Re: [apps-discuss] The authentication server id, was rfc5451bis
"Murray S. Kucherawy" <superuser@gmail.com> Mon, 25 March 2013 18:54 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A6A721F92BA for <apps-discuss@ietfa.amsl.com>; Mon, 25 Mar 2013 11:54:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g87h36X-mdmB for <apps-discuss@ietfa.amsl.com>; Mon, 25 Mar 2013 11:54:27 -0700 (PDT)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id ADCA121F9402 for <apps-discuss@ietf.org>; Mon, 25 Mar 2013 11:54:26 -0700 (PDT)
Received: by mail-we0-f171.google.com with SMTP id d46so3429483wer.2 for <apps-discuss@ietf.org>; Mon, 25 Mar 2013 11:54:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=rxnjwMqGkJ9oSx7g0nJ5V+387QLIUeq8/iohIaNuH7g=; b=AH1oEG2cfliV28g+Qqvf3ZSvLVYh2yj5ybZLpU+25e+mxts72bXTAGzcbRafPE0WBk FYflxd9HK6O+SqbPYoEQyvs4Pp3Nxb/ylHhmuRJY1rcKrArz3eqFtiB0zkOmlmHHVavl Auszyg4B1x6vIdX5TJFOhd4eTQKl2XEA0EwTIGMBA2XBrbKYCeXOL6IjrHU5UJoFkGRN rnXBD+WyTSnWBIaFYUJWN13FPqUPtPfHYzlmBuAG23IO5W8XcQ6MWAPVV+AUo46pZhKn mJ32MZAOJMIQGXr4v1Glj4IjU/MgA53fpmJoweK/6TGlDZBWuVw+4+g92BC31AkHU6uL W/lA==
MIME-Version: 1.0
X-Received: by 10.180.185.44 with SMTP id ez12mr27398096wic.33.1364237665662; Mon, 25 Mar 2013 11:54:25 -0700 (PDT)
Received: by 10.180.13.71 with HTTP; Mon, 25 Mar 2013 11:54:25 -0700 (PDT)
In-Reply-To: <515040D2.1080409@tana.it>
References: <CAL0qLwbgjnt8Msofok3ExKBmChtQPfMEFgrrZBimEzU5CYgSjA@mail.gmail.com> <CAKHUCzxfBtLTt3p3moGgEQx+p5kr=-e2Mn58xaqNvWFGiW=Lpw@mail.gmail.com> <514432BC.1010805@tana.it> <51443483.9030805@tana.it> <CAKHUCzwBrEPSVc4VtJMKZLm+5it3h7dLiW+YZ=_xO2OwP_rLoA@mail.gmail.com> <51458A59.8040206@tana.it> <CAL0qLwYEe9Wmvr-+eZL_yqChRf+a+11zRXCmW2Md9PGvH9PK-g@mail.gmail.com> <514DFAC8.7040406@tana.it> <CAL0qLwbqNUbPOYbXQEzM6X4=RLiqCQG2TbsO9A8PaE+a3Z3oNQ@mail.gmail.com> <514EEBB7.40205@tana.it> <CAL0qLwZZ3iB1BwtfK6TxooEzbTwSxm-KZYgcMMdPUp3OyMpMag@mail.gmail.com> <515040D2.1080409@tana.it>
Date: Mon, 25 Mar 2013 11:54:25 -0700
Message-ID: <CAL0qLwa4+na-bAauXN1cySyxLxrKWETONcVLc-Ncf5tdyhY+4w@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Alessandro Vesely <vesely@tana.it>
Content-Type: multipart/alternative; boundary="001a11c2257473803104d8c45546"
Cc: IETF Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] The authentication server id, was rfc5451bis
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2013 18:54:28 -0000
On Mon, Mar 25, 2013 at 5:19 AM, Alessandro Vesely <vesely@tana.it> wrote: > On Sun 24/Mar/2013 22:06:41 +0100 Murray S. Kucherawy wrote: > > I'm not in favour of changing to a grammar that matches current use to > > the exclusion of other uses without a good reason to do so. Since in > > the prose we talk about authserv-id being a domain name in the typical > > case but basically also say it could be anything the operator wants to > > use, I think "value" is the right thing there. > > Besides the parsability point (quotes), the intended use of this piece > of data is rather overloaded. Let me recap some requirements: > > 1. Identification of the ADMD for assessing trust relationships > (and possibly also for POP3 MUAs to send back complaints, > per Section 5.3 of RFC 6650), > I don't see a reference to this work there. > 2. uniqueness of the identifier, > This is key for identifying your own, but it doesn't speak to a necessary syntax. > 3. similar in syntax to a fully-qualified domain name, > There's nothing saying an ADMD can't use a simple word or even a single punctuation here (so long as it fits the grammar). Ideally it's most useful when it's in this form, but an ADMD could use "---" as an authserv-id and still get results useful to it. A complete sentence would also be valid. I can't think of a good reason to restrict this to look like a domain name if it doesn't actually represent a single DNS domain entity. One ADMD could be doing authentication service for lots of domains, but it's still one ADMD. If I run a service that does email authentication for tons of domains, why could I not use "Murray's Authentication Service" for an authserv-id? Or even the empty string? As long as the producer and consumer are consistent in their uses of it, all of your stated requirements are met. > 4. transport tracing data such as the SMTP queue ID or a timestamp > (semantic hints would also go here, e.g. "all signatures checked > but failures not reported" vs "checking stops on first success"), > This also doesn't appear to me to demand a specific format (as above). > 5. version identification, > That's not