Re: [Captive-portals] Remediation url for CAPPORT

Tommy Pauly <tpauly@apple.com> Mon, 20 January 2020 05:05 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F8E8120099 for <captive-portals@ietfa.amsl.com>; Sun, 19 Jan 2020 21:05:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J0sR7j-j9Da3 for <captive-portals@ietfa.amsl.com>; Sun, 19 Jan 2020 21:05:14 -0800 (PST)
Received: from ma1-aaemail-dr-lapp01.apple.com (ma1-aaemail-dr-lapp01.apple.com [17.171.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8C7C1200A3 for <captive-portals@ietf.org>; Sun, 19 Jan 2020 21:05:13 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp01.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp01.apple.com (8.16.0.27/8.16.0.27) with SMTP id 00K52vVe051336; Sun, 19 Jan 2020 21:05:09 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : content-type : content-transfer-encoding : from : mime-version : subject : date : message-id : references : cc : in-reply-to : to; s=20180706; bh=2aBYlUxCDgMMNXR4OTNiX5+acxe+/3cynWPDPy5iE0g=; b=Qel3H81T1zQQY+o7yCboh6sfTthd+w+bUD7F1UCWIIALxyblBcFo27RhlHqBmdImPG8b IYmQxvGAGP4cO7UDtQfwpvk8xWE852rNxg45TpcpbbzfrjasPLNqa/8jZAu8n0dS9D0z BjP09+oo8QYCAP/jC+74rGJ3IZyvu1jGowgdsFNOPTeyeb1x1nD4j172BzGJHgExG6On ayJIDgV4rKoSG8hxt2pAhgNhhy4DTAdUKisg6vEHhVJA4uDiWLrIY/qwOMroZ0x8SDju DYMkC2vTeIeDbC90hj6uDVVUz2DLXADbp4W1xjjNS1RQrw3C2baGztAbzANq1MPxuywC iA==
Received: from ma-mailsvcp-mta-lapp04.corp.apple.com (ma-mailsvcp-mta-lapp04.corp.apple.com [10.226.18.136]) by ma1-aaemail-dr-lapp01.apple.com with ESMTP id 2xm1j7dre1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Sun, 19 Jan 2020 21:05:09 -0800
Received: from ma-mailsvcp-mmp-lapp04.apple.com (ma-mailsvcp-mmp-lapp04.apple.com [17.32.222.17]) by ma-mailsvcp-mta-lapp04.corp.apple.com (Oracle Communications Messaging Server 8.1.0.1.20190704 64bit (built Jul 4 2019)) with ESMTPS id <0Q4E00LJ43GL6T00@ma-mailsvcp-mta-lapp04.corp.apple.com>; Sun, 19 Jan 2020 21:05:09 -0800 (PST)
Received: from process_milters-daemon.ma-mailsvcp-mmp-lapp04.apple.com by ma-mailsvcp-mmp-lapp04.apple.com (Oracle Communications Messaging Server 8.1.0.1.20190704 64bit (built Jul 4 2019)) id <0Q4D00300Y50ED00@ma-mailsvcp-mmp-lapp04.apple.com>; Sun, 19 Jan 2020 21:05:09 -0800 (PST)
X-Va-A:
X-Va-T-CD: 9be1fe1ce016b5d1c06c2ea623e3e596
X-Va-E-CD: c8bcc3b38ffaa402db9f454ecb937c3b
X-Va-R-CD: b796d79ffa039dc8707314280a8bcb24
X-Va-CD: 0
X-Va-ID: f03e9848-2450-45bd-a886-cb8ea57cb1eb
X-V-A:
X-V-T-CD: 9be1fe1ce016b5d1c06c2ea623e3e596
X-V-E-CD: c8bcc3b38ffaa402db9f454ecb937c3b
X-V-R-CD: b796d79ffa039dc8707314280a8bcb24
X-V-CD: 0
X-V-ID: 146cb785-1108-49c7-b607-bf330de2babc
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2020-01-19_08:,, signatures=0
Received: from [17.234.231.132] (unknown [17.234.231.132]) by ma-mailsvcp-mmp-lapp04.apple.com (Oracle Communications Messaging Server 8.1.0.1.20190704 64bit (built Jul 4 2019)) with ESMTPSA id <0Q4E00ZCL3GKQJ70@ma-mailsvcp-mmp-lapp04.apple.com>; Sun, 19 Jan 2020 21:05:09 -0800 (PST)
Sender: tpauly@apple.com
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: quoted-printable
From: Tommy Pauly <tpauly@apple.com>
MIME-version: 1.0 (1.0)
Date: Sun, 19 Jan 2020 21:05:05 -0800
Message-id: <25E07AEE-38AB-4EFC-A801-9CF4C80DC42D@apple.com>
References: <CAKD1Yr1G8peXKMjjz_K-=CgHdZnj_+E0ZOS6s9bLK0X9DitBMw@mail.gmail.com>
Cc: Remi NGUYEN VAN <reminv=40google.com@dmarc.ietf.org>, Erik Kline <ek@loon.com>, Erik Kline <ek.ietf@gmail.com>, captive-portals <captive-portals@ietf.org>, Heng Liu <liucougar@google.com>
In-reply-to: <CAKD1Yr1G8peXKMjjz_K-=CgHdZnj_+E0ZOS6s9bLK0X9DitBMw@mail.gmail.com>
To: Lorenzo Colitti <lorenzo@google.com>
X-Mailer: iPhone Mail (18A204a)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-19_08:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/G9uFYvgbdsylMshN6tJJNViyzns>
Subject: Re: [Captive-portals] Remediation url for CAPPORT
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 05:05:18 -0000

