To: "'Stephane Bortzmeyer'" <bortzmeyer@nic.fr>
Cc: "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Date: Tue, 17 Dec 2002 07:35:43 -0500
Sender: owner-ietf-provreg@cafax.se
Subject: RE: Another Privacy Proposal

> -----Original Message-----
> From: Stephane Bortzmeyer [mailto:bortzmeyer@nic.fr]
> Sent: Tuesday, December 17, 2002 4:03 AM
> To: Hollenbeck, Scott
> Cc: 'ietf-provreg@cafax.se'
> Subject: Re: Another Privacy Proposal
>
>
> On Mon, Dec 16, 2002 at 02:44:04PM -0500,
> Hollenbeck, Scott <shollenbeck@verisign.com> wrote
> a message of 79 lines which said:
>
> > discussion we received a critical clarification: what they're looking to
> > have added is a means to identify data elements for which the data owner
> > would like to note that the data should not be disclosed to third
> > parties.
>
> Like every other proposal I've seen on this list about privacy, this
> suggestion solves only a very small part of the problem. For instance,
> it does not distinguish between individual access and bulk access by
> third parties (while many registries, such as AFNIC for the .fr ccTLD
> or the RIPE-NCC for their IP addresses database, allow unrestricted
> individual access but completely prohibit bulk access). Also, it does
> not distinguish between the uses of the data (research, marketing, IPR
> harassment, etc).

It doesn't do those things because that's not what the IESG is saying is needed. If you think such things are needed, please prepare a proposal to address those requirements.

> I do not think it is possible to come with a reasonable
> "one-paragraph" solution to this difficult problem. I suggest to defer
> it to extensions, possibly using the P3P namespace and elements.

The IESG has already balked at the idea of doing this all in extensions.

> If a proposal like the last one is retained, I suggest to add the
> following warning:
>
> Some registries may use extensions or other registry-specific
> mechanism (possibly out-band, such as local laws) to gather privacy
> requirements. The lack of a <doNotDisclose> element MUST NOT be
> interpreted as the complete absence of privacy requirements.

I would disagree with this wording. The absence of a privacy specification, either in a <doNotDisclose> element or an extension, can only be interpreted as agreement with the stated data collection policy.

-Scott-