To:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
cc:
"'Edward Lewis'" <edlewis@arin.net>, "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>, brunner@nic-naa.net
From:
Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>
Date:
Mon, 03 Mar 2003 10:47:52 -0500
In-Reply-To:
Your message of "Mon, 03 Mar 2003 09:01:53 EST." <3CD14E451751BD42BA48AAA50B07BAD60337076C@vsvapostal3.prod.netsol.com>
Sender:
owner-ietf-provreg@cafax.se
Subject:
Re: [ietf-provreg] FYI: EPP implementation by the Polish registry
> why do domain/contact/.. not have granular information about privacy?
Asked and answered.
1. Because operationally, policing at the session level is sufficient to
support persistent policing across multiple distinct objects, or support
single-object-session policing.
2. Because syntactically, if epp is to remain extensible, and xml-based,
adding attributes to elements is either pervasive, or specific. As this
WG lost the technical/social distinction with the expiry of Ross' draft,
we don't have a handy hook for being "specific", and "pervasive" makes
conditionally "private" even the data the registrants who have standing
to "privacy" under EU framework UNCONDITIONALLY SEEK TO PUBLISH.
3. Because semantically, it isn't simply contemporanious publication via
954 that is of issue, particularly in the EU, but also in the OEDC, and
potentially even the US. Also required is some mechanism to identify the
repurposing of registrant (and registrar) data, as bulk-access is a real
practice, with abuses. Also required is some mechanism to identify the
availability of collected registrant (and registrar) data for correction.
Also required is some mechanism to identify the duration that data is
held by the collector.
Adding these semantics to complexType elements would be complex, and has
no benefit over attaching the same semantics to aggregations of elements
that are NEVER DISAGGREGATED, aka "objects". There is little observed or
hypothetical inter-object disaggregation of policy that cannot be reasonably,
and scalably met, by bounding sessions by policy discontinuity.
See #1, above.
Ops, syn, sem, all covered.
> In a later discussion with Patrik, I was told that the EPP proposal
> did not meet the requirement in Section 8.4 of RFC 3375. ("See the
> MUST part of [1].")
I wrote the requirement. The mechanism is the <dcp>, and it is provided by
the protocol.
The requirement does not state:
The protocol MUST NOT provide services if data collection policies
are not identified.
If it had, then we'd have had <dcp> (or some other mechanism(s)) as
MANDITORY-TO-IMPLEMENT, rather than OPTIONAL. There was WG consensus that
the <dcp> is in the core schema (epp-1.0.xsd), optional to implement, and
not an optional extension.
> There are three other inputs.
> One from Jaap - a look at how privacy concerns with .nl impact the issue.
I sent a public message about the .nl requirement to Jaap not long after
his note on the subject, that the EU residency requirement for registrars
provided a contractual equivalent to a <dcp> element, and a simpler form
(for a hypothetical deployment of epp, as .nl wasn't yet epp-operational)
of whois-token, while sufficient for endpoints within the EU, would not be
capable of allowing non-EU endpoints to register .nl domains.
He hasn't responded.
> The second is a report and discussion on the .pl work in this area.
I send a public message about the decision of this particular implementor
not to use the <dcp>.
I seem to have missed the response.
> The third is a message describing the EU perspective on why this must
> be solved.
Oh thank heavens! A live EU national who is a self-described "newbie" and
neither an implementor, nor an operator, nor an author, nor apparently a
specification reader. Now I can stop thinking.
Note Bene Chair:
1. IESG (Randy or Allison) asked and answered
2. IESG (Patrick) asked and answered
3. .NL asked and not responsive
4. .PL asked and not responsive
5. Newbie noises
What part of IETF process did I miss in IETF grade school back in the
mid-80s?
I don't actually mind if folks creatively craft into "privacy" some form
of market protection, Europe for the Europeans, Africa for the Africans,
Circumpolar Regions for the Very-Well-Dressed. I simply find it amusing
that on the one hand we've people in the IAB/IESG kicking Chinese Butt
big time for attempting to fix Unicode [1], arguing "minimum astonishment"
as if it were an end-to-end principle, and people with the same, or very
similar drinking buddies, arguing that the semanitcs of "{0,1} are context
dependent.
Does ((dnp==1 at .nl) == (dnp==1 at .com)) semantically evaluate to 1, or 0?
I'm always astonished that packets even make it anywhere.
Eric
[1] Yes Virginia, the new IRTF activity specifically BARS the work by the
Joint Engineering Team (.tw/.cn/.kr/.jp) registries and the Chinese Domain
Name Consortium (.tw/.hk/.ma/.cn) on intermediate mappings in particular,
and constructive mechanism in general. I've asked. Twice. Not for IPR reasons
either.