Logo

051040043 - EPDP-Phase 2 April Team Call
James Bladel (RrSG)
36:31
Did she say “third hour"?
Marc Anderson (RySG)
36:42
she did
Julf Helsingius (NCSG)
36:56
Unfortunately yes...
Andrea Glandon
37:02
The call is scheduled for 3 hours today.
James Bladel (RrSG)
37:08
Understood.
Brian King (IPC)
37:10
We've had first breakfast, yes. But what about second breakfast?
Stephanie Perrin
37:54
Elevenses
James Bladel (RrSG)
38:03
Some coffee went up my nose when Terri said that
Alan Woods (RySG)
38:35
congrats!
James Bladel (RrSG)
38:41
Yah!
Mark Svancarek (BC)
38:51
Soon, we will ALL be part of GoDaddy Group
Brian King (IPC)
39:18
@MarkSv speaking of coffee up noses :-)
Volker Greimann (RrSG)
39:19
it would be if it were two hours long
Milton Mueller (NCSG)
39:51
Agree with Brian
Brian King (IPC)
40:17
I'm printing and framing this chat
James Bladel (RrSG)
41:01
+1 Alan
Franck Journoud (IPC)
41:05
last week i agreed with Milton. we are indeed living in interesting times
Milton Mueller (NCSG)
41:42
Brian, Bro!
Becky Burr (ICANN Board Liaison)
41:50
just to note that Chris and I have to step out for another meeting at the half hour
Brian King (IPC)
43:23
Milton, bro, right back at ya!
Terri Agnew
44:49
Reminder to select all panelist and attendees for chat option
Milton Mueller (NCSG)
47:23
..except, @terri, when we are talking nonsense ;-)
Alan Greenberg (ALAC)
50:39
This is a VERY different world than the one in which we made our decisions several months ago.
Berry Cobb
50:53
To be clear, my reference to no additional funds came from the Board letter when funds were approved in August 2020. Specifically, that is for FY20, as the source comes from the Contingency bucket. That said, if this group wishes to continue deliberations, that does not prevent the GNSO Council from requesting funds. Just to note that doing so will take additional actions from staff, council, Board to consider that request.
Berry Cobb
51:07
sorry. Agusut 2019
Mark Svancarek (BC)
51:37
The evolution mechanism needs to be resolved
Alan Greenberg (ALAC)
51:48
Berry, is ANYONE living the life they were in August?
Chris Disspain (ICANN Board Liaison)
52:31
All, FWIW, I don’t believe there will be an issue with the budget from the Board’s point of view
Berry Cobb
52:33
@Alan, I'm not disputing that. I do think there are larger risks to this effort than budget.
Volker Greimann (RrSG)
52:51
don’t take away our hope for freedom
Volker Greimann (RrSG)
53:37
ugh
Volker Greimann (RrSG)
57:24
so how long do we extend? the time between two rounds of gtlds?
Margie Milam (BC)
01:00:24
Also - some of us are actually involved in COVID related DNS mitigation efforts -- that are important to continue as a priority
James Bladel (RrSG)
01:00:47
+1 Margie. That’s been my life for the past few weeks
Margie Milam (BC)
01:01:21
& its important work that needs to continue Jame - thanks for all that extra work
James Bladel (RrSG)
01:01:59
(All credit to Ben and his team)
Volker Greimann (RrSG)
01:02:09
so the status quo is ok for now?
Milton Mueller (NCSG)
01:02:12
we all know that the pace of progress will expand to occupy the time availabe
Margie Milam (BC)
01:02:33
Thanks Ben for all your teams COVID work
Brian King (IPC)
01:03:05
@Milton yes if we're realistic. I think we need a new target, not an open-ended timeframe
Stephanie Perrin (NCSG)
01:03:07
Thanks to everyone who is working on the COVID mitigation efforts.
Hadia Elminiawi (ALAC)
01:03:49
@Volker the status quo in not great, but will we be able to implement what we agree on now under such circumstances ?
Volker Greimann (RrSG)
01:04:34
sure, our industry is not hit this hard
Volker Greimann (RrSG)
01:04:59
other question: who will chair for the extension?
