[apps-discuss] The authentication server id, was rfc5451bis

[Alessandro Vesely <vesely@tana.it>]

On Sun 24/Mar/2013 22:06:41 +0100 Murray S. Kucherawy wrote:
> I'm not in favour of changing to a grammar that matches current use to
> the exclusion of other uses without a good reason to do so.  Since in
> the prose we talk about authserv-id being a domain name in the typical
> case but basically also say it could be anything the operator wants to
> use, I think "value" is the right thing there.

Besides the parsability point (quotes), the intended use of this piece
of data is rather overloaded.  Let me recap some requirements:

1. Identification of the ADMD for assessing trust relationships
   (and possibly also for POP3 MUAs to send back complaints,
   per Section 5.3 of RFC 6650),
2. uniqueness of the identifier,
3. similar in syntax to a fully-qualified domain name,
4. transport tracing data such as the SMTP queue ID or a timestamp
   (semantic hints would also go here, e.g. "all signatures checked
   but failures not reported" vs "checking stops on first success"),
5. version identification,
6. examples of valid authentication identifiers are "example.com",
   "mail.example.org", "ms1.newyork.example.com", and "example-auth".

Bullets #3 and #6 are compatible with "domain-name".  By using domain
names in the traditional ways, even though they are not required to be
in the DNS, operators can easily implement #1 and #2.  Conversely,
we'd need production rules to parse a "domain-name" inside the rest of
the "value" if the grammar were relaxed that way.

Alternatively, we can meet #4 and #5 by relaxing or extending the
"version".  For example:

     authres-header = "Authentication-Results:" [CFWS] authserv-id
              [ [CFWS] separator [CFWS] ex-version ]
              ( [CFWS] ";" [CFWS] "none" / 1*resinfo ) [CFWS] CRLF

     authserv-id = domain-name

     artext  = ALPHA / DIGIT /  ; RFC 5322 atext without "="
               "-" / "_" /
               separator

     separator =  "!" / "#" /   ; dot-atom characters that cannot
                  "$" / "%" /   ; be part of a domain-name
                  "&" / "'" /
                  "*" / "+" /
                      / "/" /
                        "?" /
                  "^" /
                  "`" / "{" /
                  "|" / "}" /
                  "~"

     ar-dot-text = 1*artext *("." 1*artext)

     ex-version = [CFWS] ar-dot-text [CFWS]

That way, we can be compatible with the current dot-atom, still allow
free use, and define the id.  It is grammatically involved, as bug
fixes often are.

Semantically, allowing "anything the operator wants to use" conflicts
with the requirement that a parser explicitly knows it, in the new
Section 2.4.  IMHO, unrecognized ex-versions could just be ignored, as
the format is determined by the field name.

> We also shouldn't be making changes that aren't either improvements
> to the prose or bug fixes to the normative parts.
> 
> Keyword is probably fine for the other three you mentioned.  I'll make
> that change.  This is obviously a bug fix since, as you pointed out,
> "dot-atom" permits ambiguous productions.

Thanks