[as an individual]
On 12/19/18 9:40 AM, Niels ten Oever wrote:
> On 12/19/18 4:19 PM, Andrew Newton wrote:
>> On Wed, Dec 19, 2018 at 5:22 AM Gurshabad Grover
>> <gursha...@cis-india.org> wrote:
>>> Privacy Considerations
>>> ----------------------
>>> The working of the described extension depends on the sharing of data of
>>> (or generated by) registrants with the Verification Service Provider
>>> (VSP), which is a third party. The specification leaves the scope of
>>> information shared with and stored by the VSP up to the policies of the
>>> locality. There may be no mechanisms for registrants to express
>>> preference for what information should be shared with the VSP, in which
>>> case, registrants' sensitive personal information directly linked to the
>>> identities of the individual, such as contained in the contact mapping
>>> object, may be exposed to the VSP without user control. This personal
>>> information may be further correlated with other data sources available
>>> to the VSP.
>>>
>>> If a client seeks to implement or offer this extension, it MUST inform
>>> the registrant about the exact information to be shared with the VSP.
>>
>> I disagree with the MUST. What the registrant is informed of or not is
>> entirely a policy matter and not up to the IETF. At best, this should
>> be a lowercase "should".
>
> The distinction between policy and technology seems superficial here. The
> creation of the possibility of using a VSP in EPP can also be seen as a policy
> decision.

No, Andrew is correct here. This is not a place for normative language.
The guidance seems reasonable, but the formulation is overreaching. I
would propose: "Clients are encouraged to inform registrants about the
exact information to be shared with the VSP."
/a
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext