Re: [OAUTH-WG] Dynamic Client Registration: policy_uri
Nat Sakimura <sakimura@gmail.com> Tue, 15 July 2014 00:02 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61C441B27BF for <oauth@ietfa.amsl.com>; Mon, 14 Jul 2014 17:02:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dPQ2mBfTl9Tr for <oauth@ietfa.amsl.com>; Mon, 14 Jul 2014 17:02:45 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8212B1B27BE for <oauth@ietf.org>; Mon, 14 Jul 2014 17:02:44 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id hz20so3486748lab.28 for <oauth@ietf.org>; Mon, 14 Jul 2014 17:02:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4+MuQFELVEEfrw79MHQQhjtxdbwfmV+pRaId37qPkTM=; b=KCl12YogY8Ww3iFPogtzXAz6tuRmB949MIUh3zSBsccTOhU4Hs7CcwOO+n7PPvrWJW U8oQd9pAsyqy1Yt7Rtofz2M8+uNLAuqvkI7RX8z5V0rMjct+ouX6PU9p2VxYwi2TTbsn 6L824ug5uxfoIoQjRLlD5jeo10I9auEk1y2/vBJGEnaFijPlaUq989PlOQ4QxuJBvphA AbcWNbcw6m4jkqZqkFE7R8b8u6s3v2w1KxUsAjop+tTm0YRyq3vi5gfP0Jrg5RUFRXLL y1ejpqFllgtV3YUOGcrXjC/a41wnseKJhFHt5Leaz2MoWGMHMNeqcwiQGj+0pWBFWJgo ALKg==
MIME-Version: 1.0
X-Received: by 10.152.180.36 with SMTP id dl4mr12873938lac.26.1405382562750; Mon, 14 Jul 2014 17:02:42 -0700 (PDT)
Received: by 10.112.156.231 with HTTP; Mon, 14 Jul 2014 17:02:42 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439ADA8DBE@TK5EX14MBXC294.redmond.corp.microsoft.com>
References: <53BBDFA0.8010306@gmx.net> <CABzCy2DwGcbDzgr2b1XKLgLD4hWgRdv+ipSa6gePCKtohM50Rw@mail.gmail.com> <53BBE932.6000808@gmx.net> <CABzCy2C1mwNiKbLtEgmcmRijY10hwOVK74GkhAMnHt6sioESMw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439ADA07A1@TK5EX14MBXC294.redmond.corp.microsoft.com> <2681D9B8-FE2F-4182-BA27-6C06A427F0AD@ve7jtb.com> <53C3BE02.3040402@gmx.net> <4E1F6AAD24975D4BA5B16804296739439ADA8DBE@TK5EX14MBXC294.redmond.corp.microsoft.com>
Date: Tue, 15 Jul 2014 09:02:42 +0900
Message-ID: <CABzCy2CWMrJQS4GzEa1hmNmgZ0kkyJ28mixY-tHaqMkZHixxcQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11345aa26d288404fe30201a"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/o8y2z-5U5_tU8VwgVNSCBjuqBH8
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration: policy_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jul 2014 00:02:48 -0000
Actually, it may be the API's privacy policy so that it can state more specific purpose than the site's. So, we should not constrain it to be "site's". Also, I might prefer "personal data" instead of "personal information" but that might be just me. Nat 2014-07-15 1:18 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>: > Fine with me. (I might change "the privacy policy" to "the site's privacy > policy".) > > -----Original Message----- > From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] > Sent: Monday, July 14, 2014 4:25 AM > To: John Bradley; Mike Jones > Cc: Nat Sakimura; oauth@ietf.org > Subject: Re: [OAUTH-WG] Dynamic Client Registration: policy_uri > > Here is the text from the OpenID Connect spec (as provided by Nat): > > > policy_uri > > OPTIONAL. URL that the Relying Party Client provides to the End-User > > to read about the how the profile data will be used. The value of > > this field MUST point to a valid web page. The OpenID Provider > > SHOULD display this URL to the End-User if it is given. If desired, > > representation of this Claim in different languages and scripts is > > represented as described in Section 2.1 > > > < > http://openid.bitbucket.org/openid-connect-registration-1_0.html#LanguagesAndScripts > >. > > > Here is the draft -18 text: > > > policy_uri > > URL that points to a human-readable Policy document for the > > client. The authorization server SHOULD display this URL to the > > end-user if it is given. The policy usually describes how an end- > > user's data will be used by the client. The value of this field > > MUST point to a valid web page. The value of this field MAY be > > internationalized, as described in Section 2.2 > <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-18#section-2.2>. > > > Here is the suggested new text: > > " > policy_uri > OPTIONAL. URL that the Deployment Organization provides to the end > user to read about the privacy policy. A privacy policy is a > statement that describes how the Deployment Organization collects, > uses, retains and discloses personal information. > > The value of this field MUST point to a valid web page. The > Deployment Organization SHOULD display this URL to the end user. > Information for displaying a privacy policy in different languages > and scripts can be found in Section 2.2. > " > > Ciao > Hannes > > > On 07/08/2014 09:05 PM, John Bradley wrote: > > I am OK with clarifying the description as privacy/data protection > > policy. I don't think it needs privacy in the parameter name. > > On Jul 8, 2014, at 2:59 PM, Mike Jones <Michael.Jones@microsoft.com > > <mailto:Michael.Jones@microsoft.com>> wrote: > > > >> I agree with Nat's assessment. I'm fine updating the textual > >> description of the parameter, but we should not consider breaking > >> changes to the parameter names at this point. > >> > >> Do you have specific wording in mind, Hannes? > >> > >> -- Mike > >> > >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat > >> Sakimura > >> *Sent:* Tuesday, July 08, 2014 6:26 AM > >> *To:* Hannes Tschofenig > >> *Cc:* oauth@ietf.org <mailto:oauth@ietf.org> > >> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration: policy_uri > >> > >> I am not against using the term "Privacy