On 19/12/18 2:34 AM, Andrew Newton wrote:
> 
> I thought the token was passed by the EPP client (registrar) to the
> EPP server (registry), the purpose of which is to show that the
> verification occurred before the transaction.
> 
Thanks for pointing that out. A better way to phrase my concern would
have been that the extension's functioning is dependent on data being
shared with the VSP. The draft does describe some (not all of the
necessary) aspects of that data sharing.

Agree that the text could have been more accurate in reflecting that.
Changes are incorporated below (will review the HRC section again in
this light as well); for now, hope this reads better:

Privacy Considerations
----------------------
The working of the described extension depends on the sharing of data of
(or generated by) registrants with the Verification Service Provider
(VSP), which is a third party. The specification leaves the scope of
information shared with and stored by the VSP up to the policies of the
locality. There may be no mechanisms for registrants to express
preference for what information should be shared with the VSP, in which
case, registrants' sensitive personal information directly linked to the
identities of the individual, such as contained in the contact mapping
object, may be exposed to the VSP without user control. This personal
information may be further correlated with other data sources available
to the VSP.

If a client seeks to implement or offer this extension, it MUST inform
the registrant about the exact information to be shared with the VSP.

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
