Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode
"John R Levine" <johnl@taugh.com> Wed, 02 January 2019 20:55 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73FB0130F08 for <regext@ietfa.amsl.com>; Wed, 2 Jan 2019 12:55:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=D/2c5hRn; dkim=pass (1536-bit key) header.d=taugh.com header.b=Sv6b9Dr6
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FISG0B8o5fgN for <regext@ietfa.amsl.com>; Wed, 2 Jan 2019 12:55:52 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D791130F53 for <regext@ietf.org>; Wed, 2 Jan 2019 12:55:52 -0800 (PST)
Received: (qmail 75328 invoked from network); 2 Jan 2019 20:55:50 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=1263e.5c2d2556.k1901; bh=dLYiq2SCMzcUMYEgjxXwCA2bsNRNrvj2+0h7pixlqV4=; b=D/2c5hRnmNAQ363LrOOnDAVHslewjiozSZ9/TVgVGIjM6IUqVpHEAu0PhNIknpy6cr1WQRjaK7cFUWdt2V071SVwfOa8Fa5AW3vgJg3SdUdhjNlNlyac23MyFk3k/wjYzL8Aff3PB7EkQka9cn2wPl8oI6GQ7bSTXLec3yY5HHS63uh1TGkqNM8qsq6bu+eTeRO3UvKqAuWSOlAQycTg8DmFmyNYUQ+YHJNTvB58nbIwfigf1eEcKc/gnVpdKmQV
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=1263e.5c2d2556.k1901; bh=dLYiq2SCMzcUMYEgjxXwCA2bsNRNrvj2+0h7pixlqV4=; b=Sv6b9Dr63nj/za5M2300K+S5lCxmsp3GoBswfMqccxyzuHefdIjgm7m8PRGHrUqueSdVVQQNwH1nXZRmv2iOoxCQ8uGLUOvjasn4kGdBhJlfchrVoHFfBXXtVhDMPsUKvQ29NN9jsoW+pB6+pYdDimzKGVKHe3/rLEgUOnOE8JDJ47UADIIYuF2E/XKXAFGg4viKyhSO237eqzfpP9RTbDUyd8KVMZ2L29vVP/fxFI5vRxCWQdqNps00uzCvv1eb
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 02 Jan 2019 20:55:49 -0000
Date: Wed, 02 Jan 2019 15:55:49 -0500
Message-ID: <alpine.OSX.2.21.1901021548390.85512@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Adam Roach <adam@nostrum.com>
Cc: "regext@ietf.org" <regext@ietf.org>
In-Reply-To: <b5e53ff4-b975-9380-d689-b3bb922cf253@nostrum.com>
References: <41f72627-faf2-1fd4-b356-065b3cb98e2b@cis-india.org> <20181228194511.1ACBC200C07CD3@ary.qy> <01E9282A-0F48-4A39-837A-52CBB362571F@verisign.com> <alpine.OSX.2.21.1901021246440.84554@ary.qy> <b5e53ff4-b975-9380-d689-b3bb922cf253@nostrum.com>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1525206802-1546462549=:85512"
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/mfL8hCb8FFHPhaV9NWQRqyPzfiQ>
Subject: Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2019 20:55:54 -0000
On Wed, 2 Jan 2019, Adam Roach wrote: >> I don't understand why. The code is a signed token. Imagine the registry >> goes back to the signer asks about token 123-foo666 and the answer is >> "We're the Ministry, we signed it, of course it's valid. The details are >> secret." >> >> While that would not be my favorite way to work, and I can easily imagine >> other scenarios with auditing and transparency business requirements, why >> wouldn't that interoperate? > > If we're concerned merely with interoperation, the same is true of most -- > if not all -- normative keywords used in "Security Considerations" sections. > Your position might (or might not) be correct, but the logic of "2119 > language is only used for interoperabilty reasons" simply isn't true. I think there's a difference -- in security sections the goal is usually to prevent leakage or spoofing or something else that would allow a malicious party to interoperate with a victim. One part of good interop is not to interoperate with attackers. But that's not what's going on here. The signature shows that the token is valid, and unless I'm missing something, whatever you might learn from the thing the token represents is outside the scope of EPP. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly
- [regext] Privacy and HR considerations for draft-… Gurshabad Grover
- Re: [regext] Privacy and HR considerations for dr… John Levine
- Re: [regext] Privacy and HR considerations for dr… Adam Roach
- Re: [regext] Privacy and HR considerations for dr… Andrew Newton
- Re: [regext] Privacy and HR considerations for dr… Gould, James
- Re: [regext] Privacy and HR considerations for dr… Andrew Newton
- Re: [regext] Privacy and HR considerations for dr… Gurshabad Grover
- Re: [regext] Privacy and HR considerations for dr… Niels ten Oever
- Re: [regext] Privacy and HR considerations for dr… Andrew Newton
- Re: [regext] Privacy and HR considerations for dr… Andrew Newton
- Re: [regext] Privacy and HR considerations for dr… Niels ten Oever
- Re: [regext] Privacy and HR considerations for dr… Niels ten Oever
- Re: [regext] Privacy and HR considerations for dr… Andrew Newton
- Re: [regext] Privacy and HR considerations for dr… Niels ten Oever
- Re: [regext] Privacy and HR considerations for dr… Andrew Newton
- Re: [regext] Privacy and HR considerations for dr… Niels ten Oever
- Re: [regext] Privacy and HR considerations for dr… Adam Roach
- Re: [regext] Privacy and HR considerations for dr… Gould, James
- Re: [regext] Privacy and HR considerations for dr… Niels ten Oever
- Re: [regext] Privacy and HR considerations for dr… Gould, James
- Re: [regext] Privacy and HR considerations for dr… Gurshabad Grover
- Re: [regext] Privacy and HR considerations for dr… Gould, James
- Re: [regext] Privacy and HR considerations for dr… John Levine
- Re: [regext] Privacy and HR considerations for dr… Gurshabad Grover
- Re: [regext] Privacy and HR considerations for dr… John Levine
- Re: [regext] Privacy and HR considerations for dr… Thomas Corte
- Re: [regext] Privacy and HR considerations for dr… Niels ten Oever
- Re: [regext] Privacy and HR considerations for dr… Gould, James
- Re: [regext] Privacy and HR considerations for dr… Gould, James
- Re: [regext] Privacy and HR considerations for dr… John R Levine
- Re: [regext] Privacy and HR considerations for dr… Adam Roach
- Re: [regext] Privacy and HR considerations for dr… John R Levine
- Re: [regext] Privacy and HR considerations for dr… Gould, James
- Re: [regext] Privacy and HR considerations for dr… John R Levine
- Re: [regext] Privacy and HR considerations for dr… Gould, James
- Re: [regext] Privacy and HR considerations for dr… Gurshabad Grover