IETF Logo Mail Archive

Re: [apps-discuss] The authentication server id, was rfc5451bis

"Murray S. Kucherawy" <superuser@gmail.com> Mon, 25 March 2013 18:54 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A6A721F92BA for <apps-discuss@ietfa.amsl.com>; Mon, 25 Mar 2013 11:54:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g87h36X-mdmB for <apps-discuss@ietfa.amsl.com>; Mon, 25 Mar 2013 11:54:27 -0700 (PDT)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id ADCA121F9402 for <apps-discuss@ietf.org>; Mon, 25 Mar 2013 11:54:26 -0700 (PDT)
Received: by mail-we0-f171.google.com with SMTP id d46so3429483wer.2 for <apps-discuss@ietf.org>; Mon, 25 Mar 2013 11:54:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=rxnjwMqGkJ9oSx7g0nJ5V+387QLIUeq8/iohIaNuH7g=; b=AH1oEG2cfliV28g+Qqvf3ZSvLVYh2yj5ybZLpU+25e+mxts72bXTAGzcbRafPE0WBk FYflxd9HK6O+SqbPYoEQyvs4Pp3Nxb/ylHhmuRJY1rcKrArz3eqFtiB0zkOmlmHHVavl Auszyg4B1x6vIdX5TJFOhd4eTQKl2XEA0EwTIGMBA2XBrbKYCeXOL6IjrHU5UJoFkGRN rnXBD+WyTSnWBIaFYUJWN13FPqUPtPfHYzlmBuAG23IO5W8XcQ6MWAPVV+AUo46pZhKn mJ32MZAOJMIQGXr4v1Glj4IjU/MgA53fpmJoweK/6TGlDZBWuVw+4+g92BC31AkHU6uL W/lA==
MIME-Version: 1.0
X-Received: by 10.180.185.44 with SMTP id ez12mr27398096wic.33.1364237665662; Mon, 25 Mar 2013 11:54:25 -0700 (PDT)
Received: by 10.180.13.71 with HTTP; Mon, 25 Mar 2013 11:54:25 -0700 (PDT)
In-Reply-To: <515040D2.1080409@tana.it>
References: <CAL0qLwbgjnt8Msofok3ExKBmChtQPfMEFgrrZBimEzU5CYgSjA@mail.gmail.com> <CAKHUCzxfBtLTt3p3moGgEQx+p5kr=-e2Mn58xaqNvWFGiW=Lpw@mail.gmail.com> <514432BC.1010805@tana.it> <51443483.9030805@tana.it> <CAKHUCzwBrEPSVc4VtJMKZLm+5it3h7dLiW+YZ=_xO2OwP_rLoA@mail.gmail.com> <51458A59.8040206@tana.it> <CAL0qLwYEe9Wmvr-+eZL_yqChRf+a+11zRXCmW2Md9PGvH9PK-g@mail.gmail.com> <514DFAC8.7040406@tana.it> <CAL0qLwbqNUbPOYbXQEzM6X4=RLiqCQG2TbsO9A8PaE+a3Z3oNQ@mail.gmail.com> <514EEBB7.40205@tana.it> <CAL0qLwZZ3iB1BwtfK6TxooEzbTwSxm-KZYgcMMdPUp3OyMpMag@mail.gmail.com> <515040D2.1080409@tana.it>
Date: Mon, 25 Mar 2013 11:54:25 -0700
Message-ID: <CAL0qLwa4+na-bAauXN1cySyxLxrKWETONcVLc-Ncf5tdyhY+4w@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Alessandro Vesely <vesely@tana.it>
Content-Type: multipart/alternative; boundary="001a11c2257473803104d8c45546"
Cc: IETF Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] The authentication server id, was rfc5451bis
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2013 18:54:28 -0000

On Mon, Mar 25, 2013 at 5:19 AM, Alessandro Vesely <vesely@tana.it> wrote:

> On Sun 24/Mar/2013 22:06:41 +0100 Murray S. Kucherawy wrote:
> > I'm not in favour of changing to a grammar that matches current use to
> > the exclusion of other uses without a good reason to do so.  Since in
> > the prose we talk about authserv-id being a domain name in the typical
> > case but basically also say it could be anything the operator wants to
> > use, I think "value" is the right thing there.
>
> Besides the parsability point (quotes), the intended use of this piece
> of data is rather overloaded.  Let me recap some requirements:
>
> 1. Identification of the ADMD for assessing trust relationships
>    (and possibly also for POP3 MUAs to send back complaints,
>    per Section 5.3 of RFC 6650),
>

I don't see a reference to this work there.


