IETF Logo Mail Archive

Re: [Last-Call] last call reviews of draft-ietf-regext-epp-eai-12 (and -15)

"Gould, James" <jgould@verisign.com> Tue, 30 August 2022 20:11 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF7DAC15DD54; Tue, 30 Aug 2022 13:11:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W8DfLweavQDp; Tue, 30 Aug 2022 13:11:19 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE6BEC15DD50; Tue, 30 Aug 2022 13:11:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=14464; q=dns/txt; s=VRSN; t=1661890279; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=v3hB72H3rz3ZWN64RKgSI0ls8d8omErH5XSomGTo2uk=; b=kz6x/KWr025MJHcBjOBQcRufbBSvVNqJrWbCzUwkre8nJom16BIez+pq xAgAO5kHQ2wMxAEjCPMWsD71ZMnwG7Gy4RqEtdWWk2gHH1d38NLV4+jqm 0cj7oDp68sYAgDwDzt9b1DV3r0/0157UQTmL0ipLhUXoWCEIcopOCeNMJ UZRKCbJIIRYpfW79OJiGzwEULBEyckRh/2aTwDpJQTewpMmhDhey9Zb3c 3gKlpnjW7XZW9jpfpbEGDTylq2mA5iw/jb29GUmGgeMDE3uaTl/pH33JS ySUwK4Ba4Srjli7LvDbDh8oMnBBGV//YsFWv97tU2qP/z3jKtPjSu5Fyk g==;
IronPort-Data: A9a23:JaE4X67Dlal76aCmeUxlqQxRtMvGchMFZxGqfqrLsTDasY5as4F+v jZMCz/QPqmDMWP9fN4kPd/koxwBuZ/Uy9U3GwFvrys9Eysa+MHIO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvymTras1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws LsemeWGULOe82MyYzl8B56r8ks15qyi42tA5TTSWNgQ1LPgvyhNZH4gDfzpR5fIatE8NvK3Q e/F0Ia48gvxl/v6Ior4+lpTWhRiro/6ZWBiuFIPM0SRqkEqShgJ70oOHKF0hXF/0GzVwo8rm L2hgrTrIeshFvWkdO01DUEEQ3kmVUFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5m5 fMpDBcdXwq4pLixkI+7UsVrjcMDFZy+VG8fkikIITDxJ8wAGK/lbpWSv5lG1zAqnoZHEbDAf dEfLzFoaXwsYTUWYhFOV8l4xbrzwCWuG9FbgAv9Sa4f4WfU0Qh9+KbgKtvOe9OMA85Smy50o 0qfoDmoWkFHZbRzzxLCqHuWoeLVsRjwc5pMF4GI1uFqrnaMkzl75Bo+EAHTTeOCoky5W9QaK kEI9AIspqt0/0uuJvH3Uhm0pX+YlhEZUttUVeY97Wml0qPayx6QCHQJRT4Hc9FOnMYsWRQr2 0OH2dTzClRHvKecR27Y97qIo3aoNCcYPXNHaDccCAYM4p/qpIUbjx/TQJBkCqHdptn8Ai21y DmOqAA/iqkdy8kR2M2T513IjiKwjpnEUgBz4R/YNkqkt1N/aI+/T42l9Vad6uxPRK6WQ1/Et WIYs8mT8O5ICouC/BFhW80HBrfw+PCIIGWGxEVxBd8k9i/o8Xnld5pWuXdgPlxvdM0DfFcFf XPuhO+Y37cLVFPCUEO9S9PZ5xgCpUQ4KenYaw==
IronPort-HdrOrdr: A9a23:XieFyKsr0Zq4tVxqjBgFXqV77skDptV00zEX/kB9WHVpm5Sj5q STdPRy73PJYK54YgBcpTnyAtjmfZq6z+8I3WBxB8bZYOCIgguVxe1Zh7cKhgeQfhEWldQtqp uIEZIOa+EYZGIS5a3HCUuDYrQdKbK8n5xA8N2+854bd29Xgs9bgjuRQTzrdHGeDDM2fKbQXv Cnl7J6ThSbCA8qUvg=
X-IronPort-AV: E=Sophos;i="5.93,276,1654560000"; d="scan'208";a="17590859"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.31; Tue, 30 Aug 2022 16:11:16 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2375.031; Tue, 30 Aug 2022 16:11:16 -0400
From: "Gould, James" <jgould@verisign.com>
To: "john-ietf@jck.com" <john-ietf@jck.com>, "beldmit@gmail.com" <beldmit@gmail.com>
CC: "paf@paftech.se" <paf@paftech.se>, "art@ietf.org" <art@ietf.org>, "draft-ietf-regext-epp-eai.all@ietf.org" <draft-ietf-regext-epp-eai.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "regext@ietf.org" <regext@ietf.org>, "i18ndir@ietf.org" <i18ndir@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>
Thread-Topic: [EXTERNAL] Re: Re: [Last-Call] last call reviews of draft-ietf-regext-epp-eai-12 (and -15)
Thread-Index: AQHYvGqckCLvM3qtnUS2P51xlPdIyK3IHBGA///EaoA=
Date: Tue, 30 Aug 2022 20:11:16 +0000
Message-ID: <D5C516B1-5346-4EC7-93CF-B485B4138D8C@verisign.com>
References: <61E9B7D4-F227-491D-98CE-DD71DAFE1EE5@verisign.com> <82C76D8CDB0BC80BD960B314@PSB>
In-Reply-To: <82C76D8CDB0BC80BD960B314@PSB>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.62.22061100
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <95EC3729C89B084B804B88353DE8F190@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/SCEsJ32D3vpSQbpEUmdvIORVBUI>
Subject: Re: [Last-Call] last call reviews of draft-ietf-regext-epp-eai-12 (and -15)
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2022 20:11:25 -0000