Lorenzo, my impression is that the User Portal URL (already distinct from the Venue URL) should cover that use case; or at least we should encourage it to be so. Once a user is logged in, the page generally won’t just show a new log in. If for some reason the renew page needs to be a different URL, it could simply redirect the user portal URL whenever the user is logged in.

If we have three URLs, then we’d have two URLs, the User Portal the new Extend URL, that would each only be useful at certain mutually exclusive times: one before log in and one while logged in. That seems like an easy opportunity to encourage portal designers to have a single page, so we don’t have a UI in android or iOS that ever presents a link that takes you to a useless “you’re logged in” page.

I’m all for having the venue URL be distinct, but let’s just use a Boolean to indicate if the user portal URL is a useful URL while logged in or not. 

Tommy

> On Jan 19, 2020, at 8:50 PM, Lorenzo Colitti <lorenzo@google.com> wrote:
> 
> I do think something is needed here because we don't want the device
> to put up a "you're running out of time, please click here to extend"
> prompt/notification, if tapping that prompt goes to a page that just
> says "you're logged in" without allowing the user to extend. If the
> network doesn't support extending sessions, then the device should not
> display the prompt. So we should give the network a way to express via
> the API whether it's possible to extend the user's time or not.
> 
> Once we do decide to have something like that in the API, ISTM that a
> separate URL is more useful than just a boolean. Whether the URL is
> present or not gives you the boolean; the content of the URL makes it
> easier for network operators because it means they can provide a
> specific "manage my connection" page that is different from the login
> page. The operator could of course decide what to display based on the
> login state of the user; this just makes it easier.
> 
> But as long as this is not the same as the venue URL, that works for
> me. We do want it to be separate, because we expect most operators
> will primarily want to surface the venue URL, and we don't want them
> to have to make a choice between surfacing the venue URL and making
> the session easy to extend.
> 
> Cheers,
> Lorenzo
> 
>> On Fri, Jan 17, 2020 at 4:25 PM Remi NGUYEN VAN
>> <reminv=40google.com@dmarc.ietf.org> wrote:
>> 
>> As far as the Android implementation is concerned, I think it would be nice to have capport API support in the next (android R) version; however due to deadlines, it's going to be harder for me to change the attributes read from the API very soon.
>> Following this discussion my current plan is to support an optional "remediation-supported" boolean, and only prompt users to extend their session shortly before it expires when it is set to true. Hopefully the boolean can be added to the current draft or in a future, separate draft considering that we seem to roughly agree on it, but if the group eventually realizes that it wants to go in another direction, we'll update behavior in subsequent releases.
>> 
>> Does that make sense ?
>> 
>> Cheers,
>> 
>> Remi
>> 
>>> On Wed, Jan 15, 2020 at 9:30 AM Erik Kline <ek@loon.com> wrote:
>>> 
>>> If there's working group consensus to add it to the current API draft then definitely add it.  Otherwise, probably a separate document that would need a call for wg adoption.
>>> 
>>> Separately, and hopefully without starting a massive bikeshed, is there a more apt word than "remediation"?  I think this specific word carries the connotation of "fixing an error" or "correcting damage" and it seems like the use here would be broader.  But perhaps I'm completely mistaken.
>>> 
>>> On Tue, 14 Jan 2020 at 16:21, Heng Liu <liucougar@google.com> wrote:
>>>> 
>>>> It seems most are comfortable with adding a remediation-capable boolean, which is simpler than another url while also making it explicit on whether remediation is provided or not, so UE could display different notifications.
>>>> 
>>>> Anyone have any objections on adding this boolean please?
>>>> 
>>>> If not, what's the next step on moving this forward please?
>>>> 
>>>> Thanks,
>>>> Heng
>>>> 
>>>> On Tue, Jan 14, 2020 at 12:38 PM Tommy Pauly <tpauly@apple.com> wrote:
>>>>> 
>>>>> Any captive portal that is newly adopting the CAPPORT API will hopefully be testing the setup in the new model, and will have to think about which URLs to map to different user experiences.
>>>>> 
