ICANN Resolutions » Refinement of string similarity review in IDN ccTLD Fast Track Process
Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.
Whereas, the ICANN Board of Directors approved the Final Implementation Plan for IDN ccTLD Fast Track Process on 30 October 2009 (http://www.icann.org/en/minutes/resolutions-30oct09-en.htm#2).
Whereas, as part of a review and update to the Implementation Plan, the ccNSO Council, following the development of the IDN ccTLD String Selection recommendations, requested the ICANN Board to include a two-panel process for string similarity evaluation (http://ccnso.icann.org/node/38787).
Whereas, the ICANN Board of Directors approved the Update to the IDN ccTLD Fast Track Implementation in order to implement the two-panel process for string similarity review. The Extended Process Similarity Review Panel (EPSRP) was approved for inclusion in the IDN ccTLD Fast Track process on 27 June 2013, and ICANN organization was directed to develop the relevant Guidelines and update the Final Implementation Plan accordingly (https://www.icann.org/resources/board-material/resolutions-2013-06-27-en...).
Whereas, following the 2013 update, and upon the request of the relevant applicants, the pending IDN ccTLD strings under the Fast Track process were evaluated through the EPSRP process, and the EPSRP reports for the three applications were published with evaluation results on the ICANN website on 14 October 2014 (https://www.icann.org/resources/pages/epsrp-reports-2014-10-14-en). One application received a split result, based on evaluations of potential confusion in both lowercase and uppercase representations of the applied-for string.
Whereas, public feedback was received during the third annual review of the IDN ccTLD Fast Track process on issues related to the experimental methodology and results reported by the EPSRP, including the interpretation of the EPSRP's split recommendations on confusing similarity in regards to uppercase and lowercase forms of the applied-for string (https://www.icann.org/public-comments/idn-cctld-fast-track-2015-01-15-en).
Whereas, following the public comment for the third annual review, on 25 June 2015 the ICANN Board resolved to ask the ccNSO, in consultation with other stakeholders, including GAC and SSAC, to provide further guidance on and refinement of the methodology of second string similarity review process (https://www.icann.org/resources/board-material/resolutions-2015-06-25-en...).
Whereas, in response to a letter from the Board seeking additional clarifications the ccNSO and SSAC provided a joint response on 19 September 2017, proposing changes to the Final Implementation Plan for the IDN ccTLD Fast Track Process.
Resolved (2017.10.29.05), the Board thanks the ccNSO, GAC and SSAC for collaborating to address the issue related to string similarity review and for developing the "Joint ccNSO SSAC Response to ICANN Board on EPSRP".
Resolved (2017.10.29.06), the Board approves amending the Final Implementation Plan for IDN ccTLD Fast Track Process as suggested in the Joint ccNSO SSAC Response. The President and CEO, or his Designee(s), is directed to incorporate the amendment into the Implementation Plan previously adopted by the Board on 30 October 2009 (and amended on 5 November 2013) and implement the amendment as soon as practicable.
Why the Board is addressing the issue?
On 5 November 2013, ICANN organization published an updated Final Implementation Plan for the IDN ccTLD Fast Track Process [PDF, 851 KB] including the Guidelines [PDF, 86 KB] for the Extended Process Similarity Review Panel (EPSRP), implementing the two-panel string similarity review, as per the resolution by the Board on 27 June 2013. Following the update, three eligible IDN ccTLD Fast Track applicants, for Bulgaria (in Cyrillic), European Union (in Greek) and Greece (in Greek), exercised their option to undergo the second similarity review. The EPSRP completed the review and ICANN organization published these reports on 14 October 2014.
For each application, the EPSRP documented its findings with respect to the applied-for string. The reports each included a detailed description of the methodology and results of the experiments for string similarity. The EPSRP did not aggregate its findings for a string based on experiments conducted on uppercase and lowercase forms of the string. The EPSRP concluded that from a visual similarity point of view, uppercase and lowercase characters are distinct entities. And given that there is no scientific or policy basis as to how to combine results of uppercase and lowercase similarity found for IDN ccTLDs, the EPSRP could only provide separate recommendations for each of these forms. Therefore, where the findings of the EPSRP are split based on different findings for confusing similarity for uppercase and lowercase forms of a string, there is no mechanism to deduce single aggregated recommendation of the second string similarity review done by EPSRP.
Based on this experience of the EPSRP analysis, during the third review of the IDN ccTLD Fast Track Process, the community provided public comments raising issues regarding the methodology of the EPSRP, including the assessment of split recommendations (e.g., confusing similarity in uppercase but not in lowercase).
To address these comments, the Board (through resolution 2015.06.25.16) asked the ccNSO, in consultation with other stakeholders, including GAC and SSAC, to provide further guidance on and refinement of the methodology of second string similarity review process, including the interpretation of split recommendations, to be applied to the relevant current and subsequent cases in the IDN ccTLD Fast Track Process as well as to inform the proposed policy for the selection of the IDN ccTLD strings.
The relevant working group of the ccNSO, in collaboration with GAC members, published its report [PDF, 274 KB] for a public comment before finalization. SSAC submitted an alternative view in SAC 084 [PDF, 218 KB] and then in SAC 088 [PDF, 72 KB] and SAC 089 [PDF, 128 KB]. At the request of the Board the ccNSO and SSAC worked together to reach a solution, which ccNSO and SSAC chairpersons provided as a joint response [PDF, 215 KB] to the Board on 19 September 2017.
