[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: ietf-provreg@cafax.se
Cc: edlewis@arin.net, jaap@sidn.nl
From: Edward Lewis <edlewis@arin.net>
Date: Sun, 23 Mar 2003 15:23:13 -0500
Sender: owner-ietf-provreg@cafax.se
Subject: [ietf-provreg] Our "Privacy Issue"

During the face to face meeting in SF, we had a productive discussion 
of the privacy issue that has been holding up progress.  Minutes, 
et.al. of the meeting will be forthcoming, but the first action item 
to arise from the meeting is a presentation to the WG (list) a 
detailed description of the problem.

In a discussion that involved Ted Hardie, our new Area Advisor, and 
Randy Bush, the following comment was cast into the following 

The protocol must provide a mechanism to allow enforcement of privacy 
policy at either the registrar or registrant.  This must be done in a 
protocol feature that is "mandatory to implement, optional to use." 
Further, the privacy meta-data must be to individual elements of 
social data.

     First, before going further, what is stated above is the suggestion
     derived during the face-to-face meeting.  Being that this is a
     clarification of the IESG comment obtained with representatives
     present, this is what we need to solve. However, wording changes
     may be made.

As EPP stands now, privacy policy decisions are only possible at the 
registrar.  This is because the dcp element allows the registry to 
tell the registrar the "rules."  Whatever the registrar sends to the 
registry is considered to be in accordance with the rules.

What is desired is a mechanism that will let EPP support thick 
registries, in which social data is held by the registry.  In such 
situations, the registrar needs to inform the registry of 
restrictions on the redistribution of the data submitted to the 

There are limits to what the WG is being asked to do.  We are not 
being asked to provide a very rich syntax for the mechanism.  For 
example, we are not being asked to provide a means to say "you can 
publish the phone number in whois but not in any other way."  (We 
could, if we desired, but we are not asked to do.)

There's one protocol standards consideration I'd like to make.  The 
more detail and depth in the solution of a problem often leads to a 
tougher job in reaching consensus.  I.e., as a chair, I appreciate 
efforts to refine and divine the depths of privacy, but such threads 
are in danger of becoming distractions to the main job of this WG.

During the meeting, it was suggested that a mechanism to meet the 
requirement has already been sent to the mailing list and discussed. 
The next steps for the WG is to 1) consider and discuss the 
requirement in this message.  If the WG accepts this as the problem 
statement as discussion in the room did, the next step will be to 
open a thread on the modified proposal suggested.  For procedural 
reasons, I'm not going to mention that proposal until the problem 
statement is accepted by the WG (i.e., the mailing list).

Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

I've had it with world domination.  The maintenance fees are too high.

Home | Date list | Subject list