Matt Serlin (RrSG)
01:05:13
Yeah that I think is a big question after June 30
Matt Serlin (RrSG)
01:05:25
which I do think working with the GNSO now is a good idea
Hadia Elminiawi (ALAC)
01:05:47
I do agree though with Milton that we need to be committed to certain deadlines otherwise we shall have nothing done
Volker Greimann (RrSG)
01:06:12
no one blames you, Janis. if anything we envy you for getting out early ;-)
Brian King (IPC)
01:06:27
+1 Volker!
Brian King (IPC)
01:06:50
And we appreciate your significant efforts, Janis.
Rafik Dammak (GNSO Council Liaison)
01:06:55
yes
Milton Mueller (NCSG)
01:11:04
we don’t need to go through them as a plenary
Milton Mueller (NCSG)
01:12:06
we could enter our comments in the table over the course of a few days, then get an edited report from staff, and give it a final stamp of approval
Brian King (IPC)
01:13:51
Sounds like a good use of our time, Milton
Milton Mueller (NCSG)
01:16:20
I am making an unsigned assertion that you should do what Caitlin suggested
Marc Anderson (RySG)
01:16:33
lol Milton
Milton Mueller (NCSG)
01:16:37
sorry, “we” not “you"
Mark Svancarek (BC)
01:17:14
i'll sign that assertion
Hadia Elminiawi (ALAC)
01:18:59
It looks good
Brian King (IPC)
01:24:12
FYI, examples of signed assertions are in g) under Recommendation 1
Hadia Elminiawi (ALAC)
01:26:26
The assertions help the decision maker regardless of the method
Laureen Kapin (GAC)
01:30:40
The GAC will try to get its comments in (if any), hopefully by the end of the week.
Matt Serlin (RrSG)
01:30:55
Am exiting now and handing my RrSG slot over to Sarah Wyld…thanks Sarah!
Sarah Wyld (RrSG)
01:31:15
thank you!
Sarah Wyld (RrSG)
01:33:04
A good point!
Stephanie Perrin (NCSG)
01:34:23
Absolutely agree with Alan. Trust is very context specific.
Berry Cobb
01:34:45
Link to DD: https://docs.google.com/document/d/1NSxjQokvWM1lqhSUk-5gTsy7SlWP04S5mdDPLb_9AVo/edit#
Stephanie Perrin (NCSG)
01:35:35
One of the reasons I remain committed to the concept of an independent MS entity administering this SSAD is that trust needs to be dynamically assessed by the group.
Margie Milam (BC)
01:39:37
+1 Alan G
Brian King (IPC)
01:39:51
Seems this could go in automation section, authorization, Mechanism for Evolution, etc.
Sarah Wyld (RrSG)
01:40:31
whether the requestor understands the system has nothing to do with if they should be trusted to make valid requests which can be handled in an automate dway
Alan Woods (RySG)
01:40:58
+1 Sarah
Sarah Wyld (RrSG)
01:41:00
If any requestor is "trusted" so their responses are handled automatically, that should be opt-in like any other automated disclosures should also be opt-in
Stephanie Perrin (NCSG)
01:41:26
The fact that contracted parties inescapably gets to know their requestors is no reason to reify that in policy by accepting a concept of “trusted notifier”
Alan Woods (RySG)
01:42:00
thank you . It has no place in the policy - but in the individual procedure of the disclosing party.
Sarah Wyld (RrSG)
01:42:02
the fact that we know our repeat requestors is what led us to this view that we should not be required to automate for any of them
Margie Milam (BC)
01:42:32
@Alan - we are talking about having be included in the policy
Alan Woods (RySG)
01:43:03
agreed. I have an inkling that there are a number of requestors who I believe would consider themselves 'trusted', that would in fact require enhanced scrutiny in my current process and are indeed not considered to be very trusted at all.
Stephanie Perrin (NCSG)
01:43:27
It is inherently discriminatory, and should not be in policy.
