To:
ietf-provreg@cafax.se
Cc:
edlewis@arin.net, jaap@sidn.nl
From:
Edward Lewis <edlewis@arin.net>
Date:
Sun, 23 Mar 2003 15:23:13 -0500
Sender:
owner-ietf-provreg@cafax.se
Subject:
[ietf-provreg] Our "Privacy Issue"
During the face to face meeting in SF, we had a productive discussion of the privacy issue that has been holding up progress. Minutes, et.al. of the meeting will be forthcoming, but the first action item to arise from the meeting is a presentation to the WG (list) a detailed description of the problem. In a discussion that involved Ted Hardie, our new Area Advisor, and Randy Bush, the following comment was cast into the following requirement: The protocol must provide a mechanism to allow enforcement of privacy policy at either the registrar or registrant. This must be done in a protocol feature that is "mandatory to implement, optional to use." Further, the privacy meta-data must be to individual elements of social data. First, before going further, what is stated above is the suggestion derived during the face-to-face meeting. Being that this is a clarification of the IESG comment obtained with representatives present, this is what we need to solve. However, wording changes may be made. As EPP stands now, privacy policy decisions are only possible at the registrar. This is because the dcp element allows the registry to tell the registrar the "rules." Whatever the registrar sends to the registry is considered to be in accordance with the rules. What is desired is a mechanism that will let EPP support thick registries, in which social data is held by the registry. In such situations, the registrar needs to inform the registry of restrictions on the redistribution of the data submitted to the registry. There are limits to what the WG is being asked to do. We are not being asked to provide a very rich syntax for the mechanism. For example, we are not being asked to provide a means to say "you can publish the phone number in whois but not in any other way." (We could, if we desired, but we are not asked to do.) There's one protocol standards consideration I'd like to make. The more detail and depth in the solution of a problem often leads to a tougher job in reaching consensus. I.e., as a chair, I appreciate efforts to refine and divine the depths of privacy, but such threads are in danger of becoming distractions to the main job of this WG. During the meeting, it was suggested that a mechanism to meet the requirement has already been sent to the mailing list and discussed. The next steps for the WG is to 1) consider and discuss the requirement in this message. If the WG accepts this as the problem statement as discussion in the room did, the next step will be to open a thread on the modified proposal suggested. For procedural reasons, I'm not going to mention that proposal until the problem statement is accepted by the WG (i.e., the mailing list). -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-703-227-9854 ARIN Research Engineer I've had it with world domination. The maintenance fees are too high.