John, 

To clarify the "we" in the statement "Based on your feedback, we agree to revise the draft to be a command-response extension and to refer to an SMTPUTF8 address instead of an EAI address." are the co-editors (me and Dmitry).  We (co-editors) are attempting to address your feedback based on the scope of the draft that was discussed in the WG.  Changing of the cardinality (one to many) to support an SMTPUFT8 address in addition to an ASCII address was first brought up by you during the IETF last call.  It sounds like you agree that an ASCII address is not required, which is good.  Where we (co-editors) and you disagree is your proposal of changing the cardinality of the e-mail addresses in EPP, which is a material change that we (co-editors)  don't believe is warranted.  If there is the need to change the cardinality of e-mail addresses in EPP, then a new EPP extension can be created for that purpose.  That is not intended to do handwaving, but to state how things are handled in EPP.  My point around the FOA and RFC 9154 was meant to show that the concern you raised is not a current issue and should not be an issue in the future.  

We can agree to disagree on the cardinality proposal.  I would like to hear from others on this topic. 

Thanks,

-- 
 
JG



James Gould
Fellow Engineer
jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/>

On 8/30/22, 3:44 PM, "John C Klensin" <john-ietf@jck.com> wrote:

    Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. 

    (TL;DR summary at end)

    --On Tuesday, August 30, 2022 12:18 +0000 "Gould, James"
    <jgould@verisign.com> wrote:

    > John,
    > 
    > You claim that the registrant's e-mail address in the registry
    > is critical to the transfer process and therefore an ASCII
    > address must always be provided.

    That is not what I said and I have explained, several times now,
    that I have not said or claimed it.  What I have said is that,
    if a non-ASCII email address is to be supported, there should be
    provision --as part of this change, not some handwaving about
    future possible extensions-- for an all-ASCII alternative to be
    provided.

    >  The EPP credential used to
    > authorize a transfer is not the e-mail address, but the
    > Authorization Information.  I'm aware of the Form of
    > Authorization (FOA) that relies on the registrant's e-mail
    > address, which is currently deferred for the gaining registrar
    > (registrar ABC in your example).  RFC 9154 "EPP Secure
    > Authorization Information for Transfer" was created to enhance
    > the security of the Authorization Information, which should
    > result in reducing or removing the dependency on the FOA from
    > the gaining registrar and the use case that you're concerned
    > with.  

    This is all wonderful.  But unless you are prepared to show that
    RFC 9154 has been universally adopted, all the above does is to
    strengthen the case for allowing for (again, I did not say
    "requiring in practice") an all-ASCII alternative address when a
    non-ASCII one is supplied.  And, even if you could show that
    level of adoption, it would have nothing to do with all of the
    other uses of information that might reasonably be expected to
    be in registry databases.

    > You also claim that if the draft does not change the
    > cardinality of the e-mail address in EPP that it's not a
    > proper candidate for processing as an IETF standards track
    > document.  Adding support for EAI addresses as a first-class
    > alternative to ASCII addresses in EPP is an important change
    > that warrants an IETF standards track document.  

    I didn't say that either.  I'm not even convinced that
    "cardinality of the e-mail address" is relevant.   I believe it
    was you who claimed that, since that cardinality was not
    changed, there was no need to show this document as updating
    5730.    What I have tried to say on that subject, several
    times, is that draft-ietf-regext-epp-eai is either making a
    substantive change to 5730 or it is purely supplemental to it.
    If it is making a substantive change, then it must be identified
    as updating 5730.