Sarah Wyld (RrSG)
01:43:35
+1 Alan W
James Bladel (RrSG)
01:43:45
In my view: this is a novel feature, we can already tell are significant areas of divergence, and our group doesn’t have the luxury of schedule to spend on this.
Alan Woods (RySG)
01:43:53
the agreed was at Sarah. An no Margie, subjective measurements have no place in policy.
Stephanie Perrin (NCSG)
01:44:04
Obviously, we have requirements in the accreditation section that accreditation authorities remove members who violate standards.
Brian King (IPC)
01:45:02
We have a good section allowing (but not requiring) registrars to automate certain types of requests. How about we add "requestors" to that section?
Stephanie Perrin (NCSG)
01:45:21
no
Brian King (IPC)
01:45:22
Sorry, "contracted parties," not just registrars
Sarah Wyld (RrSG)
01:45:27
The text itself is confusing, because it doesn't explain what happens after the requestor goes through the additional scrutiny
Sarah Wyld (RrSG)
01:45:39
so my concerns re automation were indeed inferring that as the eventual result of this unclear proposal
Stephanie Perrin (NCSG)
01:46:51
Sarah, exactly. We have conflated several concepts, it takes a while to put all the concepts back into their discrete boxes.
Milton Mueller (NCSG)
01:46:56
it’s pretty clear that this discussion is unnecessary and needs to be stopped
Milton Mueller (NCSG)
01:47:03
let’s move on
Hadia Elminiawi (ALAC)
01:50:21
It is an assertion granted to the requestor based on the use of the system
Stephanie Perrin (NCSG)
01:50:55
This could be sorted out in co-controller agreements, noting that discretion remains with the contracted parties at all times, and not with ICANN as owner of the policy and co-controller.
Alan Woods (RySG)
01:51:44
re 'requestors' as a category of automation - I add No to that too.
Chris Lewis-Evans(GAC)
01:54:45
+1 Marc
Brian King (IPC)
01:55:06
No doubt this is complex.
Marc Anderson (RySG)
01:56:03
4th bullet also doesn't take into account the possibility of going back to the requestor for more information
Milton Mueller (NCSG)
01:56:44
there can be loops if requests are incomplete but the basic structure is correct
Mark Svancarek (BC)
01:58:39
A little bit too simplified :-)
Mark Svancarek (BC)
01:59:18
But good clarification from Caitlin that relationship between IDP and AccredAuth is flexible
Stephanie Perrin (NCSG)
02:02:14
That would depend on each organization, in my opinion.
Stephanie Perrin (NCSG)
02:02:30
Depends on the size of the organization.
Mark Svancarek (BC)
02:02:33
+1 Stephanie.
Sarah Wyld (RrSG)
02:02:39
I think the initial report talked about individuals OR entities getting accredited
Mark Svancarek (BC)
02:02:54
+1 Sarah
Sarah Wyld (RrSG)
02:02:59
so it seems problematic if several employees from the same company are using the same login
Alan Woods (RySG)
02:03:02
+1 Sarah - this does seem like a weird mix
Sarah Wyld (RrSG)
02:03:12
we should instead have each person get their own login and the system knows they all belong to a specific org
Stephanie Perrin (NCSG)
02:03:28
The accredited entity is accountable for how it uses and delegates its credentials, it is up to the Accreditation Authority to audit that use and delegation.
Sarah Wyld (RrSG)
02:03:32
that way their actions can be tracked and controlled and also related back to who they work for
Mark Svancarek (BC)
02:04:09
Th e highlighted bullet is specific to individuals
Sarah Wyld (RrSG)
02:04:31
the highlighted bullet talks about both individual and organization users, though?
Sarah Wyld (RrSG)
02:04:43
indivduals acting on behalf of an org, I mean.
Marc Anderson (RySG)
02:04:44
@Mark Sv - I don't think it is - at least I don't read it that way
Mark Svancarek (BC)
02:04:56
oops, I am wrong, sorry
Sarah Wyld (RrSG)
02:06:13
right, so each individual person needs a unique credential, and if they work on behalf of an org that should be part of their cred
Stephanie Perrin (NCSG)
02:06:30
Accreditation credentials also have to accommodate contracted parties. The accountability rests with the accredited entities…the accreditation authority is going to have to develop more complex systems including delegation and revocation of secondary credentials.
