To: "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Date: Thu, 5 Jul 2001 08:42:22 -0400
Sender: owner-ietf-provreg@cafax.se
Subject: Data Collection Requirements

While we're back in the requirements document to address the comments
received from the IESG, I'd like to address another requirements topic: data
collection requirements as described in section 8.4, specifically the last
sentence of 8.4-[1]:

"A generic protocol MUST provide services to identify data collection
policies."

I've been struggling with the protocol design aspects of this requirement,
and have spent a considerable amount of time reviewing the W3C's P3P work to
see how it might be useful as originally suggested by Eric Brunner-Williams.
Here's my dilemma:

As I read this requirement, it refers to a registry's data collection
policies.  This is consistent with the way P3P is described by the W3C ("The
Platform for Privacy Preferences Project (P3P) enables Web sites to express
their privacy practices in a standard format that can be retrieved
automatically and interpreted easily by user agents." [1]).

I'm not convinced that this is the problem we should be trying to solve.
Substitute "registries" for "Web sites" and "registrars" or "clients" for
"user agents", and what we have is a requirement for a registry to describe
the data it collects and what it might do with that data.  I know we've
touched on this before, but I'm convinced that this policy information will
be documented in agreements or contracts between registry and client.  The
legal ties between the communicating parties may not exist in the web world,
so I can understand how it makes sense for a web server to describe its
data collection policies to web surfers.  However, the web user model isn't
the user model for GRRP, so I think we have this requirement somewhat
backwards.

We don't currently have a requirement to provide features to express how
social data may be used.  As I've struggled with the current requirement,
I've continually come back to two questions: is our need to provide a way
for a contact to express how their data (such as address, telephone, etc.)
may be used, or is our need to provide a way for a registry to describe the
data it collects and what it does with the data?  I really think the problem
we need to solve is the former, and not the latter.

Anyway, that long-winded explanation leads to a suggestion that we reword
the last sentence of 8.4-[1] to something like this:

"A generic protocol MUST provide services to identify social data use
preferences."

<Scott/>

[1] http://www.w3.org/TR/P3P/#Introduction
