To:
"'Edward Lewis'" <edlewis@arin.net>, Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>
Cc:
"'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
Date:
Thu, 13 Feb 2003 09:56:54 -0500
Sender:
owner-ietf-provreg@cafax.se
Subject:
RE: [ietf-provreg] FYI: EPP implementation by the Polish registry
> This is a good request. This is one of the missing pieces of the > converstation. > > At 11:02 -0500 2/11/03, Eric Brunner-Williams in Portland Maine wrote: > >> The WG should note that implementers of real-world > privacy policies are > >> finding it necessary to add a "do not disclose" element. > > > >Could someone, possibly an implementor, comment on the > design choice that > >did not utilize the <dcp> element, and disclose its > deficiencies? I can > >guess, but it would be nice to hear from someone else who > considered it > >and found it failed to meet a requirement. Is Eric's request behind a thought that we are considering either the current DCP functionality, or the "do not disclose"-proposed functionality, but not both? I can easily see a need for both: - in some environments, it might be OK for the server operator to say "this is what I will/might do with data, and if you as data originator give me data you are agreeing to my policy". We have this in the protocol right now with the <dcp> element. - in other environments, it might be OK for the data owner to say "this is what I will allow you as server operator to do with the data I share with you". I thought some of the European contributors have said this sort of functionality is required under recent European privacy laws. This is something we don't currently have in the protocol. I'm not sure that this is a "pick one or the other" situation, but I'm also interested in implementer perspectives. If you're not publishing a data collection policy, is there any specific issue that's driving that decision? I haven't decided what makes sense for the .com and .net registry yet, but other people who are using EPP in domain registry operations must have been through a decision process. Come on, people, please let us know what you're doing with respect to privacy and data collection and why you're doing it! We need some real data points to help close the discussion with the IESG. -Scott-