Perhaps the question should be, what new threats
we have now have to consider. The Internet
world has changed. Any recommendations that we
make will affect millions of users for years to come.
If I may, a suggestion, please read the submission from NCUC.
Roy Balleste, J.S.D.
Professor of Law
Law Library Director
St. Thomas University
16401 NW 37th Avenue
Miami Gardens, FL 33054 USA
1-305-623-2341
-----Original Message-----
From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx
[mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Tim Ruiz
Sent: Tuesday, February 05, 2013 9:44 AM
To: Alan Greenberg
Cc: Metalitz, Steven; Mike O'Connor; Thick Whois WG
Subject: RE: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
Threats of exposure of Personal Information?
Isn't the Whois system by definition public? And
in any event, how would this threat increase if
we went from many down to one holding the
information? Not being argumentative, just
trying to understand what the threats are. Also,
it seems if there are threats won't we encounter
those as we go forward? Does there really need
to be a separate exercise to identify them?
Tim
-------- Original Message --------
Subject: Re: [gnso-thickwhoispdp-wg] risk-assessment framework
From: "Rick Wesson" <rick@xxxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, February 4, 2013 11:08 am
To: "Alan Greenberg" <alan.greenberg@xxxxxxxxx>
CC: "Metalitz, Steven" <met@xxxxxxx>,"Mike
O'Connor" <mike@xxxxxxxxxx>,"Thick Whois WG" <gnso-thickwhoispdp-wg@xxxxxxxxx>
I have yet to observe a single threat in both the transitions I've
participated over some 13 years of ICANN participation as a registrar
and service on the SSAC -- in regards to the Escrow transition and
the registry transition for .ORG, both of which I actively
participated in.
If I had observed any issue that could be potentially identified as a
credible threat, in this regard, I'd be the first to raise it to your
attention.
-rick
On Mon, Feb 4, 2013 at 7:17 AM, Alan Greenberg
<alan.greenberg@xxxxxxxxx> wrote:
> Steve, I concur with your analysis. However, various posting have claimed
> dire results of the transition, and Mikey proposed that we do a threat
> analysis to try to understand how sever the problems is. Once someone comes
> up with a SPECIFIC threat, we can do this. If none can be construed (as we
> both hypothesize), then the job is done.
>
> Alan
>
>
> At 04/02/2013 09:40 AM, Metalitz, Steven wrote:
>
> These questions might be relevant to the Whois PDP that is slated for this
> year pursuant to the board�s November
resolutions; but I don�t understand
> their relevance to our job.
>
> At most the question would be whether the �threat� changes if all gTLD
> registries were thick --- but that would
first require agreement on what the
> �threat� is today. This would be an extremely long path to take to our
> goal.
>
> In any case, if the �threat� is �disclosure of non-public registrant
> information,� then the threshold question
is whether the transition to thick
> Whois has any impact whatsoever on
�non-public registrant information.� To
> my knowledge the answer is no, and so all the subsequent questions become
> irrelevant.
>
> If, as our chair has stated, �we're edging
pretty close to Beijing and need
> to think through what we're going to be able to deliver by then,� I think
> this type of excursion ought to be avoided.
>
> Steve Metalitz
> From: owner-gnso-thickwhoispdp-wg@xxxxxxxxx [
> mailto:owner-gnso-thickwhoispdp-wg@xxxxxxxxx] On Behalf Of Mike O'Connor
> Sent: Sunday, February 03, 2013 7:30 PM
> To: Thick Whois WG
> Subject: [gnso-thickwhoispdp-wg] risk-assessment framework
>
> hi all,
>
> i promised to send along some materials extracted from the DSSA (DNS
> Security and Stability Analysis) working group where i serve as GNSO
> co-chair and day-to-day project leader. this is in the "break a large
> puzzle into smaller pieces" department.
>
> i've attached a one page summary of the process that we've been working on
> (it's based on NIST SP 800-30 for you in the security world), and thought
> i'd build a list of questions that people could use as a starting point in
> building risk scenarios associated with the transition from thin to thick
> Whois.
>
> Questions:
>
> -- What is the description of the threat event? [1st-try, open to editing,
> guess -- "disclosure of non-public registrant information"]
>
>
> -- What is the source of this threat? [options/examples -- criminals,
> governments, businesses, etc.]
>
> -- What are the capability, intent and targeting of that threat source?
>
> -- What vulnerabilities might these threat-sources exploit in order to
> achieve their aim? [categories -- managerial, operational or technical
> vulnerabilities]
>
> -- Where [registries, registrars?], and how severe are these
> vulnerabilities?
>
> -- What is the likelihood that such a threat would be initiated?
>
> -- What would the impact on the registrant be?
>
> -- How likely is it that this impact will be felt?
>
> -- How severe is the impact?
>
> -- What's the range of impact (how many registrants would this be a problem
> for)?
>
>
>
> if you want to read more about this DSSA stuff, here's a link to a page
> where you can download the final Phase I report;
>
> https://community.icann.org/display/AW/Phase+1+Final+Report
>
> and here's a link to a page where you can download an Excel worksheet that
> we've been developing as an alpha-test of this tool
>
> https://community.icann.org/display/AW/Risk+Scenario+worksheet
>
> thanks,
>
> mikey
>