IETF Logo Mail Archive

Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode

"Gould, James" <jgould@verisign.com> Wed, 19 December 2018 22:28 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 201C4130EEA for <regext@ietfa.amsl.com>; Wed, 19 Dec 2018 14:28:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U6dgLESo5xF1 for <regext@ietfa.amsl.com>; Wed, 19 Dec 2018 14:28:38 -0800 (PST)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1269F130EAE for <regext@ietf.org>; Wed, 19 Dec 2018 14:28:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=7498; q=dns/txt; s=VRSN; t=1545258518; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=04Hbf91SsIBBDTloid9BLcDICIhUZFA0tXNfJzwslmc=; b=HaeQ2qWXJExrjQbTIuJ2MOK9H+wOEBgydmdJ+dhDJPiTURGROYdFHNda ETn59f8OkL9tCYLYMCaWa+HA3MXpHVtKQjfKEy42ViVxpWhSle8MpU47o 1JcpmNaZptPKDx0KUDbJIuH6MzXugEWwxy1/YbRufZOVt6PxlUYnMOA3k fpeJ8TfLKCT9m9G9BcPXoI5pafXkD0YE5mRrUjZO4HoA0w7M1NGcfjruF rR4KxtxUTuSsw39pz+6TYn1M7sdZrE5fnw3iJb7QgPE2B9rXrAzv5/Sbk Sd+zdgdtvsKaX/EpKebX8a749IgvfUXIZskGcm8xD295Cd+EQ5T9K5PME g==;
X-IronPort-AV: E=Sophos;i="5.56,374,1539662400"; d="scan'208";a="6604892"
IronPort-PHdr: 9a23:DLri9BJbupIoeaAH/9mcpTZWNBhigK39O0sv0rFitYgXKv38rarrMEGX3/hxlliBBdydt6oUzbKO+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZLebxlLiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPdeRWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbYUwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr0yRD+s7bpkSAXwhSkHKTA37X3XhMJzgqJVoh2uqR1/zJLbbo6aL/d+YrjSfdYGSWZdRMtcVSpMCZ68YYsVCOoBOP5Vo4f8qVsJsBu+ARSjCPvywTFMnHD22LM10/8vHQrb2wEgHd0OsHPJrNXxKagfSv61w7fSzTXCdPNW2Dj96I7Sfh89pvGMWKt9fMzMwkchEAPFi0+fqY3jPz6NyOQCrXKb7+t7VeKuhG4nrQBxoj6zycs2lobJgYcVxkjF9Spn3IY1K8e0SElhYd6rFpZbqiKUN5NuT88/X21kojs2x78ItJKhYSQHyJoqywTQZvGEa4SE/w7vWPyMLTp6mH5pYq+zihmx/ES61+HxVdG40FhUoSdGjtXBs3UA2AbQ58WDUfRw+0ms1SiS2A3S7+xLOkQ5mKvZJpMkzLM9mJgevlnFEyTrgkv5lrWWeV8h+uWw7uTnZajpqYGEOo9vjwH+LrwumsuiAeQkKgQOX3aU+eC71LD74ED3XK1EguA2nafBv57VJNgXqrOjDw9Lzokj7Ay/Dy+83NsCgHYLNkxFeAicj4jvIV3BPPf4DfKnj1Stljdk2ezGM6X8DpnRNHTPjbXscLhn50JByAc+w8pT6p1XB70ZJfL8QE7xtNjWDh8jNAy0xv7qCNdy1oMZRGKPBrKWPbjMsVCW/OIvIvKMZI4auDb7MfQq+/nujXohlV8HYaapxYcXaGy/Hvl+J0WZYGHsgssaEWoRowU+TePqiFyeUTFJY3a9QqM85iogCIKnEIjMWIatgKCa3CuhGZ1WfG9GAEiWEXj0b4WER+sMaCWKL897jDMEWqauSoA91Ry1tQ/11aZnLuTO9i0fr5Lj24s92+qG3xUz7iBvJ8ic3GCRRmV4n3gTRjM72rxk50tnxR3Lhax5mOBDPdBS6PJVWwM2NIXHzuB3DczpHAXbcYHNABy8T9qrES0ZT98tzZkJeUk3U4G4gx/OzzaCArIJmfqMHpNioYzG2H2kbel61nLKkOEDhlwrWYEHYW+pgbN7+yDNCpTIiESWkeChcqFKj32Fz3uK0Wfb5BIQawV3S6iQBX0=
X-IPAS-Result: A2EvAAC9xBpc/zCZrQphAxwBAQEEAQEHBAEBgVMFAQELAYFagQ+BKQqDc5YikmCEfoE/Fx0IDAEYCwuDeEYCF4J3NgcNAQMBAQEBAQECAQECgQUMgjYiEjEcLwkBBQEBAQEBAScBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEIAggHNRIBARkBAQEDAQEhETobAgEIGAICJgICAiUBChUQAgQBEoJwMgGCEKgbgS+KLoELi0uBQT6BEScfgU5+gx4BAYE6ERYMCwomgkExgiYCiUmXawMGAocOgQuFJoQ5gV5Njy6JSIRzBosaAgQCBAUCFIFNAYIHcBU7KgGCQQmCR20BB4JDhRSFP3INJItpgS6BHwEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Wed, 19 Dec 2018 17:28:35 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1531.003; Wed, 19 Dec 2018 17:28:35 -0500
From: "Gould, James" <jgould@verisign.com>
To: "lists@digitaldissidents.org" <lists@digitaldissidents.org>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode
Thread-Index: AQHUlxVqlYBPqhgCwUiJL3hXFpv+MKWGLv8AgABFogCAAGz/gP//xJGA
Date: Wed, 19 Dec 2018 22:28:35 +0000
Message-ID: <CB9EDDD5-D58B-43F5-89AA-69924049BFA4@verisign.com>
References: <5f7d0b3e-c844-1700-c369-90bb41e8241e@cis-india.org> <CAAQiQReVnuwFBCA2vOwnwaUw8k+1TCK-5DO+KLsd=CWF3Lh8Cg@mail.gmail.com> <90404577-8405-c48f-351b-2c157a24de6d@cis-india.org> <CD20307A-3E10-414E-8463-E2233F3F9E99@verisign.com> <5ce769c3-b8bb-c591-1ccd-6582b86f9e9f@digitaldissidents.org>
In-Reply-To: <5ce769c3-b8bb-c591-1ccd-6582b86f9e9f@digitaldissidents.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.3.181015
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <B08E85F63AFA994BA14E4DDE4C92B7D3@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/cyffyD9-ITuVpcMGrwBYyYiHD64>
Subject: Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2018 22:28:42 -0000

