Re: [regext] Roman Danyliw's Discuss on draft-ietf-regext-rdap-openid-25: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Sun, 05 November 2023 16:15 UTC

From: Roman Danyliw <rdd@cert.org>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>, "iesg@ietf.org" <iesg@ietf.org>
CC: "draft-ietf-regext-rdap-openid@ietf.org" <draft-ietf-regext-rdap-openid@ietf.org>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>, "regext@ietf.org" <regext@ietf.org>, "AlBanna, Zaid" <zalbanna@verisign.com>
Thread-Topic: [regext] Roman Danyliw's Discuss on draft-ietf-regext-rdap-openid-25: (with DISCUSS and COMMENT)
Thread-Index: AQHZ9mdqrmTvI+c9FEiCYdWLqyRKMrA5wj4AgDJXhkA=
Date: Sun, 05 Nov 2023 16:15:27 +0000
Message-ID: <BN2P110MB1107EF7ACAFBBD779A72EA9DDCABA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <169638518876.14299.2024110110860521781@ietfa.amsl.com> <7b8e735a8f7446d3982f8da8c88af019@verisign.com>
In-Reply-To: <7b8e735a8f7446d3982f8da8c88af019@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/lTZEAyvBUaE3V2Ih2o8TgoNQ7Zk>

Hi Scott!

Thanks for -26; it addresses all but the following feedback.  Please see below ...

> -----Original Message-----
> From: Hollenbeck, Scott <shollenbeck@verisign.com>
> Sent: Wednesday, October 4, 2023 11:29 AM
> To: rdd@cert.org; iesg@ietf.org
> Cc: draft-ietf-regext-rdap-openid@ietf.org; regext-chairs@ietf.org;
> regext@ietf.org; AlBanna, Zaid <zalbanna@verisign.com>
> Subject: Re: [regext] Roman Danyliw's Discuss on draft-ietf-regext-rdap-openid-
> 25: (with DISCUSS and COMMENT)
> 
> Thanks for the review, Roman. I'll reply below.
> 
> > -----Original Message-----
> > From: Roman Danyliw via Datatracker <noreply@ietf.org>
> > Sent: Tuesday, October 3, 2023 10:06 PM
> > To: The IESG <iesg@ietf.org>
> > Cc: draft-ietf-regext-rdap-openid@ietf.org; regext-chairs@ietf.org;
> > regext@ietf.org; AlBanna, Zaid <zalbanna@verisign.com>; AlBanna, Zaid
> > <zalbanna@verisign.com>
> > Subject: [EXTERNAL] Roman Danyliw's Discuss on draft-ietf-regext-rdap-
> > openid-25: (with DISCUSS and COMMENT)
> >
> > Roman Danyliw has entered the following ballot position for
> > draft-ietf-regext-rdap-openid-25: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> 
> [SAH] [snip]
> 
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------

[snip]

> > ** Section 11.
> >    An RDAP server
> >    operator SHOULD develop policies for information disclosure to ensure
> >    that personally identifiable information is disclosed only to clients
> >    that are authorized to process that information.
> >
> > Why is this not a MUST?  What are the circumstances where PII should
> > be disclosed without authorization?
> 
> [SAH] The SHOULD is about policy development, not information disclosure. I
> don't think a protocol specification like this can mandate development of an
> operational policy.

I read this text as the policy being the key thing that ensures there isn't disclosure of PII since the sentence construction is that the "RDAP server operator SHOULD ... <something> to ensure <disclosure doesn't happen>".  Is that not the intent?

Stepping back, is the thinking that RDAP operators could be operating without a policy around handling who gets PII in their data?

Per your comment of "I don't think a protocol specification like this can mandate development of an operational policy", why can a protocol spec say SHOULD but not MUST?  Policy or not, shouldn't RDAP operators ensure that whatever they do the "PII is disclosed only to clients that are authorized ..."?  Would using lower case words work for the guidance you want to provide, say "An RDAP server operator must develop and enforce policies for information disclosure ..."?

Roman