RE: [registrars] Information regarding Data Escrow
Jeff, I believe that part of what Iron Mountain is doing is looking at the data randomly and verifying that it is complete and correct. I think they have to report to ICANN that we have delivered properly formatted data, and that they look in detail at a subset of it for these purposes. So while I think your idea is a great one, I don't think it could be applied here, as Iron Mountain would need to have the keys. Rob. P.S. Hs anyone thought to ask Iron Mountain to give up their ICANN accreditation ? Seems to me that this contract is probably worth much more to them than the accreditation they are not using. They might be willing to just give it up in order to win the contract, thus removing all competitive concerns. From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Jeffrey Eckhaus Sent: Friday, August 24, 2007 11:21 AM To: registrars@gnso.icann.org Cc: Tim Cole; Mike Zupke Subject: [registrars] Information regarding Data Escrow All, I did not see this covered in the questionnaire from Iron Mountain, so maybe I missed this, but will there be a form of data encryption held by ICANN only? We have been thinking of solutions and one possible solution for the concerns of Iron Mountain looking at registrar data is using a form of public key cryptography, where the registrars are all given ICANN's public key and only ICANN holds the private key. All of the registrars will encrypt their data with that public key, and in the event that this data is necessary, the encrypted data can be delivered to ICANN and they can use the private key to decrypt it. This way, even if IRON Mountain does look at our data, it's useless to them in an encrypted form. Only ICANN can see the data If this was covered then I apologize, but if not would like this to be considered and thoughts from other Registrars Thanks Jeff -----Original Message----- From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Tim Ruiz Sent: Friday, August 17, 2007 10:36 AM To: registrars@gnso.icann.org Subject: RE: [registrars] FW: Information regarding Data Escrow Agreed. All valid issues we'll also consider before selecting ICANN's agent or another. And the separation issue should likely be covered whether the agent is currently accredited as a registrar or not, since that could obviously change. Tim -------- Original Message -------- Subject: RE: [registrars] FW: Information regarding Data Escrow From: "Nevett, Jonathon" <jnevett@networksolutions.com> Date: Fri, August 17, 2007 8:58 am To: "Tim Ruiz" <tim@godaddy.com>, <registrars@gnso.icann.org> I am reserving my comments on the escrow program and on Iron Mountain until a draft contract is available for review. I appreciate that Iron Mountain has provided answers to a questionnaire about how it would protect our customer data and how it would address the perceived conflict or interest situation, but we don't know how that will translate into a contract. Will Iron Mountain agree contractually to some sort of structural separation between its registrar business and this escrow arrangement? What contractual warranties will Iron Mountain provide that it will protect our customer data and cover us in case of a breach? Similarly, if ICANN wants to access the data for checking purposes, what contractual warranties and protections will it provide to registrars in order to give us comfort that our customer data will be protected? Perhaps ICANN should be negotiating with the top two bidders to ensure that the contract is as competitive as possible. Thanks. Jon -----Original Message----- From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Tim Ruiz Sent: Friday, August 17, 2007 8:46 AM To: registrars@gnso.icann.org Subject: RE: [registrars] FW: Information regarding Data Escrow Larry, appreciate your concerns. 1) Most likely, yes. Escrowing the beneficial user data behind private/proxied registrations is not required under the currently proposed process. But two points about that. First, speaking just for Go Daddy, while there are a large number of our domain names registered through Domains by Proxy the majority are not. Second, Domains by Proxy is willing to escrow the beneficial user data but not likely under the standard Escrow agreement. So that will be discussed with ICANN and hopefully worked out soon. And after our experience with assuming the RegisterFly names, I hope other registrars who offer private/proxied registrations will consider it as well. 2) You're assuming that Iron Mountain is currently mining data? Our records show no evidence of that at all. I would suggest that before making any judgement you look closely at who Iron Mountain is how they've built their publicly traded company on a worldwide reputation of trust and security. Corp. Domain management is a small part of their overall business. It's hard to imagine them sacrificing that reputation for what little they might gain from data that is otherwise public anyway. 3) I doubt that ICANN can select a provider that all registrars will be 100% happy with. So there is no requirement to use ICANN's selected agent. Some are going to use their own agent regardless. Is Iron Mountain more of a risk just because they are accredited any more so than another agent who isn't? You may have a different answer to that than we do. Fortunately, we'll all have a choice. Bottom line, registrars are under fire right now due to recent events. We need to get this escrow thing figured out and implemented. If we delay with the idea that we need a process that 100% of us are 100% happy with it will never get done. Tim
