As far as HTML in email, I just don’t care anymore. ;) If by “public information” you mean information that anyone can access, then an anonymous user is explicitly permitted to be sent it. If by “anonymous” you mean a user without a proven identity, then any information deemed consumable by the general public is explicitly permitted to be sent. Just being pedantic. Perhaps the second sentence is redundant, but I do see a difference (which may be moot) in placing restrictions on what is sent vs. what can be received.

From: Andy Newton <andy@xxxxxxxx>
Date: Friday, October 24, 2014 at 14:00
To: Edward Lewis <edward.lewis@xxxxxxxxx>, "Hollenbeck, Scott" <shollenbeck@xxxxxxxxxxxx>, "ietf@xxxxxxxx" <ietf@xxxxxxxx>, "iesg@xxxxxxxx" <iesg@xxxxxxxx>
Cc: "weirds@xxxxxxxx" <weirds@xxxxxxxx>
Subject: Re: Last Call: <draft-ietf-weirds-rdap-query-15.txt> (Registration Data Access Protocol Query Format) to Proposed Standard

>I missed this due to all the HTML in the email...
>
>>>
>>>How about this?
>>>
>>>OLD:
>>>"Implementers need to consider the policy and privacy implications of
>>>returning information that was not explicitly requested."
>>>
>>>NEW:
>>>"Implementers need to consider the policy and privacy implications of
>>>returning information that was not explicitly requested. Clients should
>>>only receive information that they are explicitly authorized to
>>>receive."
>>
>>Almost... "Servers should only send information that clients are explicitly
>>authorized to receive."
>>
>>The way it is worded is impossible to "enforce."
>
>How does this work with anonymous access to public information, which is
>how this information is served today? How do I "explicitly" authorize an
>anonymous user? I think the old text above is good enough and find the
>next text (both versions) to be confusing.
>
>-andy