IETF Logo Mail Archive

Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode

Gurshabad Grover <gurshabad@cis-india.org> Fri, 28 December 2018 10:49 UTC

Return-Path: <gurshabad@cis-india.org>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D802130FEE for <regext@ietfa.amsl.com>; Fri, 28 Dec 2018 02:49:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l1rSy2jorUMF for <regext@ietfa.amsl.com>; Fri, 28 Dec 2018 02:49:54 -0800 (PST)
Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl [195.190.28.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00276130FEB for <regext@ietf.org>; Fri, 28 Dec 2018 02:49:53 -0800 (PST)
Received: from smtp.greenhost.nl ([213.108.110.112]) by smarthost1.greenhost.nl with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <gurshabad@cis-india.org>) id 1gcpi9-0005Ia-KI; Fri, 28 Dec 2018 11:49:50 +0100
From: Gurshabad Grover <gurshabad@cis-india.org>
To: "Gould, James" <jgould@verisign.com>, "regext@ietf.org" <regext@ietf.org>
References: <5f7d0b3e-c844-1700-c369-90bb41e8241e@cis-india.org> <CAAQiQReVnuwFBCA2vOwnwaUw8k+1TCK-5DO+KLsd=CWF3Lh8Cg@mail.gmail.com> <90404577-8405-c48f-351b-2c157a24de6d@cis-india.org> <CD20307A-3E10-414E-8463-E2233F3F9E99@verisign.com> <fbfe240c-7aed-a987-9cb5-3209ac56202b@cis-india.org> <E8B4732B-CF66-4257-A418-6EB3FB8487E3@verisign.com>
Openpgp: preference=signencrypt
Autocrypt: addr=gurshabad@cis-india.org; keydata= mQINBFriroIBEADfyDpCD8eborMUMXKtZzjo4t2KzrAlUVYgE/TFtrwUP+4Xw4dzakDIzST8 sVYmlXIWhM5NBBTZSQ190vsxrkbi0xxLcXYM2olZEtqkJ8zONZeZLBeGvcfMymtHqD4jHwYb Zm7OXnS45fWDL+HOoMP/VCwEn098rYfnllIkYQD1Gc28Ig+ywjGg8y5p0qMmmmhm2ckgLjnG MJX8t273MSc8wsn/UYH922yif3MQXmrzqgnRl9hRzf90SKqAw38bw7wccb55pIItloKYsi0r zYBKJSOPXn91Z21TpOSTy21M0MZYEAlDn1zeea+q8TggfHNWxOXoKrIm1pqZFRz0k+8i2siJ AHf8bRm/fhukA6szZ6b2nNPxjkAmOv9zvGu6RZGbmeLvQYVBSSnZ67ayZrkKwn7KIyAV6hQM /bVnD8eEZ2tZ0S8lxoZFYSNeMGt2b6WelFZO97/LbjxaJUHd9K8g5H0MwqN1NXoBxRwllVRC 3sVHVoWTBqnKo8qplzvQEAto69PpvuxxKTOFEJeQqmn1b/fo3sLRb4YiIg8Ax+Np7Huzzjk6 vKKgpIwIN7yEUj/ReWi/UA/W4wSg3XkcqTf7h73crnN/1At0PdgozbDV2UbcApaldStP4DfG UiQl0/7MiYLKapDDuSahmoeH3xrNnrzS9BAfuGHezzDbMyPLXQARAQABtCpHdXJzaGFiYWQg R3JvdmVyIDxndXJzaGFiYWRAY2lzLWluZGlhLm9yZz6JAj0EEwEIACcFAlriroICGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQrbl/X+ubfC7/bQ//YQv7zqQE433xxsN/ 3GYKoOFccBy3WvV4DxrTskJ3n3k5lfcZolbc8TQksQOTzyerNt2ZA7fsGZa7eFSW+xR4Yq3/ C9o+5FOoHGhyZhb+x17MILhmyvyUNSj7SdKrRISgurMbV2Vv8LxmTcdrK6CdFF6JLH+opzU1 NlRKwZqROPgbYZEB2QFIUbGfgh2I5AXNyV2XbT7fagfkHk+v9AUV7POP2H1+AZ1xq6iFTm2o 