[apps-discuss] The authentication server id, was rfc5451bis

Alessandro Vesely <vesely@tana.it> Mon, 25 March 2013 12:19 UTC

Return-Path: <vesely@tana.it>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E39AD21F8BA4 for <apps-discuss@ietfa.amsl.com>; Mon, 25 Mar 2013 05:19:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.719
X-Spam-Status: No, score=-4.719 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id A+7i1XzsydZl for <apps-discuss@ietfa.amsl.com>; Mon, 25 Mar 2013 05:19:33 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it []) by ietfa.amsl.com (Postfix) with ESMTP id E551E21F8BD4 for <apps-discuss@ietf.org>; Mon, 25 Mar 2013 05:19:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1364213971; bh=AZxcoQkUcr29n7QBLG5xBOZnvXXyljAkRJYIOtubhRw=; l=2884; h=Date:From:To:References:In-Reply-To; b=WhltP9jQLUtzWnOFW8dv1OFKzsUSzOnY2b4dVKP6yvWH4Ik4g+v6TY+PvkZX5CNrB xUG2ArNi8XrviV+3k1KTIiLEjf0SUphWXJPGWLfCkEkTJNg9tPN2ymJyPCaEDqQMOv J0gi52Dl4cmHdwYQ9NHTs0DE32odjUQAEbwwx6Nc=
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Mon, 25 Mar 2013 13:19:30 +0100 id 00000000005DC039.00000000515040D2.0000552F
Message-ID: <515040D2.1080409@tana.it>
Date: Mon, 25 Mar 2013 13:19:30 +0100
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: apps-discuss@ietf.org
References: <CAL0qLwbgjnt8Msofok3ExKBmChtQPfMEFgrrZBimEzU5CYgSjA@mail.gmail.com> <CAKHUCzxfBtLTt3p3moGgEQx+p5kr=-e2Mn58xaqNvWFGiW=Lpw@mail.gmail.com> <514432BC.1010805@tana.it> <51443483.9030805@tana.it> <CAKHUCzwBrEPSVc4VtJMKZLm+5it3h7dLiW+YZ=_xO2OwP_rLoA@mail.gmail.com> <51458A59.8040206@tana.it> <CAL0qLwYEe9Wmvr-+eZL_yqChRf+a+11zRXCmW2Md9PGvH9PK-g@mail.gmail.com> <514DFAC8.7040406@tana.it> <CAL0qLwbqNUbPOYbXQEzM6X4=RLiqCQG2TbsO9A8PaE+a3Z3oNQ@mail.gmail.com> <514EEBB7.40205@tana.it> <CAL0qLwZZ3iB1BwtfK6TxooEzbTwSxm-KZYgcMMdPUp3OyMpMag@mail.gmail.com>
In-Reply-To: <CAL0qLwZZ3iB1BwtfK6TxooEzbTwSxm-KZYgcMMdPUp3OyMpMag@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: [apps-discuss] The authentication server id, was rfc5451bis
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2013 12:19:34 -0000

On Sun 24/Mar/2013 22:06:41 +0100 Murray S. Kucherawy wrote:
> I'm not in favour of changing to a grammar that matches current use to
> the exclusion of other uses without a good reason to do so.  Since in
> the prose we talk about authserv-id being a domain name in the typical
> case but basically also say it could be anything the operator wants to
> use, I think "value" is the right thing there.

Besides the parsability point (quotes), the intended use of this piece
of data is rather overloaded.  Let me recap some requirements:

1. Identification of the ADMD for assessing trust relationships
   (and possibly also for POP3 MUAs to send back complaints,
   per Section 5.3 of RFC 6650),
2. uniqueness of the identifier,
3. similar in syntax to a fully-qualified domain name,
4. transport tracing data such as the SMTP queue ID or a timestamp
   (semantic hints would also go here, e.g. "all signatures checked
   but failures not reported" vs "checking stops on first success"),
5. version identification,
6. examples of valid authentication identifiers are "example.com",
   "mail.example.org", "ms1.newyork.example.com", and "example-auth".

Bullets #3 and #6 are compatible with "domain-name".  By using domain
names in the traditional ways, even though they are not required to be
in the DNS, operators can easily implement #1 and #2.  Conversely,
we'd need production rules to parse a "domain-name" inside the rest of
the "value" if the grammar were relaxed that way.

Alternatively, we can meet #4 and #5 by relaxing or extending the
"version".  For example:

     authres-header = "Authentication-Results:" [CFWS] authserv-id
              [ [CFWS] separator [CFWS] ex-version ]
              ( [CFWS] ";" [CFWS] "none" / 1*resinfo ) [CFWS] CRLF

     authserv-id = domain-name

     artext  = ALPHA / DIGIT /  ; RFC 5322 atext without "="
               "-" / "_" /

     separator =  "!" / "#" /   ; dot-atom characters that cannot
                  "$" / "%" /   ; be part of a domain-name
                  "&" / "'" /
                  "*" / "+" /
                      / "/" /
                        "?" /
                  "^" /
                  "`" / "{" /
                  "|" / "}" /

     ar-dot-text = 1*artext *("." 1*artext)

     ex-version = [CFWS] ar-dot-text [CFWS]

That way, we can be compatible with the current dot-atom, still allow
free use, and define the id.  It is grammatically involved, as bug
fixes often are.

Semantically, allowing "anything the operator wants to use" conflicts
with the requirement that a parser explicitly knows it, in the new
Section 2.4.  IMHO, unrecognized ex-versions could just be ignored, as
the format is determined by the field name.

> We also shouldn't be making changes that aren't either improvements
> to the prose or bug fixes to the normative parts.
> Keyword is probably fine for the other three you mentioned.  I'll make
> that change.  This is obviously a bug fix since, as you pointed out,
> "dot-atom" permits ambiguous productions.