
Re: [ICANN-EU] Disclosure of ICANN At Large Membership information



On 2000-11-11 11:10:42 -0800, Mike Roberts wrote:

> The staff recognizes that there are entirely legitimate reasons
> for creating an active and participative At Large membership,
> which may include self-identification of membership status to
> other members and third parties.  Proposals which advance these
> goals and which carefully balance public information versus
> personal privacy concerns are welcome and should be discussed
> with Andrew McLaughlin <mclaughlin@icann.org>.

Putting aside the discussion whether or not members actually are
statutory members, I appreciate your invitation.  

Here are my proposals:

- Reaching the members.  Obviously, it's a huge problem for any
  activities concerning the at large members that it's not even
  possible to contact these members.  So we need some kind of
  communication channel - the bookmark collection currently done by
  Jody is a nice first step, but won't suffice.  Obviously, putting
  all these members onto an open mailing list won't work.  Also, too
  much ICANN-related traffic may have adverse effects on those
  members who aren't interested in day-to-day ICANN politics.
  
  Thus, I'd suggest that ICANN sets up some kind of a moderated
  high-signal newsletter to which At Large Members can subscribe
  themselves. Announce that newsletter on your web site, and once
  via e-mail.

  Distribute the newsletter at most once per month.  Establish
  strict submission guidelines:

  -> plain text only
  -> maximum 2kB text
  -> maximum 5 URLs
  -> no flames, personal attacks, and the like
  -> possibly introduce a quota limiting the number of proposals per
     submitter and time slice

  Ideally, content would comprise announcements of discussion
  forums, conferences, pending events, and the like.

- Proving membership.

  The simplest thing to do would be to establish a cgi-bin on
  ICANN's web server, where at large members could log in with their
  PIN, ID, and password, and where they can request that an
  automatically-generated message confirming their membership is
  sent to a certain e-mail address.  This way, members keep control
  over their membership information.  However, the proof is
  relatively weak, and may be falsified.
  
  This method could be augmented by adding a verification URL to the
  confirmation message:  Create a string of the form
  	
	<unique-id>+<expiry>+<hash>,

  where unique-id maps into the membership database, <expiry> says
  when the URL expires, and hash is a cryptographic hash over
  unique-id, expiry ("now + 48h"), and a secret only held by ICANN.
  Pass this string to an appropriate cgi-bin on ICANN's secure web
  server, which first verifies the hash and the expiration date, and
  then basically produces the confirmation message's content as a
  web page.
  
  This approach still gives individuals control over their personal
  data.  However, due to the use of the confirmation URL and the SSL
  server, the third party can get a non-fakable confirmation of the
  membership status.

  Additionally, a leaked verification URL will be worthless as soon
  as it has expired, which should help keep the privacy dangers
  under control.  Finally, SSL doesn't generate anything you can use
  as a proof to be demonstrated towards a third party.

  Implementing this shouldn't be too hard.

Kind regards,
-- 
Thomas Roessler                         <roessler@does-not-exist.org>
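
The verification string proposed in the message above, as an added example that is not part of the original post. It assumes HMAC-SHA256 as the keyed hash (the message only says "cryptographic hash"); the secret, the function names and the member id used in testing are hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical server-side secret; a real deployment loads it from protected storage.
SECRET = b"constructed-demo-secret"
TTL_SECONDS = 48 * 3600  # "now + 48h" from the proposal


def _mac(unique_id: str, expiry: str, secret: bytes) -> str:
    # HMAC instead of hash(secret || data), which avoids length-extension forgeries.
    msg = f"{unique_id}+{expiry}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(unique_id: str, now: Optional[int] = None, secret: bytes = SECRET) -> str:
    """Build <unique-id>+<expiry>+<hash> for use in a verification URL."""
    if not (unique_id.isascii() and unique_id.isalnum()):
        raise ValueError("unique-id must be ASCII alphanumeric so '+' is unambiguous")
    expiry = str(int(time.time() if now is None else now) + TTL_SECONDS)
    return f"{unique_id}+{expiry}+{_mac(unique_id, expiry, secret)}"


def verify_token(token: str, now: Optional[int] = None, secret: bytes = SECRET) -> Optional[str]:
    """Return the unique-id if the token is authentic and unexpired, else None."""
    parts = token.split("+")
    if len(parts) != 3:
        return None
    unique_id, expiry_s, mac = parts
    if not (unique_id.isascii() and unique_id.isalnum() and expiry_s.isascii() and expiry_s.isdigit()):
        return None
    expected = _mac(unique_id, expiry_s, secret)
    # Authenticate first, in constant time; the expiry is only trusted after that.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    current = int(time.time() if now is None else now)
    return unique_id if current < int(expiry_s) else None
```

If the string travels in a URL query, percent-encode the `+` separators, since form decoding turns `+` into a space.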