To:
"Jordyn A. Buchanan" <jordyn@register.com>
cc:
Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>, shollenbeck@verisign.com, Andre.Cormier@viagenie.qc.ca, ietf-provreg@cafax.se, brunner@nic-naa.net
From:
Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>
Date:
Wed, 14 Feb 2001 14:05:39 -0500
In-Reply-To:
Your message of "Wed, 14 Feb 2001 12:33:13 EST." <5.0.2.1.0.20010214120909.0454aff8@mail.register.com>
Sender:
owner-ietf-provreg@cafax.se
Subject:
Re: grrp-reqs-06, 3.2 Identification and Authentication [3]
> My guess is that many elements of data policy that you are describing will > be implemented by the registry or registrar outside of the context of this > protocol. Jordyn, Assume that R-* entity [i] has data collection policy A. Assume that R-* entity [j] has data collection policy B. Assume also that R-* entity [i] and R-* entity [j] identify and authenticate each other. May they exchange Registrant technical data? May they exchange Registrant social data? To clairify (I hope), assume that R-* entity [i]'s data collection policy is: purpose is "current" data may be used by the service provider to complete the activity for which it was provided (registration), recipient is "ours" ourselves and/or our entities acting as our agents or entities for whom we are acting as an agent, retention is "stated-purpose" data is retained to meet the stated purpose for which it was provided (registration), discard earliest possible, and access is "all" all data may be subsequently modified by the originator (registrant modification, mentioned by paf) and assume that R-* entity [j]'s data collection policy is: purpose is "current" (above) and "telemarketing" data may be used to contact the individual via a voice telephone call for promotion of a product or service, recipient is "ours" (above) and "unrelated" or "public" legal entities whose data usage practices are not known by the original service provider, or bulletin boards, public directories, or commercial CD-ROM directories retention is "stated-purpose" (above) and "indefinitely" (obvious) and access is "none" (obvious) Assuming that [i] is "downstream" of [j] (in the no-reseller case, [i] is the RegistRAR and [j] is the RegisTRY: This effects "repurposing", "redistribution" or "publication", a term I can't think of (though I know of a registry operator which claimed it had a right to indefinite registry data retention, independent of any operational status), and introduces inconsistent cache semantics (Registrant's write-access through a series of R-* "caches" to a Registry). This example is worse than using the (current) data collection statutory regime in the US for data originating in the EC, but non-negligible differences exist, and most of the root delegations follow the principle of political geography and delegated jurisdiction. Note these data collection policies are not specific to any particular datum (or object) within a flow between R-* entities, any more than are the A & I policies. How the data policies are implemented is (implementation specific). How they are announced, let alone "negociated" is a protocol requirement, assuming that policy differences do in fact exist. I think they do. Eric