Proposed High-Security TLD designation
Hello all,
I hope that all my friends and associates who joined me at the Nairobi meeting arrived home well.
While I might have liked a little ICANN-related down time upon returning, I was back in a conference call Wednesday regarding the proposed High Security TLD (HSTLD) verification proposal.
For those who are not aware, the HSTLD proposal comes from ICANN staff as a way for TLDs (present or future, generic or cc) to be verified/certified as having security practices well beyond the core standard demanded of registries in their current relationships with ICANN. While the initial staff effort was to make this effort part of the new gTLD process, members of the committee are very committed to de-linking this from the DAG for many reasons.
I by no means consider myself skilled in Internet security; I am on the HSZ advisory group because I have some solid experience in designing and implementing professional certification programs. Right now the committee comprises many people from contracted parties, security-related consultancies, ICANN staff and others; the only two people serving the public interest on this committee -- from either ALAC or NCSG -- are myself and John Levine.
I am hoping that some people from within At-Large may have a look at the technical list of objectives and controls <https://st.icann.org/hstld-advisory/index.cgi?control_workspace_draft> being produced for consideration. This is a long and detailed list of the specific security issues intended to be applied to registrars, registries and registrants within a HSTLD.
As I have write-access to that wiki page, I am able to insert comments throughout the document and not just at the end as a comment. If you have some concerns, or would like to modify or enhance the list, please let me know.
Please note: this chart encompasses only the technical component of the HSTLD verification program. The non-technical components -- notably, the business and marketing models as well as the methods of testing the controls and administering the program -- are yet to be worked out and could be very controversial. But right now the technical work has made good progress and I would like to get feedback from our many people in At-Large who are concerned with the public-interest component of TLD security.
The home website of the HSZ effort is at https://st.icann.org/hstld-advisory/index.cgi?hstld_advisory_group
- Evan
You forgot me, how convenient...
All knowledge is an answer to a question
On 18/03/2010, at 19:51, Evan Leibovitch <evan@telly.org> wrote:
Hello all,
I hope that all my friends and associates who joined me at the Nairobi meeting arrived home well.
While I might have liked a little ICANN-related down time upon returning, I was back in a conference call Wednesday regarding the proposed High Security TLD (HSTLD) verification proposal.
For those who are not aware, the HSTLD proposal comes from ICANN staff as a way for TLDs (present or future, generic or cc) to be verified/certified as having security practices well beyond the core standard demanded of registries in their current relationships with ICANN. While the initial staff effort was to make this effort part of the new gTLD process, members of the committee are very committed to de-linking this from the DAG for many reasons.
I by no means consider myself skilled in Internet security; I am on the HSZ advisory group because I have some solid experience in designing and implementing professional certification programs. Right now the committee comprises many people from contracted parties, security-related consultancies, ICANN staff and others; the only two people serving the public interest on this committee -- from either ALAC or NCSG -- are myself and John Levine.
I am hoping that some people from within At-Large may have a look at the technical list of objectives and controls <https://st.icann.org/hstld-advisory/index.cgi?control_workspace_draft> being produced for consideration. This is a long and detailed list of the specific security issues intended to be applied to registrars, registries and registrants within a HSTLD.
As I have write-access to that wiki page, I am able to insert comments throughout the document and not just at the end as a comment. If you have some concerns, or would like to modify or enhance the list, please let me know.
Please note: this chart encompasses only the technical component of the HSTLD verification program. The non-technical components -- notably, the business and marketing models as well as the methods of testing the controls and administering the program -- are yet to be worked out and could be very controversial. But right now the technical work has made good progress and I would like to get feedback from our many people in At-Large who are concerned with the public-interest component of TLD security.
The home website of the HSZ effort is at https://st.icann.org/hstld-advisory/index.cgi?hstld_advisory_group
- Evan _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org
Just pulling your leg so you remember ;)
But yes, the HSTLD needs more focus to not offer yet another meaningless certification.
It is all about reputation, and today I do not trust a company because they have SSL, for instance.
All knowledge is an answer to a question
On 18/03/2010, at 21:01, Evan Leibovitch <evan@telly.org> wrote:
On 18 March 2010 03:26, Franck Martin <franck.martin@gmail.com> wrote:
You forgot me, how convenient...
