of how (you as
chair) see this line of questioning as applicable to our mandate? On
second thought -- I'll draw you a box; outside of it are your
questions, within the box is our remit.
We have one question to answer, one recommendation to make: is the
move to thick or thin Whois something ICANN should recommend? Your questions
below have no bearing on answering this one question. None of your
questions below derive from NIST SP 800-30, as it is not within our
charter to make *any* risk assessment, regardless of the fact that
there is none to make...
Please, please, let's move this conversation forward and refine our
dialog to: if moving com/net to a thick Whois publishing architecture
or specify why the move would somehow be bad. Ideally we could
enumerate the pros/cons.
wtf?
-rick
> Questions:
>
> -- What is the description of the threat event? [1st-try, open to editing,
> guess -- "disclosure of non-public registrant information"]
>
>
> -- What is the source of this threat? [options/examples -- criminals,
> governments, businesses, etc.]
>
> -- What are the capability, intent and targeting of that threat source?
>
>
> -- What vulnerabilities might these threat-sources exploit in order to
> achieve their aim? [categories -- managerial, operational or technical
> vulnerabilities]
>
> -- Where [registries, registrars?], and how severe are these
> vulnerabilities?
>
>
> -- What is the likelihood that such a threat would be initiated?
>
>
> -- What would the impact on the registrant be?
>
> -- How likely is it that this impact will be felt?
>
> -- How severe is the impact?
>
> -- What's the range of impact (how many registrants would this be a problem
> for)?
>
>
>
>
> If you want to read more about this DSSA stuff, here's a link to a page
> where you can download the final Phase I report:
>
> https://community.icann.org/display/AW/Phase+1+Final+Report
>
> And here's a link to a page where you can download an Excel worksheet that
> we've been developing as an alpha-test of this tool:
>
> https://community.icann.org/display/AW/Risk+Scenario+worksheet
>
> thanks,
>
> mikey
>
> PHONE: 651-647-6109, FAX: 866-280-2356, WEB: www.haven2.com, HANDLE:
> OConnorStP (ID for Twitter, Facebook, LinkedIn, etc.)