SENT VIA EMAIL 19 SEPTEMBER 2017
To: Steve Crocker, Chair, ICANN Board
Cc: Chris Disspain, Mike Silber, Ram Mohan, Goran Marby
Re: Board letter regarding the reports of the EPSRP WG and of the SSAC: SAC084, 88 and 89
Dear Steve,
In response to your letter dated 24 April 2017 we are pleased to provide our joint ccNSO and SSAC
Response to ICANN Board on EPSRP on the three issues:
On interpretation of RFC 6912
On Similarity Findings
On Mitigation measures
The response was prepared by a working party with both ccNSO and SSAC appointed members. Both the
ccNSO and SSAC have adopted the Response and support the recommendations in accordance with
respective internal rules and procedures.
Please let us know if the Board would like to receive an additional, joint briefing by SSAC and ccNSO.
On behalf of the ccNSO and SSAC,
Katrina Sataki and Patrik Fältström, Chairs.
Joint ccNSO SSAC Response to ICANN Board on EPSRP
Joint ccNSO SSAC Response to ICANN Board
A Joint Response from the ICANN Country Code Supporting Organization
(ccNSO) and the Security and Stability Advisory Committee (SSAC)
17 August 2017
Table of Contents
1. Introduction
2. Scope of the Working Party’s Recommendations
3. Working Party Observations and Recommendations
3.1 On the Interpretation of RFC 6912
3.2 On Similarity Evaluation Findings
3.3 On Mitigation Measures
4. Proposed Changes to the IDN ccTLD Fast Track Implementation Plan
5. Acknowledgments
1. Introduction
In June 2015, the ICANN Board of Directors requested the ccNSO, in consultation with
other stakeholders including the Governmental Advisory Committee (GAC) and the
Security and Stability Advisory Committee (SSAC), to provide further guidance on and
refinement of the methodology of the second string similarity review process, including
the interpretation of its split recommendations.
The Board resolution followed a public review of the implementation of the Extended
Process Similarity Review Panel (EPSRP), its guidelines and recommendations. Since its
introduction in 2013, the EPSRP has reviewed three cases (one in Cyrillic and two in
Greek script) and published its findings in September 2014.[1] Based on the method used,
the EPSRP has provided separate recommendations for upper- and lower-case versions of
the applied for IDN ccTLD strings, given that from a visual similarity point of view
upper- and lower-case characters of the same letter are distinct entities.
The EPSRP found that one of the applied for Greek strings should be considered
confusingly similar with 2 two-letter codes in upper-case, and should not be considered
confusingly similar to any combination of two ISO 646-Basic Version (ISO 646-BV)
characters or with existing TLDs, applied for TLDs or reserved names in lower-case.
In January 2017, the ccNSO submitted the requested guidance and refinement to the
Board, which was based on the ccNSO EPSRP working group Final Report.[2] The SSAC
produced SAC 084,[3] 088[4] and 089.[5]
In April 2017, the ICANN Board of Directors suggested that the ccNSO and SSAC
should further collaborate to reach a common understanding and way forward on their
views with respect to the following three areas:[6]
1. RFC 6912
2. Similarity Evaluation findings
3. Mitigation measures
In response to the Board request, the ccNSO and SSAC created a small, informal group
(Working Party) to address the questions of the Board's letter. This Working Party
developed a document (a common position). Both the SSAC and the ccNSO Council
approved this document.
[1] See: https://www.icann.org/resources/pages/epsrp-reports-2014-10-14-en.
[2] See: https://ccnso.icann.org/workinggroups/epsrp-final-report-27sep16-en.pdf.
[3] See: https://www.icann.org/en/system/files/files/sac-084-en.pdf.
[4] See: https://www.icann.org/en/system/files/files/sac-088-en.pdf.
[5] See: https://www.icann.org/en/system/files/files/sac-089-en.pdf.
[6] See: https://www.icann.org/en/system/files/correspondence/crocker-to-sataki-faltstrom-24apr17-en.pdf.
The following is the document the Working Party developed, which was approved by
both the SSAC and the ccNSO Council.
