To: "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Date: Thu, 5 Jul 2001 08:42:22 -0400
Sender: owner-ietf-provreg@cafax.se
Subject: Data Collection Requirements

While we're back in the requirements document to address the comments received from the IESG, I'd like to address another requirements topic: data collection requirements as described in section 8.4, specifically the last sentence of 8.4-[1]:

"A generic protocol MUST provide services to identify data collection policies."

I've been struggling with the protocol design aspects of this requirement, and have spent a considerable amount of time reviewing the W3C's P3P work to see how it might be useful as originally suggested by Eric Brunner-Williams.

Here's my dilemma: As I read this requirement, it refers to a registry's data collection policies. This is consistent with the way P3P is described by the W3C ("The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents." [1]). I'm not convinced that this is the problem we should be trying to solve.

Substitute "registries" for "Web sites" and "registrars" or "clients" for "user agents", and what we have is a requirement for a registry to describe the data it collects and what it might do with that data. I know we've touched on this before, but I'm convinced that this policy information will be documented in agreements or contracts between registry and client. The legal ties between the communicating parties may not exist in the web world, so I can understand how it makes sense for a web server to describe its data collection policies to web surfers. However, the web user model isn't the user model for GRRP, so I think we have this requirement somewhat backwards.

We don't currently have a requirement to provide features to express how social data may be used. As I've struggled with the current requirement, I've continually come back to two questions: is our need to provide a way for a contact to express how their data (such as address, telephone, etc.) may be used, or is our need to provide a way for a registry to describe the data it collects and what it does with the data? I really think the problem we need to solve is the former, and not the latter.

Anyway, that long-winded explanation leads to a suggestion that we reword the last sentence of 8.4-[1] to something like this:

"A generic protocol MUST provide services to identify social data use preferences."

<Scott/>

[1] http://www.w3.org/TR/P3P/#Introduction