Hi! Rob!

> -----Original Message-----
> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Robert Wilton via
> Datatracker
> Sent: Thursday, February 4, 2021 6:20 AM
> To: The IESG <i...@ietf.org>
> Cc: oauth-cha...@ietf.org; draft-ietf-oauth-jwt-introspection-
> respo...@ietf.org; oauth@ietf.org
> Subject: [OAUTH-WG] Robert Wilton's Discuss on draft-ietf-oauth-jwt-
> introspection-response-10: (with DISCUSS)
> 
> Robert Wilton has entered the following ballot position for
> draft-ietf-oauth-jwt-introspection-response-10: Discuss
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Hi,
> 
> Thank you for this document.
> 
> I have a couple of process related questions regarding the legal aspects
> considered in chapter 9 on privacy that I would like to discuss with the other
> ADs on the telechat (hence raising it as a Discuss).
> 
> My two questions are:
> 
> (1) Is it appropriate for an RFC to specify requirements relating to legal
> issues and laws?  Note, I think that the guidance that it provides is really
> helpful and should be included in the document, but I'm a bit concerned as to
> whether a standards track RFC should be stating formal
> requirements/constraints related to enforcing legal requirements rather than
> providing non-normative guidance.
>
> (2) Related to the first question, if the IESG believes that providing
> such requirements is okay, a further question is whether using RFC 2119
> language is appropriate, or whether this should use regular English?
> 
> An example from section 9:
> 
>    The AS MUST ensure a
>    legal basis exists for the data transfer before any data is released
>    to a particular RS.  The way the legal basis is established might
>    vary among jurisdictions and MUST consider the legal entities
>    involved.

I can see your point.  I believe this language is here to make a very strong 
statement on the need for operational policies that conform to the variety of 
privacy laws which often govern some of this data.

I'll let the authors/co-chairs comment.  To start the discussion, let me 
propose rough text that dilutes the legal mandate a bit but tries to keep the 
spirit of the intent.  

NEW
The AS MUST conform to jurisdictional constraints for the data transfer before 
any data is released to a particular RS.  These constraints will vary by 
jurisdiction; their details, and determining which of them apply to this release to 
RSs, are outside the scope of this document.

Regards,
Roman

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth