On 12/19/18 4:19 PM, Andrew Newton wrote:
> On Wed, Dec 19, 2018 at 5:22 AM Gurshabad Grover
> <gursha...@cis-india.org> wrote:
>>
>>
>> Privacy Considerations
>> ----------------------
>> The working of the described extension depends on the sharing of data of
>> (or generated by) registrants with the Verification Service Provider
>> (VSP), which is a third party. The specification leaves the scope of
>> information shared with and stored by the VSP up to the policies of the
>> locality. There may be no mechanisms for registrants to express
>> preference for what information should be shared with the VSP, in which
>> case, registrants' sensitive personal information directly linked to the
>> identities of the individual, such as contained in the contact mapping
>> object, may be exposed to the VSP without user control. This personal
>> information may be further correlated with other data sources available
>> to the VSP.
>>
>> If a client seeks to implement or offer this extension, it MUST inform
>> the registrant about the exact information to be shared with the VSP.
>>
>
> I disagree with the MUST. What the registrant is informed of or not is
> entirely a policy matter and not up to the IETF. At best, this should
> be a lowercase "should".
>
The distinction between policy and technology seems superficial here. The
creation of the possibility of using a VSP in EPP can also be seen as a policy
decision.
Unless you could provide a clear definition for the distinction of course.
Best,
Niels
> -andy
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext
>
--
Niels ten Oever
Researcher and PhD Candidate
Datactive Research Group
University of Amsterdam
PGP fingerprint 2458 0B70 5C4A FD8A 9488
643A 0ED8 3F3A 468A C8B3