>>>>> A page that only says "you're logged in!", and has no way of adding more time, etc, is in my opinion a relatively useless page. If we provide a separate URL for remediation, it would seem to encourage such a design. Not including this would hopefully urge the portal design to a cleaner model.
>>>>> 
>>>>> I do think the boolean is nice for highlighting to the captive portal deployer that they should think about remediation. I'd be more ok with that model, although it could also be an extension as we gain experience in deployment.
>>>>> 
>>>>> Thanks,
>>>>> Tommy
>>>>> 
>>>>> On Jan 13, 2020, at 6:00 PM, Remi NGUYEN VAN <reminv=40google.com@dmarc.ietf.org> wrote:
>>>>> 
>>>>> If we show prompts to the user shortly before the session expires, we'd like to make sure that we can redirect them to some page where they can fix the problem, instead of landing on a page saying "you're logged in". The user-portal-url would work fine with a remediation-supported boolean for that purpose; having a separate URL gives additional flexibility to the access point operator, but from the point of view of the client I think both are fine.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Remi
>>>>> 
>>>>> 
>>>>> On Tue, Jan 14, 2020 at 10:02 AM Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
>>>>>> 
>>>>>> I have a similar initial reaction to Erik's. Adding another URL that effectively is just another user portal, but meant to be used at certain times, adds a lot of complexity. I'm certainly not ruling out adding such a key as need arises, but I'd hesitate to make it part of the initial set.
>>>>>> 
>>>>>> Particularly, if we start seeing the "venue URL" be the main landing page we redirect people to once they're logged it, it kind of makes sense to let the user portal be the status/remediation/payment page.
>>>>>> 
>>>>>> Tommy
>>>>>> 
>>>>>> On Jan 13, 2020, at 4:06 PM, Erik Kline <ek@loon.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Mon, 13 Jan 2020 at 15:26, Heng Liu <liucougar=40google.com@dmarc.ietf.org> wrote:
>>>>>>> 
>>>>>>> On Sun, Jan 12, 2020 at 2:34 PM Erik Kline <ek.ietf@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> Why should this different from the user-portal-url?  It seems to me that either the user-portal-url would remediation UI elements or it wouldn't.
>>>>>>> 
>>>>>>> Some CP vendors want to specify a different URL specifically tailored for remediation of a session.. By providing a 3rd URL, we can accommodate this use case..
>>>>>> 
>>>>>> 
>>>>>> If the remediation URL is available but the user (somehow) navigates to the user-portal-url, what do they see?
>>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>> With this 3rd URL, if the bytes/time does expire should the OS try to launch an interaction the remediation URL and then fallback to the user URL if it failed to load?  In which case, why not just leave all interaction with the user-portal-url?
>>>>>>> 
>>>>>>> if a remediation URL is present, and if it fails to load for whatever reason, no need to fallback to user portal URL: CP vendor should make sure the remediation URL is working properly (this is similar to user-portal url should work properly, if not, there is no other way for user to clear a CP)
>>>>>> 
>>>>>> 
>>>>>> I guess I'm just trying to be mindful of one person's flexibility is another person's complexity..  I think this just doubles the number of URLs that the CP vendor needs to make sure function correctly.
>>>>>> 
>>>>>>>> If the vendor doesn't implement a means to extend your session without completely shutting everything down and forcing to the user to restart the interaction flow anew, I could see that an OS would not want to bother the user with an interaction where they couldn't actually do anything useful.  But that might suggest a boolean capability, rather than a new URL (remediation-supported={true|false})?
>>>>>>> 
>>>>>>> A boolean field could also be a positive signal to notify UE that remediation is possible, but this would prevent CP vendors from using different URLs for remediation.
>>>>>>> 
>>>>>>> (As mentioned in the initial thread, this URL approach is also taken by the Passpoint release 2.0 spec to signal remediation process.)
>>>>>>> 
>>>>>>> regards,
>>>>>>> Heng
>>>>>>> _______________________________________________
>>>>>>> Captive-portals mailing list
>>>>>>> Captive-portals@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Captive-portals mailing list
>>>>>> Captive-portals@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>>>> 
>>>>>> 
>>>>> 
>> _______________________________________________
>> Captive-portals mailing list
>> Captive-portals@ietf.org
>> https://www.ietf.org/mailman/listinfo/captive-portals