

To: <axelm@nic.at>, <ietf-provreg@cafax.se>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Date: Mon, 18 Jan 2010 22:42:51 -0500
Content-class: urn:content-classes:message
In-Reply-To: <4B5478A3.5010904@nic.at>
Sender: owner-ietf-provreg@cafax.se
Thread-Index: AcqYUxi1uCpFNegCS42RaWWeEoeSNgAZUcQg
Thread-Topic: [ietf-provreg] Default contact element disclosure problem - RFC bug?
Subject: RE: [ietf-provreg] Default contact element disclosure problem - RFC bug?

> -----Original Message-----
> From: owner-ietf-provreg@cafax.se 
> [mailto:owner-ietf-provreg@cafax.se] On Behalf Of axelm@nic.at
> Sent: Monday, January 18, 2010 10:05 AM
> To: ietf-provreg@cafax.se
> Subject: [ietf-provreg] Default contact element disclosure 
> problem - RFC bug?
> 
> All,
> 
> We're planning to change our contact disclosure default from 
> "disclose everything" to "don't disclose anything" because of 
> data privacy considerations. EPP already provides the 
> "contact:disclose" element to override the server default.
> 
> Because of the structure of the "contact:disclose" element, 
> it is required on the client side to be aware of the default 
> setting, so that the proper "overriding" elements can be put 
> into the "contact:disclose"
> element. If the client is not aware of the default setting on 
> the server, it couldn't identify whether "disclosed" or "undisclosed"
> elements are to be put into the "disclose" element.
> 
> However, it seems that there is no way to announce the 
> default disclosure policy to the client, even though it is 
> mentioned in the RFC:
> 
> RFC5733 says:
> 
>    A server operator announces a default disclosure policy when
>    establishing a session with a client.  When an object is created or
>    updated, the client can specify contact attributes that require
>    exceptional disclosure handling using an OPTIONAL <contact:disclose>
>    element.  Once set, disclosure preferences can be reviewed using a
> 
> (most important piece of that snippet is the first sentence)
> 
> However, looking at the schema definition of the greeting, as 
> well as the examples, there's no way to actually perform that 
> "announcement"
> during session establishment.
> 
> The closest match is probably the "dcp" element - however, 
> there's no element within that element that relates to 
> announcing the "contact:disclose" policy. The "dcp" element 
> as far as I understood does also relate to the global data 
> collection policy, while the disclose policy of the contact 
> would be specific to a certain object type, since there could 
> be other defaults for different object types.
> 
> So, is this a bug in the RFCs, or are we missing something? 
> Any advice on how clients should detect the disclose policy 
> of the server?

Alex,

The <dcp> element *is* the mechanism used to announce the server
operator's default data collection policy. It may help to read up on the
W3C Platform for Privacy Preferences (P3P) work.  That's the framework
we adopted and modified slightly for use in EPP at Eric
Brunner-Williams' request.  Eric is much more familiar with that work
than I am, so I hope he can provide more info as needed.

Scott

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software.  For (Un-)subscription and similar details
send "help" to ietf-provreg-request@cafax.se
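
The client-side dependency raised in the quoted question, as an added example that is not part of either message: a single `<contact:disclose>` element carries one `flag`, so it can only list exceptions to the server default, and the same registrant preference produces different XML depending on that default. The function names and the `server_default` parameter are hypothetical; the element names and the `flag` attribute are those of RFC 5733.

```python
import xml.etree.ElementTree as ET

CONTACT_NS = "urn:ietf:params:xml:ns:contact-1.0"
ET.register_namespace("contact", CONTACT_NS)

# Children RFC 5733 allows inside <contact:disclose>, in schema order.
# name/org/addr carry a type attribute ("int" or "loc").
FIELDS = [("name", "int"), ("name", "loc"), ("org", "int"), ("org", "loc"),
          ("addr", "int"), ("addr", "loc"),
          ("voice", None), ("fax", None), ("email", None)]


def build_disclose(server_default, wanted):
    """Return the <contact:disclose> element for a registrant preference.

    server_default: True if the server discloses every field by default,
        False if it discloses none (assumed to be known to the client).
    wanted: dict mapping a FIELDS key to True (disclose) or False (hide);
        fields not listed follow the server default.
    Returns None when the preference already matches the default.
    """
    unknown = set(wanted) - set(FIELDS)
    if unknown:
        raise ValueError(f"not a disclosable field: {sorted(unknown, key=str)}")
    # Only fields that differ from the default can be expressed.
    exceptions = [k for k in FIELDS
                  if wanted.get(k, server_default) != server_default]
    if not exceptions:
        return None
    # flag="1": disclose the listed fields; flag="0": withhold them.
    flag = "0" if server_default else "1"
    elem = ET.Element(f"{{{CONTACT_NS}}}disclose", {"flag": flag})
    for name, typ in exceptions:
        child = ET.SubElement(elem, f"{{{CONTACT_NS}}}{name}")
        if typ:
            child.set("type", typ)
    return elem


def sample_preference():
    """Constructed sample: publish the e-mail address, hide everything else."""
    pref = {k: False for k in FIELDS}
    pref[("email", None)] = True
    return pref


if __name__ == "__main__":
    for default in (True, False):
        elem = build_disclose(default, sample_preference())
        print("server default disclose =", default)
        print(" ", ET.tostring(elem, encoding="unicode"))
```

A client that guesses the default wrong sends a syntactically valid element that inverts the registrant's intent for every field it did not list.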