With this resolution, the Board now concludes the 2015 review of the Fast Track program and moves forward with the update to the Final Implementation Plan for the IDN ccTLD Fast Track Process as suggested in the joint ccNSO and SSAC response. Addressing this issue is aligned with ICANN's Mission as stated at Section 1.1(a)(i) of the ICANN Bylaws: "Coordinates the allocation and assignment of names in the root zone of the Domain Name System." With this outstanding issue cleared, the review cycle for the Implementation Plan can now commence.
What concerns or issues were raised by the community?
SSAC provided initial input in SAC 084 [PDF, 218 KB] and further clarified in SAC 088 [PDF, 72 KB] and SAC 089 [PDF, 128 KB] that in case of a split recommendation "the default finding should be to reject the label if confusability exists in either form", maintaining that the use of principles of conservatism, inclusion and stability following RFC 6912 be applied to processes like EPSRP. However, the ccNSO Council noted the Unicode Technical Report # 36: Unicode Security Considerations states that the "use of visually confusable characters in spoofing is often overstated … [which] account for a small proportion of phishing problems" which may be mitigated by measures suggested in the Unicode report. In joint response, the ccNSO and the SSAC agree on a process to address the concerns raised by SSAC by allowing the requester to propose measures to be reviewed by experts to determine if confusable similarity is effectively mitigated.
What significant materials did the Board review?
The Board has reviewed various materials and factors in its deliberations and in taking its action today. The relevant and significant materials include, but are not limited to, the following:
Final Implementation Plan for IDN ccTLD Fast Track Process [PDF, 851 KB] - 5 Nov. 2013
Guidelines for the Extended Process Similarity Review Panel (EPSRP) for the IDN ccTLD Fast Track Process [PDF, 86 KB] - 4 Dec. 2013
Unicode Technical Report # 36: Unicode Security Considerations – 19 September 2014
Extended Process Similarity Review Panel (EPSRP) Reports for IDN ccTLD Applications – 14 October 2014
Public comments on the annual review of the IDN ccTLD Fast Track process – 17 March 2015
The ICANN Board Resolution 2015.06.25.16 – 25 June 2015
The response to the public comment on the draft report [PDF, 274 KB] by the WG on EPSRP – 20 July 2016
SAC 084: SSAC Comments on Guidelines for the Extended Process Similarity Review Panel for the IDN ccTLD Fast Track Process [PDF, 218 KB] - 31 August 2016
GAC comment on EPSRP Working Group – Public Comment [PDF, 261 KB] – 28 September 2016
SAC 088: SSAC Response to ccNSO Comments on SAC084 [PDF, 72 KB] - 06 November 2016
GAC Advice to Board, Point 7, in the GAC Communiqué at ICANN 57 [PDF, 638 KB] – 8 November 2016
SAC 089: SSAC Response to ccNSO Comments on SAC084 [PDF, 128 KB] - 12 December 2016
ccNSO Letter to ICANN Board re: EPSRP Final Report – 30 January 2017
ccNSO WG on EPSRP – Final Report [PDF, 894 KB] – 6 January 2017
Joint ccNSO SSAC Response to ICANN Board [PDF, 215 KB] - 19 September 2017
What factors did the Board find to be significant?
The Board has noted that the ccNSO and the SSAC members have worked together to converge on an effective mechanism, which addresses the competing concerns raised during the process. IDN ccTLD requestor should propose effective risk mitigation measures to address the security concerns earlier raised by the SSAC.
Are there positive or negative community impacts?
This decision has a positive impact because it clarifies the ambiguity in the second similarity review guidelines, in case of a split recommendation, allowing IDN ccTLD string evaluations to proceed so long as effective risk mitigation measures can be determined and implemented. This decision also supports the public interest through expanding the potential availability of IDN ccTLDs to additional countries and territories in support of local Internet users.
Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?
Upon implementation, there are fiscal impacts because ICANN organization must engage relevant experts to review the mitigation strategies proposed by the requestor.
Are there any security, stability or resiliency issues? What concerns or issues were raised by the community?
The joint response from the SSAC and ccNSO explains that there are four ways uppercase and lowercase forms of the applied-for string can be found confusingly similar. In the first case where neither is found confusingly similar, the string should pass the evaluation. In the second and third cases where the lower case is found confusingly similar, whether uppercase is found confusingly similar or not, the associated risks are too high and difficult to mitigate, so the string should not pass. In the fourth case, where lowercase is not similar but uppercase is confusingly similar, SSAC notes a cautionary approach is appropriate. The joint response notes that SSAC's view is that risk is a continuum and in this fourth case cautionary approach could be for the IDN ccTLD requestor to propose mitigation measures, which are deemed sufficient to reduce the risks to an acceptable level by relevant experts. Only then the string can pass the string similarity evaluation.
Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?
The update suggested by ccNSO was already subject to required public comment after the initial report was drafted. The comments included a response from the GAC in support of the findings and a response from SSAC through SSAC 084 with further responses in SAC 088 and SAC 089 suggesting an alternative approach. To overcome the diverging views that manifested following the public comment, ccNSO and SSAC have worked together to clarify their positions and find common ground, which is presented in their joint response to the Board. Further public comment is not needed to incorporate the adjustment suggested in Final Implementation Plan for the IDN ccTLD Fast Track Process by the joint ccNSO and SSAC response. This is an Organizational Administrative Function for which no public comment is required.