Andrew & all,

[ Sorry I have been disconnected from this WG for a while, but am trying to catch up and re-engage. Apologies if I am revisiting old ground. ]

At 2016-12-09 10:03:28 -0500 Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
A logical conclusion should we decide to pursue this line of thinking is that there will be a need for identity providers who are able to issue user credentials to people who belong to specific communities of interest. Policies will need to be developed to determine which communities of interest get access to which data elements.
The nice thing, however, is that the demonstration shows how easily new policies of that sort could work. It's probably true that thousands of policies would be onerous, but I find it hard to imagine the scenario where we come up even with hundreds, so the approach ought to scale appropriately.
This is pretty much the kind of capability that I envisioned the whole time that we have been discussing RDS. It's nice to have a running example to help us all understand the possibilities. :)

----

I still think we're missing a big piece of the picture, which is how data about queries is handled by the operator of the RDAP service. Even though the "terms & conditions" scroll off my high-resolution monitor with a wall of legalese, the Verisign Labs terms & conditions do not seem to say anything about what happens to information about the queries I make. Presumably Verisign is logging these, but I don't know what they are logging or how long they keep this information. I don't know who has access to these logs.

I really think there should be a very few standard models for this, so that they can be explored in depth. This is in direct contradiction to the idea of every registry and/or registrar making their own walls of subtly-different legalese - which we should avoid at all cost. Such a set of standard "usage agreements" would also mean that a server can present these as data about the service.

----

Further, do people who have their domain information queried know about this? Personally I think this is a desirable goal; it would be nice to know how many spammers and/or LEA have been granted access to my data. ;) Again, a small set of standard practices for this seems highly desirable.

Cheers,

--
Shane