Re: [OAUTH-WG] Dynamic Client Registration: policy_uri
Mike Jones <Michael.Jones@microsoft.com> Mon, 14 July 2014 16:18 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B501A0AC2 for <oauth@ietfa.amsl.com>; Mon, 14 Jul 2014 09:18:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dP7VqsESNa_r for <oauth@ietfa.amsl.com>; Mon, 14 Jul 2014 09:18:56 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0140.outbound.protection.outlook.com [207.46.163.140]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F391B1A0AC8 for <oauth@ietf.org>; Mon, 14 Jul 2014 09:18:55 -0700 (PDT)
Received: from BN3PR0301CA0082.namprd03.prod.outlook.com (25.160.152.178) by BL2PR03MB340.namprd03.prod.outlook.com (10.141.68.24) with Microsoft SMTP Server (TLS) id 15.0.990.7; Mon, 14 Jul 2014 16:18:54 +0000
Received: from BN1AFFO11FD059.protection.gbl (2a01:111:f400:7c10::133) by BN3PR0301CA0082.outlook.office365.com (2a01:111:e400:401e::50) with Microsoft SMTP Server (TLS) id 15.0.985.8 via Frontend Transport; Mon, 14 Jul 2014 16:18:54 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD059.mail.protection.outlook.com (10.58.53.74) with Microsoft SMTP Server (TLS) id 15.0.980.11 via Frontend Transport; Mon, 14 Jul 2014 16:18:54 +0000
Received: from TK5EX14MBXC294.redmond.corp.microsoft.com ([169.254.3.103]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0195.002; Mon, 14 Jul 2014 16:18:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration: policy_uri
Thread-Index: AQHPmqWY5AtEKQRGw0O3kUVR/CP4H5uWH0WAgAAB9gCAAAmsgIAAXNkAgAACIgCACO1GAIAAUcuw
Date: Mon, 14 Jul 2014 16:18:12 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439ADA8DBE@TK5EX14MBXC294.redmond.corp.microsoft.com>
References: <53BBDFA0.8010306@gmx.net> <CABzCy2DwGcbDzgr2b1XKLgLD4hWgRdv+ipSa6gePCKtohM50Rw@mail.gmail.com> <53BBE932.6000808@gmx.net> <CABzCy2C1mwNiKbLtEgmcmRijY10hwOVK74GkhAMnHt6sioESMw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439ADA07A1@TK5EX14MBXC294.redmond.corp.microsoft.com> <2681D9B8-FE2F-4182-BA27-6C06A427F0AD@ve7jtb.com> <53C3BE02.3040402@gmx.net>
In-Reply-To: <53C3BE02.3040402@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(6009001)(438002)(377424004)(55885003)(199002)(24454002)(15454003)(51704005)(13464003)(189002)(53754006)(479174003)(377454003)(76176999)(31966008)(69596002)(85852003)(46406003)(50466002)(46102001)(15202345003)(15395725005)(97736001)(6806004)(77982001)(83322001)(80022001)(50986999)(19580405001)(74502001)(104016003)(81542001)(44976005)(81342001)(33656002)(83072002)(54356999)(307094003)(84676001)(74662001)(106116001)(55846006)(66066001)(97756001)(23726002)(68736004)(92566001)(87936001)(77096002)(20776003)(26826002)(93886003)(47776003)(92726001)(86362001)(107046002)(79102001)(2656002)(64706001)(106466001)(19580395003)(15975445006)(76482001)(99396002)(4396001)(81156004)(21056001)(86612001)(85306003)(95666004); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB340; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 02723F29C4
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/90AjIfWsJ8UiT0u10-LvFgIglSk
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration: policy_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jul 2014 16:18:59 -0000
Fine with me. (I might change "the privacy policy" to "the site's privacy policy".) -----Original Message----- From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] Sent: Monday, July 14, 2014 4:25 AM To: John Bradley; Mike Jones Cc: Nat Sakimura; oauth@ietf.org Subject: Re: [OAUTH-WG] Dynamic Client Registration: policy_uri Here is the text from the OpenID Connect spec (as provided by Nat): > policy_uri > OPTIONAL. URL that the Relying Party Client provides to the End-User > to read about the how the profile data will be used. The value of > this field MUST point to a valid web page. The OpenID Provider > SHOULD display this URL to the End-User if it is given. If desired, > representation of this Claim in different languages and scripts is > represented as described in Section 2.1 > <http://openid.bitbucket.org/openid-connect-registration-1_0.html#LanguagesAndScripts>. Here is the draft -18 text: > policy_uri > URL that points to a human-readable Policy document for the > client. The authorization server SHOULD display this URL to the > end-user if it is given. The policy usually describes how an end- > user's data will be used by the client. The value of this field > MUST point to a valid web page. The value of this field MAY be > internationalized, as described in Section 2.2 <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-18#section-2.2>. Here is the suggested new text: " policy_uri OPTIONAL. URL that the Deployment Organization provides to the end user to read about the privacy policy. A privacy policy is a statement that describes how the Deployment Organization collects, uses, retains and discloses personal information. The value of this field MUST point to a valid web page. The Deployment Organization SHOULD display this URL to the end user. Information for displaying a privacy policy in different languages and scripts can be found in Section 2.2. " Ciao Hannes On 07/08/2014 09:05 PM, John Bradley wrote: > I am OK with clarifying the description as privacy/data protection > policy. I don't think it needs privacy in the parameter name. > On Jul 8, 2014, at 2:59 PM, Mike Jones <Michael.Jones@microsoft.com > <mailto:Michael.Jones@microsoft.com>> wrote: > >> I agree with Nat's assessment. I'm