James Bladel (RrSG)
02:06:33
From a liability perspective, I think SSAD operator would prefer to bind organizations (like Microsoft or Facebook) to the terms of use of the data, rather than individuals.
Alan Woods (RySG)
02:06:59
well, misuse of the Org accreditation, is a misuse of an Org accreditation. That is a matter for ensuring that they are managing their credential, including delegations, properly.
Mark Svancarek (BC)
02:07:09
Seems like an accred implementation detail. But i really can't think of a case where additional granularity hurts anyone
Stephanie Perrin (NCSG)
02:07:51
This would have to be included in breach disclosure arrangements, to ensure that each accredited entity takes accountability for its authorization of its requestors, and has apportioned its liability.
Brian King (IPC)
02:08:33
Sounds good. I really like how Sarah explained it above.
Alan Greenberg (ALAC)
02:08:40
@Mark, it may be an implementation detail for the SSAD, but as a necessary commitment for a group accred, it is policy.
Alan Woods (RySG)
02:08:57
+1 Stephanie
Alan Woods (RySG)
02:09:35
we disagree.
Stephanie Perrin (NCSG)
02:09:46
Why is five here? What does accreditation have to do with routing of requests?
Alan Greenberg (ALAC)
02:10:41
Def. not accreditation.
Mark Svancarek (BC)
02:11:15
move to another section
Alan Woods (RySG)
02:11:36
ha …. tell that to our requesters! :D
Margie Milam (BC)
02:13:18
Or is not responding
Mark Svancarek (BC)
02:13:37
Rr out of business does seem like a scenario where the CGM can perform correct routing
James Bladel (RrSG)
02:13:53
And that’s the purpose of the Data Escrow system?
Margie Milam (BC)
02:14:35
-the registrar can still be in business so the escrow doesn't apply but is wholesale NOT complying with requests
James Bladel (RrSG)
02:14:56
Registrar active but not responding: Compliance.
Margie Milam (BC)
02:15:05
that can take months though
James Bladel (RrSG)
02:15:10
Registrar DOA and not responding : Data Escrow
Margie Milam (BC)
02:15:12
so no data in the meantime?
Thomas Rickert (ISPCP)
02:16:08
AlanG encouraging forum shopping? Wow :-)
Alan Greenberg (ALAC)
02:17:00
I am amazed! When we first had this discussion, there was NO objection to this request flag!
Brian King (IPC)
02:18:22
@AlanW, I won't take the mic to take the group's time with the conversation, but the hybrid model we agreed to pursue comes with a mechanism for evolution to move toward more centralization, which is has always been the IPC's goal. Nothing disingenuous intended.
Alan Greenberg (ALAC)
02:18:28
If it is lawful to go to the Ry directly, it is lawful to do it through the SSAD!
Franck Journoud (IPC)
02:18:44
not to speak for Mark Sv, but by "we won't have an evolution mechanism" may mean "we'll have a mechanism, but no evolution"
Alan Woods (RySG)
02:19:35
+1 james
Mark Svancarek (BC)
02:19:37
+1 James
Volker Greimann (RrSG)
02:20:49
that ”study”has it's flaws.
Stephanie Perrin (NCSG)
02:21:25
Brian K, your concept of the hybrid model is definitely not congruent with my concept.
Sarah Wyld (RrSG)
02:22:06
yeah I didn't think the mechanism was necessarily intended to move towards centralization of disclosure decisions
Terri Agnew
02:22:32
Got it
Hadia Elminiawi (ALAC)
02:22:41
ok - sounds good
Margie Milam (BC)
02:22:43
I'm dropping off now - Steve will step in
Terri Agnew
02:30:24
We have started back up
Franck Journoud (IPC)
02:31:25
Sarah and Stephanie: can you explain what your concept of the evolution is? the mechanism isn't called "oversight" or "implementation" or even "adaptation", so clearly its mission is to enable the evolution from one model to another - at whatever pace and to whatever degree. and the email traffic and calls we had support this conclusion.
