RE: [gnso-thickwhoispdp-wg] risk-assessment framework

["Metalitz, Steven" <met@xxxxxxx>]

These questions might be relevant to the Whois PDP that is slated for this year 
pursuant to the board's November resolutions; but I don't understand their 
relevance to our job.

At most the question would be whether the "threat" changes if all gTLD 
registries were thick --- but that would first require agreement on what the 
"threat" is today.  This would be an extremely long path to take to our goal.

In any case, if the "threat" is "disclosure of non-public registrant 
information," then the threshold question is whether the transition to thick 
Whois has any impact whatsoever on "non-public registrant information."  To my 
knowledge the answer is no, and so all the subsequent questions become 
irrelevant.

If, as our chair has stated, "we're edging pretty close to Beijing and need to 
think through what we're going to be able to deliver by then," I think this 
type of excursion ought to be avoided.

Steve Metalitz
From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx 
[mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike O'Connor
Sent: Sunday, February 03, 2013 7:30 PM
To: Thick Whois WG
Subject: [gnso-thickwhoispdp-wg] risk-assessment framework

hi all,

i promised to send along some materials extracted from the DSSA (DNS Security 
and Stability Analysis) working group where i serve as GNSO co-chair and 
day-to-day project leader.  this is in the "break a large puzzle into smaller 
pieces" department.

i've attached a one page summary of the process that we've been working on 
(it's based on NIST SP 800-30 for you in the security world), and thought i'd 
build a list of questions that people could use as a starting point in building 
risk scenarios associated with the transition from thin to thick Whois.

Questions:

-- What is the description of the threat event?  [1st-try, open to editing, 
guess -- "disclosure of non-public registrant information"]

-- What is the source of this threat?  [options/examples -- criminals, 
governments, businesses, etc.]

-- What are the capability, intent and targeting of that threat source?

-- What vulnerabilities might these threat-sources exploit in order to achieve 
their aim?  [categories -- managerial, operational or technical vulnerabilities]

-- Where [registries, registrars?], and how severe are these vulnerabilities?

-- What is the likelihood that such a threat would be initiated?

-- What would the impact on the registrant be?

-- How likely is it that this impact will be felt?

-- How severe is the impact?

-- What's the range of impact (how many registrants would this be a problem 
for)?



if you want to read more about this DSSA stuff, here's a link to a page where 
you can download the final Phase I report;

            https://community.icann.org/display/AW/Phase+1+Final+Report

and here's a link to a page where you can download an Excel worksheet that 
we've been developing as an alpha-test of this tool

            https://community.icann.org/display/AW/Risk+Scenario+worksheet

thanks,

mikey