Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode

"Gould, James" <jgould@verisign.com> Wed, 26 December 2018 14:33 UTC

From: "Gould, James" <jgould@verisign.com>
To: "gurshabad@cis-india.org" <gurshabad@cis-india.org>, "regext@ietf.org" <regext@ietf.org>
Date: Wed, 26 Dec 2018 14:32:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/W00mzihcHkcbSPFwgFjTvx5KO_A>

Gurshabad,
 
I first need to be clear that I oppose adding both sections that you've provided to draft-ietf-regext-verificationcode.  The sections that you've provided are non-technical and are associated with policy elements.  The REGEXT working group has dealt with technical aspects of drafts.  I don't believe the REGEXT working group is qualified to effectively discuss and come to consensus on policy elements.  I recommend that inclusion of these sorts of elements be brought up to the IETF-level.
 
The thread with Andrew Newton did not clarify the applicability of the Privacy Considerations, but addressed two technical issues related to fixing the described relationship of the client with the server, and fixing the inappropriate inclusion of a normative policy statement.  The clearly out of scope elements of the HR Considerations section include the following bulleted items that are only associated with the VSP, and have nothing to do with draft-ietf-regext-verificationcode.      
 
    * Depending on the information shared with the VSP and data sources
    already available to it, the extension may also allow the VSP to
    discriminate against registrants based on registrants' personal
    characteristics, beliefs, or opinions. Even when such restrictions are
    not applied, knowledge of the information being shared with the VSP
    could create chilling effects on registrants' freedom of expression, and
    freedom of association and assembly.
   
    * The VSP may be a third party entrusted to carry out sensitive legal
    decisions. Due to the lack of mechanisms in this extension that can
    facilitate appeal and redressal of a rejection, the registrants' right
    to legal transparency and remedy will also be impacted in such a situation.   
 
The scope of draft-ietf-regext-verificationcode does not include the verification process of the VSP by design.  Any considerations section, including the HR or the Privacy Considerations, needs to be within the defined scope of the draft.
 
Do others in the working group believe that either the verification process of the VSP is in scope based on the current wording of the draft or that a consideration section can cover something that is outside the defined scope of the draft?
  
—
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 12/21/18, 5:14 AM, "Gurshabad Grover" <gurshabad@cis-india.org> wrote:

    On 20/12/18 1:01 AM, Gould, James wrote:
    > 
    > Your proposed Privacy Considerations section and much of your proposed Human Rights Considerations section focuses on the interface of the VSP, which is out-of-scope for draft-ietf-regext-verificationcode.  The scope of draft-ietf-regext-verificationcode is on the structure of the digitally signed verification code, that represents proof of verification, and the interface between the client (registrar) and the server (registry) to pass the verification code.  The role of the VSP is defined, but the VSP interface and the concrete verifications are by design left out of draft-ietf-regext-verificationcode, and therefore are out-of-scope.
    >  
    
    I think the previous thread with Andrew Newton clarifies why the Privacy
    Considerations are applicable. Could you be specific as to which HR
    consideration is out of scope?
    
    As you have already noted, the role of the VSP is defined and (therefore
    presumably) in the scope of the document. Since most HR considerations
    relate to the VSP's role, they are also in the scope of
    draft-ietf-regext-verificationcode.
    
    Thank you.
    Gurshabad