Gurshabad, Can you provide your latest proposed section(s) on the list for consideration by the WG?
Thanks, — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 1/2/19, 11:44 AM, "Gould, James" <jgo...@verisign.com> wrote: Gurshabad, For the defined purpose of draft-ietf-regext-verificationcode, the VSP needs to be defined as an entity, but the VSP's verification process is not defined and is out-of-scope. The use of examples in an IETF draft does not classify as guidance. The only obligation of the VSP within draft-ietf-regext-verificationcode is to generate a technically compliant verification code and to store the proof of verification and the generated verification code. There is no concrete definition defined within draft-ietf-regext-verificationcode of: - the forms of verifications performed by a VSP, - the data that must be passed for verification, - how the verification data is processed, - the data sources that are used to perform the verification, - the interface(s) or protocol(s) used by a VSP, and - other policies and technical details of a VSP. The majority of your considerations (Privacy and identified paragraphs from the HR) is focused on the policies and interfaces / protocols of the VSP that is by design out-of-scope from draft-ietf-regext-verificationcode. My recommendation is to strictly focus your proposed considerations text on the scope of draft-ietf-regext-verificationcode, that includes the definition of the verification code (e.g., digitally signed, typed identifier that provides proof of verification) and the passing of the verification code between the client (registrar) and the server (registry) over EPP. > I recommend that inclusion of these sort of elements be brought up to > the IETF-level. Not sure what you mean here. I think there is enough clarity from the chairs and the IESG that it is entirely up to the WG about what to include in the WG draft. [0][1][2] Yes, it is my position that the proposed text included in your proposed sections as non-technical and focused on policy elements that the WG is not qualified to discuss and come to consensus on. If you desire to have these sort of sections in WG drafts, it is best for it to be handled at the IETF-level and not at the WG-level. Can you provide your latest proposed section(s) on the list for consideration by the WG? We also need to continue to hear from others in the working group. Thanks, — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 12/28/18, 5:49 AM, "Gurshabad Grover" <gursha...@cis-india.org> wrote: On 26/12/18 8:02 PM, Gould, James wrote: > [...] The thread with Andrew Newton did not clarify the applicability of the Privacy Considerations, but addressed two technical issues related to fixing the described relationship of the client with the server, and fixing the inappropriate inclusion of a normative policy statement. The clearly out of scope elements of the HR Considerations section include the following bulleted items that are only associated with the VSP, and have nothing to do with draft-ietf-regext-verificationcode. [...] > For the context of the considerations, let's look at some text from the draft: "The VSP has access to the local data sources and is authorized to verify the data. Examples include verifying that the domain name is not prohibited and verifying that the domain name registrant is a valid individual, organization, or business in the locality." "It is up to the VSP and the server to define the valid values for the "type" attribute. Examples of possible "type" attribute values include "domain" for verification of the domain name, "registrant" for verification of the registrant contact, or "domain-registrant" for verification of both the domain name and the registrant. The typed signed code is used to indicate the verifications that are done by the VSP." "The VSP MUST store the proof of verification and the generated verification code; and MAY store the verified data." So, the draft (1) describes the role of the VSP; (2) has guidance on what types of verification the VSP can perform; and (3) places certain obligations on the VSP. So, I think it's unfair to say that considerations that touch upon the VSP's role "have nothing to do with draft-ietf-regext-verificationcode." Re: text of the considerations... The proposed privacy considerations rely entirely on the draft and the guidance in RFC6973 (very commonly used across working groups to write privacy considerations). Specifically, the excerpts above and the following items in RFC6973: * "Are there expected ways that information exposed by the protocol will be combined or correlated with information obtained outside the protocol?" [3] * "Does the protocol provide ways for initiators to express individuals' preferences to recipients or intermediaries with regard to the collection, use, or disclosure of their personal data?" [4] The proposed text addresses these, and in fact, uses terminology from only the draft and RFC6973. Similarly, most HR considerations directly follow from the privacy considerations and rely on guidance in RFC8280. Specifically, * "Can your protocol contribute to filtering in such a way that it could be implemented to censor data or services?" [5] * "What is the potential for discrimination against users of your protocol?" [6] Open to further discussing the rationale behind the proposed text. Would also like to hear what others think. Thank you. Gurshabad PS. > I recommend that inclusion of these sort of elements be brought up to > the IETF-level. Not sure what you mean here. I think there is enough clarity from the chairs and the IESG that it is entirely up to the WG about what to include in the WG draft. [0][1][2] [0] https://youtu.be/LYYehA0LNRc?t=8690 [1] https://www.ietf.org/mail-archive/web/regext/current/msg01991.html [2] https://www.ietf.org/mail-archive/web/regext/current/msg01993.html [3] https://tools.ietf.org/html/rfc6973#section-7.1 [4] https://tools.ietf.org/html/rfc6973#section-7.2 [5] https://tools.ietf.org/html/rfc8280#section-6.2.6 [6] https://tools.ietf.org/html/rfc8280#section-6.2.13 _______________________________________________ regext mailing list regext@ietf.org https://www.ietf.org/mailman/listinfo/regext
