Re: [regext] Privacy and HR considerations for draft-ietf-regext-verificationcode

["Gould, James" <jgould@verisign.com>]

Gurshabad,

Can you provide your latest proposed section(s) on the list for consideration by the WG?  

Thanks,
  
—
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 1/2/19, 11:44 AM, "Gould, James" <jgould@verisign.com> wrote:

    Gurshabad,
    
    For the defined purpose of draft-ietf-regext-verificationcode, the VSP needs to be defined as an entity, but the VSP's verification process is not defined and is out-of-scope.  The use of examples in an IETF draft does not classify as guidance.  The only obligation of the VSP within draft-ietf-regext-verificationcode is to generate a technically compliant verification code and to store the proof of verification and the generated verification code.  There is no concrete definition defined within draft-ietf-regext-verificationcode of: 
    - the forms of verifications performed by a VSP, 
    - the data that must be passed for verification, 
    - how the verification data is processed,
    - the data sources that are used to perform the verification,
    - the interface(s) or protocol(s) used by a VSP, and 
    - other policies and technical details of a VSP.  
    
    The majority of your considerations (Privacy and identified paragraphs from the HR) is focused on the policies and interfaces / protocols of the VSP that is by design out-of-scope from draft-ietf-regext-verificationcode.  
    
    My recommendation is to strictly focus your proposed considerations text on the scope of draft-ietf-regext-verificationcode, that includes the definition of the verification code (e.g., digitally signed, typed identifier that provides proof of verification) and the passing of the verification code between the client (registrar) and the server (registry) over EPP. 
    
        > I recommend that inclusion of these sort of elements be brought up to
        > the IETF-level.
        
        Not sure what you mean here. I think there is enough clarity from
        the chairs and the IESG that it is entirely up to the WG about what to
        include in the WG draft. [0][1][2]
      
    Yes, it is my position that the proposed text included in your proposed sections as non-technical and focused on policy elements that the WG is not qualified to discuss and come to consensus on.  If you desire to have these sort of sections in WG drafts, it is best for it to be handled at the IETF-level and not at the WG-level.
    
    Can you provide your latest proposed section(s) on the list for consideration by the WG?  
    
    We also need to continue to hear from others in the working group.
    
    Thanks,
    
    —
     
    JG
    
    
    
    James Gould
    Distinguished Engineer
    jgould@Verisign.com
    
    703-948-3271
    12061 Bluemont Way
    Reston, VA 20190
    
    Verisign.com <http://verisigninc.com/> 
    
    On 12/28/18, 5:49 AM, "Gurshabad Grover" <gurshabad@cis-india.org> wrote:
    
        On 26/12/18 8:02 PM, Gould, James wrote:
        > [...] The thread with Andrew Newton did not clarify the applicability of the Privacy Considerations, but addressed two technical issues related to fixing the described relationship of the client with the server, and fixing the inappropriate inclusion of a normative policy statement.  The clearly out of scope elements of the HR Considerations section include the following bulleted items that are only associated with the VSP, and have nothing to do with draft-ietf-regext-verificationcode. [...]     
        >  
        
        For the context of the considerations, let's look at some text from the
        draft:
        
        "The VSP has access to the local data sources and is authorized to
        verify the data. Examples include verifying that the domain name is not
        prohibited and verifying that the domain name registrant is a valid
        individual, organization, or business in the locality."
        
        "It is up to the VSP and the server to define the valid values for the
        "type" attribute. Examples of possible "type" attribute values include
        "domain" for verification of the domain name, "registrant" for
        verification of the registrant contact, or "domain-registrant" for
        verification of both the domain name and the registrant. The typed
        signed code is used to indicate the verifications that are done by the VSP."
        
        "The VSP MUST store the proof of verification and the generated
        verification code; and MAY store the verified data."
        
        So, the draft
        (1) describes the role of the VSP;
        (2) has guidance on what types of verification the VSP can perform; and
        (3) places certain obligations on the VSP.
        
        So, I think it's unfair to say that considerations that touch upon the
        VSP's role "have nothing to do with draft-ietf-regext-verificationcode."
        
        Re: text of the considerations...
        
        The proposed privacy considerations rely entirely on the draft and the
        guidance in RFC6973 (very commonly used across working groups to write
        privacy considerations). Specifically, the excerpts above and the
        following items in RFC6973:
        
        * "Are there expected ways that information exposed by the protocol will
        be combined or correlated with information obtained outside the
        protocol?" [3]
        
        * "Does the protocol provide ways for initiators to express individuals'
        preferences to recipients or intermediaries with regard to the
        collection, use, or disclosure of their personal data?" [4]
        
        The proposed text addresses these, and in fact, uses terminology from
        only the draft and RFC6973.
        
        Similarly, most HR considerations directly follow from the privacy
        considerations and rely on guidance in RFC8280. Specifically,
        
        * "Can your protocol contribute to filtering in such a way that it could
        be implemented to censor data or services?" [5]
        
        * "What is the potential for discrimination against users of your
        protocol?" [6]
        
        Open to further discussing the rationale behind the proposed text. Would
        also like to hear what others think.
        
        Thank you.
        Gurshabad
        
        PS.
        
        > I recommend that inclusion of these sort of elements be brought up to
        > the IETF-level.
        
        Not sure what you mean here. I think there is enough clarity from
        the chairs and the IESG that it is entirely up to the WG about what to
        include in the WG draft. [0][1][2]
        
        [0] https://youtu.be/LYYehA0LNRc?t=8690
        [1] https://www.ietf.org/mail-archive/web/regext/current/msg01991.html
        [2] https://www.ietf.org/mail-archive/web/regext/current/msg01993.html
        [3] https://tools.ietf.org/html/rfc6973#section-7.1
        [4] https://tools.ietf.org/html/rfc6973#section-7.2
        [5] https://tools.ietf.org/html/rfc8280#section-6.2.6
        [6] https://tools.ietf.org/html/rfc8280#section-6.2.13