ICANN Email List Archives

[gnso-thickwhoispdp-wg]



RE: [gnso-thickwhoispdp-wg] risk-assessment framework

  • To: "Metalitz, Steven" <met@xxxxxxx>, "'Mike O'Connor'" <mike@xxxxxxxxxx>, Thick Whois WG <gnso-thickwhoispdp-wg@xxxxxxxxx>
  • Subject: RE: [gnso-thickwhoispdp-wg] risk-assessment framework
  • From: Alan Greenberg <alan.greenberg@xxxxxxxxx>
  • Date: Mon, 4 Feb 2013 10:17:59 -0500

Steve, I concur with your analysis. However, various postings have claimed dire results of the transition, and Mikey proposed that we do a threat analysis to try to understand how severe the problem is. Once someone comes up with a SPECIFIC threat, we can do this. If none can be construed (as we both hypothesize), then the job is done.

Alan

At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
These questions might be relevant to the Whois PDP that is slated for this year pursuant to the board's November resolutions; but I don't understand their relevance to our job.

At most the question would be whether the "threat" changes if all gTLD registries were thick --- but that would first require agreement on what the "threat" is today. This would be an extremely long path to take to our goal.

In any case, if the "threat" is "disclosure of non-public registrant information," then the threshold question is whether the transition to thick Whois has any impact whatsoever on "non-public registrant information." To my knowledge the answer is no, and so all the subsequent questions become irrelevant.

If, as our chair has stated, "we're edging pretty close to Beijing and need to think through what we're going to be able to deliver by then," I think this type of excursion ought to be avoided.

Steve Metalitz

From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike O'Connor
Sent: Sunday, February 03, 2013 7:30 PM
To: Thick Whois WG
Subject: [gnso-thickwhoispdp-wg] risk-assessment framework

hi all,

i promised to send along some materials extracted from the DSSA (DNS Security and Stability Analysis) working group where i serve as GNSO co-chair and day-to-day project leader. this is in the "break a large puzzle into smaller pieces" department.

i've attached a one page summary of the process that we've been working on (it's based on NIST SP 800-30 for you in the security world), and thought i'd build a list of questions that people could use as a starting point in building risk scenarios associated with the transition from thin to thick Whois.

Questions:

-- What is the description of the threat event? [1st-try, open to editing, guess -- "disclosure of non-public registrant information"]


-- What is the source of this threat? [options/examples -- criminals, governments, businesses, etc.]

-- What are the capability, intent and targeting of that threat source?

-- What vulnerabilities might these threat-sources exploit in order to achieve their aim? [categories -- managerial, operational or technical vulnerabilities]

-- Where [registries, registrars?], and how severe are these vulnerabilities?

-- What is the likelihood that such a threat would be initiated?

-- What would the impact on the registrant be?

-- How likely is it that this impact will be felt?

-- How severe is the impact?

-- What's the range of impact (how many registrants would this be a problem for)?



if you want to read more about this DSSA stuff, here's a link to a page where you can download the final Phase I report;


https://community.icann.org/display/AW/Phase+1+Final+Report

and here's a link to a page where you can download an Excel worksheet that we've been developing as an alpha-test of this tool


https://community.icann.org/display/AW/Risk+Scenario+worksheet

thanks,

mikey


