As far as HTML in email, I just don’t care anymore. ;)
If by “public information” you mean information that anyone can access,
then an anonymous user is explicitly permitted to be sent it. If by
“anonymous” you mean a user without a proven identity, then any
information deemed consumable by the general public is explicitly
permitted to be sent.
Just being pedantic.
Perhaps the second sentence is redundant, but I do see a difference (which
may be moot) in placing restrictions on what is sent vs. what can be
received.
From: Andy Newton <andy(_at_)arin(_dot_)net>
Date: Friday, October 24, 2014 at 14:00
To: Edward Lewis <edward(_dot_)lewis(_at_)icann(_dot_)org>, "Hollenbeck, Scott"
<shollenbeck(_at_)verisign(_dot_)com>, "ietf(_at_)ietf(_dot_)org"
<ietf(_at_)ietf(_dot_)org>,
"iesg(_at_)ietf(_dot_)org" <iesg(_at_)ietf(_dot_)org>
Cc: "weirds(_at_)ietf(_dot_)org" <weirds(_at_)ietf(_dot_)org>
Subject: Re: Last Call: <draft-ietf-weirds-rdap-query-15.txt>
(Registration Data Access Protocol Query Format) to Proposed Standard
I missed this due to all the HTML in the email...
How about this?
OLD:
"Implementers need to consider the policy and privacy implications of
returning information that was not explicitly requested."
NEW:
"Implementers need to consider the policy and privacy implications of
returning information that was not explicitly requested. Clients should
only receive information that they are explicitly authorized to
receive."
Almost… “Servers should only send information that clients are explicitly
authorized to receive.”
The way it is worded is impossible to "enforce."
How does this work with anonymous access to public information, which is
how this information is served today? How do I "explicitly" authorize an
anonymous user? I think the old text above is good enough and find the
next text (both versions) to be confusing.
-andy