ICANN has announced a new process for registries to request
contract exemptions, which apparently has not been discussed by anyone that is
not an ICANN registry or staff. It has good intentions arising out
of the Conficker attack, and is apparently necessary if registries are not to
breach their contracts in some cases. But it could be abused, and must be
transparent eventually if not immediately. And so they are asking for
public comment now that it is implemented.
Is this something the BC wants to comment on? And if so,
does anyone care to lead with draft BC comments on this? Deadline is
November 1.
Mike Rodenbaugh
RODENBAUGH LAW
548 Market Street
San Francisco, CA 94104
From: ICANN News Alert [mailto:communications@icann.org]
Sent: Thursday, October 01, 2009 5:30 PM
To: icann@rodenbaugh.com
Subject: ICANN News Alert -- Expedited Registry Security Request Process Posted
http://www.icann.org/en/announcements/announcement-01oct09-en.htm
1 October 2009
Introduction
The Expedited Registry
Security Request (ERSR) is the result of a collaborative effort between ICANN
and gTLD registries to develop a process for quick action in cases where gTLD
registries:
A contractual waiver is an
exemption from compliance with a specific provision of the Registry Agreement
for the time period necessary to respond to the Incident.
The ERSR web-based submission
procedure is now available and can be accessed at http://www.icann.org/en/registries/ersr/.
This new process is to be employed by gTLD registries exclusively for incidents
that require immediate action by the registry in order to avoid deleterious
effects to DNS stability or security. This process is not intended to replace requests
that should be made through the Registry Services
Evaluation Process (RSEP).
For the sake of DNS
stability, this process is going into effect immediately. ICANN welcomes
comments on it in order to improve its effectiveness and to ensure sufficient
safeguards are in place. Comments should be made to ersr@icann.org and can be seen at http://forum.icann.org/lists/ersr/.
The comment period will close on 1 November 2009.
Background
In late 2008, Internet
security researchers, operating system and antivirus software vendors
discovered the Conficker worm. Further, it was understood that the worm could infect
millions of computers by using tens of thousands of domain names that would be
auto-generated by the Conficker infection during a period of several months.
The operational response to containing Conficker was for registries to
preemptively block or register the domains that had been identified as targets
of the worm.
The response to Conficker
however posed a unique contractual issue for ICANN and gTLD registries as
registries are restricted in their ability to register names to themselves
other than through an ICANN-accredited registrar. Additionally, a waiver of
ICANN fees was appropriate. Given the severity of the Conficker threat, ICANN
provided verbal approval to registries to facilitate the registrations of
targeted domains and agreed to waive all fees associated with these
transactions.
As a result
of Conficker, ICANN and the gTLD registries worked to develop a process that
would enable registries to share information and take action in urgent security
situations – actions that might not be covered by their Registry Agreements.
ICANN then developed a draft ERSR and conducted consultations on the process
with gTLD registries, the gTLD Registry Constituency and ICANN-accredited
registrars that had been involved in the early stages of the community response
to Conficker. The product of this community effort is the Expedited Registry
Security Request.