2. Scope of the Working Party’s Recommendations
The Working Party was invited to discuss and propose a common position on the topics
suggested by the ICANN Board of Directors, and find common ground with respect to
the EPSRP WG report and the SSAC Report and views.
As the scope of the original Board request made in June 2015 was limited, the views
expressed by the EPSRP WG were limited to that scope. Moving forward, the
observations and recommended interpretation by the Working Party should not be
interpreted or otherwise used in a broader context than for the limited scope as originally
intended: guidance on how to deal with confusing similarity with two-letter codes [a-z,
A-Z], and hence these specific aspects of the IDN ccTLD Fast Track process and
recommended overall policy on the selection of IDN ccTLD strings.
The conclusions and recommendations of the Working Party might be used as input into
the review and discussion on how to deal with confusing similarity in general.
The Working Party first agreed on the following Description of Work items (DoW)
flowing from the Board request.
1. On RFC 6912, both the SSAC (SAC084) and the ccNSO EPSRP WG refer to RFC
6912, however with divergent interpretations.
The Working Party is expected to advise how to deal with these different
interpretations.
2. On similarity evaluation findings, with respect to the cases for which guidance was
sought (lower- versus upper-case), the ccNSO recommends that in the event there are
different outcomes for the lower- and upper-case evaluations, the evaluation of the
lower-case shall prevail. The ccNSO agrees that any process that evaluates a potential
TLD should be consistent with maintaining the security and stability of the DNS. The
SSAC has the view that a cautionary approach is appropriate where potential
confusability in both upper- and lower-case (where available) is included in the
evaluation.
The Working Party is expected to advise and provide clarification as to how the
cautionary approach supported by both the ccNSO and the SSAC could be included
in the evaluation process, in particular in light of the prevalence of the findings with
respect to lower-case as suggested by the ccNSO and its WG. Does this imply that
only lower-case should be considered? Or does the statement imply that both lower-
and upper-case findings should be taken into account, but only in cases of confusing
similarity in upper-case, mitigation measures should be considered and included in
the final analysis?
3. On mitigation measures, the ccNSO suggests that where potential confusability exists,
possible measures to mitigate risk should be enforced at the registry level and that
IDN ccTLD managers should be allowed to propose and implement risk mitigation
measures. The SSAC stresses that where potential confusability exists, a cautionary
approach is appropriate. At a minimum, mitigation measures proposed by the registry
(applicant) should be part of the overall string evaluation.
The Working Party is expected to develop a proposal on what such a process should
look like, and how to determine whether the proposed measures are adequate and
whether to review implementation from time to time.
3. Working Party Observations and Recommendations
The working party has the following observations and recommendations.
3.1 On the Interpretation of RFC 6912
As noted, both the SSAC (SAC084) and the ccNSO EPSRP WG (in the Final report) refer to
RFC 6912, however with divergent interpretations.
The Working Party notes that interpretation of standards should not be compromised
between those who make different interpretations. In cases of disagreement on
interpretation of documents published by standards organizations or associated groups,
we suggest that the authors of the document or the body that approved its publication
may be requested to provide its interpretation of the meaning and scope of what was
written, and if the document can be applied to the subject matter. (In the case of RFC
6912, this would include the named authors or the Internet Architecture Board.)
3.2 On Similarity Evaluation Findings
The Board noted that with respect to the cases for which guidance was sought (lower-
versus upper-case), the ccNSO recommends that in the event there are different outcomes
for the lower- and upper-case evaluations, the evaluation of the lower-case shall prevail.
The Board also observed that the ccNSO agrees that any process that evaluates a potential
TLD should be consistent with maintaining the security and stability of the DNS.
With respect to the SSAC view, the Board noted that the SSAC has the view that a
cautionary approach is appropriate where potential confusability in both upper- and
lower-case (where available) is included in the evaluation.
As said, the scope of the Working Party is limited to the scope of the original Board
request, i.e., to provide guidance on the findings of the EPSRP with respect to two-letter
codes in upper- and lower-case.
