Re: [gnso-thickwhoispdp-wg] risk-assessment framework
- To: "Metalitz, Steven" <met@xxxxxxx>
- Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
- From: Carlton Samuels <carlton.samuels@xxxxxxxxx>
- Date: Tue, 5 Feb 2013 10:21:12 -0500
Spot on analysis, IMHO. +1.
-Carlton
==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================
On Mon, Feb 4, 2013 at 9:40 AM, Metalitz, Steven <met@xxxxxxx> wrote:
> These questions might be relevant to the Whois PDP that is slated for
> this year pursuant to the board’s November resolutions; but I don’t
> understand their relevance to our job.
>
> At most the question would be whether the “threat” changes if all gTLD
> registries were thick --- but that would first require agreement on what
> the “threat” is today. This would be an extremely long path to take to our
> goal.
>
> In any case, if the “threat” is “disclosure of non-public registrant
> information,” then the threshold question is whether the transition to
> thick Whois has any impact whatsoever on “non-public registrant
> information.” To my knowledge the answer is no, and so all the subsequent
> questions become irrelevant.
>
> If, as our chair has stated, “we're edging pretty close to Beijing and
> need to think through what we're going to be able to deliver by then,” I
> think this type of excursion ought to be avoided.
>
> Steve Metalitz
>
> *From:* owner-gnso-thickwhoispdp-wg@xxxxxxxxx
> [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] *On Behalf Of* Mike O'Connor
> *Sent:* Sunday, February 03, 2013 7:30 PM
> *To:* Thick Whois WG
> *Subject:* [gnso-thickwhoispdp-wg] risk-assessment framework
>
> hi all,
>
> i promised to send along some materials extracted from the DSSA (DNS
> Security and Stability Analysis) working group where i serve as GNSO
> co-chair and day-to-day project leader. this is in the "break a large
> puzzle into smaller pieces" department.
>
> i've attached a one page summary of the process that we've been working on
> (it's based on NIST SP 800-30 for you in the security world), and thought
> i'd build a list of questions that people could use as a starting point in
> building risk scenarios associated with the transition from thin to thick
> Whois.
>
> Questions:
>
> -- What is the description of the threat event? [1st-try, open to
> editing, guess -- "disclosure of non-public registrant information"]
>
> -- What is the source of this threat? [options/examples -- criminals,
> governments, businesses, etc.]
>
> -- What are the capability, intent and targeting of that threat source?
>
> -- What vulnerabilities might these threat-sources exploit in order to
> achieve their aim? [categories -- managerial, operational or technical
> vulnerabilities]
>
> -- Where [registries, registrars?], and how severe are these
> vulnerabilities?
>
> -- What is the likelihood that such a threat would be initiated?
>
> -- What would the impact on the registrant be?
>
> -- How likely is it that this impact will be felt?
>
> -- How severe is the impact?
>
> -- What's the range of impact (how many registrants would this be a
> problem for)?
>
> if you want to read more about this DSSA stuff, here's a link to a page
> where you can download the final Phase I report;
>
> https://community.icann.org/display/AW/Phase+1+Final+Report
>
> and here's a link to a page where you can download an Excel worksheet that
> we've been developing as an alpha-test of this tool
>
> https://community.icann.org/display/AW/Risk+Scenario+worksheet
>
> thanks,
>
> mikey