Hi Farzaneh
The Supplemental Recommendations that result from this process, once approved by Council and adopted by the Board, will be consensus policy, just as the original SSAD recommendations would have been. That is the expected process and the output the Team is meant to deliver.
My view is that authentication is within scope for that exercise. The SSAD recommendations include recommendations on authentication, including with respect to authentication of governmental entities. Indeed, the RDRS SC considered this very point: “While the concept of authenticating government entities remains relevant, the SC suggests modifying this recommendation. For instance, it could leverage ongoing GAC/PSWG efforts to establish trusted LEA credentials and focus accreditation on such high-need users rather than building a broad system for all government entities.” Of course, if a consensus of the Supplemental Recommendations Team concludes differently, they can say so.
Regarding the public comment input on the urgent requests timeline, this was not a task that fell to Council. This comment was conducted by Org in the context of its implementation work on the Registration Data Policy. Council is merely acknowledging that it has been informed that the issue of the timeline has been concluded.
As a reminder of how Council agreed on the path forward to close the potential gap of authentication, this was under discussion in Council for some time. The views of all SG/Cs, via their Councillors, were requested more than once on our mailing list, prior to our reaching a decision and conveying that decision to the attending ICANN Board members, Wes Hardaker and Greg diBiase, at our Council meeting on 16 April. In particular:
With no further feedback or objection to the path proposed by Sam having been received either prior to or at the April Council meeting, that path was communicated to Wes and Greg.
The letter, a draft of which I am about to share for Council’s review, is a formal confirmation of that for the record.
From: farzaneh badii via council <council@icann.org>
Sent: 22 April 2026 20:12
To: Council@icann.org
Subject: [council] Authentication and supplemental review team
Hello,
I was reading the notes and there is this action item: Action Item: Council to formally notify the Board of the decision to incorporate authentication as part of the work on Supplemental Recommendations on SSAD and to confirm the urgent request timeline and associated policy language can be published as an update to the Registration Data Policy.
In the document on ICANN org Proposed Timeline for Urgent Requests which we (NCSG) provided public comment on, under section 3.9 it says that: "“Authenticated Requestor” means a law enforcement requestor or trusted/competent authority that is authenticated through an authentication mechanism implemented pursuant to ICANN Consensus Policy."
But we are asking the supplemental team to come up with a consensus policy? How are you reconciling the two while the supplemental team is not supposed to make new policy?
Also, sorry I missed this, but did we ever discuss the public comments that were received on the urgent request timeline? In our NCSG public comment we are clear about two things: we need more clarification on the criteria of urgent request (imminent threat etc) and we do think that for authentication we need a PDP. I have attached our public comment.
Now to have a path forward, I suggest the following (have not discussed with NCSG especially number 1):
1. Ask the supplemental review team to address the urgent request timeline and criteria and a few things that need more clarification such as what it means to "respond" to law enforcement. That is not new policymaking in my opinion. We are only interpreting and clarifying the criteria and we will discuss human rights impact as well.
2. Discuss how to go about authentication in a way that the supplemental team does not come up with new policy. I know doing an EPDP is a lot of work but I just can't see any other way. Maybe we can have more suggestions by the staff on how to do the authentication piece quickly. We have mentioned in our public comment why we think a PDP on authentication is necessary. But if there are other ways to address our concerns then would love to hear them.
Best regards,
Farzaneh