Policy" in the description. > >> Depending on the jurisdiction and language, direct translation of > >> such can be "Data Protection Policy", "Personal Data Protection > >> Policy", etc., instead so just dodging it by avoiding the label would > >> be more politically neutral, but it could be fine after all. > >> > >> I am not fine with changing the parameter name though. > >> Slight variation in the parameter between the specs generally do not > >> help the developers. > >> > >> Nat > >> > >> > >> > >> 2014-07-08 21:50 GMT+09:00 Hannes Tschofenig > >> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>: > >> For example, even Facebook calls this stuff "Privacy Policy URL". > >> > >> On 07/08/2014 02:43 PM, Nat Sakimura wrote: > >> > policy_uri came down from OpenID Connect Dynamic Client > >> > Registraiton 1.0 [1]. > >> > > >> > It goes: > >> > > >> > policy_uri > >> > OPTIONAL. URL that the Relying Party Client provides to the > End-User > >> > to read about the how the profile data will be used. The value of > >> > this field MUST point to a valid web page. The OpenID Provider > >> > SHOULD display this URL to the End-User if it is given. If > desired, > >> > representation of this Claim in different languages and scripts is > >> > represented as described in Section 2.1 > >> > > >> < > http://openid.bitbucket.org/openid-connect-registration-1_0.html#LanguagesAndScripts > >. > >> > > >> > It is clearly privacy related. In fact, it used to be a part of > >> > OpenID Connect Core in which the RP had to send it to obtain the > >> > permission. It is optional only because in certain enterprise type > >> > setting, it is unnecessary. In the consumer case, I regard it as > >> > essential. In any case, this is something a trust framework should > >> > set as its rule, and not the protocol itself. > >> > > >> > The draft -18 text goes: > >> > > >> > policy_uri > >> > URL that points to a human-readable Policy document for the > >> > client. The authorization server SHOULD display this URL to the > >> > end-user if it is given. The policy usually describes how an > end- > >> > user's data will be used by the client. The value of this field > >> > MUST point to a valid web page. The value of this field MAY be > >> > internationalized, as described in Section 2.2 > >> <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-18#section-2.2>. > >> > > >> > > >> > It has been converted to be a bit vague. I would +1 to tighten it up. > >> > Note that there is tos_uri to describe the Terms of Service by the > >> > client and poicy_uri is not intended for this purpose but only for > >> > the service/client's privacy policy. > >> > > >> > BTW, I just found that a lot of text are more or less the duplicate > >> > or re-statement of [1]. IMHO, it should try to refer the original > >> > document where possible as it is a referable standard, and put [1] > >> > in the Reference section as well. > >> > > >> > Best, > >> > > >> > Nat > >> > > >> > [1] http://openid.net/specs/openid-connect-registration-1_0.html > >> > > >> > > >> > 2014-07-08 21:10 GMT+09:00 Hannes Tschofenig > >> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net> > >> > <mailto:hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net > >>>: > >> > > >> > Hi all, > >> > > >> > two earlier reviews I have noticed that the policy_uri meta-data > >> > attribute is not correctly specified. I offered a suggestion > >> > and > >> in both > >> > cases my request was ignored. > >> > > >> > Maybe there is a reason to reject my request but I am uncertain > >> about > >> > the relationship with another meta-data attribute, the > >> terms-of-service > >> > attribute. > >> > > >> > Here is what I said in my last review: > >> > > >> > http://www.ietf.org/mail-archive/web/oauth/current/msg12879.html > >> > > >> > " > >> > policy_uri: In my previous review I argued that the right > >> terminology > >> > here is privacy notice and you can even re-use the IAPP > terminology. > >> > Unless the policy URI has nothing to do with privacy I would > >> prefer this > >> > terminology change. If you disagree I would prefer to have a > >> > description about what policy means in this context. > >> > " > >> > > >> > Could you guys explain? > >> > > >> > Ciao > >> > Hannes > >> > > >> > > >> > _______________________________________________ > >> > OAuth mailing list > >> > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org > >> <mailto:OAuth@ietf.org>> > >> > >> > https://www.ietf.org/mailman/listinfo/oauth > >> > > >> > > >> > > >> > > >> > -- > >> > Nat Sakimura (=nat) > >> > Chairman, OpenID Foundation > >> > http://nat.sakimura.org/ > >> > @_nat_en > >> > >> > >> > >> > >> -- > >> Nat Sakimura (=nat) > >> Chairman, OpenID Foundation > >> http://nat.sakimura.org/ > >> @_nat_en > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org <mailto:OAuth@ietf.org> > >> https://www.ietf.org/mailman/listinfo/oauth > > > > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Hannes Tschofenig
- [OAUTH-WG] Dynamic Client Registration: policy_uri Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Nat Sakimura
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Nat Sakimura
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Mike Jones
- Re: [OAUTH-WG] Dynamic Client Registration: polic… John Bradley
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Mike Jones
- Re: [OAUTH-WG] Dynamic Client Registration: polic… Nat Sakimura