[Ietf-not43] -02 requirements draft
Ted Hardie
Ted.Hardie@nominum.com
Fri, 8 Nov 2002 11:36:17 -0800 (PST)
Paul,

I think you might find that the rules actually vary quite a
bit from jurisdiction to jurisdiction. Without presuming to explain
this law, I note in particular that the EU privacy restrictions might
limit giving bulk information containing personal details to whomever
requests it.

I think we've wandered off track here, though, into the
policy question. The protocol requirements question is: does
CRISP need to support a query referral or other distributed
query mechanism in order to meet the service needs of the
concerned actors?

The requirements document lists a number of communities with
an interest in this service. In the past, some of those communities
(law enforcement, IPR, occasionally end customers) have expressed a
need that could be met by CRISP if it does support query referral
or other forms of query distribution. I believe that those needs
are actually best met by that mechanism rather than by aggregation
of all data in a single common source. As stated now, the CRISP
requirements specify that CRISP shall not require that kind of
data aggregation. This means we would have to rule those
requirements entirely out of scope for CRISP.

I understand why registrars are reluctant to take on this task
without knowing the extent of the costs involved. I support altering
3.2.3 to include language which constrains the mechanism to be
lightweight and which explicitly notes that this should require
privileged access. These should limit the incremental cost and limit
the numbers of accesses. Between those two, I believe we can mitigate
this risk without having to architect the system around this single
requirement.

regards,
Ted Hardie
>
> Ted,
> I see what you are saying, but I'd also like to point
> out that we (registrars) are already required to give the information
> (which I might add is completely and already public information)
> in bulk to whoever requests it. What I suggested
> is nothing different, except instead of charging the "law enforcement"
> $10K we charge $0K and make it easy for them to parse the info.
> I am also not a lawyer, but the concerns you cite
> don't seem to apply in this case IMO.
>
> Paul
>
> -----Original Message-----
> From: Ted Hardie [mailto:Ted.Hardie@nominum.com]
> Sent: Thursday, November 07, 2002 2:22 PM
> To: stahura@enom.com
> Cc: ietf-not43@lists.verisignlabs.com
> Subject: Re: [Ietf-not43] -02 requirements draft
>
>
> > It would probably be cheaper (not just dollars but cpu cycles)
> > for registrars/registries to just give
> > their information to a single "law enforcement",
> > say daily via an FTPed XML file, than to implement
> > and maintain a complex distributed query scheme.
> > IPR community would then just ask law enforcement to run their queries.
> >
> >
> > Paul
>
> Paul,
> I am not a lawyer, and I do not play one on the net. I would
> suggest, however, that you might want to ask one about the wisdom of
> the approach you suggest. Over the course of years, different
> jurisdictions have built up quite a bit of case law which relates to
> privacy and the limitations to discovery (in civil cases) and
> investigative search (in criminal cases). These might well
> have an effect on the workability of your suggestion.
> To repeat, I am not a lawyer; I am merely suggesting you
> might want to consult one.
> regards,
> Ted Hardie
>