ICANN Email List Archives

[gnso-thickwhoispdp-wg]



Re: Re: [gnso-thickwhoispdp-wg] risk-assessment framework

  • To: Tim Ruiz <tim@xxxxxxxxxxx>
  • Subject: Re: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
  • From: Carlton Samuels <carlton.samuels@xxxxxxxxx>
  • Date: Tue, 5 Feb 2013 10:37:44 -0500

+1.  To follow the line is to commit to the FUD!

It really isn't rocket science. I am focused on the result; publicly
accessible registrant data, circumscribed by type.

We know what the instrument compels; the relevant clauses in the contract
are straightforward enough.  Yes, I am perfectly willing to listen to
contrarian interpretations, all to objective.

But embracing all this risk profile business - IMHO - would serve only to
build some contraindications to the results.

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
=============================


On Tue, Feb 5, 2013 at 9:56 AM, Tim Ruiz <tim@xxxxxxxxxxx> wrote:

>
>
> We're not considering any changes to access, data collected, or related
> policy. We are only considering who the repository(ies) should be. Let's
> not allow this to become more complicated than it needs to be.
>
> Tim
>
>
> -------- Original Message --------
> Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
> From: "Balleste, Roy" <rballeste@xxxxxxx>
> Date: Tue, February 5, 2013 8:52 am
> To: "Tim Ruiz" <tim@xxxxxxxxxxx>, "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
> CC: "Metalitz, Steven" <met@xxxxxxx>, "Mike O'Connor" <mike@xxxxxxxxxx>, "Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
>
> Perhaps the question should be, what new threats we now have to
> consider.  The Internet world has changed.  Any recommendations that we
> make will affect millions of users for years to come.
> If I may, a suggestion, please read the submission from NCUC.
>
> Roy Balleste, J.S.D.
> Professor of Law
> Law Library Director
> St. Thomas University
> 16401 NW 37th Avenue
> Miami Gardens, FL 33054  USA
> 1-305-623-2341
>
>
> -----Original Message-----
> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
> Sent: Tuesday, February 05, 2013 9:44 AM
> To: Alan Greenberg
> Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
> Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
>
>
> Threats of exposure of Personal Information? Isn't the Whois system by
> definition public? And in any event, how would this threat increase if we
> went from many down to one holding the information? Not being
> argumentative, just trying to understand what the threats are. Also, it
> seems if there are threats won't we encounter those as we go forward? Does
> there really need to be a separate exercise to identify them?
>
>
> Tim
>
>
> -------- Original Message --------
> Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
> From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
> Date: Mon, February 4, 2013 11:08 am
> To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
> CC: "Metalitz, Steven" <met@xxxxxxx>, "Mike O'Connor" <mike@xxxxxxxxxx>, "Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
>
>
> I have yet to observe a single threat in both the transitions I've
> participated over some 13 years of ICANN participation as a registrar
> and service on the SSAC  -- in regards to the Escrow transition and
> the registry transition for .ORG, both of which I actively
> participated in.
>
> If I had observed any issue that could be potentially identified as a
> credible threat, in this regard, I'd be the first to raise it to your
> attention.
>
> -rick
>
> On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg <alan.greenberg@xxxxxxxxx> wrote:
> > Steve, I concur with your analysis. However, various postings have claimed
> > dire results of the transition, and Mikey proposed that we do a threat
> > analysis to try to understand how severe the problem is. Once someone comes
> > up with a SPECIFIC threat, we can do this. If none can be construed (as we
> > both hypothesize), then the job is done.
> >
> > Alan
> >
> >
> > At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
> >
> > These questions might be relevant to the Whois PDP that is slated for this
> > year pursuant to the board's November resolutions; but I don't understand
> > their relevance to our job.
> >
> > At most the question would be whether the "threat" changes if all gTLD
> > registries were thick --- but that would first require agreement on what the
> > "threat" is today.  This would be an extremely long path to take to our
> > goal.
> >
> > In any case, if the "threat" is "disclosure of non-public registrant
> > information," then the threshold question is whether the transition to thick
> > Whois has any impact whatsoever on "non-public registrant information."  To
> > my knowledge the answer is no, and so all the subsequent questions become
> > irrelevant.
> >
> > If, as our chair has stated, "we're edging pretty close to Beijing and need
> > to think through what we're going to be able to deliver by then," I think
> > this type of excursion ought to be avoided.
> >
> > Steve Metalitz
> > From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike O'Connor
> > Sent: Sunday, February 03, 2013 7:30 PM
> > To: Thick Whois WG
> > Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
> >
> > hi all,
> >
> > i promised to send along some materials extracted from the DSSA (DNS
> > Security and Stability Analysis) working group where i serve as GNSO
> > co-chair and day-to-day project leader.  this is in the "break a large
> > puzzle into smaller pieces" department.
> >
> > i've attached a one page summary of the process that we've been working on
> > (it's based on NIST SP 800-30 for you in the security world), and thought
> > i'd build a list of questions that people could use as a starting point in
> > building risk scenarios associated with the transition from thin to thick
> > Whois.
> >
> > Questions:
> >
> > -- What is the description of the threat event?  [1st-try, open to editing,
> > guess -- "disclosure of non-public registrant information"]
> >
> >
> > -- What is the source of this threat?  [options/examples -- criminals,
> > governments, businesses, etc.]
> >
> > -- What are the capability, intent and targeting of that threat source?
> >
> > -- What vulnerabilities might these threat-sources exploit in order to
> > achieve their aim?  [categories -- managerial, operational or technical
> > vulnerabilities]
> >
> > -- Where [registries, registrars?], and how severe are these
> > vulnerabilities?
> >
> > -- What is the likelihood that such a threat would be initiated?
> >
> > -- What would the impact on the registrant be?
> >
> > -- How likely is it that this impact will be felt?
> >
> > -- How severe is the impact?
> >
> > -- What's the range of impact (how many registrants would this be a problem
> > for)?
> >
> >
> >
> > if you want to read more about this DSSA stuff, here's a link to a page
> > where you can download the final Phase I report;
> >
> >             https://community.icann.org/display/AW/Phase+1+Final+Report
> >
> > and here's a link to a page where you can download an Excel worksheet that
> > we've been developing as an alpha-test of this tool
> >
> >             https://community.icann.org/display/AW/Risk+Scenario+worksheet
> >
> > thanks,
> >
> > mikey
> >

