<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org]
<b>On Behalf Of </b>Volker Greimann<br>
<b>Sent:</b> Monday, December 12, 2016 9:13 AM<br>
<b>To:</b> gnso-rds-pdp-wg@icann.org<br>
<b>Subject:</b> [EXTERNAL] Re: [gnso-rds-pdp-wg] One Way Gated Access to Data Might Work<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Interesting, but I am not sure this is ultimately what we should be looking for for one simple reason. This proposed implementation apparently does not provide for any differentiation between access levels except for the three authentification levels.
<o:p></o:p></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D">[SAH] No, not true. While this particular experiment includes three levels of access, the approach is designed to be tailored to make authorization and access control decisions based on a number
of different factors. What you currently see in my experiment is just one possibility. It already includes support for specification of query purpose (for example), and that information can be used to provide additional levels of access control based on the
policies implemented by the server operator.<o:p></o:p></span></p>
<p>So once one obtains and advanced authentification, one can access all data in the database, which I would consider insufficient differentiation. Access should be further scecialized on a "need to know" and "right to know" basis. For example, should a certified
and authentificated law enforcement agency have access to all registrant data or only to registrant data that applies to their jurisdiction (plus maybe an identifier that details which jurisdiction applies to a data set that agency cannot access).<o:p></o:p></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D">[SAH] The actual protocol proposal* I’ve developed includes support for specification of a query purpose that can be used to make more specific access control decisions. If other factors are
needed, they, too, can be included.<o:p></o:p></span></p>
<p>Similarly, would a IP rights holder have access to all data or only to just enough data needed to achieve their goal, which would likely be to contact the registrant?<o:p></o:p></p>
<p>In other words, the access level scheme should differentiate between levels of access much more and restrict that access to those with a right to access or a legitimate need to access without overstepping legal or jurisdictional boundaries.
<o:p></o:p></p>
<p>This proposed implementation it too simplistic.<o:p></o:p></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D">[SAH] In no way did I infer that the existing implementation is “final” or a complete solution. It is just an early proposal and an early experiment to demonstrate possibilities. I fully expect
to make revisions based on the outputs of this WG.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D">Scott<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D">* https://datatracker.ietf.org/doc/draft-hollenbeck-regext-rdap-openid/<o:p></o:p></span></p>
</div>
</body>
</html>