To: <ietf-provreg@cafax.se>
From: "Paul George" <pgeorge@saraf.com>
Date: Wed, 10 Jan 2001 15:04:44 -0500
Importance: Normal
In-Reply-To: <DF737E620579D411A8E400D0B77E671D750475@regdom-ex01.prod.netsol.com>
Sender: owner-ietf-provreg@cafax.se
Subject: RE: Security vs. Authorization

I believe we should ensure data integrity so far as technology is concerned. But, does "data integrity" address the concern I brought up in the first place? Which was: "what role the protocol should play in protecting the entities during each transaction." When I say "entities" I mean ALL entities, not just the Registrar and the Registry.

For example: I am not associated in any way with example.com, yet I request to the Registrar to change the contact information of example.com. I MUST not be allowed to do so, right?

Another example: I am registrar.com, I have registered example.com for person X. A disgruntled employee at registrar.com decides to remove all contact information from the Registry for example.com without X's knowledge. He/she MUST not be allowed to do so, right?

So the question is, do we rely solely on policy to protect against these things? Or are there technological means to ensure that I cannot do this?

I submit to the group that there are technological means to ensure this; and furthermore, it should be addressed in the protocol.

Sections that address these concerns are (usually the last sentence) in:

3.6 [4]
3.7 [6] & [7]
3.8 [3]
3.10 [4]
3.11 [4]

Is it implied or assumed that these sentences apply to all parties involved? Or do we need text acknowledging the "little guy", aka. the "registrant"?

Paul George
SARAF Software Solutions
(703)538-5666 x234

-----Original Message-----
From: owner-ietf-provreg@cafax.se [mailto:owner-ietf-provreg@cafax.se] On Behalf Of Hollenbeck, Scott
Sent: Wednesday, January 10, 2001 2:22 PM
To: ietf-provreg@cafax.se
Subject: RE: Security vs. Authorization

Bill and I have exchanged some private messages about his thought. I have some concerns about how difficult it could be to address the business and/or legal aspects involved, and Bill believes that the technical considerations on ensuring data integrity are fair game for provreg. Does anyone have any views of their own that they'd like to express?

<Scott/>

> -----Original Message-----
> From: Bill Manning [mailto:bmanning@ISI.EDU]
> Sent: Wednesday, January 10, 2001 11:44 AM
> To: shollenbeck@verisign.com
> Cc: Olivier.Guillard@nic.fr; ietf-provreg@cafax.se
> Subject: Re: Security vs. Authorization
>
> % > Are you sure that the registrar is the only one entitled to
> % > perform any change?
> %
> % There should be only one registrar authorized to change an object,
> % but they should do so either on behalf of a registrant or pursuant
> % to whatever legal arrangement exists between registrar and registrant.
> %
> % <Scott/>
>
> I think that this might be problematic. There should be a
> method to allow "override" in the event the single authorized
> registrar is unwilling/unable to make the change.