To:
"'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
Date:
Tue, 11 Feb 2003 08:30:20 -0500
Sender:
owner-ietf-provreg@cafax.se
Subject:
RE: [ietf-provreg] FYI: EPP implementation by the Polish registry
> At the DNR-forum at RIPE-44 last week, the polish registry presented > their implementation of EPP. They had to make extensions to implement > the somewhat draconian Polish privacy rules. One of the things they > mentioned was that they were more severe then the European ones, > so when they join the EC, they might change. Anyway, I don't have > the presentation on line yet, but they have piblished a document > about the things they did with the protocol. It can be found as > ascii (http://www.dns.pl/NASK-EPP%202.01.txt) or pdf > (http://www.dns.pl/NASK-EPP%202.01.pdf) on the web. While at the CENTR technical forum I listened intently to these and other presentations to see how they relate to our ongoing discussion of privacy specification and the unresolved comment from the IESG. The extensions described by the folks from NASK include an element that directly relates to the IESG comments: their <consentForPublishing> element is described as "it specifies whether a private person gives its permission to publish personal details in WHOIS database". We now have two ccTLD registry operators (.pl (above) and .nl (via Jaap)) who've noted that having a "do not disclose" flag is something that they need and can use. In the case of .pl, where they claim to have very strict privacy rules, implementers found that a single high-level element was sufficient to mark the content appropriately. If we had a "do not disclose" element in the contact mapping they probably wouldn't have had to add this extension. In the spirit of "rough consensus and running code", maybe this is a reasonable compromise. We have registries implementing privacy policies that need some sort of "do not disclose" marker, but maybe we don't really need to mark every element -- maybe having an optional <doNotDisclose> element in the various <create>, <info>, and <update> structures is all that's really needed in the real world. I'd like to ask the WG members and the IESG to consider this possibility. The WG should note that implementers of real-world privacy policies are finding it necessary to add a "do not disclose" element. The IESG should note that implementers of real-world privacy policies are finding it sufficient to flag a higher-level structure instead of flagging individual elements. Is this a possible way forward? -Scott-