Resources for ICANN’s approach to GDPR compliance

These resources offer valuable input to developing relevant standards in any potential ICANN access model. They are derived from the Technical Study Group Report of March 6, 2019.

WHOIS Protocol Specification
https://datatracker.ietf.org/doc/rfc3912/

HTTP Usage in the Registration Data Access Protocol (RDAP)
https://datatracker.ietf.org/doc/rfc7480/

Security Services for the Registration Data Access Protocol (RDAP)
https://datatracker.ietf.org/doc/rfc7481/

Registration Data Access Protocol (RDAP) Query Format
https://datatracker.ietf.org/doc/rfc7482/

JSON Responses for the Registration Data Access Protocol (RDAP)
https://datatracker.ietf.org/doc/rfc7483/

Finding the Authoritative Registration Data (RDAP) Service
https://datatracker.ietf.org/doc/rfc7484/

Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
https://tools.ietf.org/html/rfc7525

OpenID Connect
https://openid.net/connect/

OAuth 2.0
https://oauth.net/2/

Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect
https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-openid/

OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens
https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/

Appendix 1. Frameworks and Guidelines for Secure Deployment of RDAP

Information Security

ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
https://www.iso.org/standard/54534.html?browse=tc

ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
https://www.iso.org/standard/54533.html?browse=tc

SP 800-171 Rev. 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations
https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

Risk Management

ISO 31000:2018 Risk management — Guidelines
https://www.iso.org/standard/65694.html

SP 800-30 Rev. 1 Guide for Conducting Risk Assessments
https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Business continuity

ISO 22301:2012 Societal security — Business continuity management systems — Requirements
https://www.iso.org/standard/50038.html

SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems
https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final

Incident Response

ISO/IEC 27035-1:2016 Information technology — Security techniques — Information security incident management — Part 1: Principles of incident management
https://www.iso.org/standard/60803.html

ISO/IEC 27035-2:2016 Information technology — Security techniques — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
https://www.iso.org/standard/62071.html

ISO/IEC CD 27035-3 Information technology — Security techniques — Information security incident management — Part 3: Guidelines for incident response operations
https://www.iso.org/standard/74033.html

SP 800-61 Rev. 2 Computer Security Incident Handling Guide
https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

Credential Management

SP 800-63-3 Digital Identity Guidelines
https://csrc.nist.gov/publications/detail/sp/800-63/3/final

SP 800-63A Digital Identity Guidelines: Enrollment and Identity Proofing
https://csrc.nist.gov/publications/detail/sp/800-63a/final

SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management
https://csrc.nist.gov/publications/detail/sp/800-63b/final

SP 800-63C Digital Identity Guidelines: Federation and Assertions
https://csrc.nist.gov/publications/detail/sp/800-63c/final

SAC 074 | SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle
https://www.icann.org/resources/files/1194801-2015-11-03-en

ISO 21188:2018 Public key infrastructure for financial services — Practices and policy framework
https://www.iso.org/standard/63134.html