To:
<ross@tucows.com>, "'Michael Young'" <myoung@libertyrms.info>, "'Vittorio Bertola'" <vb@bertola.eu.org>, <ietf-provreg@cafax.se>
From:
"Ross Wm. Rader" <ross@tucows.com>
Date:
Fri, 17 Jan 2003 12:01:31 -0500
Importance:
Normal
In-Reply-To:
<000801c2be37$1c9d8840$f80b000a@rraderxp>
Reply-To:
<ross@tucows.com>
Sender:
owner-ietf-provreg@cafax.se
Subject:
RE: An user's point of view on the privacy issue
> Agreed - *but* I don't expect that we'll see many as long as > you're up there. Oops...just re-read that - there was a ":)" that should have ended that sentence - no ill intended. -rwr "There's a fine line between fishing and standing on the shore like an idiot." - Steven Wright Get Blog... http://www.byte.org/blog > -----Original Message----- > From: owner-ietf-provreg@cafax.se > [mailto:owner-ietf-provreg@cafax.se] On Behalf Of Ross Wm. Rader > Sent: Friday, January 17, 2003 9:46 AM > To: 'Michael Young'; 'Vittorio Bertola'; ietf-provreg@cafax.se > Subject: RE: An user's point of view on the privacy issue > > > > would like to see less soap-box speechs and more work towards > > Agreed - *but* I don't expect that we'll see many as long as > you're up there. I don't know about the rest of you, but I do > appreciate Vittorio taking the time out to specify what his > requirements for the mechanism might be. Once the smart guys > figure out where that should happen, specifications such as > his will most undoubtedly help you figure out how to make > "what it looks like" work. > > I've dropped out of even lurking for the past few days, but > suffice to say that this is all moot if the question is still > "who" as per Joe's question of the 8th... And, at the risk of > getting ahead of myself, I'm also not sure that I've seen an > answer to Andrew's question of the 9th regarding what basic > "privacy" actually is. From my standpoint, the entire line of > conjecture is a bit of a red herring - it may simplify the > discussion to look at this as a data ownership/entity > relationship/data rights management issue as opposed to the > more charged (and elusive) question of "privacy" - unless > someone has a reasonable definition of "privacy" that they > haven't shared with us... > > > > -rwr > > > > > "There's a fine line between fishing and standing on the > shore like an idiot." > - Steven Wright > > Get Blog... http://www.byte.org/blog > > > > > > -----Original Message----- > > From: owner-ietf-provreg@cafax.se > > [mailto:owner-ietf-provreg@cafax.se] On Behalf Of Michael Young > > Sent: Friday, January 17, 2003 8:49 AM > > To: 'Vittorio Bertola'; ietf-provreg@cafax.se > > Subject: RE: An user's point of view on the privacy issue > > > > > > Thank you for providing your opinion on privacy issues > > Vittorio. I think you'll find by reviewing the list that the > > current debate in the provreg working group is not about > > whether or not a privacy mechanism is desirable, but really > > about the technical implementation and where that should > > happen. There are multiple approaches to how to solve for > > this problem, and all of them have their perceived advantages > > and disadvantages. Some approaches that are being heavily > > advocated from non-technical stakeholders have some serious > > implementation and performance impacts, and that's really > > whats at the heart of the debate right now. BTW in my > > opinion, this forum is not meant as a venue for the amount of > > policy based discussion that has occurred of late - it is > > meant to be a technical working group. Hence I honestly > > would like to see less soap-box speechs and more work towards > > a compromise, such as the one Janusz posted to the list. > > Although that idea got shot down, it > > was the right kind of effort we should be concentrating on. > > > > > > Michael Young > > > > -----Original Message----- > > From: owner-ietf-provreg@cafax.se > [mailto:owner-ietf-provreg@cafax.se] > > On Behalf Of Vittorio Bertola > > Sent: January 17, 2003 5:03 AM > > To: ietf-provreg@cafax.se > > Subject: An user's point of view on the privacy issue > > > > > > Hello, > > > > I am a newbie of this group and of the IETF WGs in general > > (please pardon me for anything inappropriate I might > > unvoluntarily do). However, I have been discussing DNS > > privacy issues extensively in the last years, so please allow > > me to give my point of view on the ongoing privacy discussion. > > > > Not addressing the privacy issue in the base protocol would > > likely imply that the service would often be deployed in real > > life without any means to achieve privacy protection. > > Unfortunately, the present lack of privacy protection in the > > WHOIS system is plainly illegal in many countries, and I > > don't think it's reasonable to think that this situation can > > go on for long without actual lawsuits starting to happen, > > both towards ccTLD and gTLD registries and registrars. > > > > In fact, as others have already pointed out, many registries > > (especially European ccTLDs) have already started to allow > > opting out from WHOIS under certain conditions or for certain > > types of data, or even, have already been sued on this. > > Personally, I think that the present situation where gTLD > > registrants are required to make all their data public won't > > last long. > > > > Thus, any new protocol being created in this field should be > > able to support the ability to mark data as private - > > otherwise in the end it might be useless or even damaging. If > > this protocol doesn't implement any simple and standard way > > to specify reasonable privacy directives together with data, > > it is likely that many registrars and registries will be soon > > forced, by law, lawsuits, or public opinion pressure, to add > > their own (non-standard and non-interoperable) ones. > > > > The protocol must allow customers to specify privacy > > conditions with the highest possible granularity, because it > > must be able to support policies that will be very different > > one from the other and will vary often (much more often than > > the protocol itself) according to non-technical decisions. No > > privacy policy should be hard-wired in the protocol (and this > > includes the policy of "no privacy is possible" that would > > result from the lack of privacy specification tools in the > > base protocol). > > > > I must also point out that, according for example to the > > European law, it is the customer, nor the registrar nor the > > registry nor any policy or standard making body, that decides > > what should be published and what should not. The registrar > > or registry are not allowed to alter the customer's > > indications on privacy. At most, the registrar/registry may > > refuse to supply the service if the customer does not accept > > to distribute data that are strictly necessary for the > > service to work. (It seems to me very doubtful that > > publishing my name and e-mail to the whole world is strictly > > necessary for my name servers to work. But this is a policy > > and legal discussion anyway, and is out of this list's > > scope.) > > > > So, the minimum level of granularity that the protocol should > > support to be applicable in real life is the ability to mark > > each field of each domain name registration form as private > > or public, singularly for each (domain, field) couple. > > > > The EU law also states that the owner of the data has the > > right to verify and update the data and retire the consensus > > to the distribution at any time. So the protocol should allow > > for updates not only of the data but of the privacy indications too. > > > > Theoretically, a registrar could ask separate approvals to > > the customer for different uses of the same data. In this > > case, a mechanism with more levels of privacy would be > > necessary. However, this is an option for the registrar, not > > a requirement, so this could be left to extensions. > > Similarly, a specific approval is required to export data > > outside of the European Union, so a mechanism to specify a > > list of countries to which data can(not) be exported could be > > of use, but this problem can be easily avoided by the > > registrar by asking for such consensus, so this could be left > > as a possible extension too. > > > > Thus, summarizing, I support the idea that a mechanism to > specify (at > > least) whether each single field of each single domain name > > is meant to be public or private should be added to the base > > protocol, and its implementation should be mandatory. > > -- > > vb. [Vittorio Bertola - vb [at] bertola.eu.org]<--- > > -------------------> http://bertola.eu.org/ <----------------------- > > > > >