fine updating the textual >> description of the parameter, but we should not consider breaking >> changes to the parameter names at this point. >> >> Do you have specific wording in mind, Hannes? >> >> -- Mike >> >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat >> Sakimura >> *Sent:* Tuesday, July 08, 2014 6:26 AM >> *To:* Hannes Tschofenig >> *Cc:* oauth@ietf.org <mailto:oauth@ietf.org> >> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration: policy_uri >> >> I am not against using the term "Privacy Policy" in the description. >> Depending on the jurisdiction and language, direct translation of >> such can be "Data Protection Policy", "Personal Data Protection >> Policy", etc., instead so just dodging it by avoiding the label would >> be more politically neutral, but it could be fine after all. >> >> I am not fine with changing the parameter name though. >> Slight variation in the parameter between the specs generally do not >> help the developers. >> >> Nat >> >> >> >> 2014-07-08 21:50 GMT+09:00 Hannes Tschofenig >> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>: >> For example, even Facebook calls this stuff "Privacy Policy URL". >> >> On 07/08/2014 02:43 PM, Nat Sakimura wrote: >> > policy_uri came down from OpenID Connect Dynamic Client >> > Registraiton 1.0 [1]. >> > >> > It goes: >> > >> > policy_uri >> > OPTIONAL. URL that the Relying Party Client provides to the End-User >> > to read about the how the profile data will be used. The value of >> > this field MUST point to a valid web page. The OpenID Provider >> > SHOULD display this URL to the End-User if it is given. If desired, >> > representation of this Claim in different languages and scripts is >> > represented as described in Section 2.1 >> > >> <http://openid.bitbucket.org/openid-connect-registration-1_0.html#LanguagesAndScripts>. >> > >> > It is clearly privacy related. In fact, it used to be a part of >> > OpenID Connect Core in which the RP had to send it to obtain the >> > permission. It is optional only because in certain enterprise type >> > setting, it is unnecessary. In the consumer case, I regard it as >> > essential. In any case, this is something a trust framework should >> > set as its rule, and not the protocol itself. >> > >> > The draft -18 text goes: >> > >> > policy_uri >> > URL that points to a human-readable Policy document for the >> > client. The authorization server SHOULD display this URL to the >> > end-user if it is given. The policy usually describes how an end- >> > user's data will be used by the client. The value of this field >> > MUST point to a valid web page. The value of this field MAY be >> > internationalized, as described in Section 2.2 >> <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-18#section-2.2>. >> > >> > >> > It has been converted to be a bit vague. I would +1 to tighten it up. >> > Note that there is tos_uri to describe the Terms of Service by the >> > client and poicy_uri is not intended for this purpose but only for >> > the service/client's privacy policy. >> > >> > BTW, I just found that a lot of text are more or less the duplicate >> > or re-statement of [1]. IMHO, it should try to refer the original >> > document where possible as it is a referable standard, and put [1] >> > in the Reference section as well. >> > >> > Best, >> > >> > Nat >> > >> > [1] http://openid.net/specs/openid-connect-registration-1_0.html >> > >> > >> > 2014-07-08 21:10 GMT+09:00 Hannes Tschofenig >> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net> >> > <mailto:hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>>: >> > >> > Hi all, >> > >> > two earlier reviews I have noticed that the policy_uri meta-data >> > attribute is not correctly specified. I offered a suggestion >> > and >> in both >> > cases my request was ignored. >> > >> > Maybe there is a reason to reject my request but I am uncertain >> about >> > the relationship with another meta-data attribute, the >> terms-of-service >> > attribute. >> > >> > Here is what I said in my last review: >> > >> > http://www.ietf.org/mail-archive/web/oauth/current/msg12879.html >> > >> > " >> > policy_uri: In my previous review I argued that the right >> terminology >> > here is privacy notice and you can even re-use the IAPP terminology. >> > Unless the policy URI has nothing to do with privacy I would >> prefer this >> > terminology change. If you disagree I would prefer to have a >> > description about what policy means in this context. >> > " >> > >> > Could you guys explain? >> > >> > Ciao >> > Hannes >> > >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org >> <mailto:OAuth@ietf.org>> >> >> > https://www.ietf.org/mailman/listinfo/oauth >> > >> > >> > >> > >> > -- >> > Nat Sakimura (=nat) >> > Chairman, OpenID Foundation >> > http://nat.sakimura.org/ >> > @_nat_en >> >> >> >> >> -- >> Nat Sakimura (=nat) >> Chairman, OpenID Foundation >> http://nat.sakimura.org/ >> @_nat_en >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Hannes Tschofenig
- [OAUTH-WG] Dynamic Client Registration: policy_uri Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Nat Sakimura
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Nat Sakimura
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Mike Jones
- Re: [OAUTH-WG] Dynamic Client Registration: polic… John Bradley
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Mike Jones
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Nat Sakimura