IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration: policy_uri

Nat Sakimura <sakimura@gmail.com> Tue, 15 July 2014 00:02 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61C441B27BF for <oauth@ietfa.amsl.com>; Mon, 14 Jul 2014 17:02:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dPQ2mBfTl9Tr for <oauth@ietfa.amsl.com>; Mon, 14 Jul 2014 17:02:45 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8212B1B27BE for <oauth@ietf.org>; Mon, 14 Jul 2014 17:02:44 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id hz20so3486748lab.28 for <oauth@ietf.org>; Mon, 14 Jul 2014 17:02:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4+MuQFELVEEfrw79MHQQhjtxdbwfmV+pRaId37qPkTM=; b=KCl12YogY8Ww3iFPogtzXAz6tuRmB949MIUh3zSBsccTOhU4Hs7CcwOO+n7PPvrWJW U8oQd9pAsyqy1Yt7Rtofz2M8+uNLAuqvkI7RX8z5V0rMjct+ouX6PU9p2VxYwi2TTbsn 6L824ug5uxfoIoQjRLlD5jeo10I9auEk1y2/vBJGEnaFijPlaUq989PlOQ4QxuJBvphA AbcWNbcw6m4jkqZqkFE7R8b8u6s3v2w1KxUsAjop+tTm0YRyq3vi5gfP0Jrg5RUFRXLL y1ejpqFllgtV3YUOGcrXjC/a41wnseKJhFHt5Leaz2MoWGMHMNeqcwiQGj+0pWBFWJgo ALKg==
MIME-Version: 1.0
X-Received: by 10.152.180.36 with SMTP id dl4mr12873938lac.26.1405382562750; Mon, 14 Jul 2014 17:02:42 -0700 (PDT)
Received: by 10.112.156.231 with HTTP; Mon, 14 Jul 2014 17:02:42 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439ADA8DBE@TK5EX14MBXC294.redmond.corp.microsoft.com>
References: <53BBDFA0.8010306@gmx.net> <CABzCy2DwGcbDzgr2b1XKLgLD4hWgRdv+ipSa6gePCKtohM50Rw@mail.gmail.com> <53BBE932.6000808@gmx.net> <CABzCy2C1mwNiKbLtEgmcmRijY10hwOVK74GkhAMnHt6sioESMw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439ADA07A1@TK5EX14MBXC294.redmond.corp.microsoft.com> <2681D9B8-FE2F-4182-BA27-6C06A427F0AD@ve7jtb.com> <53C3BE02.3040402@gmx.net> <4E1F6AAD24975D4BA5B16804296739439ADA8DBE@TK5EX14MBXC294.redmond.corp.microsoft.com>
Date: Tue, 15 Jul 2014 09:02:42 +0900
Message-ID: <CABzCy2CWMrJQS4GzEa1hmNmgZ0kkyJ28mixY-tHaqMkZHixxcQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11345aa26d288404fe30201a"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/o8y2z-5U5_tU8VwgVNSCBjuqBH8
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration: policy_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jul 2014 00:02:48 -0000

Actually, it may be the API's privacy policy so that it can state more
specific purpose than the site's.
So, we should not constrain it to be "site's".

Also, I might prefer "personal data" instead of "personal information" but
that might be just me.

Nat


2014-07-15 1:18 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:

