Re: grrp-reqs-06, 3.2 Identification and Authentication [3]

[Kent Crispin <kent@songbird.com>]

On Wed, Feb 14, 2001 at 02:05:39PM -0500, Eric Brunner-Williams in Portland Maine wrote:
>> My guess is that many elements of data policy that you are describing will 
>> be implemented by the registry or registrar outside of the context of this 
>> protocol.
> 
> Jordyn,
> 
> Assume that R-* entity [i] has data collection policy A.
> Assume that R-* entity [j] has data collection policy B.
> 
> Assume also that R-* entity [i] and R-* entity [j] identify and authenticate
> each other.
> 
> May they exchange Registrant technical data?
> May they exchange Registrant social data?

[...]

>How the data policies are implemented is (implementation specific). How they
>are announced, let alone "negociated" is a protocol requirement, assuming that
>policy differences do in fact exist. I think they do.

In virtually all cases we can expect that policies will largely be
expressed in legal documents drawn between the R-* parties.  It is hard
for me to imagine that we can design a protocol with sufficient power to
convey any significant policy, other than identification of the
particular policy.  Identification of the policy in force for a
particular record could be a text string identifying a contract, or some
other repository of policy information. 

I believe that I am agreeing with both of the above posters :-)

In a multiple registry environment, a single registrar could deal with
multiple registries, and thus have to deal with multiple policies
simultaneoulsy.  This seems to indicate that registrars would in the
long run tend to a least common denominator of access, because keeping
track of multiple policies would be too complex.  As is commonly the
case in such a situation, we might expect standardization of policy
terms. 

-- 
Kent Crispin                               "Be good, and you will be
kent@songbird.com                           lonesome." -- Mark Twain