As noted by the Board, the ccNSO makes a distinction between lower- and upper-case
confusing similarity findings. Effectively the following cases can be distinguished:
1. Both the upper- and lower-case forms of the requested IDN ccTLD string are found
NOT to be confusingly similar to any two-letter code [aa-zz; AA-ZZ];
2. Upper-case form of the requested IDN ccTLD string is found to be confusingly
similar to at least one two-letter code [AA-ZZ], while the lower-case form of the
same IDN ccTLD string is found NOT to be confusingly similar with any two-letter
code [aa-zz];
3. The upper-case is found NOT to be confusingly similar to any two-letter code [A-Z],
while the lower-case is found to be confusingly similar with at least one two-letter
code [aa-zz];
4. Both the upper- and lower-case form of the requested IDN ccTLD string are found to
be confusingly similar with at least one two-letter code [aa-zz; AA-ZZ].
All parties agree that the first case, no confusing similarity, should pass. There is also an
agreement that the third and the fourth cases should not pass, because from the risk
management perspective the risks associated with these cases are too high, and at this
stage it is very difficult if not infeasible to mitigate the risks.
With respect to the second case, the upper case of the requested IDN ccTLD string is
found confusingly similar to at least one two-letter code [AA-ZZ], the ccNSO noted that
the evaluation of the lower case should prevail. According to the Board, SSAC noted that
a cautionary approach is appropriate where potential confusability in both upper- and
lower-case (where available) is included in the evaluation.
The Working Party understands from its ccNSO members that it was never the ccNSO’s
intention to state that only lower-case matters. According to the CCWG EPSRP final
report if a string is found to be confusingly similar in upper-case and not in lower-case,
the applicant should be allowed to propose mitigation measures to address the risks
associated with confusion.
With respect to the SSAC position, the Working Party believes that SSAC’s view is that
instead of a binary choice, risk is a continuum. Thus, in case of confusing similarity a
cautionary approach dictates that the residual risk should be mitigated to a
minimum. From the SSAC’s perspective, confusability is independent of whether the
string is in upper or lower case.
The Working Party takes this to imply that if a requested string is found confusingly
similar to an existing or applied for TLD, the IDN ccTLD requestor should be allowed to
propose mitigation measures to reduce the risks associated with the confusing similarity
to an acceptable level. Those proposed mitigation measures should be evaluated together
with the confusability that is detected, and should include specific consideration of
confusability from the perspective that any domain name may be displayed in either
upper- or lower-case, depending on the software application and regardless of the user’s
familiarity with the language or script.
In the view of the Working Party these two positions are reconcilable, in particular with
respect to the case under discussion. The level of the threshold, or the acceptable level of
residual risk when confusability is evaluated in context of the proposed mitigation
methods, needs to be determined.
3.3 On Mitigation Measures
To evaluate possible confusing similarity of the requested IDN ccTLD strings in the Fast
Track process, ICANN has appointed the following two panels:
DNS Stability Panel.[7] An external and independent panel that conducts the initial
DNS Stability Evaluation, which includes a string similarity review of the
requested IDN ccTLD string.
Extended Process Similarity Review Panel (EPSRP).[8] In the event that a finding
of string confusion and contention (under Implementation Plan 5.5[9]) has been made
by the DNS Stability Panel, the EPSRP, only upon the request of the IDN ccTLD
applicant, conducts a review of the requested IDN ccTLD string, using the same
criteria for string confusion and contention, however with a methodology different
from the one used by the DNS Stability Panel.
Following the methodology in its guidelines the EPSRP provides separate
recommendations for upper- and lower-case versions of the applied for IDN ccTLD
strings as it believes that from a visual similarity point of view, upper- and lower-case
characters of the same letter are distinct entities.
Both the DNS Stability Panel and the EPSRP evaluate whether a requested IDN ccTLD
string should be considered confusingly similar. Both do so without taking into account
mitigation measures. Assuming that risk mitigation standards should be taken into
account in the final analysis, the application procedure needs to be adjusted to allow such
an analysis in the following ways:
The starting point for the analysis is the results from the DNS Stability Panel or
the EPSRP evaluation.
If found confusingly similar only in upper-case, allow the requestor to suggest
mitigation measures that take into account the conditions mentioned above
(varying display of the string in different software applications and varying level
of the user’s familiarity with the language or script).
