Robert Wilton has entered the following ballot position for draft-ietf-oauth-jwt-introspection-response-10: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Hi, Thank you for this document. I have a couple of process related questions regarding the legal aspects considered in chapter 9 on privacy that I would like to discuss with the other ADs on the telechat (hence raising it as a Discuss). My two questions are: (1) Is it appropriate for an RFC to specifying requirements relating to legal issues and laws? Note, I think that the guidance that is provides is really helpful and should be included in the document, but I'm a bit concerned as to whether a standards track RFC should be stating formal requirements/constraints related to enforcing legal requirements rather that providing non-normative guidance. (2) Related to the first question, if the IESG believes believes that providing such requirements is okay, a further question is whether using RFC 2119 language is appropriate, or whether this should use regular English? An example from section 9: The AS MUST ensure a legal basis exists for the data transfer before any data is released to a particular RS. The way the legal basis is established might vary among jurisdictions and MUST consider the legal entities involved. Regards, Rob _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
