I agree that ICANN should have no role in this matter.  I was intrigued by the suggestion of a clearinghouse in the ECO model, but it is lean on details.  I want to hear more.

I agree that existing bodies (eg. Cybercrime treaty signatories, Interpol) have methods already to accredit their members.  they just need to get on with it.  The standard I am thinking of would be similar to

1)  ISO 17024:2012 Conformity assessment – general requirements for bodies operating certification of persons.  ISO/IEC 17024:2012 contains principles and requirements for a body certifying persons against specific requirements, and includes the development and maintenance of a certification scheme for persons; and

2)  ISO 27021:2017 Information technology – Security techniques – Competence requirements for information security management system professionals.  ISO/IEC 27021:2017 specifies the requirements of competence for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conforms to ISO/IEC 27001

Basically, the addition to these security requirements would be compliance with data protection principles, which could be assured by meeting CAN/CSA-Q830.  Accreditation to the potential standard which would be developed, drawing extensively from experts present in the stakeholder community at ICANN, could then be achieved totally independently from ICANN, in a global manner, with the possibility of independent audit of the quality standards the individual or organization claims to follow.  I would suggest that the APWG already has procedural and policy documents that would be good inputs to such a standards development process.

cheers Stephanie Perrin

On 2018-02-15 15:35, Andrew Sullivan wrote:
Hi,

On Thu, Feb 15, 2018 at 12:44:32PM -0500, Stephanie Perrin wrote:

Barcelona meeting to discuss accreditation requirements for cybersecurity an
IP actors who want to retain access to personal data in a tiered access
solution.

What do you mean by "accreditation"?

It seems to me there are two models.

One is that ICANN is a gate-keeper, and makes decisions about everyone
who wants access to these things.

Another is that ICANN relies on various sector- or industry-related
bodies to do that work, and ICANN just acts as a clearing house.  So,
for instance, ICANN could decide that INTERPOL gets to decide what a
police officer is, and ICANN simply accepts that definition.

It strikes me that quite possibly both mechanisms could be needed,
with the first providing a fallback when someone has a legitimate need
but doesn't have a relevant approved community group to rely on.

A nice thing about option (2) is that ICANN then doesn't need to be in
the business of making a lot of decisions.  If there's already some
international or treaty body that governments accept, then ICANN can
just incorporate that acceptance all on its own.  (This is similar to
how ICANN doesn't need to decide who a country is.)  Even better, the
mechanism for such accreditation is for the "accrediting organization"
to run an OAuth server.  That way, the org in question could change
its membership all it wanted without informing or even having anything
to do with ICANN.  An OAuth profile would identify that kind of
account, and the user would get the appropriate access.  This is just
how it works when you "use Google" to long into a non-Google site.
It's an already-invented technology that is ready to go for RDAP
today.  You can see it working IIRC in Scott Hollenbeck's testbed/demo
system.

We have the technology today, ready to go and waiting, to make this
easy.  Let's please not design a new accreditation system that gets
ICANN into the business of evaluating every professional claim on the
Internet.

Best regards,

A