Hello All,

 

I look forward to seeing many of you next week in Seattle. I wanted to share some additional information I stumbled across while reviewing recent amendments to the .COM Registry Agreement.

 

During our CPWG deep dive session on ICANN and Contracting Parties implementing policy through bilateral negotiations, I raised the example of the cybersecurity incident reporting that first appeared in the .COM agreement and then the new baseline Registry Agreement. During the session, I asked both Avri and Becky, based upon their work on SubPro, if they could point me in the direction of this topic being substantively discussed within the community before its inclusion in the baseline registry agreement. Unfortunately, neither could recall this specific topic being discussed by the community before its appearance in the .COM Registry Agreement.

 

In December of last year, ICANN and Verisign amended the Letter of Intent which is part of the .COM Registry Agreement. Paragraph 3 of the LOI states in relevant part that:

 

ICANN and Verisign shall work together in good faith to: (i) determine the appropriate process for ICANN to publish certain information (as advised by the Security and Stability Advisory Committee in its 03 November 2015 Advisory (SAC074) and approved by the ICANN Board of Directors) contained in any Registry Operator incident disclosure made pursuant to Appendix 11, Section (d) of the .com Registry Agreement; and (ii) amend the .com and .net Registry Agreements to permit such publication consistent with similar obligations for other registry operators

 

See https://itp.cdn.icann.org/en/files/registry-agreements/multiple/verisign-loi-amendment-2-01-12-2024-en.pdf

 

 

Two things raised concerns that I wanted to share with the group and solicit your feedback on.

 

  1. Since cybersecurity incident reporting is NOW part of the proposed baseline registry agreement, why is this work NOT part of the SubPro IRT community work? Why is ICANN Staff tripling down on bilateral negotiations with a contracting party while ignoring the clear guidance outlined in the ICANN bylaws regarding this type of policy development work? I think the community deserves an explanation.
  2. During the Prep Week Call, Xavier informed the community that VRSN and ICANN would let this LOI lapse at the end of the year, resulting in a 4 million dollar shortfall per year going forward. Now, in the preamble to the LOI amendment, they talk about valuable consideration. Does anyone else find it interesting that it appears that VRSN gets preferred treatment to negotiate important cybersecurity terms outside of the ICANN multistakeholder model, and as soon as they get what they want, VRSN just lets the LOI lapse?

 

As always, I am open to other alternative viewpoints on these facts, but I am struggling to find them, to be totally honest.

 

Best regards,

 

Michael