My webmail client made a mistake and sent this message just to you. Thank you 
for telling me. If you hadn't told me, I wouldn't have noticed that my message 
wasn't sent to the whole Acme IETF group. So, without further hesitation, I am 
copying the contents of my second message here:

---Start of Message---

Since you speak as a WG chair, I clearly cannot anything, which is why I said 
in my email "if my opinion matters at all".

Also, note that the EU right-to-be-forgotten partially contravenes US CALEA 
laws. Therefore, it's not clear which of those two shall apply.

However, maybe it is out of scope. In my point of view, deleting data, except 
certificates and relevant authorizations, which, as Jacob said, may need to be 
retained for a longer period of time, protects the user's privacy.

Finally, what I meant (wrong phrasing in my original response) is that the CA 
ecosystem as a whole follows the best interests of the user and the CAs are 
required to comply with laws, which in this case isn't that clear. But this is 
another discussion, of course.

---End of Message---

And now my comments: Since it is out of scope, and possibly it is, I recommend 
that the wording isn't completely changed to "deactivation" but instead to 
"deactivation and/or deletion". That would allow for more possibilities to be 
taken into consideration.

Best wishes,
Jason

From: [email protected]
To: [email protected]
Subject: RE: [Acme] Account deactivation
Date: Tue, 24 May 2016 12:47:59 +0000

Did you mean to send this just to me?
 
You can say anything.  If you think a WG chair is wrong, you can talk to the 
other chair, and you can talk to the Area Director.
 
I think, pretty clearly, that local law enforcement and embedding it in the 
protocol, is out of scope of the WG as is data retention.  But please feel free 
to disagree publicly!!!
 

-- 
Senior Architect, Akamai Technologies
IM: [email protected] Twitter: RichSalz

From: Jason - [mailto:[email protected]]
Sent: Monday, May 23, 2016 8:32 PM
To: Salz, Rich
Subject: RE: [Acme] Account deactivation

Since you speak as a WG chair, I clearly cannot anything, which is why I said 
in my email "if my opinion matters at all".

Also, note that the EU right-to-be-forgotten partially contravenes US CALEA 
laws. Therefore, it's not clear which of those two shall apply.

However, maybe it is out of scope. In my point of view, deleting data, except 
certificates and relevant authorizations, which, as Jacob said, may need to be 
retained for a longer period of time, protects the user's privacy.

Finally, what I meant (wrong phrasing in my original response) is that the CA 
ecosystem as a whole follows the best interests of the user and the CAs are 
required to comply with laws, which in this case isn't that clear. But this is 
another discussion, of course.

Best regards,
Jason



> From: [email protected]
> To: [email protected]; [email protected]; [email protected]
> Subject: RE: [Acme] Account deactivation
> Date: Mon, 23 May 2016 23:07:16 +0000
>
> > Let me explain a bit more: Shall a CA receive a valid and trustworthy 
> > request for deletion of an account/authorization, the CA must totally erase 
> > any trace of data regarding that account
>
> Speaking as a WG chair, I disagree. EU data retention, like US Calea laws, 
> are outside the scope of the protocol.
>
> > CAs follow the best interests of the users, don't they?
>
> As commercial vendors, their shareholders should come first.
>
> Speaking as an individual, I support the MR.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme