Brian, > Major Issues: > ------------- > > There is no explicit discussion of privacy in the draft, which seems to > me to carry evident privacy risks. For example, imagine an ISP that > kindly decides to support webfinger for all customers by default, > and preloads personally identifiable information without consent.
Barry commented on this indicating it is there. Per Dave's advice, I think we should make it clearer with subsections in the security section. > There is some relevant text in the Security Considerations: > > Further, WebFinger MUST NOT be used to provide any personal > information to any party unless explicitly or implicitly authorized > by the person whose information is being shared. > > However, the weakness there is the words "or implicitly". IANAL, but it > seems highly likely that would be illegal in the European Union, at least. I have no strong preference on this, but "implicit" was asked by some, since (as an example), your information might be shared via WebFinger inside a company for company use. > Has the draft been validated against the guidelines in > draft-iab-privacy-considerations? I have not, but Alissa was asked to weigh in (and she did). I trust she provided recommendations. (I've not gotten that far down the stack, yet.) Paul _______________________________________________ Gen-art mailing list [email protected] https://www.ietf.org/mailman/listinfo/gen-art