9ufNZsp2bInsDohcVBKC3aH2cnFMjvIXpNoUOx8vb5A2xW0aBUTTJDB/uZw53WOg3kehrCNb ZkML3FnDZLRuu1e8DSWmwk5YIoDzt5bMCgfUwb0C6Q+JuM8lC+8CEEa9qamLc+fhvFAzcrWp VWuSaVeLdhe5NxmtlRYNZdGuKy6sRHjwsEWlwzRylhm74fiDR3aA1eIFsfmYLd4z+i1Fp23Y dHJf7/Gor2CmOxphog9DEA9WCuORXfx4De7hoMKwW4gWKw1A8B12Cv4EOkXmCsWsOnfDEarr 2Yl6elxkhQRfKjAesXb0cezRzZgwsWIsbeYsuWFF7Xi6IzUJ27lxU3p5PcyY8O8aDYOn+pu0 YFJ7s3u2VRRgptVZJmkcN3WTApXSHY8fGl5xAakM/bqFJj9uj5zlMnFN2EplC6/mQkfYfy2f siaGTP/GQV4OSuOeuMK5Ag0EWuKuggEQAJ4lAzB72gHw4+rbyxmQNNVmvgYVZPjFtO/MQdYi x1QwRP/gxxqPqTd/ZwQvmPGzXRKw10B7uKSRk6YP12+IG0mXJwHGp9q5CWJE0XNGqX3UWbAc KIzxqPNpsf8e6Bv7jdW0YwLBxJ+RW0NNL6uAxz0sr2frbnS+EZB3cU+zOZzp/9YfTUZO2lxF NzgJoErKe/HLp7aBeJXBBcwO0LQlIT80rTZx2KihBa/Ww/y9E9gV/HacJu/Ncb6E/G3e4xGj 9w9L+UW43q01wy+FSUKy9FLc7D40WqQsj8SXZEpl84SyLcJRoX3mtj59bX2SAN2VB2BAksTu qCh00IcIUGfyHziu5PwUWYM96gOhDSocP4wSeiQ8TwLzaffllz2qhdI296a9lCIYIeWVytEd NU9jJ3RbzXAgE0pnDauNXDaQv1FS5jYi8rlslJUxKnrS69BFNjM5RqQ16Cm0C4rKL7/a8wHC r4VjcjSCM8Lzv8YOOitJ9Yt4Y8SVfO5s3YvxcdSr56nX0W3B1kGbG1GpqWTzOgXzGF5bIsbV 7SPecwUs9ShvmLmZzDUxIQ68n4zj3lMZn5I+pP+Ew6nAAiuSmKdr5cygnCH/NVJzil07t+X4 uR6oKHBhuMFYF1c6Wxk36m+EZz5ZHFaT4rN0WDIJdAEqRzD0Z56V6ansDF8y+ksh0SHlABEB AAGJAiUEGAEIAA8FAlriroICGwwFCQlmAYAACgkQrbl/X+ubfC50rhAAloTaq/fZC1gtiVtU wOB+00gEkjgmzt+rLkW+l2EySTST7tje57W83UZwzCX746B2O//Bqardxz9R1Vr0VFiwHA8g 3qeBqPqiv1WoQch/iZ5d/1MxK4A9xDag1uyqLR8RuGlZ8lATmcP3IabKiuiBV4MlFZ7V2Ib6 5ToPf28xxSyjMzTjQObIG0e009uHlu2z+iQVshLyoyVVAOWWa88D6iuBDC/EtBRjlpjLAjuR YhWVYX6KHdVUijKMHN2RqjpX5O2wPL7NcMY/wsTq7EteUeI75hxFvargRXkEt1XR8t52LC0u IE2OjpzY5re/ROUbfsqL8trjAOrSJ+Fx5H8AYl9JaoVxohhxDZgNtgNtPbh/8Nnlf9daj/bh lZcTBO98XLQwMnyHGPdyhIodpWPq2C09Ys3TkQsbcdMMB1pqnEK5Vz1zIKkEEX7QVsLdrz7C 2CFsauc/9PHj+4njCHslXtzBOiVu5FXTnbCwPrLJs5iEUkUCb6qtE/2mSCTrAanzOTTOmqiM cnNTI1Tj0ht462S9VypppQnKCv8shGxXG7BadZTv+pNCA/WfB2kk1sS3ZwB0wBWX4p41fxs+ ArM9ew2SzQ/vBrEfO7ljPfZZmBqH4t/vgAZBnOtTxCGlPEIJqiMqtGHRqIqpiR20QfxEUuXI MfMfa9QJpisdNmqoUyc=
Message-ID: <41f72627-faf2-1fd4-b356-065b3cb98e2b@cis-india.org>
Date: Fri, 28 Dec 2018 16:19:47 +0530
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <E8B4732B-CF66-4257-A418-6EB3FB8487E3@verisign.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="jO2L1lVAqw3jdGnXsA5VHJ76YoaQCoWhP"
X-Virus-Scanned: by clamav at smarthost1.samage.net
X-Scan-Signature: 50d93031f3c5812f4fafdc9644ec945e
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/jRVKesNuqAwGiozuwqm_QJO4etw>
Subject: Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Dec 2018 10:49:57 -0000