Rob: The following was one of the questions and answers in the disclosure statement. I agree with you that ICANN should push Iron Mountain to de-accredit its registrar. Thanks. Jon 10. If the applicant is an ICANN-accredited registrar, would it terminate, assign, or otherwise divest itself of its accreditation? Iron Mountain does not believe that its accreditation in the DNMS business area is in conflict with its ability to perform the RDE services to ICANN and the registrars. We would request that ICANN refer to the responses in this document about the controls and separation of our business operations and our response on May 31, 2005 to Mr. Kurt Pritz about our approval for accreditation. The link to this letter on your website is http://www.icann.org/correspondence/johnson-to-pritz-31may05.pdf. Iron Mountain is willing to discuss this further with ICANN to understand its concerns but does not currently plan to terminate, assign or otherwise divest itself of its accreditation. ________________________________ From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Rob Hall Sent: Friday, August 24, 2007 1:06 PM To: Jeffrey Eckhaus; registrars@gnso.icann.org Cc: Tim Cole; Mike Zupke Subject: RE: [registrars] Information regarding Data Escrow Jeff, I believe that part of what Iron Mountain is doing is looking at the data randomly and verifying that it is complete and correct. I think they have to report to ICANN that we have delivered properly formatted data, and that they look in detail at a subset of it for these purposes. So while I think your idea is a great one, I don't think it could be applied here, as Iron Mountain would need to have the keys. Rob. P.S. Hs anyone thought to ask Iron Mountain to give up their ICANN accreditation ? Seems to me that this contract is probably worth much more to them than the accreditation they are not using. They might be willing to just give it up in order to win the contract, thus removing all competitive concerns. From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Jeffrey Eckhaus Sent: Friday, August 24, 2007 11:21 AM To: registrars@gnso.icann.org Cc: Tim Cole; Mike Zupke Subject: [registrars] Information regarding Data Escrow All, I did not see this covered in the questionnaire from Iron Mountain, so maybe I missed this, but will there be a form of data encryption held by ICANN only? We have been thinking of solutions and one possible solution for the concerns of Iron Mountain looking at registrar data is using a form of public key cryptography, where the registrars are all given ICANN's public key and only ICANN holds the private key. All of the registrars will encrypt their data with that public key, and in the event that this data is necessary, the encrypted data can be delivered to ICANN and they can use the private key to decrypt it. This way, even if IRON Mountain does look at our data, it's useless to them in an encrypted form. Only ICANN can see the data If this was covered then I apologize, but if not would like this to be considered and thoughts from other Registrars Thanks Jeff -----Original Message----- From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Tim Ruiz Sent: Friday, August 17, 2007 10:36 AM To: registrars@gnso.icann.org Subject: RE: [registrars] FW: Information regarding Data Escrow Agreed. All valid issues we'll also consider before selecting ICANN's agent or another. And the separation issue should likely be covered whether the agent is currently accredited as a registrar or not, since that could obviously change. Tim -------- Original Message -------- Subject: RE: [registrars] FW: Information regarding Data Escrow From: "Nevett, Jonathon" <jnevett@networksolutions.com> Date: Fri, August 17, 2007 8:58 am To: "Tim Ruiz" <tim@godaddy.com>, <registrars@gnso.icann.org> I am reserving my comments on the escrow program and on Iron Mountain until a draft contract is available for review. I appreciate that Iron Mountain has provided answers to a questionnaire about how it would protect our customer data and how it would address the perceived conflict or interest situation, but we don't know how that will translate into a contract. Will Iron Mountain agree contractually to some sort of structural separation between its registrar business and this escrow arrangement? What contractual warranties will Iron Mountain provide that it will protect our customer data and cover us in case of a breach? Similarly, if ICANN wants to access the data for checking purposes, what contractual warranties and protections will it provide to registrars in order to give us comfort that our customer data will be protected? Perhaps ICANN should be negotiating with the top two bidders to ensure that the contract is as competitive as possible. Thanks. Jon -----Original Message----- From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Tim Ruiz Sent: Friday, August 17, 2007 8:46 AM To: registrars@gnso.icann.org Subject: RE: [registrars] FW: Information regarding Data Escrow Larry, appreciate your concerns. 1) Most likely, yes. Escrowing the beneficial user data behind private/proxied registrations is not required under the currently proposed process. But two points about that. First, speaking just for Go Daddy, while there are a large number of our domain names registered through Domains by Proxy the majority are not. Second, Domains by Proxy is willing to escrow the beneficial user data but not likely under the standard Escrow agreement. So that will be discussed with ICANN and hopefully worked out soon. And after our experience with assuming the RegisterFly names, I hope other registrars who offer private/proxied registrations will consider it as well. 2) You're assuming that Iron Mountain is currently mining data? Our records show no evidence of that at all. I would suggest that before making any judgement you look closely at who Iron Mountain is how they've built their publicly traded company on a worldwide reputation of trust and security. Corp. Domain management is a small part of their overall business. It's hard to imagine them sacrificing that reputation for what little they might gain from data that is otherwise public anyway. 3) I doubt that ICANN can select a provider that all registrars will be 100% happy with. So there is no requirement to use ICANN's selected agent. Some are going to use their own agent regardless. Is Iron Mountain more of a risk just because they are accredited any more so than another agent who isn't? You may have a different answer to that than we do. Fortunately, we'll all have a choice. Bottom line, registrars are under fire right now due to recent events. We need to get this escrow thing figured out and implemented. If we delay with the idea that we need a process that 100% of us are 100% happy with it will never get done. Tim
participants (2)
-
Nevett, Jonathon -
Rob Hall