Sorry, Franck, it was an accidental omission.
I'm not sure what you mean as "convenient".
- Evan
On 03/17/2010 11:51 PM, Evan Leibovitch wrote:
While I might have liked a little ICANN-related down time upon returning, I was back in a conference call Wednesday regarding the proposed High Security TLD (HSTLD) verification proposal.
The notion of armored TLDs is an idea with some merit. I was skeptical at first when folks came forward for .bank - I said "do a proof of concept prototype under a second level name". The response was that that required trust in the TLD provider. And they were right. I am not sure whether an operational DNSSEC chain from a root would obviate the need.
In any case, the larger question is this: Why is this any of ICANN's concern? Why can't a TLD operator create a product that has strength attributes and see what customers it can attract? Isn't that a better way to learn how to do it, to innovate, to adapt, than a pre-conceived design from on-high from ICANN?
--karl--
In any case, the larger question is this: Why is this any of ICANN's concern? Why can't a TLD operator create a product that has strength attributes and see what customers it can attract? Isn't that a better way to learn how to do it, to innovate, to adapt, than a pre-conceived design from on-high from ICANN?
I missed today's call, but the current process appears destined to produce yet another meaningless seal like TrustE.
There's a guy who consults for the travel industry, and says they're very interested due to all the phishing and fake travel web sites. I pointed out that I've never seen a fake web site in .TRAVEL, so why don't they use that. Uh, because they like .COM. So why bother?
Feel free to join in the fun, though.
R's, John
On 18 Mar 2010, at 14:40, John R. Levine wrote:
In any case, the larger question is this: Why is this any of ICANN's concern? Why can't a TLD operator create a product that has strength attributes and see what customers it can attract? Isn't that a better way to learn how to do it, to innovate, to adapt, than a pre-conceived design from on-high from ICANN?
I missed today's call, but the current process appears destined to produce yet another meaningless seal like TrustE.
There's a guy who consults for the travel industry, and says they're very interested due to all the phishing and fake travel web sites. I pointed out that I've never seen a fake web site in .TRAVEL, so why don't they use that. Uh, because they like .COM. So why bother?
*sigh*
So he wants everyone to have .com, but the High Security Zone thing is only applicable to new TLDs ..
I can see potential value in the concept, but I'd agree, why on earth is it ICANN's problem? If someone wants to set up .bank as a secure TLD for financial institutions then one of the USPs could be all this stuff
Feel free to join in the fun, though.
Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
There's a guy who consults for the travel industry, and says they're very interested due to all the phishing and fake travel web sites. I pointed out that I've never seen a fake web site in .TRAVEL, so why don't they use that. Uh, because they like .COM. So why bother?
*sigh*
So he wants everyone to have .com, but the High Security Zone thing is only applicable to new TLDs ..
I can see potential value in the concept, but I'd agree, why on earth is it ICANN's problem? If someone wants to set up .bank as a secure TLD for financial institutions then one of the USPs could be all this stuff
So, whose job is going to be to monitor & certify that a HSTLD complies with the security requirements, etc, ICANN?
I believe this is another waste of time and resources in the ICANNsphere which does not provide any public benefit, if the new gTLD operator wants to add this level of security to attract financial institutions to be part of it, that's OK, but as Michele says why ICANN needs to be involved?
Regards
Jorge
On Fri, Mar 19, 2010 at 9:34 AM, Jorge Amodio <jmamodio@gmail.com> wrote:
So, whose job is going to be to monitor & certify that a HSTLD complies with the security requirements, etc, ICANN?
Of course. Who else but ICANN is qualified to propagate the myth that is ICANN. I suspect some made up committee in ICANN will oversee TLD quality control.
I believe this is another waste of time and resources in the ICANNsphere which does not provide any public benefit, if the new gTLD operator wants to add this level of security to attract financial institutions to be part of it, that's OK, but as Michele says why ICANN needs to be involved?
