Re: [Last-Call] Opsdir last call review of draft-ietf-regext-rdap-reverse-search-24

On Tue, Aug 22, 2023 at 4:54 AM Mario Loffredo
<mario.loffredo@xxxxxxxxxx> wrote:
>
> [ML] Firstly, I would say at the outset that the authors and the WG have never thought of this feature as uncontrolled whereas it is based on the use of sensitive information.
>
> But, if on one side there are the privacy concerns to consider, on the other side there are some legitimate interests to pursue.
>
> The reasonable compromise is to make the RDAP reverse search based on PII accessible only to authorized users who are supported by lawful basis.
>
> For example, allowing the reverse search based on domain-entity relationship to registrars users but solely on their own domains and contacts.
>
> Such a concept is summarized in the following sentence of Section 13:
>
>    In general, given the sensitivity of this functionality, it SHOULD be
>    accessible to authorized users only, and for specific use cases only.
>
>
> SHOULD has been used instead of MUST for two main reasons:
>
> 1) The document describes a generic reverse search query model. Therefore, there might be reverse searches that are based on public information.
>
> 2) Provided that I don't have a legal background but, either when PII is used, I think we can't exclude implementations of this feature that are publicly accessible and are still compliant with laws or regulations that restrict the use of PII.

The email addresses and full names are not necessarily PII. They can
be, but they can also be related to role accounts and organizations as
a whole.

-andy
