Dear Ben,
Thanks for your suggestions. I think I can add this paragraph in the section of 
security consideration.

The organization object may have personally identifiable information, such as 
<org:contact>. This information is not a required element in this document and 
can be provided on a voluntary basis. If it is provided, both client and 
server MUST ensure that authorization information is stored and exchanged with 
high-grade encryption mechanisms to provide privacy services, which is 
specified in RFC5733. The security considerations described in [RFC5730] or 
those caused by the protocol layers used by EPP will apply to this 
specification as well.

Regards,
Linlin


Linlin Zhou
 
From: Ben Campbell
Date: 2018-10-25 10:08
To: Linlin Zhou
CC: iesg; regext-chairs; Pieter Vandepitte; draft-ietf-regext-org; regext
Subject: Re: [regext] Ben Campbell's No Objection on draft-ietf-regext-org-11: 
(with COMMENT)


On Oct 24, 2018, at 8:50 PM, Linlin Zhou <zhoulin...@cnnic.cn> wrote:

Dear Ben,
Maybe I did not make this item clear. I'd like to give some more 
explanation. You are right that the EPP organization object may have a 
<contact> element, but this is not required information. There may be some 
possibilities, as follows:
1. If the organizations do not want to provide this information, to protect 
their privacy, the <contact> could be empty.
2. If the organizations have no issues with privacy, they can input the 
contact identifier created according to RFC5733.
    a. In RFC5733, required info including contact id, contact name, city, 
country code, email and authentication info.
    b. Optional info including contact organization, street, state or province, 
postal code, voice, fax and disclose elements choices.
"Authorization information is REQUIRED to create a contact object. ......Both 
client and server MUST ensure that authorization information is stored and 
exchanged with high-grade encryption 
mechanisms to provide privacy services." was specified in RFC5733.

The organization object may have personally identifiable information, such as 
<org:contact>. This information is not a required element in this document and 
can be provided on a voluntary basis. If it is provided, both client and 
server MUST ensure that authorization information is stored and exchanged with 
high-grade encryption mechanisms to provide privacy services, which is 
specified in RFC5733.

Hi,

Your last paragraph above is the sort of thing I had in mind. It would be 
helpful to include it in the draft. I

Thanks!

Ben.


Regards,
Linlin


Linlin Zhou
 
From: Ben Campbell
Date: 2018-10-25 01:32
To: Linlin Zhou
CC: iesg; regext-chairs; Pieter Vandepitte; draft-ietf-regext-org; regext
Subject: Re: [regext] Ben Campbell's No Objection on draft-ietf-regext-org-11: 
(with COMMENT)
Thanks for your response. It all looks good, except for one item below:

Thanks!

Ben.

On Oct 24, 2018, at 5:05 AM, Linlin Zhou <zhoulin...@cnnic.cn> wrote:


[...]

 
§9: The org element can contain contact information, possibly including
personally identifiable information of individuals. Doesn’t this have privacy
implications that should be discussed here or in a privacy considerations
section?
[Linlin] This document is an object extension of EPP that follows all the 
security requirements for EPP. We do not hope to add any more security 
considerations in this document. So this element can be "zero" if you do not 
want to provide it.
 

I don’t understand how your answer addresses my question. As far as I can tell, 
this document creates a new object that can contain personally identifiable 
information (PII). Is that incorrect?

Is there text in EPP that already talks about PII that can be cited?


[...]

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext