To:
ietf-provreg@cafax.se
From:
Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>
Date:
Mon, 09 Apr 2001 13:41:19 -0400
Sender:
owner-ietf-provreg@cafax.se
Subject:
Registrant Access (Data Protection/Privacy)
In a note sent to both the provreg and whois lists earlier this year,
Patrik Faltstrom mentioned registrant access in the context of data
protection. More recently, Sheer noted that while specific requirements
are "local", e.g., specific "data-access" functional requirements, the
abstract form is of general interest.
Here is a fragment (draft forthcomming, RSN!!!) on access policy and its
expression in ABNF (grammer representation of XML syntax) and in XSD.
Modified from http://www.w3.org/TR/P3P/#ACCESS [1]
The <ACCESS> element is defined as the ability of registrant to view
registrant originated data and address questions or concerns to the
registration service provider. Registration service providers MUST
disclose one value for the access attribute. The method of access is
not specified. (Note this has _nothing_ to do with whois:43 or whois:xx
"access", which is outside the scope of a provisioning protocol.)
The ACCESS element must contain one of the following elements:
<social/> access is provided to all social data only
<technical/> access is provided to all technical data only
<all/> access is provided to all technical and social data
<noaccess/> registrant data exists but access is not provided
<null/> registrant data is not persistent
The (P3P-consistent) ABNF for this is:
access = "<ACCESS>"
access_disclosure
*extension
"<ACCESS>"
access_disclosure = "<social/>" | ; socal data only
"<technical/>" | ; technical data only
"<all/>" | ; all data
"<noaccess/>" | ; access not provided
"<null/>" | ; data not persistent
This ends the modification of Section 3.2.5 of the current (CR'ed) P3P Spec
for a Registrar-Registry provisioning protocol, using XML element-attribute
formalism to deliver a provreg (work-in-progress) vocabulary.
At this point there are three issues to resolve:
1. Does the set of access_disclosure attributes cover the R* problem
space discussed in the provreg WG list?
and
2. Is the XML consistent with our current usage cases for XML encoding
of R* entity policy and registrANT data?
and
3. Is "The method of access is not specified" adequate for this WG?
The first and third items are up to the R* implementors and observing protocol
and policy wonks to discuss.
The second item is partially addressed by the following xml schema fragment,
which does not (yet) have a general "POLICY" element within which to hang an
"ACCESS" element, or other elements, e.g., "PURPOSE" (also previously discussed
in this working group mailing list), "RECIPIENT", etc. I've used "abc" below,
it could just as well be "epp" or "xrp" or "abc".
<!--
Access element, modification of www.w3.org/TR/P3P/#ACCESS
-->
<element name='ACCESS'>
<complexType name="access-value">
<sequence>
<choice>
<element name='social' type='abc:access-value'/>
<element name='technical' type='abc:access-value'/>
<element name='all' type='abc:access-value'/>
<element name='noaccess' type='abc:access-value'/>
<element name='null' type='abc:access-value'/>
</choice>
<element ref='abc:EXTENSION' minOccurs='0' maxOccurs='unbounded'/>
</sequence>
</complexType>
</element>
Comments and corrections please.
Eric
References:
[1] The Platform for Privacy Preferences 1.0 (P3P1.0) Specification
W3C Candidate Recommendation 15 December 2000, Section 3.2.5
http://www.w3.org/TR/2000/CR-P3P-20001215