To:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
Cc:
"'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From:
Stephane Bortzmeyer <bortzmeyer@nic.fr>
Date:
Tue, 17 Dec 2002 10:02:34 +0100
Content-Disposition:
inline
In-Reply-To:
<3CD14E451751BD42BA48AAA50B07BAD603370414@vsvapostal3.prod.netsol.com>
Sender:
owner-ietf-provreg@cafax.se
User-Agent:
Mutt/1.3.28i
Subject:
Re: Another Privacy Proposal
On Mon, Dec 16, 2002 at 02:44:04PM -0500, Hollenbeck, Scott <shollenbeck@verisign.com> wrote a message of 79 lines which said: > discussion we received a critical clarification: what they're looking to > have added is a means to identify data elements for which the data owner > would like to note that the data should not be disclosed to third > parties. Like every other proposal I've seen on this list about privacy, this suggestion solves only a very small part of the problem. For instance, it does not distinguish between individual access and bulk access by third parties (while many registries, such as AFNIC for the .fr ccTLD or the RIPE-NCC for their IP addresses database, allow unrestricted individual access but completely prohibit bulk access). Also, it does not distinguish between the uses of the data (research, marketing, IPR harassment, etc). I do not think it is possible to come with a reasonable "one-paragraph" solution to this difficult problem. I suggest to defer it to extensions, possibly using the P3P namespace and elements. If a proposal like the last one is retained, I suggest to add the following warning: Some registries may use extensions or other registry-specific mechanism (possibly out-band, such as local laws) to gather privacy requirments. The lack of a <doNotDisclose> element MUST NOT be interpreted as the complete absence of privacy requirments.