Money. That's the nature of MLM marketing scams.
regards
joe baptista
On 18 Mar 2010, at 06:51, Evan Leibovitch wrote:
I by no means consider myself skilled in Internet security; I am on the HSZ advisory group because I have some solid experience in designing and implementing professional certification programs. Right now the committee comprises many people from contracted parties, security-related consultancies, ICANN staff and others; the only two people serving the public interest on this committee -- from either ALAC or NCSG -- are myself and John Levine.
So registrars and registries exist in a vacuum and don't care about the public??? Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
On 18 March 2010 07:23, Michele Neylon :: Blacknight <michele@blacknight.ie> wrote:
On 18 Mar 2010, at 06:51, Evan Leibovitch wrote:
I by no means consider myself skilled in Internet security; I am on the HSZ advisory group because I have some solid experience in designing and implementing professional certification programs. Right now the committee comprises many people from contracted parties, security-related consultancies, ICANN staff and others; the only two people serving the public interest on this committee -- from either ALAC or NCSG -- are myself and John Levine.
So registrars and registries exist in a vacuum and don't care about the public???
Based on many of the comments I've heard within the group that CONSTANTLY come back to arguing over first principles such as "mandatory versus optional" long after the rest of the group has decided and moved on, ducking behind legal arguments and pushing for an absolutely useless program that allows them to cherry-pick what measures they'll self-certify ... yes. At least in this context.
There have been _many_ points in the group's discussions in which I found that the public interest was an afterthought ... if indeed a thought at all ... until I interjected. The contracted parties want something cheap and easy to implement, and by my own judgement absolutely do NOT have the public interest in mind in these discussions. John's reference, "race to the bottom", has been evident on more than one occasion.
The very injection of the asinine "report card model" is evidence enough that expediency trumps utility or public interest, and it is from my POV mainly the contracted parties that have been championing this particular kind of absurdity.
- Evan
The HSTLD proposal is bull. This has nothing to do with security and everything to do with the DNSSEC make work project. This is nothing more than a marketing proposal.
If ICANN staff want a secure DNS they should be supporting DNSCurve as a solution. Not embarking on useless make work projects.
regards
joe baptista
On Thu, Mar 18, 2010 at 2:51 AM, Evan Leibovitch <evan@telly.org> wrote:
Hello all,
I hope that all my friends and associates who joined me at the Nairobi meeting arrived home well.
While I might have liked a little ICANN-related down time upon returning, I was back in a conference call Wednesday regarding the proposed High Security TLD (HSTLD) verification proposal.
For those who are not aware, the HSTLD proposal comes from ICANN staff as a way for TLDs (present or future, generic or cc) to be verified/certified as having security practices well beyond the core standard demanded of registries in their current relationships with ICANN. While the initial staff effort was to make this effort part of the new gTLD process, members of the committee are very committed to de-linking this from the DAG for many reasons.
I by no means consider myself skilled in Internet security; I am on the HSZ advisory group because I have some solid experience in designing and implementing professional certification programs. Right now the committee comprises many people from contracted parties, security-related consultancies, ICANN staff and others; the only two people serving the public interest on this committee -- from either ALAC or NCSG -- are myself and John Levine.
I am hoping that some people from within At-Large may have a look at the technical list of objectives and controls <https://st.icann.org/hstld-advisory/index.cgi?control_workspace_draft> being produced for consideration. This is a long and detailed list of the specific security issues intended to be applied to registrars, registries and registrants within a HSTLD.
As I have write-access to that wiki page, I am able to insert comments throughout the document and not just at the end as a comment. If you have some concerns, or would like to modify or enhance the list, please let me know.
Please note: this chart encompasses only the technical component of the HSTLD verification program. The non-technical components -- notably, the business and marketing models as well as the methods of testing the controls and administering the program -- are yet to be worked out and could be very controversial. But right now the technical work has made good progress and I would like to get feedback from our many people in At-Large who are concerned with the public-interest component of TLD security.
The home website of the HSZ effort is at https://st.icann.org/hstld-advisory/index.cgi?hstld_advisory_group
- Evan
participants (7)
- Evan Leibovitch
- Franck Martin
- Joe Baptista
- John R. Levine
- Jorge Amodio
- Karl Auerbach
- Michele Neylon :: Blacknight