Re: Proposed IETF Privacy Policy for Review

Adam Roach <adam@nostrum.com> Thu, 17 March 2016 16:32 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B1A012D9AC for <ietf@ietfa.amsl.com>; Thu, 17 Mar 2016 09:32:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIjjvLgkdnml for <ietf@ietfa.amsl.com>; Thu, 17 Mar 2016 09:32:04 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9EB812D978 for <ietf@ietf.org>; Thu, 17 Mar 2016 09:31:44 -0700 (PDT)
Received: from Orochi.local (99-152-145-110.lightspeed.dllstx.sbcglobal.net [99.152.145.110]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id u2HGVgOw094221 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <ietf@ietf.org>; Thu, 17 Mar 2016 11:31:43 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-145-110.lightspeed.dllstx.sbcglobal.net [99.152.145.110] claimed to be Orochi.local
From: Adam Roach <adam@nostrum.com>
Subject: Re: Proposed IETF Privacy Policy for Review
To: IETF list <ietf@ietf.org>
References: <20160316170239.30920.41218.idtracker@ietfa.amsl.com> <56E9A279.4090805@nostrum.com> <20160317103448.GA2505@sources.org>
Message-ID: <56EADBEE.2040204@nostrum.com>
Date: Thu, 17 Mar 2016 11:31:42 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <20160317103448.GA2505@sources.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/4yoa8u3ANkOfQX3gUZObWh3dxE0>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2016 16:32:10 -0000

On 3/17/16 05:34, Stephane Bortzmeyer wrote:
> On Wed, Mar 16, 2016 at 01:14:17PM -0500,
>   Adam Roach <adam@nostrum.com> wrote
>   a message of 149 lines which said:
>
>> I certainly hope that this means to say "IETF will store hashed
>> versions of these passwords and does not make them available to the
>> public."
> I don't think it is a good idea, in a policy document, to be too
> specific about the technical measures we take (because they may change
> often).

Sure, the level of technical detail can probably be scaled back a bit, 
but I think it's relevant for a privacy policy to indicate that password 
information is stored in an obscured form according to industry best 
practices.

/a