Joint Meeting: SSAC and ALAC

ICANN72 | 19 October 2021

Agenda

  • Welcome and introduction (Maureen Hilyard)
  • Introduction of SSAC Speakers and Papers (Andrei Kolesnikov)
  • SAC118 - EPDP-Temp Spec Phase 2A (Tara Whalen and Steve Crocker)
  • SAC119 - GNSO Transfer Policy Review (Steve Crocker)
  • Comments on behalf of CPWG (Jonathan Zuck)
  • Q&A - moderated by Olivier Crépin-Leblond
  • Conclusion (Maureen Hilyard)

SAC118: SSAC Comments on Initial Report of the Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data Team – PHASE 2A

Steve Crocker

SAC118: Summary

  • EPDP-Temp Spec Phase 2A Topics
    • Distinguishing Natural versus Legal Persons (9 questions)
    • Feasibility of Unique Contacts (2 questions)
  • SSAC Observations
    • The System for Standardized Access/Disclosure (SSAD) is a new differentiated access system proposed to centrally handle requests for non-public registration data
    • There are three competing interests at work in the policy deliberations: privacy advocates, data requesters, and data controllers
    • SSAC believes it is very important for security investigators to get access to domain name registration data
    • A timely, reliable, effective, and efficient differentiated access system would make it possible to achieve a result that would be an improvement for all of the competing interests

SAC118: Recommendations

Recommendation 1: The Generic Names Supporting Organization (GNSO) and ICANN org should focus their attention on building and operating an effective differentiated access system.

  • Timely: It must come into operation soon.
  • Reliable: It must operate in a predictable and consistent fashion, both in the operation of the system and the decision-making by the participants of the system.
  • Useful: It must provide results that are of benefit to the requesters.
  • Efficient: It must provide responses to legitimate data requests quickly, and at a cost to all the parties that is acceptable for the purpose.
  • Easily Accessed: Gaining and maintaining credentials has to work well enough to facilitate—rather than impede—use.

SAC118: Recommendations

Recommendation 2: On Legal Versus Natural Persons

  • A data element should be defined that denotes the legal status of the registrant.
  • This data element should be displayed as part of the publicly available data.
  • Registrants should be classified as either natural or legal persons. This should be required at the time of registration, for all new domain registrations. Registrars should be required to ask at relevant times whether the registrant is natural or legal.
  • Registrants currently are able to and should continue to have the option of making their contact data publicly available. Legal person registrants should also have the ability to protect their data via privacy and proxy services.

SAC118: Recommendations

Recommendation 3: On Feasibility of Pseudonymous Email Contact

  • The two policy objectives, namely (A1) the ability to quickly and effectively contact the registrant without disclosing personal data, and (A2) a common identifier that helps investigators to correlate registrations with common contacts, should be considered separately.
  • To achieve policy objective (A1), registrars should deploy (or continue to deploy) methods to support registrant-based email contact. The SSAC further recommends uniform requirements for safeguards be developed for the registrant-based email contact.
  • To achieve policy objective (A2), additional research is needed on the methods, their efficacy, and their tradeoffs. We recommend the EPDP Phase 2A not specify a method for correlating registrations with a common contact at this time.

SAC119: Feedback to the GNSO Transfer Policy Review PDP WG

Steve Crocker

SAC119: Summary

  • SSAC believes that it is important for registrants to experience a secure, stable, and smooth transition when transferring registrations between registrars.
  • There are two specific security risks the SSAC highlighted:
    • A registrant’s domain name is at risk of experiencing a discontinuity of DNS resolution, and when DNSSEC is in use, a discontinuity of validation, during a registration transfer if the transfer of DNS services is not considered during the process.
    • A registrant’s domain name is at increased risk of being hijacked if the authInfo code is not managed according to best practice security principles.

Discussion

Thank you