part of the authserv-id itself. > 6. examples of valid authentication identifiers are "example.com", > "mail.example.org", "ms1.newyork.example.com", and "example-auth". > The last string in that list is not what most people think of as a fully-qualified domain name, but as you point out, it's perfectly acceptable. > > Bullets #3 and #6 are compatible with "domain-name". By using domain > names in the traditional ways, even though they are not required to be > in the DNS, operators can easily implement #1 and #2. Conversely, > we'd need production rules to parse a "domain-name" inside the rest of > the "value" if the grammar were relaxed that way. > > Alternatively, we can meet #4 and #5 by relaxing or extending the > "version". For example: > > authres-header = "Authentication-Results:" [CFWS] authserv-id > [ [CFWS] separator [CFWS] ex-version ] > ( [CFWS] ";" [CFWS] "none" / 1*resinfo ) [CFWS] CRLF > > authserv-id = domain-name > > artext = ALPHA / DIGIT / ; RFC 5322 atext without "=" > "-" / "_" / > separator > > separator = "!" / "#" / ; dot-atom characters that cannot > "$" / "%" / ; be part of a domain-name > "&" / "'" / > "*" / "+" / > / "/" / > "?" / > "^" / > "`" / "{" / > "|" / "}" / > "~" > > ar-dot-text = 1*artext *("." 1*artext) > > ex-version = [CFWS] ar-dot-text [CFWS] > I think we're wandering off into some bikeshedding here. I'm curious to know if anyone else supports this more complicated notion. I certainly don't agree with making the "separator" be anything other than "/". The overall grammar is pretty clean right now: break on unescaped semicolons and you get paragraphs of useful information; the first paragraph is the authserv-id stuff, and everything else is "method=result" followed by relevant method parameters; any unescaped "/" followed by a number is a version. Is there a reason to complicate that? Semantically, allowing "anything the operator wants to use" conflicts > with the requirement that a parser explicitly knows it, in the new > Section 2.4. IMHO, unrecognized ex-versions could just be ignored, as > the format is determined by the field name. > How does it conflict? -MSK
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Dave Cridland
- [apps-discuss] draft-kucherawy-rfc5451bis Murray S. Kucherawy
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Murray S. Kucherawy
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Alessandro Vesely
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Alessandro Vesely
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Dave Cridland
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Alessandro Vesely
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Dave Cridland
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Murray S. Kucherawy
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Murray S. Kucherawy
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Alessandro Vesely
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Murray S. Kucherawy
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Alessandro Vesely
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Scott Kitterman
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Murray S. Kucherawy
- [apps-discuss] The authentication server id, was … Alessandro Vesely
- Re: [apps-discuss] The authentication server id, … Murray S. Kucherawy
- Re: [apps-discuss] The authentication server id, … Alessandro Vesely
- Re: [apps-discuss] The authentication server id, … Murray S. Kucherawy
- Re: [apps-discuss] The authentication server id, … Alessandro Vesely
- Re: [apps-discuss] The authentication server id, … John Levine
- Re: [apps-discuss] The authentication server id, … Murray S. Kucherawy
- Re: [apps-discuss] The authentication server id, … Alessandro Vesely
- Re: [apps-discuss] The authentication server id, … Murray S. Kucherawy
- Re: [apps-discuss] The authentication server id, … Alessandro Vesely
- Re: [apps-discuss] The authentication server id, … SM
- Re: [apps-discuss] The authentication server id, … John Levine
- Re: [apps-discuss] The authentication server id, … Murray S. Kucherawy
- Re: [apps-discuss] The authentication server id, … Alessandro Vesely
- Re: [apps-discuss] The authentication server id, … Murray S. Kucherawy
- Re: [apps-discuss] The authentication server id, … Alessandro Vesely
- Re: [apps-discuss] The authentication server id, … Murray S. Kucherawy
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Dave Cridland
- Re: [apps-discuss] draft-kucherawy-rfc5451bis Murray S. Kucherawy