Hi Scott and Pavel,
Please find my comments below.

On 2022-10-24 16:57 Pawel Kowalik wrote:
Hi Scott,

On 19.10.22 at 14:13 Hollenbeck, Scott wrote:

1. How do we address web service clients?
[PK] I think the elements we need for web service clients were already
elaborated in the discussion over the version 17.
I'm happy to support with text proposal if needed.
[SAH] Text would be appreciated. Something like this perhaps?

4.2.5 Web Service Clients

<Paragraph that describes what a web service client is>

4.2.5.1 Web Service Client Login

<Query parameters and/or path segment descriptions>

4.2.5.2 Web Service Client Session Management

<Query parameters and/or path segment descriptions>

[PK] Please find attached my draft on Web Service Clients. Most of it
is based on the concepts of the version 9. Scope "feature" is also
included in the proposal.

Open point would be to add an optional possibility for
confidential/registered clients and some security considerations.

Kind Regards,

Pawel

[ML] Before going into detail with technical aspects, I think we should address some privacy implications connected with the following sentence:

   RDAP server SHOULD merge the scopes requested by the client with the
   scopes needed for authorization purposes when building an
   authorization request to OP.

Since the authorization requests would come from the RDAP server (acting as a registered OpenID client), the request for consent would be for processing claims by the RDAP server. Hence, only the RDAP server should be authorized to process the requested claims. Correct?

In addition, IMO the following aspects related to GDPR should be considered:

- The RDAP server would be entitled to process PII under the consent lawful basis but the RDAP client wouldn't be allowed to leverage such a basis for its own PII processing.

- Usually, domain registries have a web page showing their own Data Protection Policy. In the case where the RDAP server could process PII, the DPP should state (more or less) that the RDAP server processes PII only for making access control decisions and removes it at the end of an authenticated session. The DPP should also ensure that PII is not revealed unintentionally to other parties. That said, I can't see how such a DPP could cover PII processing by an application other than the RDAP server.


What's your opinion?

Best,
Mario
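As an added illustration of the scope-merging step quoted above (this is not text from the draft or from anyone in the thread): the RDAP server, as the registered OpenID client, merges the scopes it needs for its own access-control decisions with the scopes the web service client asked for, and builds the authorization request it redirects the end user to. The OP endpoint, client_id, redirect URI and the "email" scope are assumed sample values; "feature" is the scope name mentioned in Pawel's proposal.

```python
from urllib.parse import urlencode, urlsplit, parse_qs


def merge_scopes(server_required, client_requested):
    """Merge the scopes the RDAP server needs for access control with the
    scopes the web service client requested.

    Server scopes come first, duplicates are dropped, and "openid" is
    always present: without it the OP does not treat the request as an
    OpenID Connect authentication request."""
    merged = []
    for scope in ("openid", *server_required, *client_requested):
        # scope tokens are space-delimited, so a token containing
        # whitespace would silently become several scopes
        if not scope or any(c.isspace() for c in scope):
            raise ValueError(f"invalid scope token: {scope!r}")
        if scope not in merged:
            merged.append(scope)
    return merged


def build_authorization_request(authorization_endpoint, client_id,
                                redirect_uri, state, nonce, scopes):
    """Build the authorization request URL (authorization code flow).

    client_id is the RDAP server's own registration at the OP, so the
    consent the OP asks for covers the RDAP server receiving the claims,
    not the web service client that triggered the login."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return authorization_endpoint + "?" + urlencode(params)


def parse_authorization_request(url):
    """Read the query parameters back out of a request URL (for checks)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # constructed sample values: assumed OP endpoint and client_id
    scopes = merge_scopes(server_required=("email",),
                          client_requested=("feature", "email"))
    print(build_authorization_request(
        "https://op.example/authorize", "rdap-server-client-id",
        "https://rdap.example/oidc/callback", "state123", "nonce456", scopes))
```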


_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
