ICANN Email List Archives

[gnso-thickwhoispdp-wg]



Re: [gnso-thickwhoispdp-wg] risk-assessment framework

  • To: Alan Greenberg <alan.greenberg@xxxxxxxxx>
  • Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
  • From: Rick Wesson <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 4 Feb 2013 09:08:00 -0800

I have yet to observe a single threat in both the transitions I've
participated in over some 13 years of ICANN participation as a registrar
and service on the SSAC -- in regard to the Escrow transition and
the registry transition for .ORG, both of which I actively
participated in.

If I had observed any issue that could be potentially identified as a
credible threat, in this regard, I'd be the first to raise it to your
attention.

-rick

On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg <alan.greenberg@xxxxxxxxx> wrote:
> Steve, I concur with your analysis. However, various postings have claimed
> dire results of the transition, and Mikey proposed that we do a threat
> analysis to try to understand how severe the problem is. Once someone comes
> up with a SPECIFIC threat, we can do this. If none can be construed (as we
> both hypothesize), then the job is done.
>
> Alan
>
>
> At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
>
> These questions might be relevant to the Whois PDP that is slated for this
> year pursuant to the board’s November resolutions; but I don’t understand
> their relevance to our job.
>
> At most the question would be whether the “threat” changes if all gTLD
> registries were thick --- but that would first require agreement on what the
> “threat” is today.  This would be an extremely long path to take to our
> goal.
>
> In any case, if the “threat” is “disclosure of non-public registrant
> information,” then the threshold question is whether the transition to thick
> Whois has any impact whatsoever on “non-public registrant information.”  To
> my knowledge the answer is no, and so all the subsequent questions become
> irrelevant.
>
> If, as our chair has stated, “we're edging pretty close to Beijing and need
> to think through what we're going to be able to deliver by then,” I think
> this type of excursion ought to be avoided.
>
> Steve Metalitz
> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike O'Connor
> Sent: Sunday, February 03, 2013 7:30 PM
> To: Thick Whois WG
> Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
>
> hi all,
>
> i promised to send along some materials extracted from the DSSA (DNS
> Security and Stability Analysis) working group where i serve as GNSO
> co-chair and day-to-day project leader.  this is in the "break a large
> puzzle into smaller pieces" department.
>
> i've attached a one page summary of the process that we've been working on
> (it's based on NIST SP 800-30 for you in the security world), and thought
> i'd build a list of questions that people could use as a starting point in
> building risk scenarios associated with the transition from thin to thick
> Whois.
>
> Questions:
>
> -- What is the description of the threat event?  [1st-try, open to editing,
> guess -- "disclosure of non-public registrant information"]
>
>
> -- What is the source of this threat?  [options/examples -- criminals,
> governments, businesses, etc.]
>
> -- What are the capability, intent and targeting of that threat source?
>
> -- What vulnerabilities might these threat-sources exploit in order to
> achieve their aim?  [categories -- managerial, operational or technical
> vulnerabilities]
>
> -- Where [registries, registrars?], and how severe are these
> vulnerabilities?
>
> -- What is the likelihood that such a threat would be initiated?
>
> -- What would the impact on the registrant be?
>
> -- How likely is it that this impact will be felt?
>
> -- How severe is the impact?
>
> -- What's the range of impact (how many registrants would this be a problem
> for)?
>
>
>
> if you want to read more about this DSSA stuff, here's a link to a page
> where you can download the final Phase I report;
>
>             https://community.icann.org/display/AW/Phase+1+Final+Report
>
> and here's a link to a page where you can download an Excel worksheet that
> we've been developing as an alpha-test of this tool
>
>             https://community.icann.org/display/AW/Risk+Scenario+worksheet
>
> thanks,
>
> mikey
>



