RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework

["Tim Ruiz" <tim@xxxxxxxxxxx>]

Threats of exposure of Personal Information? Isn't the Whois system by 
definition public? And in any event, how would this threat increase if we went 
from many down to one holding the information? Not being argumentative, just 
trying to understand what the threats are. Also, it seems if there are threats 
won't we encounter those as we go forward? Does there really need to be a 
separate exercise to identify them?


Tim


-------- Original Message --------
Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, February 4, 2013 11:08 am
To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor" <mike@xxxxxxxxxx>,"Thick 
Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>


I have yet to observe a single threat in both the transitions I've
participated over some 13 years of ICANN participation as a registrar
and service on the SSAC  -- in regards to the Escrow transition and
the registry transition for .ORG, both of which I actively
participated in.

If I had observed any issue that could be potentially identified as a
credible threat, in this regard, I'd be the first to raise it to your
attention.

-rick

On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg <alan.greenberg@xxxxxxxxx> wrote:
> Steve, I concur with your analysis. However, various posting have claimed
> dire results of the transition, and Mikey proposed that we do a threat
> analysis to try to understand how sever the problems is. Once someone comes
> up with a SPECIFIC threat, we can do this. If none can be construed (as we
> both hypothesize), then the job is done.
>
> Alan
>
>
> At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
>
> These questions might be relevant to the Whois PDP that is slated for this
> year pursuant to the board�s November resolutions; but I don�t understand
> their relevance to our job.
>
> At most the question would be whether the �threat� changes if all gTLD
> registries were thick --- but that would first require agreement on what the
> �threat� is today.  This would be an extremely long path to take to our
> goal.
>
> In any case, if the �threat� is �disclosure of non-public registrant
> information,� then the threshold question is whether the transition to thick
> Whois has any impact whatsoever on �non-public registrant information.�  To
> my knowledge the answer is no, and so all the subsequent questions become
> irrelevant.
>
> If, as our chair has stated, �we're edging pretty close to Beijing and need
> to think through what we're going to be able to deliver by then,� I think
> this type of excursion ought to be avoided.
>
> Steve Metalitz
> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [
> mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike O'Connor
> Sent: Sunday, February 03, 2013 7:30 PM
> To: Thick Whois WG
> Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
>
> hi all,
>
> i promised to send along some materials extracted from the DSSA (DNS
> Security and Stability Analysis) working group where i serve as GNSO
> co-chair and day-to-day project leader.  this is in the "break a large
> puzzle into smaller pieces" department.
>
> i've attached a one page summary of the process that we've been working on
> (it's based on NIST SP 800-30 for you in the security world), and thought
> i'd build a list of questions that people could use as a starting point in
> building risk scenarios associated with the transition from thin to thick
> Whois.
>
> Questions:
>
> -- What is the description of the threat event?  [1st-try, open to editing,
> guess -- "disclosure of non-public registrant information"]
>
>
> -- What is the source of this threat?  [options/examples -- criminals,
> governments, businesses, etc.]
>
> -- What are the capability, intent and targeting of that threat source?
>
> -- What vulnerabilities might these threat-sources exploit in order to
> achieve their aim?  [categories -- managerial, operational or technical
> vulnerabilities]
>
> -- Where [registries, registrars?], and how severe are these
> vulnerabilities?
>
> -- What is the likelihood that such a threat would be initiated?
>
> -- What would the impact on the registrant be?
>
> -- How likely is it that this impact will be felt?
>
> -- How severe is the impact?
>
> -- What's the range of impact (how many registrants would this be a problem
> for)?
>
>
>
> if you want to read more about this DSSA stuff, here's a link to a page
> where you can download the final Phase I report;
>
>             https://community.icann.org/display/AW/Phase+1+Final+Report
>
> and here's a link to a page where you can download an Excel worksheet that
> we've been developing as an alpha-test of this tool
>
>             https://community.icann.org/display/AW/Risk+Scenario+worksheet
>
> thanks,
>
> mikey
>