Re: [regext] Ben Campbell's No Objection on draft-ietf-regext-org-11: (with COMMENT)

"Linlin Zhou" <zhoulinlin@cnnic.cn> Mon, 29 October 2018 02:00 UTC

Date: Mon, 29 Oct 2018 10:01:47 +0800
From: Linlin Zhou <zhoulinlin@cnnic.cn>
To: ben <ben@nostrum.com>
Cc: iesg <iesg@ietf.org>, regext-chairs <regext-chairs@ietf.org>, Pieter Vandepitte <pieter.vandepitte@dnsbelgium.be>, draft-ietf-regext-org <draft-ietf-regext-org@ietf.org>, regext <regext@ietf.org>
References: <154033116074.31409.10404721139795648969.idtracker@ietfa.amsl.com>, <20181024180525369910221@cnnic.cn>, <B77EF5B6-00F9-4CC4-9E10-B48595658748@nostrum.com>, <2018102509501609880949@cnnic.cn>, <F5474CB9-96A6-449F-A989-950CF11860E6@nostrum.com>
Message-ID: <2018102910014733302448@cnnic.cn>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/bnj0XtpBhQSqHv_vbCbGnHFJfc0>

Dear Ben,
Thanks for your suggestions. I think I can add this paragraph in the section of security consideration.

The organization object may have personally identifiable information, such as <org:contact>. This information is not a required element in this document which can be provided on a voluntary basis. If it is provided, both client and server MUST ensure that authorization information is stored and exchanged with high-grade encryption mechanisms to provide privacy services, which is specified in RFC5733. The security considerations described in [RFC5730] or those caused by the protocol layers used by EPP will apply to this specification as well.

Regards,
Linlin


Linlin Zhou
 
From: Ben Campbell
Date: 2018-10-25 10:08
To: Linlin Zhou
CC: iesg; regext-chairs; Pieter Vandepitte; draft-ietf-regext-org; regext
Subject: Re: [regext] Ben Campbell's No Objection on draft-ietf-regext-org-11: (with COMMENT)


On Oct 24, 2018, at 8:50 PM, Linlin Zhou <zhoulinlin@cnnic.cn> wrote:

Dear Ben,
Maybe I did not make this item clear. I'd like to have some more explanations. You are right that the EPP organization object may have a <contact> element, but this is not required information. There may be some possibilities, as follows:
1. If the organizations do not want to provide this information to protect the privacy, the <contact> could be empty.
2. If the organizations have no issues on the privacy, they can input the contact identifier created according to RFC5733.
    a. In RFC5733, required info including contact id, contact name, city, country code, email and authentication info.
    b. Optional info including contact organization, street, state or province, postal code, voice, fax and disclose elements choices.
"Authorization information is REQUIRED to create a contact object. ......Both client and server MUST ensure that authorization information is stored and exchanged with high-grade encryption mechanisms to provide privacy services." was specified in RFC5733.

The organization object may have personally identifiable information, such as <org:contact>. This information is not a required element in this document which can be provided on a voluntary basis. If it is provided, both client and server MUST ensure that authorization information is stored and exchanged with high-grade encryption mechanisms to provide privacy services, which is specified in RFC5733.

Hi,

Your last paragraph above is the sort of thing I had in mind. It would be helpful to include it in the draft. I

Thanks!

Ben.


Regards,
Linlin


Linlin Zhou
 
From: Ben Campbell
Date: 2018-10-25 01:32
To: Linlin Zhou
CC: iesg; regext-chairs; Pieter Vandepitte; draft-ietf-regext-org; regext
Subject: Re: [regext] Ben Campbell's No Objection on draft-ietf-regext-org-11: (with COMMENT)
Thanks for your response. It all looks good, except for one item below:

Thanks!

Ben.

On Oct 24, 2018, at 5:05 AM, Linlin Zhou <zhoulinlin@cnnic.cn> wrote:


[...]

 
§9: The org element can contain contact information, possibly including
personally identifiable information of individuals. Doesn’t this have privacy
implications that should be discussed here or in a privacy considerations
section?
[Linlin] This document is an object extension of EPP that follows all the security requirements for EPP. We do not hope to add any more secure considerations in this document. So this element can be "zero" if you do not like to provide.
 

I don’t understand how your answer addresses my question. As far as I can tell, this document creates a new object that can contain personally identifiable information (PII). Is that incorrect?

Is there text in EPP that already talks about PII that can be cited?


[...]