ICANN Email List Archives

[gnso-thickwhoispdp-wg]



Re: [gnso-thickwhoispdp-wg] risk-assessment framework

  • To: Tim Ruiz <tim@xxxxxxxxxxx>
  • Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
  • From: Volker Greimann <vgreimann@xxxxxxxxxxxxxxx>
  • Date: Tue, 05 Feb 2013 16:05:19 +0100


+1 to Tim's comments.

We're not considering any changes to access, data collected, or related policy. 
We are only considering who the repository(ies) should be. Let's not allow this 
to become more complicated than it needs to be.

Tim


-------- Original Message --------
Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
From: "Balleste, Roy" <rballeste@xxxxxxx>
Date: Tue, February 5, 2013 8:52 am
To: "Tim Ruiz" <tim@xxxxxxxxxxx>,"Alan Greenberg" <alan.greenberg@xxxxxxxxx>
CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor" <mike@xxxxxxxxxx>,"Thick Whois 
WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>

Perhaps the question should be, what new threats we now have to consider.  
The Internet world has changed.  Any recommendations that we make will affect 
millions of users for years to come.
If I may, a suggestion, please read the submission from NCUC.

Roy Balleste, J.S.D.
Professor of Law
Law Library Director
St. Thomas University
16401 NW 37th Avenue
Miami Gardens, FL 33054  USA
1-305-623-2341


-----Original Message-----
From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx 
[mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
Sent: Tuesday, February 05, 2013 9:44 AM
To: Alan Greenberg
Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework


Threats of exposure of Personal Information? Isn't the Whois system by 
definition public? And in any event, how would this threat increase if we went 
from many down to one holding the information? Not being argumentative, just 
trying to understand what the threats are. Also, it seems if there are threats 
won't we encounter those as we go forward? Does there really need to be a 
separate exercise to identify them?


Tim


-------- Original Message --------
Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, February 4, 2013 11:08 am
To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike O'Connor" <mike@xxxxxxxxxx>,"Thick Whois 
WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>


I have yet to observe a single threat in both the transitions I've
participated over some 13 years of ICANN participation as a registrar
and service on the SSAC  -- in regards to the Escrow transition and
the registry transition for .ORG, both of which I actively
participated in.

If I had observed any issue that could be potentially identified as a
credible threat, in this regard, I'd be the first to raise it to your
attention.

-rick

On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg <alan.greenberg@xxxxxxxxx> wrote:
Steve, I concur with your analysis. However, various postings have claimed
dire results of the transition, and Mikey proposed that we do a threat
analysis to try to understand how severe the problem is. Once someone comes
up with a SPECIFIC threat, we can do this. If none can be construed (as we
both hypothesize), then the job is done.

Alan


At 04/02/2013 09:40 AM, Metalitz, Steven wrote:

These questions might be relevant to the Whois PDP that is slated for this
year pursuant to the board's November resolutions; but I don't understand
their relevance to our job.

At most the question would be whether the "threat" changes if all gTLD
registries were thick --- but that would first require agreement on what the
"threat" is today.  This would be an extremely long path to take to our
goal.

In any case, if the "threat" is "disclosure of non-public registrant
information," then the threshold question is whether the transition to thick
Whois has any impact whatsoever on "non-public registrant information."  To
my knowledge the answer is no, and so all the subsequent questions become
irrelevant.

If, as our chair has stated, "we're edging pretty close to Beijing and need
to think through what we're going to be able to deliver by then," I think
this type of excursion ought to be avoided.

Steve Metalitz

From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike O'Connor
Sent: Sunday, February 03, 2013 7:30 PM
To: Thick Whois WG
Subject: [gnso-thickwhoispdp-wg] risk-assessment framework

hi all,

i promised to send along some materials extracted from the DSSA (DNS
Security and Stability Analysis) working group where i serve as GNSO
co-chair and day-to-day project leader.  this is in the "break a large
puzzle into smaller pieces" department.

i've attached a one page summary of the process that we've been working on
(it's based on NIST SP 800-30 for you in the security world), and thought
i'd build a list of questions that people could use as a starting point in
building risk scenarios associated with the transition from thin to thick
Whois.

Questions:

-- What is the description of the threat event?  [1st-try, open to editing,
guess -- "disclosure of non-public registrant information"]


-- What is the source of this threat?  [options/examples -- criminals,
governments, businesses, etc.]

-- What are the capability, intent and targeting of that threat source?

-- What vulnerabilities might these threat-sources exploit in order to
achieve their aim?  [categories -- managerial, operational or technical
vulnerabilities]

-- Where [registries, registrars?], and how severe are these
vulnerabilities?

-- What is the likelihood that such a threat would be initiated?

-- What would the impact on the registrant be?

-- How likely is it that this impact will be felt?

-- How severe is the impact?

-- What's the range of impact (how many registrants would this be a problem
for)?



if you want to read more about this DSSA stuff, here's a link to a page
where you can download the final Phase I report;

             https://community.icann.org/display/AW/Phase+1+Final+Report

and here's a link to a page where you can download an Excel worksheet that
we've been developing as an alpha-test of this tool

             https://community.icann.org/display/AW/Risk+Scenario+worksheet

thanks,

mikey








--
Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@xxxxxxxxxxxxxxx

Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu

This e-mail and its attachments is intended only for the person to whom it is 
addressed. Furthermore it is not permitted to publish any content of this 
email. You must not use, disclose, copy, print or rely on this e-mail. If an 
addressing or transmission error has misdirected this e-mail, kindly notify the 
author by replying to this e-mail or contacting us by telephone.





