To: "Jordyn A. Buchanan" <jordyn@register.com>
cc: Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>, shollenbeck@verisign.com, Andre.Cormier@viagenie.qc.ca, ietf-provreg@cafax.se, brunner@nic-naa.net
From: Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>
Date: Wed, 14 Feb 2001 14:05:39 -0500
In-Reply-To: Your message of "Wed, 14 Feb 2001 12:33:13 EST." <5.0.2.1.0.20010214120909.0454aff8@mail.register.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: grrp-reqs-06, 3.2 Identification and Authentication [3]

> My guess is that many elements of data policy that you are describing will 
> be implemented by the registry or registrar outside of the context of this 
> protocol.

Jordyn,

Assume that R-* entity [i] has data collection policy A.
Assume that R-* entity [j] has data collection policy B.

Assume also that R-* entity [i] and R-* entity [j] identify and authenticate
each other.

May they exchange Registrant technical data?
May they exchange Registrant social data?

To clarify (I hope), assume that R-* entity [i]'s data collection policy is:

purpose is "current"	data may be used by the service provider to complete
			the activity for which it was provided (registration),
recipient is "ours"	ourselves and/or our entities acting as our agents or
			entities for whom we are acting as an agent,
retention is "stated-purpose"
			data is retained to meet the stated purpose for which
			it was provided (registration), discard earliest
			possible,
and
access is "all"		all data may be subsequently modified by the originator
			(registrant modification, mentioned by paf)

and assume that R-* entity [j]'s data collection policy is:

purpose is "current" (above) and "telemarketing"
			data may be used to contact the individual via a
			voice telephone call for promotion of a product or
			service,
recipient is "ours" (above) and "unrelated" or "public"
			legal entities whose data usage practices are not
			known by the original service provider, or
			bulletin boards, public directories, or commercial
			CD-ROM directories
retention is "stated-purpose" (above) and "indefinitely" (obvious)
and
access is "none" (obvious)

Assuming that [i] is "downstream" of [j] (in the no-reseller case, [i] is the
RegistRAR and [j] is the RegisTRY):

This effects "repurposing", "redistribution" or "publication", a term I can't
think of (though I know of a registry operator which claimed it had a right
to indefinite registry data retention, independent of any operational status),
and introduces inconsistent cache semantics (Registrant's write-access through
a series of R-* "caches" to a Registry). This example is worse than using the
(current) data collection statutory regime in the US for data originating in
the EC, but non-negligible differences exist, and most of the root delegations
follow the principle of political geography and delegated jurisdiction.

Note these data collection policies are not specific to any particular datum
(or object) within a flow between R-* entities, any more than are the A & I
policies.

How the data policies are implemented is (implementation specific). How they
are announced, let alone "negotiated" is a protocol requirement, assuming that
policy differences do in fact exist. I think they do.

Eric
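
The two announced policies from the message above, compared mechanically. This is an added example, not part of the original message or of any provreg draft. The `DataPolicy` type, the `flow_conflicts` function, and the rule that a flow is consistent only when the receiver announces nothing beyond what the sender announced are assumptions made for illustration.

```python
# Added example: policy values come from the message; the comparison rule is an assumption.
from dataclasses import dataclass

@dataclass(frozen=True)
class DataPolicy:
    purpose: frozenset
    recipient: frozenset
    retention: frozenset
    access: str  # "all" or "none", as in the message

# What an excess on each dimension amounts to, using the message's terms where it has them.
EFFECT = {
    "purpose": "repurposing",
    "recipient": "redistribution/publication",
    "retention": "extended retention",
}

def flow_conflicts(sender: DataPolicy, receiver: DataPolicy) -> list:
    """List (dimension, effect, detail) for each way the receiver's
    announced policy exceeds what the sender announced."""
    conflicts = []
    for dim, effect in EFFECT.items():
        extra = getattr(receiver, dim) - getattr(sender, dim)
        if extra:
            conflicts.append((dim, effect, sorted(extra)))
    # The originator can modify data at the sender but not at the receiver,
    # so the copies held along the chain can diverge.
    if sender.access == "all" and receiver.access != "all":
        conflicts.append(("access", "inconsistent cache semantics", [receiver.access]))
    return conflicts

# R-* entity [i] and R-* entity [j] exactly as described in the message.
POLICY_I = DataPolicy(frozenset({"current"}), frozenset({"ours"}),
                      frozenset({"stated-purpose"}), "all")
POLICY_J = DataPolicy(
    frozenset({"current", "telemarketing"}),
    frozenset({"ours", "unrelated", "public"}),
    frozenset({"stated-purpose", "indefinitely"}),
    "none",
)

if __name__ == "__main__":
    # Data flows from [i] (RegistRAR) to [j] (RegisTRY).
    for dim, effect, detail in flow_conflicts(POLICY_I, POLICY_J):
        print(f"{dim}: {effect} -> {detail}")
```

Both entities can identify and authenticate each other and this check still reports four conflicts, which is why the announcement of data policy has to be carried separately from the A & I policies.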