Sarah Wyld (RrSG)
02:32:07
I think this mechanism should be allowed to propose implementation changes, not new policy nor new contractual requirements.
Sarah Wyld (RrSG)
02:32:50
requiring centralization of the disclosure decision is a policy decision that should not be made outside this epdp (or by this epdp either)
Steve DelBianco (BC Alternate - will join last hour)
02:33:08
Whatever the term of accreditation, any accreditation could be challenged at any time if there is evidence of failure to abide by terms of accreditation, and that could be handled in Policy implementation.
Milton Mueller (NCSG)
02:33:32
Franck, we never accepted the idea that we would “evolve” from hybrid to centralized. We always understood evolution to mean making incremental improvements without having to go through a burdensome policy development process
Sarah Wyld (RrSG)
02:33:57
And Rec 19 does not mention centralization
Milton Mueller (NCSG)
02:34:40
Renewal of accreditation should not be as costly as initial accreditation
Alan Woods (RySG)
02:35:03
I think that makes sense Milton.
Steve DelBianco (BC Alternate - will join last hour)
02:35:14
Registrar Accreditation term is 5 years. This is not an arbitrary term
Sarah Wyld (RrSG)
02:35:37
But the Rr is required to update their info with ICANN very quickly if it ever changes. Can we require the same of the requestor? That'd be helpful
Sarah Wyld (RrSG)
02:35:51
My concern with a long accreditation term is that the requestor info gets outdated with no requirement to keep it up to date
Mark Svancarek (BC)
02:35:58
Right now I am hearing that the MfE can't even accommodate a single new automation use case -that such a thing, even though seemingly incremental, would require a PDP. Hopefully I am confused about that
Sarah Wyld (RrSG)
02:36:41
mechanism can provide guidance on which categories should be automated, but I don't think they should be able to mandate automation
Alan Woods (RySG)
02:36:46
Yes Sarah. AS a disclosing party, the older the accreditation, the less weight that can be placed on it in our review. That is a worry. I think we are trying to be pragmatic and open expectation here.
Stephanie Perrin (NCSG)
02:37:16
Franck thanks for the question. I have a lengthy chunk in my comments that I am trying to wedge into the grid, if I may I will answer you there.
Sarah Wyld (RrSG)
02:38:34
Yes, let's just get the info verified often
Sarah Wyld (RrSG)
02:38:38
and an obligation to keep the info up to date
Stephanie Perrin (NCSG)
02:39:59
Annual verification through self attestation would not be all of course. Revocation of privileges needs to be audited more often, it is a major cause of data breach in some situations, I do not believe we have good data on whether it is a problem in this situation.
Sarah Wyld (RrSG)
02:40:31
annual is not frequent enough
Sarah Wyld (RrSG)
02:40:39
unless we also include an obligation to update asap if info is outdated
Stephanie Perrin (NCSG)
02:41:47
Again, breach accountability agreements have a remarkable ability to focus the mind on these details. I would be looking for audit trails....
Steve DelBianco (BC Alternate - will join last hour)
02:43:55
Sarah, are you saying that an accredited requestor must update any changed info whenever it changes, not just once per year? If so, fine.
Sarah Wyld (RrSG)
02:46:00
Steve - yes ,an accredited requestor must keep all their info up to date and so they must update when anything changes, that is what I would suggest
Mark Svancarek (BC)
02:46:07
+1 Volker
Brian King (IPC)
02:46:27
+1 Sarah
Hadia Elminiawi (ALAC)
02:47:11
+1 Volker
Stephanie Perrin (NCSG)
02:48:14
It is important to permit contracted parties to mistrust the identity of a requestor as represented.
Steve DelBianco (BC Alternate - will join last hour)
02:48:19
Our policy draft makes a distinction between “validate” and “Verify”. Is it safe to assume that we are each being precise about that distinction?