> 2. uniqueness of the identifier,
>

This is key for identifying your own, but it doesn't speak to a necessary
syntax.


> 3. similar in syntax to a fully-qualified domain name,
>

There's nothing saying an ADMD can't use a simple word or even a single
punctuation here (so long as it fits the grammar).  Ideally it's most
useful when it's in this form, but an ADMD could use "---" as an
authserv-id and still get results useful to it.  A complete sentence would
also be valid.

I can't think of a good reason to restrict this to look like a domain name
if it doesn't actually represent a single DNS domain entity.  One ADMD
could be doing authentication service for lots of domains, but it's still
one ADMD.  If I run a service that does email authentication for tons of
domains, why could I not use "Murray's Authentication Service" for an
authserv-id?  Or even the empty string?  As long as the producer and
consumer are consistent in their uses of it, all of your stated
requirements are met.


> 4. transport tracing data such as the SMTP queue ID or a timestamp
>    (semantic hints would also go here, e.g. "all signatures checked
>    but failures not reported" vs "checking stops on first success"),
>

This also doesn't appear to me to demand a specific format (as above).


> 5. version identification,
>

That's not part of the authserv-id itself.


> 6. examples of valid authentication identifiers are "example.com",
>    "mail.example.org", "ms1.newyork.example.com", and "example-auth".
>

The last string in that list is not what most people think of as a
fully-qualified domain name, but as you point out, it's perfectly
acceptable.


>
> Bullets #3 and #6 are compatible with "domain-name".  By using domain
> names in the traditional ways, even though they are not required to be
> in the DNS, operators can easily implement #1 and #2.  Conversely,
> we'd need production rules to parse a "domain-name" inside the rest of
> the "value" if the grammar were relaxed that way.
>
> Alternatively, we can meet #4 and #5 by relaxing or extending the
> "version".  For example:
>
>      authres-header = "Authentication-Results:" [CFWS] authserv-id
>               [ [CFWS] separator [CFWS] ex-version ]
>               ( [CFWS] ";" [CFWS] "none" / 1*resinfo ) [CFWS] CRLF
>
>      authserv-id = domain-name
>
>      artext  = ALPHA / DIGIT /  ; RFC 5322 atext without "="
>                "-" / "_" /
>                separator
>
>      separator =  "!" / "#" /   ; dot-atom characters that cannot
>                   "$" / "%" /   ; be part of a domain-name
>                   "&" / "'" /
>                   "*" / "+" /
>                       / "/" /
>                         "?" /
>                   "^" /
>                   "`" / "{" /
>                   "|" / "}" /
>                   "~"
>
>      ar-dot-text = 1*artext *("." 1*artext)
>
>      ex-version = [CFWS] ar-dot-text [CFWS]
>

I think we're wandering off into some bikeshedding here.  I'm curious to
know if anyone else supports this more complicated notion.  I certainly
don't agree with making the "separator" be anything other than "/".

The overall grammar is pretty clean right now: break on unescaped
semicolons and you get paragraphs of useful information; the first
paragraph is the authserv-id stuff, and everything else is "method=result"
followed by relevant method parameters; any unescaped "/" followed by a
number is a version.  Is there a reason to complicate that?

Semantically, allowing "anything the operator wants to use" conflicts
> with the requirement that a parser explicitly knows it, in the new
> Section 2.4.  IMHO, unrecognized ex-versions could just be ignored, as
> the format is determined by the field name.
>

How does it conflict?

-MSK

v2.23.0 | Report a Bug | By Email