Review of the suggested mitigation measures and,
Finally, document agreement and commitment to implement the proposed
mitigation measures.
[7] See for full description: Module 4.2 Fast Track Implementation Plan,
https://www.icann.org/en/system/files/files/idn-cctld-implementation-plan-05nov13-en.pdf
[8] See for description: Module 4.3 Fast Track Implementation Plan,
https://www.icann.org/en/system/files/files/idn-cctld-implementation-plan-05nov13-en.pdf
[9] Fast Track Implementation Plan,
https://www.icann.org/en/system/files/files/idn-cctld-implementation-plan-05nov13-en.pdf
To date such a procedure has already been included in the IDN ccTLD Fast Track
Process (section 5.6.3, see below: proposed changes to IDN ccTLD Fast Track
Implementation Plan) and has been recommended for the overall IDN ccTLD policy.[10]
As discussed in section 3.2 of this document, the Working Party believes that the positions
of the ccNSO and SSAC are reconcilable. However, the level of acceptable residual risk
needs to be determined as well as the method of how it should be determined and
evaluated.
It is the view of the Working Party that there is no general hard and fast rule with respect
to the mitigation measures that should be implemented or with respect to the acceptable
level of risk. It all depends very much on the circumstances, context and interplay of
proposed measures and current and future risks associated with the confusing similarity
of proposed strings. Therefore, it is recommended that each case is evaluated
independently.
The intended manager for the requested IDN ccTLD, and, if needed, supported by the
relevant government, should propose mitigation measures, which are then reviewed,
discussed and, if accepted by all involved, agreed upon.
Therefore, it is suggested to amend the IDN ccTLD Fast Track Process and to review
and, if necessary, suggest adjustments to the overall IDN ccTLD policy
recommendations.
4. Proposed Changes to the IDN ccTLD Fast Track Implementation Plan
In light of its observations and recommendations, the Working Party proposes the
following changes to section 5.6.3 of the FT Implementation plan (marked in yellow and
bold). The Working Party also suggests that the recommended overall policy for the
selection of IDN ccTLD strings should be amended accordingly.
5.6.3 DNS Stability Evaluation
The DNS Stability Evaluation Sub-Processes are graphically described in Figure 5.4, 5.5
and 5.6.
The request and associated material will be provided to the DNS Stability Panel (see
Module 4 for details) and the string evaluation will begin. This evaluation consists of two
main components:
1. a detailed technical check in which compliance with all the technical string
requirements referenced in Module 3 is verified, and
2. an evaluation of confusability with any Reserved Name, existing TLDs (both
ccTLDs and gTLDs), or potential future TLDs.
[10] The IDN ccTLD Fast Track Process was amended to accommodate the option of an applied for string
that may have been found confusingly similar to the same string in ASCII.
If the DNS Stability Panel finds that additional linguistic expertise is necessary to satisfy
the latter component of the evaluation, such can be requested through ICANN. ICANN
will in return request assistance, specific information, or a full confusability review. The
specific expertise needed will partly depend on the actual string in question.
If any issues with the selected string are discovered in this review, the DNS Stability
Panel can request clarification from the requester through ICANN.
The DNS Stability Panel will usually conduct its review within 30 days, unless it informs
ICANN staff otherwise, and delivers its report to ICANN staff, who communicates the
findings to the requester.
In the event that the DNS Stability Panel determines a requested IDN ccTLD string is
confusingly similar and the requester has been informed as such by ICANN, the requester
may call for the second and final Extended Process Similarity Review and provide
additional documentation and clarification referring to aspects in the report of the DNS
Stability Panel. The requester should notify ICANN within three (3) calendar months
after the date of notification by ICANN that a review by the EPSRP is requested, and
include the additional documentation, if any. After receiving the notification from the
requester, ICANN shall call on the EPSRP.
The EPSRP conducts its evaluation of the string based on the methodology and criteria
developed for it, as described in Module 4.3, and, taking into account, but not limited to,
all the related documentation from the requester, including submitted additional
documentation, IDN tables and the findings of the DNS Stability Panel. The EPSRP may
seek further clarification from the requester through ICANN staff, if necessary.
