Gurshabad,
I first need to be clear that I oppose adding both sections that you've
provided to draft-ietf-regext-verificationcode. The sections that you've
provided are non-technical and are associated with policy elements. The REGEXT
working group has dealt with technical aspects of drafts. I don't believe the
REGEXT working group is qualified to effectively discuss and come to consensus
on policy elements. I recommend that inclusion of these sort of elements be
brought up to the IETF-level.
The thread with Andrew Newton did not clarify the applicability of the Privacy
Considerations, but addressed two technical issues related to fixing the
described relationship of the client with the server, and fixing the
inappropriate inclusion of a normative policy statement. The clearly out of
scope elements of the HR Considerations section include the following bulleted
items that are only associated with the VSP, and have nothing to do with
draft-ietf-regext-verificationcode.
* Depending on the information shared with the VSP and data sources
already available to it, the extension may also allow the VSP to
discriminate against registrants based on registrants' personal
characteristics, beliefs, or opinions. Even when such restrictions are
not applied, knowledge of the information being shared with the VSP
could create chilling effects on registrants' freedom of expression, and
freedom of association and assembly.
* The VSP may be a third party entrusted to carry out sensitive legal
decisions. Due to the lack of mechanisms in this extension that can
facilitate appeal and redressal of a rejection, the registrants' right
to legal transparency and remedy will also be impacted in such a situation.
The scope of draft-ietf-regext-verificationcode does not include the
verification process of the VSP by design. Any considerations section,
including the HR or the Privacy Considerations, need to be within the defined
scope of the draft.
Do others in the working group believe that either the verification process of
the VSP is in scope based on the current wording of the draft or that a
consideration section can cover something that is outside the defined scope of
the draft?
—
JG
James Gould
Distinguished Engineer
[email protected]
703-948-3271
12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>
On 12/21/18, 5:14 AM, "Gurshabad Grover" <[email protected]> wrote:
On 20/12/18 1:01 AM, Gould, James wrote:
>
> Your proposed Privacy Considerations section and much of your proposed
Human Rights Considerations section focuses on the interface of the VSP, which
is out-of-scope for draft-ietf-regext-verificationcode. The scope of
draft-ietf-regext-verificationcode is on the structure of the digitally signed
verification code, that represents proof of verification, and the interface
between the client (registrar) and the server (registry) to pass the
verification code. The role of the VSP is defined, but the VSP interface and
the concrete verifications is by design left out of
draft-ietf-regext-verificationcode, and therefore is out-of-scope.
>
I think the previous thread with Andrew Newton clarifies why the Privacy
Considerations are applicable. Could you be specific as to which HR
consideration is out of scope?
As you have already noted, the role of the VSP is defined and (therefore
presumably) in the scope of the document. Since most HR considerations
relate to the VSP's role, they are also in the scope of
draft-ietf-regext-verificationcode.
Thank you.
Gurshabad
_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext
