Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-regext-rdap-openid-27> for your review
rfc-editor@rfc-editor.org Fri, 05 April 2024 21:54 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0841C1519B7; Fri, 5 Apr 2024 14:54:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.647
X-Spam-Level:
X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 575YQcGpzfWR; Fri, 5 Apr 2024 14:54:07 -0700 (PDT)
Received: from rfcpa.amsl.com (rfcpa.amsl.com [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C65FC14F5EE; Fri, 5 Apr 2024 14:54:07 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 0FA11192F7B5; Fri, 5 Apr 2024 14:54:07 -0700 (PDT)
To: shollenbeck@verisign.com
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, regext-ads@ietf.org, regext-chairs@ietf.org, zalbanna@verisign.com, superuser@gmail.com, auth48archive@rfc-editor.org
Content-type: text/plain; charset="UTF-8"
Message-Id: <20240405215407.0FA11192F7B5@rfcpa.amsl.com>
Date: Fri, 05 Apr 2024 14:54:07 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/n-VfHXVrBHh7NptmaSeqtOetDQE>
Subject: Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-regext-rdap-openid-27> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2024 21:54:11 -0000
Authors, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. 1) <!-- [rfced] To improve readability, would you like these sentences to be formatted more like a list? Original: This document uses the terms "client" and "server" as defined by RDAP [RFC7480]. This document uses the terms "Access Token", "Authorization Code", "Authorization Endpoint", "Authorization Grant", "Client Authentication", "Client Identifier", "Protected Resource", "Refresh Token", "Resource Owner", "Resource Server", and "Token Endpoint" defined by OAuth 2.0 [RFC6749]; the terms "Claim Name", "Claim Value", and "JSON Web Token (JWT)" defined by JSON Web Token (JWT) [RFC7519]; the terms "ID Token" and "UserInfo Endpoint" defined by OpenID Connect Core 1.0 [OIDCC]; and the term "JWT Access Token" defined by RFC 9068 [RFC9068]. Perhaps: This document uses the following terminology. Terms defined by [RFC7480]: * client * server Terms defined by [RFC6749]: * Access Token * Authorization Code * Authorization Endpoint * Authorization Grant * Client Authentication * Client Identifier * Protected Resource * Refresh Token * Resource Owner * Resource Server * Token Endpoint Terms defined by [RFC7519]: * Claim Name * Claim Value * JSON Web Token (JWT) Terms defined by [OIDCC]: * ID Token * UserInfo Endpoint Term defined by [RFC9068]: * JWT Access Token --> 2) <!--[rfced] As "capabilities" is plural, should "type" also be made plural? Note that this sentence occurs twice in Section 3.1.3. Original: An RDAP client sends an RDAP "help" query to an RDAP server to determine the type and capabilities of the OpenID Providers that are used by the RDAP server. Perhaps: An RDAP client sends an RDAP "help" query to an RDAP server to determine the types and capabilities of the OpenID Providers that are used by the RDAP server. --> 3) <!-- [rfced] We suggest updating Sections 4.1 and 5.1.1 to use definition lists <dl> instead of ordered lists <ol> because each item is in the form of term and definition. Please let us know if this is acceptable. --> 4) <!-- [rfced] Please review each artwork element in the xml file. Specifically, should any artwork element be tagged as sourcecode or another element? Additionally, please review the "type" attribute for the sourcecode elements in the XML file and let us know if any further changes are needed. If the current list of preferred values for "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt) does not contain an applicable type, then feel free to suggest a new one. Also, it is acceptable to leave the "type" attribute not set. --> 5) <!-- [rfced] FYI - In Section 5.1, we updated the following paragraph to a definition list, which matches the definition list in Section 4.2. Please let us know if there are any objections. Original: This specification describes two new data structures that are used to return information to a session-oriented client: a "farv1_session" data structure that contains information that describes an established session, and a "farv1_deviceInfo" data structure that contains information that describes an active attempt to establish a session on a UI-constrained device. Current: This specification describes two new data structures that are used to return information to a session-oriented client: "farv1_session": A data structure that contains information that describes an established session. "farv1_deviceInfo": A data structure that contains information that describes an active attempt to establish a session on a UI- constrained device. --> 6) <!-- [rfced] FYI - In Sections 5.2.1, 5.2.2, 5.2.4.1, and 5.2.4.2, we moved the instances of "NOTE:" regarding line wrapping into the artwork to match RFC 8792. --> 7) <!-- [rfced] Should the following lines also appear within the <artwork> element to match the examples in Sections 5.2.1 and 5.2.2? Section 4.2.1: https://example.com/rdap/domain/example.com?farv1_qp=legalActions Section 4.2.2 https://example.com/rdap/domain/example.com?farv1_dnt=true Section 5.2.1: https://example.com/rdap/farv1_session/login ... https://example.com/rdap/farv1_session/login Section 5.3: https://example.com/rdap/farv1_session/status Section 5.4: https://example.com/rdap/farv1_session/refresh Section 5.5: https://example.com/rdap/farv1_session/logout --> 8) <!-- [rfced] To match common usage, would you like to update "smart telephone" to "smartphone"? Original: This method requires an End-User to use a second device (such as a smart telephone) that has access to a web browser for entry of a code sequence that is presented on the UI- constrained device. --> 9) <!--[rfced] Would using a list improve the readability of this text? Original: The requests described in this document are typically performed in a specific sequence: "farv1_session/login" (or the related "farv1_session/device" and "farv1_session/devicepoll" requests) to start a session, "farv1_session/status" and/or "farv1_session/ refresh" to manage a session, and "farv1_session/logout" to end a session. Perhaps: The requests described in this document are typically performed in a specific sequence: 1. "farv1_session/login" (or the related "farv1_session/device" and "farv1_session/devicepoll" requests) to start a session, 2. "farv1_session/status" and/or "farv1_session/refresh" to manage a session, and 3. "farv1_session/logout" to end a session. --> 10) <!--[rfced] IANA Considerations A) Since the Value and Description columns are defined in Section 9.3 for the "Registration Data Access Protocol (RDAP) Query Purpose Values" registry, should a definition for the Reference column also be included? And should "Reference: RFC 9560" be added to each entry to match the registry? B) To make the Description of domainNameControl more concise, may we update it as follows? Original: Value: domainNameControl Description: Tasks within the scope of this purpose include creating and managing and monitoring a registrant's own domain name, including creating the domain name, updating information about the domain name, transferring the domain name, renewing the domain name, deleting the domain name, maintaining a domain name portfolio, and detecting fraudulent use of the Registrant's own contact information. Perhaps: Value: domainNameControl Description: Tasks within the scope of this purpose include, for a registrant's own domain name, creating the domain name, updating information about the domain name, transferring the domain name, renewing the domain name, deleting the domain name, maintaining a domain name portfolio, and detecting fraudulent use of the registrant's own contact information. C) To reflect the verbiage of other Descriptions in the "Registration Data Access Protocol (RDAP) Query Purpose Values" registry, may we update the Description of regulatoryAndContractEnforcement as follows? Original: Value: regulatoryAndContractEnforcement Description: Tasks within the scope of this purpose include tax authority investigation of businesses with online presence, Uniform Dispute Resolution Policy (UDRP) investigation, contractual compliance investigation, and registration data escrow audits. Perhaps: Value: regulatoryAndContractEnforcement Description: Tasks within the scope of this purpose include investigating the tax authority of businesses with online presences, investigating Uniform Domain-Name Dispute-Resolution Policy (UDRP), investigating contractual compliance, and registering data escrow audits. --> 11) <!--[rfced] Instead of using a link, may we update this sentence to use a citation and add a reference entry to the Informative References section? Original: The set of initial values used to populate the registry as described here are taken from the final report (https://www.icann.org/en/system/files/files/final-report- 06jun14-en.pdf) produced by the Expert Working Group on gTLD Directory Services chartered by the Internet Corporation for Assigned Names and Numbers (ICANN). Perhaps: The set of initial values used to populate the registry as described below are taken from the final report produced by the Expert Working Group on gTLD Directory Services chartered by the Internet Corporation for Assigned Names and Numbers (ICANN) [gTLD]. ... [gTLD] Expert Working Group on gTLD Directory Services (EWG), "Final Report from the Expert Working Group on gTLD Directory Services: A Next-Generation Registration Directory Service (RDS)", June 2014, <https://www.icann.org/en/system/files/files/final-report- 06jun14-en.pdf>. --> 12) <!-- [rfced] References A) The following OpenID Connect references appear to have been superseded by 2023 versions. As we were unable to find URLs to the previous versions, we have updated them to reflect the most current versions. Original: [OIDCC] OpenID Foundation, "OpenID Connect Core incorporating errata set 1", November 2014, <https://openid.net/specs/openid-connect-core-1_0.html>. Current: [OIDCC] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", December 2023, <https://openid.net/specs/openid-connect-core-1_0.html>. ... Original: [OIDCD] OpenID Foundation, "OpenID Connect Discovery 1.0 incorporating errata set 1", November 2014, <https://openid.net/specs/openid-connect-discovery- 1_0.html>. Current: [OIDCD] Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID Connect Discovery 1.0 incorporating errata set 2", December 2023, <https://openid.net/specs/openid-connect- discovery-1_0.html>. ... Original: [OIDCR] OpenID Foundation, "OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1", November 2014, <https://openid.net/specs/openid-connect- registration-1_0.html>. Current: [OIDCR] Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2", December 2023, <https://openid.net/specs/openid- connect-registration-1_0.html>. B) As the "application/x-www-form-urlencoded" section is mentioned within the body of the document when [HTMLURL] is cited, we have updated the URL of this reference to link to the whole document rather than the specific section. Original: [HTMLURL] Web Hypertext Application Technology Working Group (WHATWG), "URL (Living Standard)", September 2023, <https://url.spec.whatwg.org/#application/x-www-form- urlencoded>. Current: [HTMLURL] WHATWG, "URL (Living Standard)", March 2024, <https://url.spec.whatwg.org/>. --> 13) <!-- [rfced] Throughout the text, when citing non-RFC section numbers, the formats somewhat vary. For simplicity, would you like to update all instances to the following format to match how RFCs are referenced? Note that we haven't included every example below. Current: the "application/x-www-form-urlencoded" section of WHATWG URL Standard [HTMLURL] ... Section 5 of the OpenID Connect Core protocol [OIDCC] Perhaps: Section "application/x-www-form-urlencoded" of [HTMLURL] ... Section 5 of [OIDCC] --> 14) <!-- [rfced] Terminology A) The following terms are capitalized in the text but are lowercase in the corresponding cited RFCs. Should these be made lowercase to match the corresponding RFCs? Lowercase in RFC 6749: Access Token Authorization Code Authorization Code Flow Authorization Endpoint Authorization Grant Token Endpoint Token Request Token Response Lowercase in RFC 6750: "Bearer" authentication scheme Lowercase in RFC 8628 and only hyphenated when in attributive position (i.e., when followed by a noun): End User Lowercase in RFC 9068: JWT Access Token Additionally, should "Authorization Request" also be made lowercase to parallel usage in other previously published RFCs? B) The following terms appear to be used inconsistently throughout the document. Should they be made lowercase for consistency and to match the corresponding cited RFCs? Lowercase in RFC 6749: Client Authentication vs. client authentication Client Identifier vs. client identifier Protected Resource vs. protected resource Refresh Token vs. refresh token Resource Owner vs. resource owner Resource Server vs. resource server Lowercase in RFC 6750: "Authorization" header vs. authorization header Not consistently capitalized in RFC 7519: Claim Value vs. claim value C) Throughout the text, the following terminology appears to be used inconsistently. May we update to the version on the right to match more common usage? Identity Provider > identity provider issuer identifier > Issuer Identifier RDAP Client > RDAP client RDAP Server > RDAP server End-User Identifier > end-user identifier D) Might it be helpful to the reader to clarify the slash in cases like the following (i.e., does it stand for "and", "or", or "and/or")? Note that this appears in several places; the following is just an example. Original: An RDAP server/RP needs to be able to map an End-User's identifier to an OP. Perhaps: An RDAP server or RP needs to be able to map an End-User's identifier to an OP. E) We see "farv1" expanded two different ways. May we update both instances to the following to be consistent? Current: Federated Authentication for RDAP version 1 ... version 1 of a federated authentication method for RDAP Perhaps: federated authentication method for RDAP version 1 F) FYI - To match the OpenID Connect Core 1.0 reference, we updated one instance of "ID token" to "ID Token". Please let us know if there is any objection. --> 15) <!--[rfced] Acronyms A) FYI - We have added expansions for abbreviations upon first use per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each expansion in the document carefully to ensure correctness. Representational State Transfer (RESTful) B) For the term "OpenID Provider", may we update the first instance to be "OpenID Provider (OP)" and all subsequent instance to "OP"? --> 16) <!--[rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Note that our script did not flag any words in particular, but this should still be reviewed as a best practice. --> Thank you. RFC Editor/st/ap On Apr 5, 2024, at 2:51 PM, rfc-editor@rfc-editor.org wrote: *****IMPORTANT***** Updated 2024/04/05 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info/). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * rfc-editor@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9560.xml https://www.rfc-editor.org/authors/rfc9560.html https://www.rfc-editor.org/authors/rfc9560.pdf https://www.rfc-editor.org/authors/rfc9560.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9560-diff.html https://www.rfc-editor.org/authors/rfc9560-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9560-xmldiff1.html The following files are provided to facilitate creation of your own diff files of the XML. Initial XMLv3 created using XMLv2 as input: https://www.rfc-editor.org/authors/rfc9560.original.v2v3.xml XMLv3 file that is a best effort to capture v3-related format updates only: https://www.rfc-editor.org/authors/rfc9560.form.xml Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9560 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9560 (draft-ietf-regext-rdap-openid-27) Title : Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect Author(s) : S. Hollenbeck WG Chair(s) : James Galvin, Antoin Verschuren Area Director(s) : Murray Kucherawy, Orie Steele
- [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-regex… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-r… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-r… Hollenbeck, Scott
- Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-r… Sarah Tarrant
- Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-r… Hollenbeck, Scott
- Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-r… Sarah Tarrant
- Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-r… Hollenbeck, Scott
- [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-regex… Sarah Tarrant
- Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-r… Hollenbeck, Scott
- [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-regex… Sarah Tarrant
- Re: [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-r… Hollenbeck, Scott
- [auth48] [IANA] AUTH48: RFC-to-be 9560 <draft-iet… Sarah Tarrant
- [auth48] [IANA #1363266] [IANA] AUTH48: RFC-to-be… David Dong via RT
- Re: [auth48] [IANA #1363266] [IANA] AUTH48: RFC-t… Sarah Tarrant
- [auth48] AUTH48: RFC-to-be 9560 <draft-ietf-regex… Sarah Tarrant