The findings of the EPSRP shall be reported to ICANN and will be publicly announced
on the ICANN website. This report shall include and document the findings of the
EPSRP, including the rationale for the final decision and, in case of string similarity
findings a reference to the strings that are considered confusingly similar and examples
where the panel observed this similarity.
If the requester has not notified ICANN within three (3) calendar months after the date of
notification by ICANN of DNS Stability Panel findings, the Termination Process will be
initiated. See section 5.4.
If according to the EPSRP the requested string should not be considered confusingly
similar, the requested IDN ccTLD string is valid on string similarity grounds.
If the DNS Stability Evaluation reveals no issues the requester is notified that the DNS
Stability Evaluation has successfully been completed and that the requested string(s) will
be queued for public posting.
In the event that the DNS Stability Panel or the EPSRP determines a requested IDN
ccTLD string is confusingly similar to an existing or applied for gTLD, or an existing
two-letter ASCII ccTLD, corresponding to the same country or territory as the requesting
country or territory entity, the DNS Stability Panel or the EPSRP shall document this in
its report to ICANN.
If, at the time of the request or within two months after receiving the notification of the
findings of the DNS Stability Panel, the requester, and, if considered necessary by
ICANN, the relevant public authority, provide(s) a clarification that documents and
demonstrates to ICANN that:
1. The intended manager for the requested IDN ccTLD and the manager for the existing
or applied for TLD are one and the same entity; and
2. The intended manager shall request the delegation for the IDN ccTLD string if
validated; and
3. The IDN ccTLD and existing or applied for TLD shall remain to be managed by one
and the same entity, and
4. The intended manager shall present to the evaluation panel specific and pre-arranged
conditions with the goal to mitigate the risk of user confusion as of the moment the
IDN ccTLD becomes operational, which is evaluated together with the evaluation of
confusability.
then the requested string is deemed to have passed the DNS Stability Panel and/or the
EPSRP evaluation.
If clarifications are insufficient or cannot be provided, the Termination Process will be
initiated. See section 5.4.
Further, in the event that the DNS Stability Panel and/or EPSRP determines a
requested IDN ccTLD string is confusingly similar to an existing TLD the DNS
Stability Panel and/or the EPSRP shall document this finding in its report to
ICANN.
If, at the time of the request or within three months after receiving the notification
of the findings of the DNS Stability Panel or the EPSRP, the requestor, and, if
considered necessary by ICANN, the relevant public authority, provide(s) a
clarification that documents and demonstrates to ICANN that:
The intended manager shall propose, agree upon and implement adequate
pre-arranged risk mitigation measures with the goal to reduce the potential
risk of user confusion as of the moment the IDN ccTLD becomes operational,
including specific consideration of confusability from the perspective that
any domain name may be displayed in any case (lower- or upper-case),
depending on the software application and regardless of the user’s
familiarity with the language or script
These measures are agreed upon by the time the delegation request of the
IDN ccTLD string is submitted
then the requested string is deemed to have passed the DNS Stability Panel and/or
the EPSRP string evaluation.
If the intended IDN ccTLD manager does not propose mitigation measures or does
not implement the agreed upon risk mitigation measures sufficiently within the
timeline described above, the Termination Process will be initiated. See section 5.4.
To determine whether the proposed risk mitigation measures are adequate ICANN
will consult experts in the area of relevant Risk Mitigation measures and the IDN
ccTLD string requestor. The proposed measures are to be evaluated together with
the finding of the confusability evaluation.
Transitional arrangement
If an IDN ccTLD string request submitted under the IDN ccTLD Fast Track
Process is still in the process post EPSRP, the requestor has the option to submit
mitigation measures within three (3) calendar months of the date of the update of
the IDN ccTLD Fast Track Implementation Plan as proposed.
5. Acknowledgments
The ccNSO and SSAC wish to thank the following ccNSO, SSAC and ICANN staff
members for their time, contributions, and review in producing this joint response.
Working Party
Hiro Hotta (ccNSO)
Jeff Bedser (SSAC)
Suzanne Woolf (SSAC)
Wafa Dahmani (ccNSO)
ICANN staff
Bart Boswinkel
Steve Sheng