Board Risk Committee (RC) – Minutes

RC Attendees: Steve Crocker, Ram Mohan, Thomas Narten, Gonzalo Navarro, Mike Silber – Chair, Judith Duavit Vazquez, and Suzanne Woolf

Other Board Attendees: Bruce Tonkin

Staff Attendees: Akram Atallah – Chief Operational Officer; John Jeffrey – General Counsel and Secretary; Jeff Moss – Chief Security Officer; Geoff Bickers, Megan Bishop, Samantha Eisner, Elise Gerich, Daniel Halloran, Patrick Jones, and Amy Stathos

The following is a summary of discussions, actions taken and actions identified:

  1. Minutes of Previous Meeting: The RC approved the minutes of its previous meeting in October 2012.

  2. Review of Action Items: The RC reviewed the open action items from the previous meeting, noting that research is ongoing relating to the use of cloud computing and mobile devices and work is underway to update internal policies. The other open action items are addressed on the agenda.

  3. DNS Risk Management Framework: Staff provided an update on the development of a DNS Risk Management Framework. A draft is expected to be provided to the RC in advance of the RC's meeting in Beijing.

  4. Update on Risk Matrix (IT Department): The RC received an update on the identification of risks within the IT department and the work ongoing to mitigate those risks.

  5. Coordinated Disclosure Process: Staff provided the RC with an update on a proposal to address the Security, Stability & Resiliency Review Team's recommendation 15, regarding ICANN acting as a facilitator in the responsible disclosure and dissemination of DNS security threats and mitigation techniques. The RC began a discussion of when the RC is looking for reporting on these events and in the coordinated disclosure process. The RC requested that staff produce a sample of some high-level reporting on incidents where ICANN is an impacted party, to determine if the level of reporting is sufficient. The RC noted that it does not wish to be an extra step in the incident-response environment.

    • Action:

      • Staff to produce samples of reporting incidents for RC consideration.

  6. Planning for next meeting: The RC reviewed the proposed topics for its next meeting. One of the areas for review is the risk matrices for a couple of departments within ICANN. Staff also provided an update on how the Security Team will be working throughout the organization to roll out the development of risk matrices for the remainder of the departments. The RC requested some regularity of reporting when there are material changes to the risk matrices for the organization. The RC also requested that New gTLD Program risks be incorporated into the broader risk matrix for the organization, noting that editing may be appropriate where some of the risks may give rise to conflict-of-interest issues, and confirmed that incident reports related to the New gTLD Program are more appropriate for consideration by the New gTLD Program Committee.

    • Action:

      • Staff to provide a proposal for discussion on the appropriate level of reporting against the risk matrix and definition of what should be run as an annual program for review by the RC.

  7. Any Other Business: The RC requested a status on an incident review requested by the RC at a recent meeting.

Published on 8 May 2014
