ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Last Call: <draft-ietf-weirds-rdap-query-15.txt> (Registration Data Access Protocol Query Format) to Proposed Standard

2014-10-28 10:35:50
from [Andy Newton] [Permanent Link] 

On Oct 24, 2014, at 7:03 PM, Edward Lewis 
<edward(_dot_)lewis(_at_)icann(_dot_)org> wrote:


As far as HTML in email, I just don’t care anymore. ;)

If by “public information” you mean information that anyone can access,
then an anonymous user is explicitly permitted to be sent it.  If by
“anonymous” you mean a user without a proven identity, then any
information deemed consumable by the general public is explicitly
permitted to be sent.



It’s the word “explicitly” which is confusing me. How is it “explicit” that 
they are permitted access to the information? Are you assuming a specific 
authorization scheme or security service? Are you assuming/imposing some sort 
of public notification?


Just being pedantic.

Perhaps the second sentence is redundant, but I do see a difference (which
may be moot) in placing restrictions on what is sent vs. what can be
received.


I agree. There is a difference and that the sentence is redundant. As it stands 
I find it adds more confusion and does not really add a useful benefit.

-andy



From:  Andy Newton <andy(_at_)arin(_dot_)net>
Date:  Friday, October 24, 2014 at 14:00
To:  Edward Lewis <edward(_dot_)lewis(_at_)icann(_dot_)org>, "Hollenbeck, 
Scott"
<shollenbeck(_at_)verisign(_dot_)com>, "ietf(_at_)ietf(_dot_)org" 
<ietf(_at_)ietf(_dot_)org>,
"iesg(_at_)ietf(_dot_)org" <iesg(_at_)ietf(_dot_)org>
Cc:  "weirds(_at_)ietf(_dot_)org" <weirds(_at_)ietf(_dot_)org>
Subject:  Re: Last Call: <draft-ietf-weirds-rdap-query-15.txt>
(Registration Data Access Protocol Query Format) to Proposed Standard



I missed this due to all the HTML in the email...



How about this?

OLD:
"Implementers need to consider the policy and privacy implications of
returning information that was not explicitly requested."

NEW:
"Implementers need to consider the policy and privacy implications of
returning information that was not explicitly requested. Clients should
only receive information that they are explicitly authorized to
receive."


AlmostŠ²Servers should only send information that clients are explicitly
authorized to receive.²

The way it is worded is impossible to "enforce."


How does this work with anonymous access to public information, which is
how this information is served today? How do I ³explicitly" authorize an
anonymous user? I think the old text above is good enough and find the
next text (both versions) to be confusing.

-andy
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Last Call: <draft-ietf-weirds-rdap-query-15.txt> (Registration Data Access Protocol Query Format) to Proposed Standard, Edward Lewis
Next by Date:  Re: Last Call: <draft-ietf-weirds-rdap-query-15.txt> (Registration Data Access Protocol Query Format) to Proposed Standard, Andy Newton
Previous by Thread:  Re: Last Call: <draft-ietf-weirds-rdap-query-15.txt> (Registration Data Access Protocol Query Format) to Proposed Standard, Edward Lewis
Next by Thread:  Re: Last Call: <draft-ietf-weirds-rdap-query-15.txt> (Registration Data Access Protocol Query Format) to Proposed Standard, Edward Lewis
Indexes:  [Date] [Thread] [Top] [All Lists]