On Tuesday, November 1, 2016, Stephen Farrell <[email protected]> wrote:
> I am quite interested in discussing privacy issues if they
> exist here. (I don't however accept that corporate secrecy
> is a privacy issue.)

I don't see how, within a certificate, you can draw that line. We know people are deploying DNS names with PII (the U.K. tax office's naming scheme, for example, uses tax identifiers as subdomains). We know CAs are deploying subject naming information in certificates, and these are issued to natural persons. givenName and Surname are an example, but as Peter points out, CAs are issuing certificates for individuals (IV), and these are permitted to put the PII in the O field.

I appreciate the "data needed" viewpoint, but I don't agree with using the extant logs to justify that viewpoint, especially when you consider what the extant logs are presently logging, and what's desired to be logged.

I can appreciate you see a difference between corporate secrecy vs personal privacy - but perhaps you could articulate how that codifies into certificates being issued, or its technical relevance. I can understand that playing into discussions about which to punt on, but I don't feel you've done a good job articulating why you feel this distinction is relevant, or what end it serves, given the context of certificates.

> I'm entirely fine with discussion of privacy as it relates
> to CT, and would be glad to see that. My main point is that
> privacy is entirely different from corporate secrecy, and
> conflating the two would be an error.

Can you suggest a meaningful distinction between these two, as expressed in certificates?

> So going beyond the well understood use-cases has a number
> of risks.

Can you expand on what you see as well-understood? I thought both IV certs and QCP certs were well understood, at least within the context of the Web PKI.

> To reiterate: I'm very happy if we discuss privacy so long
> as we do not conflate that with corporate secrecy. There are
> requirements for both, but they are far from the same.

Can we infer that you're happy to discuss corporate secrecy as well? Could you expand on why you see these requirements as different?
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
