Hi Mike, I’ve consolidated answers to your questions into a single email, responses below. From your first email:
Would there not always be a "reasonable likelihood of manipulation"?
The forms of manipulation contemplated by the NCAP Study 2 report are non-trivial to implement, in terms of time, effort and resources, so we expect it to be rare and likely detectable. The burden of proof would be on the applicant.
On 15 Jan 2025, at 14:44, Mike Rodenbaugh via SubPro-IRT <subpro-irt@icann.org> wrote:
Hi All, Section 3 of this document re Initial Assessment needs to be fleshed out, a lot, please. The prefaces are important:
[text from AGB module elided]
And that's it. This seems incredibly arbitrary on its face, and likely will result in a very significant expense and delay for any application identified as high-risk. So again I have some questions (some repeated, some new)... What specific and objective criteria will be used by the sole "expert evaluator" to decide whether any string is high-risk?
ICANN org plans to publish separate documents describing the assessment criteria and methodology for the initial assessment, temporary delegation reviews, and mitigation plan reviews. These documents will be developed in a similar manner as the String Similarity Review Guidelines. We'll update the AGB module to make reference to these documents.
How will anyone be a competent expert at this anyway, and how will they be chosen?
ICANN org plans to issue Request For Proposal(s) to select vendor(s) for the initial assessment and mitigation plan reviews. The RFPs will require that bidders demonstrate the appropriate knowledge and expertise.
How will any decision be challenged?
The revised AGB text includes details on challenges to mitigation plan review decisions that are uniform with the approaches taken in other AGB modules.
How will any Risk Mitigation Plan be monitored if it is kept secret by ICANN? What really is the risk of undetectable malicious interference, which is the only purported reason to keep these Plans secret?
Mitigation Plans won’t be kept secret - their publication will only be postponed. As mentioned above, that postponement will only be agreed if the applicant can demonstrate a reasonable likelihood that there will be manipulation or other reasonable need. The effectiveness of mitigation plans can be determined without them being published, since the technical measurements (such as those that will be available through the Name Collision Observatory) will remain available for review, both by ICANN and the wider community.
Also, 3 months to come up with an acceptable Risk Mitigation Plan may not be enough. There appears to be very few people who understand any of this, much less can competently come up with a plan acceptable to whatever panel of experts ICANN hires, based on who knows what criteria. Those few people are likely to be in very high demand. There needs to be either a longer deadline, or at least an opportunity for an extension if applicant is making reasonable efforts towards developing a Plan.
That’s acknowledged. We had contemplated allowing a 3-month extension. The next update to the AGB module will include this. Gavin. -- Gavin Brown Principal Engineer, Global Domains & Strategy Internet Corporation for Assigned Names and Numbers (ICANN) https://www.icann.org