Niels,
 
By design, draft-ietf-regext-verificationcode does not define the verification process or data, which maximizes its usefulness to a wide variety of situations.  In this manner, it is in keeping with other REGEXT-originated RFCs (e.g. EPP, RDAP, etc).
 
The scope of draft-ietf-regext-verificationcode is very clear and relatively limited -- the structure of the verification code and the passing of the verification code -- and Considerations sections are not where the scope of the draft would be broadened.
 
I am not making a declaration, but I'm expressing my position that the Considerations should focus strictly on the scope of the draft.  It's up to the working group to decide, but if we start considering the verification process, we are (inappropriately, I’d offer) focusing on elements not defined within draft-ietf-regext-verificationcode.    
 
Thanks,
  
—
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 12/19/18, 4:01 PM, "regext on behalf of Niels ten Oever" <regext-bounces@ietf.org on behalf of lists@digitaldissidents.org> wrote:

    On 12/19/18 8:31 PM, Gould, James wrote:
    > Gurshabad,
    > 
    > Your proposed Privacy Considerations section and much of your proposed Human Rights Considerations section focuses on the interface of the VSP, which is out-of-scope for draft-ietf-regext-verificationcode.  The scope of draft-ietf-regext-verificationcode is on the structure of the digitally signed verification code, that represents proof of verification, and the interface between the client (registrar) and the server (registry) to pass the verification code.  The role of the VSP is defined, but the VSP interface and the concrete verifications is by design left out of draft-ietf-regext-verificationcode, and therefore is out-of-scope.  Niels support for inclusion based on “causation, and more specifically the priority events” is beyond the scope of draft-ietf-regext-verificationcode and is not applicable.  We need to ensure to keep the technical and considerations text strictly focused on the defined scope of the draft.
    >   
    So if the verification code is a verification that X happened, your argument is that the verification code technically has nothing to do with X ? 
    
    I am sorry but that is pretty far fetched imho. I am not sure whether the author can declare this out-of-scope.
    
    Best,
    
    Niels
    
    > —
    >  
    > JG
    > 
    > James Gould
    > Distinguished Engineer
    > jgould@Verisign.com
    > 
    > 703-948-3271
    > 12061 Bluemont Way
    > Reston, VA 20190
    > 
    > Verisign.com <http://verisigninc.com/> 
    > 
    > On 12/19/18, 5:22 AM, "regext on behalf of Gurshabad Grover" <regext-bounces@ietf.org on behalf of gurshabad@cis-india.org> wrote:
    > 
    >     On 19/12/18 2:34 AM, Andrew Newton wrote:
    >     > 
    >     > I thought the token was passed by the EPP client (registrar) to the
    >     > EPP server (registry), the purpose of which is to show that the
    >     > verification occurred before the transaction.
    >     > 
    >     
    >     Thanks for pointing that out. A better way to phrase my concern would
    >     have been that the extension's functioning is dependent on data being
    >     shared with the VSP. The draft does describe some (not all of the
    >     necessary) aspects of that data sharing.
    >     
    >     Agree that the text could have been more accurate in reflecting that.
    >     Changes are incorporated below (will review the HRC section again in
    >     this light as well); for now, hope this reads better:
    >     
    >     Privacy Considerations
    >     ----------------------
    >     The working of the described extension depends on the sharing of data of
    >     (or generated by) registrants with the Verification Service Provider
    >     (VSP), which is a third party. The specification leaves the scope of
    >     information shared with and stored by the VSP up to the policies of the
    >     locality. There may be no mechanisms for registrants to express
    >     preference for what information should shared with the VSP, in which
    >     case, registrants' sensitive personal information directly linked to the
    >     identities of the individual, such as contained in the contact mapping
    >     object, may be exposed to the VSP without user control. This personal
    >     information may be further correlated with other data sources available
    >     to the VSP.
    >     
    >     If a client seeks to implement or offer this extension, it MUST inform
    >     the registrant about about the exact information to be shared with the VSP.
    >     
    >     
    > 
    > _______________________________________________
    > regext mailing list
    > regext@ietf.org
    > https://www.ietf.org/mailman/listinfo/regext
    > 
    
    -- 
    Niels ten Oever
    Researcher and PhD Candidate
    Datactive Research Group
    University of Amsterdam
    
    PGP fingerprint	   2458 0B70 5C4A FD8A 9488  
                       643A 0ED8 3F3A 468A C8B3
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email