Peter, I agree that the sentence "The data verified by the VSP MUST be stored by the VSP along with the generated verification code to address any compliance issues." should be changed. The proposal that I posted (https://mailarchive.ietf.org/arch/msg/regext/UWdcY2q-9JkSlASV0UJcUGPJJyQ) to the list is to revise the sentence to "The VSP MUST store the proof of verification and the generated verification code; and MAY store the verified data." and to add text to the Security Considerations section associated with the storage of the verification data. A sentence such as "The Verification Service Provider (VSP) MUST store the verification data in compliance with the applicable privacy laws and regulations.". — JG
James Gould
Distinguished Engineer
jgo...@verisign.com
703-948-3271

12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>

On 10/5/18, 12:10 PM, "regext on behalf of Peter Koch" <regext-boun...@ietf.org on behalf of p...@denic.de> wrote:

    On Fri, Oct 05, 2018 at 09:59:43AM -0400, Andrew Sullivan wrote:

    > and I'm all in favour of that. What you are arguing, however, is in
    > line with the way the IETF ended up doing the BEHAVE WG: we wouldn't

    this case is probably more related to the discussion around RFC 2804.

    > I think it would be quite good for the document to note that it has
    > the implications you are pointing to, which might be a reason for
    > people not to embrace it. The downsides should be noted. But to me,

    There is of course the danger of misinterpretation, even though the
    draft at hand is not necessarily the best example: policy might be
    encouraged by the presence of a technical standard. Just don't run a
    laundry.

        A locality MAY require the client to have data verified in accordance
        with local regulations or laws utilizing data sources not available
        to the server.

        The data verified by the VSP MUST be stored by the VSP along with the
        generated verification code to address any compliance issues.

        The signer certificate and the digital signature of the verification
        code MUST be verified by the server.

    The MAY in the first quote might be accidental, but the first MUST in the
    second definitely is policy rather than protocol.

    -Peter

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
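The last sentence Peter quotes from the draft (the server MUST verify the signer certificate and the digital signature of the verification code) is the protocol part of the text, as opposed to the storage MUST he calls policy. The Python below is an added example, not code from the draft, from this thread, or from any VSP or registry implementation. It shows what that server-side check looks like and what the server then keeps as its own proof of verification, which is the split the revision proposed above makes (store the proof and the code, only optionally the verified data). Everything about the wire format is assumed, since the page does not specify it: the verification code is treated as an opaque UTF-8 string signed with RSA PKCS#1 v1.5 / SHA-256, the signer certificate is issued directly by a single CA the server trusts, and no revocation checking is done. The certificates, keys and the code value `1-abc123` are constructed for the example.

```python
"""
Server-side check of a signed verification code (added illustration).

Assumptions (not from the draft or the thread):
  * the verification code is an opaque UTF-8 string,
  * the VSP signs it with RSA PKCS#1 v1.5 / SHA-256 using a signer key whose
    certificate is issued directly by a CA the server trusts,
  * no revocation checking; a real deployment adds CRL/OCSP and a path builder.
The server keeps the code and a proof-of-verification record, not the
personal data the VSP verified.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_cert(subject_cn, issuer_cn, subject_key, issuer_key, is_ca):
    """Mint a test certificate; sample PKI constructed for the example."""
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def vsp_sign_code(code, signer_key):
    """VSP side: signature over the verification code (assumed RSA-PKCS1v15/SHA-256)."""
    return signer_key.sign(code.encode("utf-8"), padding.PKCS1v15(), hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 exposes tz-aware properties; older releases return naive UTC.
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return (cert.not_valid_before.replace(tzinfo=UTC),
                cert.not_valid_after.replace(tzinfo=UTC))


def server_verify_code(code, signature, signer_cert, trusted_ca, now=None):
    """Server side: verify the signer certificate, then the signature over the code.

    Returns the proof-of-verification record the server would store; raises
    ValueError or InvalidSignature on any failure.
    """
    now = now or datetime.datetime.now(UTC)
    # 1. The signer certificate must be issued by a CA the server trusts.
    if signer_cert.issuer != trusted_ca.subject:
        raise ValueError("signer certificate not issued by a trusted CA")
    trusted_ca.public_key().verify(
        signer_cert.signature, signer_cert.tbs_certificate_bytes,
        padding.PKCS1v15(), signer_cert.signature_hash_algorithm)
    not_before, not_after = _validity(signer_cert)
    if not (not_before <= now <= not_after):
        raise ValueError("signer certificate outside its validity period")
    bc = signer_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    if bc.ca:
        raise ValueError("end-entity signer expected, got a CA certificate")
    # 2. The signature over the verification code must verify under that certificate.
    signer_cert.public_key().verify(
        signature, code.encode("utf-8"), padding.PKCS1v15(), hashes.SHA256())
    # 3. Record only what proves the check happened, not the verified personal data.
    return {
        "verification_code": code,
        "signer": signer_cert.subject.rfc4514_string(),
        "signer_serial": signer_cert.serial_number,
        "verified_at": now.isoformat(),
    }


def demo():
    """Happy path plus two rejections; returns (record, tampered_rejected, rogue_rejected)."""
    ca_key = make_key()
    ca_cert = make_cert("Example VSP CA", "Example VSP CA", ca_key, ca_key, True)
    signer_key = make_key()
    signer_cert = make_cert("Example VSP Signer", "Example VSP CA", signer_key, ca_key, False)
    code = "1-abc123"  # constructed sample verification code
    sig = vsp_sign_code(code, signer_key)
    record = server_verify_code(code, sig, signer_cert, ca_cert)

    def rejected(fn):
        try:
            fn()
        except (ValueError, InvalidSignature):
            return True
        return False

    # Altered code under a valid signer: signature no longer matches.
    tampered = rejected(lambda: server_verify_code("1-abc124", sig, signer_cert, ca_cert))
    # Self-signed signer not issued by the trusted CA: certificate check fails first.
    rogue_key = make_key()
    rogue_cert = make_cert("Rogue Signer", "Rogue Signer", rogue_key, rogue_key, False)
    rogue = rejected(lambda: server_verify_code(
        code, vsp_sign_code(code, rogue_key), rogue_cert, ca_cert))
    return record, tampered, rogue


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the certificate is validated before the signature is, so a signature from a key the server has no reason to trust never gets as far as being "verified". The returned record is the server's proof of verification; what the VSP itself must retain, and under which privacy law, is the policy question the thread is about and is not something this code decides.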