Re: [ietf-provreg] FYI: EPP implementation by the Polish registry

["Ram Mohan" <rmohan@afilias.info>]

>If you're not publishing a data
>collection policy, is there any specific issue that's driving that
decision?

>I haven't decided what makes sense for the .com and .net registry yet, but
>other people who are using EPP in domain registry operations must have been
>through a decision process.  Come on, people, please let us know what
you're
>doing with respect to privacy and data collection and why you're doing it!
>We need some real data points to help close the discussion with the IESG.

We're looking into a <dcp> required policy for the .info registry; For the
.org registry, we're also trying to determine the appropriate technical
measures that would make PIR's proposed "OrgCloak" data-protection service
viable.

A session-specific <dcp> mandatory approach is appealing.

-ram
----- Original Message -----
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "'Edward Lewis'" <edlewis@arin.net>; "Eric Brunner-Williams in Portland
Maine" <brunner@nic-naa.net>
Cc: <ietf-provreg@cafax.se>
Sent: Thursday, February 13, 2003 9:56 AM
Subject: RE: [ietf-provreg] FYI: EPP implementation by the Polish registry


> > This is a good request.  This is one of the missing pieces of the
> > converstation.
> >
> > At 11:02 -0500 2/11/03, Eric Brunner-Williams in Portland Maine wrote:
> > >>  The WG should note that implementers of real-world
> > privacy policies are
> > >>  finding it necessary to add a "do not disclose" element.
> > >
> > >Could someone, possibly an implementor, comment on the
> > design choice that
> > >did not utilize the <dcp> element, and disclose its
> > deficiencies? I can
> > >guess, but it would be nice to hear from someone else who
> > considered it
> > >and found it failed to meet a requirement.
>
> Is Eric's request behind a thought that we are considering either the
> current DCP functionality, or the "do not disclose"-proposed
functionality,
> but not both?  I can easily see a need for both:
>
> - in some environments, it might be OK for the server operator to say
"this
> is what I will/might do with data, and if you as data originator give me
> data you are agreeing to my policy".  We have this in the protocol right
now
> with the <dcp> element.
>
> - in other environments, it might be OK for the data owner to say "this is
> what I will allow you as server operator to do with the data I share with
> you".  I thought some of the European contributors have said this sort of
> functionality is required under recent European privacy laws.  This is
> something we don't currently have in the protocol.
>
> I'm not sure that this is a "pick one or the other" situation, but I'm
also
> interested in implementer perspectives.  If you're not publishing a data
> collection policy, is there any specific issue that's driving that
decision?
>
> I haven't decided what makes sense for the .com and .net registry yet, but
> other people who are using EPP in domain registry operations must have
been
> through a decision process.  Come on, people, please let us know what
you're
> doing with respect to privacy and data collection and why you're doing it!
> We need some real data points to help close the discussion with the IESG.
>
> -Scott-
>
>