To: "Hollenbeck, Scott" <shollenbeck@verisign.com>, "'Edward Lewis'" <edlewis@arin.net>, "Eric Brunner-Williams in Portland Maine" <brunner@nic-naa.net>
Cc: <ietf-provreg@cafax.se>
From: "Ram Mohan" <rmohan@afilias.info>
Date: Sat, 22 Feb 2003 14:19:52 -0500
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] FYI: EPP implementation by the Polish registry

>If you're not publishing a data
>collection policy, is there any specific issue that's driving that decision?
>I haven't decided what makes sense for the .com and .net registry yet, but
>other people who are using EPP in domain registry operations must have been
>through a decision process. Come on, people, please let us know what you're
>doing with respect to privacy and data collection and why you're doing it!
>We need some real data points to help close the discussion with the IESG.

We're looking into a <dcp> required policy for the .info registry; for the
.org registry, we're also trying to determine the appropriate technical
measures that would make PIR's proposed "OrgCloak" data-protection service
viable. A session-specific <dcp> mandatory approach is appealing.

-ram

----- Original Message -----
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "'Edward Lewis'" <edlewis@arin.net>; "Eric Brunner-Williams in Portland Maine" <brunner@nic-naa.net>
Cc: <ietf-provreg@cafax.se>
Sent: Thursday, February 13, 2003 9:56 AM
Subject: RE: [ietf-provreg] FYI: EPP implementation by the Polish registry

> > This is a good request. This is one of the missing pieces of the
> > conversation.
> >
> > At 11:02 -0500 2/11/03, Eric Brunner-Williams in Portland Maine wrote:
> > >> The WG should note that implementers of real-world privacy policies are
> > >> finding it necessary to add a "do not disclose" element.
> > >
> > >Could someone, possibly an implementor, comment on the design choice that
> > >did not utilize the <dcp> element, and disclose its deficiencies? I can
> > >guess, but it would be nice to hear from someone else who considered it
> > >and found it failed to meet a requirement.
>
> Is Eric's request behind a thought that we are considering either the
> current DCP functionality, or the "do not disclose"-proposed functionality,
> but not both? I can easily see a need for both:
>
> - in some environments, it might be OK for the server operator to say "this
> is what I will/might do with data, and if you as data originator give me
> data you are agreeing to my policy". We have this in the protocol right now
> with the <dcp> element.
>
> - in other environments, it might be OK for the data owner to say "this is
> what I will allow you as server operator to do with the data I share with
> you". I thought some of the European contributors have said this sort of
> functionality is required under recent European privacy laws. This is
> something we don't currently have in the protocol.
>
> I'm not sure that this is a "pick one or the other" situation, but I'm also
> interested in implementer perspectives. If you're not publishing a data
> collection policy, is there any specific issue that's driving that decision?
>
> I haven't decided what makes sense for the .com and .net registry yet, but
> other people who are using EPP in domain registry operations must have been
> through a decision process. Come on, people, please let us know what you're
> doing with respect to privacy and data collection and why you're doing it!
> We need some real data points to help close the discussion with the IESG.
>
> -Scott-