> Fine with me.  (I might change "the privacy policy" to "the site's privacy
> policy".)
>
> -----Original Message-----
> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
> Sent: Monday, July 14, 2014 4:25 AM
> To: John Bradley; Mike Jones
> Cc: Nat Sakimura; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Dynamic Client Registration: policy_uri
>
> Here is the text from the OpenID Connect spec (as provided by Nat):
>
> > policy_uri
> >   OPTIONAL. URL that the Relying Party Client provides to the End-User
> >    to read about the how the profile data will be used. The value of
> >    this field MUST point to a valid web page. The OpenID Provider
> >    SHOULD display this URL to the End-User if it is given. If desired,
> >    representation of this Claim in different languages and scripts is
> >    represented as described in Section 2.1
> >
> <
> http://openid.bitbucket.org/openid-connect-registration-1_0.html#LanguagesAndScripts
> >.
>
>
> Here is the draft -18 text:
>
> > policy_uri
> >    URL that points to a human-readable Policy document for the
> >    client.  The authorization server SHOULD display this URL to the
> >    end-user if it is given.  The policy usually describes how an end-
> >    user's data will be used by the client.  The value of this field
> >    MUST point to a valid web page.  The value of this field MAY be
> >    internationalized, as described in Section 2.2
> <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-18#section-2.2>.
>
>
> Here is the suggested new text:
>
> "
> policy_uri
>    OPTIONAL. URL that the Deployment Organization provides to the end
>    user to read about the privacy policy. A privacy policy is a
>    statement that describes how the Deployment Organization collects,
>    uses, retains and discloses personal information.
>
>    The value of this field MUST point to a valid web page. The
>    Deployment Organization SHOULD display this URL to the end user.
>    Information for displaying a privacy policy in different languages
>    and scripts can be found in Section 2.2.
> "
>
> Ciao
> Hannes
>
>
> On 07/08/2014 09:05 PM, John Bradley wrote:
> > I am OK with clarifying the description as privacy/data protection
> > policy.   I don't think it needs privacy in the parameter name.
> > On Jul 8, 2014, at 2:59 PM, Mike Jones <Michael.Jones@microsoft.com
> > <mailto:Michael.Jones@microsoft.com>> wrote:
> >
> >> I agree with Nat's assessment.  I'm fine updating the textual
> >> description of the parameter, but we should not consider breaking
> >> changes to the parameter names at this point.
> >>
> >> Do you have specific wording in mind, Hannes?
> >>
> >>                                                             -- Mike
> >>
> >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat
> >> Sakimura
> >> *Sent:* Tuesday, July 08, 2014 6:26 AM
> >> *To:* Hannes Tschofenig
> >> *Cc:* oauth@ietf.org <mailto:oauth@ietf.org>
> >> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration: policy_uri
> >>
> >> I am not against using the term "Privacy Policy" in the description.
> >> Depending on the jurisdiction and language, direct translation of
> >> such can be "Data Protection Policy", "Personal Data Protection
> >> Policy", etc., instead so just dodging it by avoiding the label would
> >> be more politically neutral, but it could be fine after all.
> >>
> >> I am not fine with changing the parameter name though.
> >> Slight variation in the parameter between the specs generally do not
> >> help the developers.
> >>
> >> Nat
> >>
> >>
> >>
> >> 2014-07-08 21:50 GMT+09:00 Hannes Tschofenig
> >> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>:
> >> For example, even Facebook calls this stuff "Privacy Policy URL".
> >>
> >> On 07/08/2014 02:43 PM, Nat Sakimura wrote:
> >> > policy_uri came down from OpenID Connect Dynamic Client
> >> > Registraiton 1.0 [1].
> >> >
> >> > It goes:
> >> >
> >> > policy_uri
> >> >     OPTIONAL. URL that the Relying Party Client provides to the
> End-User
> >> >     to read about the how the profile data will be used. The value of
> >> >     this field MUST point to a valid web page. The OpenID Provider
> >> >     SHOULD display this URL to the End-User if it is given. If
> desired,
> >> >     representation of this Claim in different languages and scripts is
> >> >     represented as described in Section 2.1
> >> >
> >> <
> http://openid.bitbucket.org/openid-connect-registration-1_0.html#LanguagesAndScripts
> >.
> >> >
> >> > It is clearly privacy related. In fact, it used to be a part of
> >> > OpenID Connect Core in which the RP had to send it to obtain the
> >> > permission. It is optional only because in certain enterprise type
> >> > setting, it is unnecessary. In the consumer case, I regard it as
> >> > essential. In any case, this is something a trust framework should
> >> > set as its rule, and not the protocol itself.
> >> >
> >> > The draft -18 text goes:
> >> >
> >> > policy_uri
> >> >       URL that points to a human-readable Policy document for the
> >> >       client.  The authorization server SHOULD display this URL to the
> >> >       end-user if it is given.  The policy usually describes how an
> end-
> >> >       user's data will be used by the client.  The value of this field
> >> >       MUST point to a valid web page.  The value of this field MAY be
> >> >       internationalized, as described in Section 2.2
> >> <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-18#section-2.2>.
> >> >
> >> >
> >> > It has been converted to be a bit vague. I would +1 to tighten it up.
> >> > Note that there is tos_uri to describe the Terms of Service by the
> >> > client and poicy_uri is not intended for this purpose but only for
> >> > the service/client's privacy policy.
> >> >
> >> > BTW, I just found that a lot of text are more or less the duplicate
> >> > or re-statement of [1]. IMHO, it should try to refer the original
> >> > document where possible as it is a referable standard, and put [1]
> >> > in the Reference section as well.
> >> >
> >> > Best,
> >> >
> >> > Nat
> >> >
> >> > [1] http://openid.net/specs/openid-connect-registration-1_0.html
> >> >
> >> >
> >> > 2014-07-08 21:10 GMT+09:00 Hannes Tschofenig
> >> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>
> >> > <mailto:hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net
> >>>:
> >> >
> >> >     Hi all,
> >> >
> >> >     two earlier reviews I have noticed that the policy_uri meta-data
> >> >     attribute is not correctly specified. I offered a suggestion
> >> > and
> >> in both
> >> >     cases my request was ignored.
> >> >
> >> >     Maybe there is a reason to reject my request but I am uncertain
> >> about
> >> >     the relationship with another meta-data attribute, the
> >> terms-of-service
> >> >     attribute.
> >> >
> >> >     Here is what I said in my last review:
> >> >
> >> > http://www.ietf.org/mail-archive/web/oauth/current/msg12879.html
> >> >
> >> >     "
> >> >     policy_uri: In my previous review I argued that the right
> >> terminology
> >> >     here is privacy notice and you can even re-use the IAPP
> terminology.
> >> >     Unless the policy URI has nothing to do with privacy I would
> >> prefer this
> >> >     terminology change. If you disagree I would prefer to have a
> >> >     description about what policy means in this context.
> >> >     "
> >> >
> >> >     Could you guys explain?
> >> >
> >> >     Ciao
> >> >     Hannes
> >> >
> >> >
> >> >     _______________________________________________
> >> >     OAuth mailing list
> >> >     OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
> >> <mailto:OAuth@ietf.org>>
> >>
> >> >     https://www.ietf.org/mailman/listinfo/oauth
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Nat Sakimura (=nat)
> >> > Chairman, OpenID Foundation
> >> > http://nat.sakimura.org/
> >> > @_nat_en
> >>
> >>
> >>
> >>
> >> --
> >> Nat Sakimura (=nat)
> >> Chairman, OpenID Foundation
> >> http://nat.sakimura.org/
> >> @_nat_en
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org <mailto:OAuth@ietf.org>
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email