I believe a proper response to Stephane and Peter's stated concerns in
privacy, is for a "Privacy in RDAP" document to be written which
becomes a reference back into the patterns like reverse search. I do
not believe we can expect to go forward without reverse-index lookup:
it is a fundamental tool in LEA, but is (in that context)
circumscribed by GDPR, probably to be authenticated user only: It
depends on OpenID or OAuth or some other wide ranging model of access
control we can agree to (given that registries do 302 redirect, you
would expect a client to need to present a federated auth token). Or,
when invoked, it has limits. Or some combination. The issues are not
something which should just be an addendum or appendix in another
document. They should be addressed first-class. Unlike EPP, this is
about privacy of data in public view, not about the maintenance of
records inside registry, it's about the access to that data from the
public globally-connected space.

I fundamentally believe that there is a huge role for "what are
related records from this person" queries. I do this from personal
experience, dealing with a hacked WHOIS account and seeking to find
the related resource records which showed signs of having been
tampered with from the maintainer's rights. I am sure there are other
use cases.

I also think we need to distinguish between individual,
organisational, and corporate-entity rights here. I am happy to see
individual rights to privacy defended. I am concerned we are walking
into a world where we routinely extend personal rights to corporate
rights and I do not take it as axiomatic the GDPR rules mean that
registered and incorporated entities have some assumed right to
privacy.

If we do that, if we separate things out, we can progress
partial-response and sorting/paging in one strand, and reverse-index
query in another, with the latter the only one affected by new work on
privacy in narrow sense. In wide, all work in RDAP has to consider the
privacy issue.

I would invite Stephane (and Peter) to write. They have the most
direct statements of concern, I think they are able to document the
concerns.

-G

_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext