Verisign Exploratory Consumer Impact Analysis
ICANN Folk,

With regard to the topic of name collisions in the DNS, and ICANN’s proposal to mitigate risks related to the delegation of new gTLDs, Verisign submits the attached New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis study for your consideration.

In a previous technical report provided to ICANN in March of 2013, also attached, Verisign cataloged unresolved issues in the new gTLD program's rollout, issues upon which we believed the security, stability, and safe introduction of new gTLDs is predicated. While, as stated at the time, most of the issues in that report were not new, we reiterated that many of the critical accompanying recommendations were unresolved, and remain unresolved. This was reinforced in April of 2013 in the SSAC’s SAC059, which conveyed to the ICANN Board that many critical issues related to the safe introduction of new gTLDs remain unresolved.

To augment our March report, in this study we propose a novel set of measures that represent actual risks to end users, and illustrate their incidence by measuring operational threat vectors that could be used to orchestrate failures and attacks. We present our candidate quantification in the form of a Risk Matrix, and illustrate one possible way to interpret its results. What we find is that there are quantifiable signs that disruptions might occur if the current deployment trajectory is followed while outstanding recommendations remain unimplemented. We acknowledge that our study and risk matrix are by no means comprehensive, but we do believe that with a systematic and intellectually honest approach, with sufficient consideration of community and subject matter expert input, and due consideration of "public interest", we can develop a sufficient risk matrix upon which systemic risk can be assessed.

We reiterate that these recommendations to which we refer are not originally Verisign’s recommendations, but instead are recommendations from ICANN’s very own advisory committees. We believe that absent the implementation of these recommendations sufficient information cannot exist to make informed decisions about what constitutes risks. Furthermore, until an agreed-upon risk matrix exists and sufficient information to inform that risk matrix is established, what we have currently is not “risk” at all, but instead a great deal of “uncertainty”.

Please let us know if we can provide any additional information or assistance.

Respectfully,

Danny McPherson
CSO, VeriSign, Inc.