I am OK with clarifying the description as privacy/data protection policy. I don't think it needs privacy in the parameter name.

On Jul 8, 2014, at 2:59 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
> I agree with Nat’s assessment. I’m fine updating the textual description of
> the parameter, but we should not consider breaking changes to the parameter
> names at this point.
>
> Do you have specific wording in mind, Hannes?
>
> -- Mike
>
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
> Sent: Tuesday, July 08, 2014 6:26 AM
> To: Hannes Tschofenig
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Dynamic Client Registration: policy_uri
>
> I am not against using the term "Privacy Policy" in the description.
> Depending on the jurisdiction and language, direct translation of such
> can be "Data Protection Policy", "Personal Data Protection Policy", etc.,
> instead so just dodging it by avoiding the label would be more politically
> neutral, but it could be fine after all.
>
> I am not fine with changing the parameter name though.
> Slight variations in the parameter between the specs generally do not help
> the developers.
>
> Nat
>
>
> 2014-07-08 21:50 GMT+09:00 Hannes Tschofenig <hannes.tschofe...@gmx.net>:
> For example, even Facebook calls this stuff "Privacy Policy URL".
>
> On 07/08/2014 02:43 PM, Nat Sakimura wrote:
> > policy_uri came down from OpenID Connect Dynamic Client Registration 1.0
> > [1].
> >
> > It goes:
> >
> > policy_uri
> >     OPTIONAL. URL that the Relying Party Client provides to the End-User
> >     to read about the how the profile data will be used. The value of
> >     this field MUST point to a valid web page. The OpenID Provider
> >     SHOULD display this URL to the End-User if it is given. If desired,
> >     representation of this Claim in different languages and scripts is
> >     represented as described in Section 2.1
> >     <http://openid.bitbucket.org/openid-connect-registration-1_0.html#LanguagesAndScripts>.
> >
> > It is clearly privacy related. In fact, it used to be a part of OpenID
> > Connect Core in which the RP had to send it to obtain the permission. It
> > is optional only because in certain enterprise type setting, it is
> > unnecessary. In the consumer case, I regard it as essential. In any
> > case, this is something a trust framework should set as its rule, and
> > not the protocol itself.
> >
> > The draft -18 text goes:
> >
> > policy_uri
> >     URL that points to a human-readable Policy document for the
> >     client. The authorization server SHOULD display this URL to the
> >     end-user if it is given. The policy usually describes how an
> >     end-user's data will be used by the client. The value of this field
> >     MUST point to a valid web page. The value of this field MAY be
> >     internationalized, as described in Section 2.2
> >     <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-18#section-2.2>.
> >
> >
> > It has been converted to be a bit vague. I would +1 to tighten it up.
> > Note that there is tos_uri to describe the Terms of Service by the
> > client and policy_uri is not intended for this purpose but only for the
> > service/client's privacy policy.
> >
> > BTW, I just found that a lot of the text is more or less the duplicate or
> > re-statement of [1]. IMHO, it should try to refer to the original document
> > where possible as it is a referable standard, and put [1] in the
> > Reference section as well.
> >
> > Best,
> >
> > Nat
> >
> > [1] http://openid.net/specs/openid-connect-registration-1_0.html
> >
> >
> > 2014-07-08 21:10 GMT+09:00 Hannes Tschofenig <hannes.tschofe...@gmx.net>:
> >
> >     Hi all,
> >
> >     in two earlier reviews I have noticed that the policy_uri meta-data
> >     attribute is not correctly specified. I offered a suggestion and in both
> >     cases my request was ignored.
> >
> >     Maybe there is a reason to reject my request but I am uncertain about
> >     the relationship with another meta-data attribute, the terms-of-service
> >     attribute.
> >
> >     Here is what I said in my last review:
> >     http://www.ietf.org/mail-archive/web/oauth/current/msg12879.html
> >
> >     "
> >     policy_uri: In my previous review I argued that the right terminology
> >     here is privacy notice and you can even re-use the IAPP terminology.
> >     Unless the policy URI has nothing to do with privacy I would prefer this
> >     terminology change. If you disagree I would prefer to have a
> >     description about what policy means in this context.
> >     "
> >
> >     Could you guys explain?
> >
> >     Ciao
> >     Hannes
> >
> >
> >     _______________________________________________
> >     OAuth mailing list
> >     OAuth@ietf.org
> >     https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> >
> >
> > --
> > Nat Sakimura (=nat)
> > Chairman, OpenID Foundation
> > http://nat.sakimura.org/
> > @_nat_en
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en