Good Morning,

Thanks George, I like this thought process. One additional thing I would like to add is the discussions of privacy at a higher level. For those that did not attend the Plenary Wednesday, there were some good privacy presentations and shows that privacy is an issue that needs to be addressed across many protocol/standards development. Maybe George's suggested "Privacy in RDAP" is a good first step to take and might even be helpful outside the RDAP concept.

Does anyone know of current work at IETF specifically addressing privacy that could be leveraged by REGEXT? Additionally, is there a larger privacy effort going on within the IETF that the suggested "Privacy in RDAP" should be aware of and possibly get direction from?

Thanks
Roger

-----Original Message-----
From: regext <[email protected]> On Behalf Of George Michaelson
Sent: Friday, July 26, 2019 8:26 AM
To: [email protected]
Subject: Re: [regext] on RDAP milestones

Notice: This email is from an external sender.

I believe a proper response to Stephane's and Peter's stated concerns in privacy is for a "Privacy in RDAP" document to be written which becomes a reference back into the patterns like reverse search.

I do not believe we can expect to go forward without reverse-index lookup: it is a fundamental tool in LEA, but is (in that context) circumscribed by GDPR, probably to be authenticated user only: It depends on OpenID or OAuth or some other wide ranging model of access control we can agree to (given that registries do 302 redirect, you would expect a client to need to present a federated auth token). Or, when invoked, it has limits. Or some combination.

The issues are not something which should just be an addendum or appendix in another document. They should be addressed first-class. Unlike EPP, this is about privacy of data in public view, not about the maintenance of records inside registry, it's about the access to that data from the public globally-connected space.

I fundamentally believe that there is a huge role for "what are related records from this person" queries. I do this from personal experience, dealing with a hacked WHOIS account and seeking to find the related resource records which showed signs of having been tampered with from the maintainer's rights. I am sure there are other use cases.

I also think we need to distinguish between individual, organisational, and corporate-entity rights here. I am happy to see individual rights to privacy defended. I am concerned we are walking into a world where we routinely extend personal rights to corporate rights and I do not take it as axiomatic the GDPR rules mean that registered and incorporated entities have some assumed right to privacy.

If we do that, If we separate things out, we can progress partial-response and sorting/paging in one strand, and reverse-index query in another, with the latter the only one affected by new work on privacy in narrow sense. In wide, all work in RDAP has to consider the privacy issue.

I would invite Stephane (and Peter) to write. They have the most direct statements of concern, I think they are able to document the concerns.

-G

_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext
