Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting

Comments (19)

1. 

   Nat Sakimura reporter

   • edited description

   • 2019-03-14T15:37:04+00:00
2. 

   Nat Sakimura reporter

   • changed title to Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting

   • 2019-03-14T15:37:44+00:00
3. 

   Michael Jones

   • assigned issue to
     
     Torsten Lodderstedt

   Nat will review the document in this regard in the future.

   • 2019-04-11T14:41:44+00:00
4. 

   Nat Sakimura reporter

   • assigned issue to
     
     Nat Sakimura

   • 2019-09-12T14:38:10+00:00
5. 

   Torsten Lodderstedt

   • changed milestone to Amendment

   • 2020-01-15T15:26:05+00:00
6. 

   Torsten Lodderstedt

   • changed status to open

   • 2020-01-26T03:17:06+00:00
7. 

   Torsten Lodderstedt

   • changed milestone to Implementers Draft 2

   • 2020-02-18T09:42:10+00:00
8. 

   Torsten Lodderstedt

   • changed milestone to Implementer's Draft 2

   • 2020-02-18T09:42:15+00:00
9. 

   Torsten Lodderstedt

   • removed milestone

   • 2020-02-26T15:54:13+00:00
10. 

    Torsten Lodderstedt

    Nat will start in April

    • 2020-03-04T15:32:20+00:00
11. 

    Nat Sakimura reporter

    Just reviewed it. Mostly OK.

    One sentence may be viewed as problematic.

    OP and RP MUST establish a legal basis before exchanging any personally identifiable information.

    It is basically saying that you MUST obey the law, which is obvious and should not be stated especially like this, because “you must obey the law” is always true. The following rewording may work:

    OP and RP MUST communicate the established lawful basis to the Data Subject before transferring any PII.

    In the following sentence, the phrase “in the course of OpenID process” appears.

    It can be established upfront or in the course of the OpenID process.

    Since the words are used to refer to the IPR regime in OpenID Foundation, I would avoid it and say “dynamically during the OpenID authorization request and response.”

    ‌

    ‌

    • 2020-04-21T09:57:17+00:00
12. 

    Stephane Mouy

    I think the language used is derived from GDPR, meaning in practice that OP and RP must establish the legal basis for the data request (most likely data subject consent, but other causes are possible).

    • 2020-04-22T12:13:02+00:00
13. 

    Nat Sakimura reporter

    So what about this?

    OP and RP MUST record the established lawful basis

    If there is any prospect of making it accessible to the PII principal by some kind of protocol, e.g., machine-readable form of ISO/IEC 29184 Privacy notice, then, having “MUST” here makes sense.

    • 2020-04-29T15:26:09+00:00
14. 

    Marcos Sanz

    Please don’t use RFC2119 language, this is not a protocol issue.

    • 2020-04-29T15:28:39+00:00
15. 

    Torsten Lodderstedt

    I‘m in favor of removing both sentences in the next revision.

    • 2020-05-01T09:01:46+00:00
16. 

    Torsten Lodderstedt

    • changed milestone to Implementer's Draft 3

    • 2020-05-05T06:20:55+00:00
17. 

    Torsten Lodderstedt

    • assigned issue to
      
      Torsten Lodderstedt

    remove the paragraph in Section 9 as discussed in the call today

    • 2020-05-06T15:58:25+00:00
18. 

    Torsten Lodderstedt

    see PR #30

    • 2020-05-13T13:44:30+00:00
19. 

    Mark Haine

    • changed status to resolved

    resolved by PR 30

    • 2020-06-24T15:53:06+00:00
20. Log in to comment