On 26/12/18 8:02 PM, Gould, James wrote:
> [...] The thread with Andrew Newton did not clarify the applicability of the Privacy Considerations, but addressed two technical issues related to fixing the described relationship of the client with the server, and fixing the inappropriate inclusion of a normative policy statement.  The clearly out of scope elements of the HR Considerations section include the following bulleted items that are only associated with the VSP, and have nothing to do with draft-ietf-regext-verificationcode. [...]     
>  

For the context of the considerations, let's look at some text from the
draft:

"The VSP has access to the local data sources and is authorized to
verify the data. Examples include verifying that the domain name is not
prohibited and verifying that the domain name registrant is a valid
individual, organization, or business in the locality."

"It is up to the VSP and the server to define the valid values for the
"type" attribute. Examples of possible "type" attribute values include
"domain" for verification of the domain name, "registrant" for
verification of the registrant contact, or "domain-registrant" for
verification of both the domain name and the registrant. The typed
signed code is used to indicate the verifications that are done by the VSP."

"The VSP MUST store the proof of verification and the generated
verification code; and MAY store the verified data."

So, the draft
(1) describes the role of the VSP;
(2) has guidance on what types of verification the VSP can perform; and
(3) places certain obligations on the VSP.

So, I think it's unfair to say that considerations that touch upon the
VSP's role "have nothing to do with draft-ietf-regext-verificationcode."

Re: text of the considerations...

The proposed privacy considerations rely entirely on the draft and the
guidance in RFC6973 (very commonly used across working groups to write
privacy considerations). Specifically, the excerpts above and the
following items in RFC6973:

* "Are there expected ways that information exposed by the protocol will
be combined or correlated with information obtained outside the
protocol?" [3]

* "Does the protocol provide ways for initiators to express individuals'
preferences to recipients or intermediaries with regard to the
collection, use, or disclosure of their personal data?" [4]

The proposed text addresses these, and in fact, uses terminology from
only the draft and RFC6973.

Similarly, most HR considerations directly follow from the privacy
considerations and rely on guidance in RFC8280. Specifically,

* "Can your protocol contribute to filtering in such a way that it could
be implemented to censor data or services?" [5]

* "What is the potential for discrimination against users of your
protocol?" [6]

Open to further discussing the rationale behind the proposed text. Would
also like to hear what others think.

Thank you.
Gurshabad

PS.

> I recommend that inclusion of these sort of elements be brought up to
> the IETF-level.

Not sure what you mean here. I think there is enough clarity from
the chairs and the IESG that it is entirely up to the WG about what to
include in the WG draft. [0][1][2]

[0] https://youtu.be/LYYehA0LNRc?t=8690
[1] https://www.ietf.org/mail-archive/web/regext/current/msg01991.html
[2] https://www.ietf.org/mail-archive/web/regext/current/msg01993.html
[3] https://tools.ietf.org/html/rfc6973#section-7.1
[4] https://tools.ietf.org/html/rfc6973#section-7.2
[5] https://tools.ietf.org/html/rfc8280#section-6.2.6
[6] https://tools.ietf.org/html/rfc8280#section-6.2.13

v2.23.0 | Report a Bug | By Email