Stephanie Perrin (NCSG)
02:48:47
Not safe at all IMHO Steve
Hadia Elminiawi (ALAC)
02:49:13
agree its an implementation issue which lies with the hands of the accreditation entity which will be audited for its decisions
Steve DelBianco (BC Alternate - will join last hour)
02:49:46
From page 16: Validation - Establish the soundness or correctness of a construct.● Verify - To test or prove the truth or accuracy of a fact or value. (Example:Identity Providers Verify the identity of the requestor prior to issuing an IdentityCredential.)
Stephanie Perrin (NCSG)
02:49:53
Our definitions are occasionally the vehicle of our compromise, or failure to reach agreement, and are thus wooly
Steve DelBianco (BC Alternate - will join last hour)
02:52:26
Verify and Validate are both used in the RAA and have distinct meanings and obligations. ICANN Compliance knows how to do this.
Daniel Halloran (ICANN Org)
02:53:13
For reference, the fee for an application for registrar accreditation is currently US$3500 https://www.icann.org/resources/pages/financials-55-2012-02-25-en
Stephanie Perrin (NCSG)
02:54:11
+1 Marc, but I would argue strongly for a separate section on implementation guidance that explains the compromises and lingering disagreements that we have on these matters.
Stephanie Perrin (NCSG)
02:55:26
Given the ambit of our common understandings, I am loathe to hand this over to an IRT without explicitly underlining the areas where if they run into issues they have to come back to the EPDP for clarification of what the policy says.
Stephanie Perrin (NCSG)
02:58:49
Losing youMarc
Milton Mueller (NCSG)
03:00:56
tell that bird to shut up
Brian King (IPC)
03:01:20
Sarah and I like the bird
Milton Mueller (NCSG)
03:01:26
hopefully not offending the Bird SG
Franck Journoud (IPC)
03:02:05
Bird SG now supporting centralization and automation. Well done, Milton.
Milton Mueller (NCSG)
03:03:50
Only the Jackdaws and Starlings
James Bladel (RrSG)
03:03:53
Need to drop at 9:30P. Thanks all.
Alan Woods (RySG)
03:06:47
they are a separate controller in a separate data processing sphere.
Stephanie Perrin (NCSG)
03:07:16
Precisely. This is outside the remit of ICANN
Mark Svancarek (BC)
03:08:22
Thanks for clarifying
Stephanie Perrin (NCSG)
03:09:10
It is not that we should not be promoting good behaviour and compliance with law.
Brian King (IPC)
03:09:45
Thanks, AlanW.
Brian King (IPC)
03:10:19
Janis, I think we could live with that (striking the code of conduct language)
Alan Woods (RySG)
03:10:39
ohhh…. eep. that is an oversight then
Georgios Tselentis (GAC)
03:10:48
"Set of rules" seems appropriate
Alan Woods (RySG)
03:10:50
we should strike that footnote
Stephanie Perrin (NCSG)
03:12:24
Have we sought any legal advice on codes of conduct? I am not suggesting that we do, just inquiring
Brian King (IPC)
03:12:41
@Stephanie, no we haven't.
Stephanie Perrin (NCSG)
03:13:00
I seem to recall Ruth being asked the question at a face to face and giving a cogent and helpful reply on the matter
Stephanie Perrin (NCSG)
03:13:32
They all blur in my mind, but I think it was the Toronto meeting.
Berry Cobb
03:16:06
Marc, can you come back with proposed language to make clear of your concern?
Marc Anderson (RySG)
03:16:24
no - keep the existing language
Volker Greimann (RrSG)
03:28:42
thank you!
Stephanie Perrin (NCSG)
03:28:43
+1000 Janis
Brian King (IPC)
03:28:45
+1 to keep meetings to 2 hours
Laureen Kapin (GAC)
03:29:27
+1 Janis - it's vey hard to stay focused for three hours (plunging benefits). Thanks for this suggestion.
Hadia Elminiawi (ALAC)
03:31:21
Thank you all bye for now
Sarah Wyld (RrSG)
03:31:25
thanks, all
Marc Anderson (RySG)
03:31:29
stay safe all
Julf Helsingius (NCSG)
03:31:31
thanks all
Thomas Rickert (ISPCP)
03:31:34
thanks and bye all