    It is fairly clear to me that, if a document said "there are
    three ways" and one adds a fourth, that it is a change
    ("update").  Contrary to an earlier claim from you about what I
    said, I never claimed that the document said "there can be only
    three".

    Of course, if you are dropping the "functional extension" idea
    and moving to one of the extension types specified in 5730, that
    issue is, of course, moot.

    > For an EAI address to be stored in the registry database, it
    > needs to pass through 3 levels of policy.  The registry policy
    > needs to support receiving either an ASCII address or an EAI
    > address.  The registrar policy needs to support collecting an
    > EAI address as an alternative to or in additional to an ASCII
    > address, and support passing the EAI address to an EAI-enabled
    > registry.  The registrant decides, according to their policy,
    > to provide an EAI address to the registrar.  The protocol
    > should not override these policy decisions by mandating an
    > ASCII address always be provided.

    Ok.  Really interesting.  And almost completely irrelevant to
    this particular specification and protocol, as you have
    indicated in the past.  You have left several actors whom I
    consider important out of your explanation, but that is almost
    completely irrelevant as well.  I even agree about the last
    sentence but, while I will again point out that the experience
    with SMTPUTF8 addresses (outside narrowly defined contexts)
    would recommend providing such addresses, neither I (nor, as far
    as I can remember), anyone else has recommended "mandating"
    them, much less overriding any policy decisions.  Instead, the
    recommendation has, consistently, been that the protocol for
    passing along non-ASCII addresses (I note that you continue to
    use "EAI address" above) if the relevant actors decide to do
    that also make provision for passing along all-ASCII ones should
    those actors make that decision.

    If I try to rephrase that into the language of your paragraph
    above, if any of the relevant actors, including those I believe
    you have omitted, decide that a non-ASCII email address is not
    acceptable unless an ASCII alternative is supplied, the protocol
    should not override that policy decision by making it impossible
    to provide such an address, at least without going back to the
    IETF and trying to initiate additional work that, because it was
    not designed when the protocol specification was approved, might
    turn out to be more kludge-like than desirable.

    > In line with Universal Acceptance (UA), what
    > draft-ietf-regext-epp-eai does is to enable the servers
    > (registries) and clients (registrars) to pass EAI addresses as
    > first-class citizens to ASCII addresses in EPP, with the
    > appropriate signaling and behavior obligations.

    I was not aware that the IETF had accepted the efforts of the UA
    effort as binding technical judgments rather than, e.g.,
    promotional efforts from another community.   References to that
    work and its conclusions are notably missing from the document.
    I recommend that we not go there.

    > Based on your feedback, we agree to revise the draft to be a
    > command-response extension and to refer to an SMTPUTF8 address
    > instead of an EAI address.  Changing the cardinality of the
    > e-mail addresses in EPP to continue to support an ASCII
    > address is required policy is not in line with the purpose
    > this draft.

    Could you, or the WG Chairs, please explain "we" as used in the
    paragraph above?  I just took a quick look at the REGEXT mailing
    list archive and there is no evidence of any discussion in the
    WG -- the only relevant messages are those copied from this list
    discussion.   I also note that the minutes of the REGEXT meeting
    from IETF 114 say, in part, 

    	"This document has quite some discussion in the
    	IETF-wide last call, and issues reported from: i18ndir,
    	secdir and artart LC.

    	"No in-meeting comments beyond the above."

    So, whomever "we" is, it presumably is not the WG who forwarded
    this document to the IESG for publication approval and that has
    tracked it closely since, approving of each change.   I also
    note that, despite the changes you outline above, the Shepherd's
    report has not been updated since April.


    TL;DR summary, as promised...

    I appreciate the changes you have outlined above.  I should
    perhaps wait for a new draft, and perhaps a new Shepherd report,
    before commenting further, but, assuming those changes will be
    as I am assuming, there is only one remaining
    technical/substantive issue and that is whether, if you are
    going to provide for transmitting a non-ASCII email address in
    the protocol, you should also make provision for supplying a
    non-ASCII alternative in the protocol as well.   Such provision
    would be consistent with the recommendations and experience of
    the EAI WG as well as several of the examples I have tried to
    supply; not providing it is inconsistent with both.  You will
    please note that the previous sentence does not say "required to
    use" -- that is clearly a policy matter -- only that the
    provision should be there.

    At this point, there is a separate issue, which is whether,
    given almost no evidence of WG discussion of this document after
    it was adopted (converted from draft-belyavskiy-epp-eai) and
    certainly not after external reviews started to be requested,
    this is properly processed as a WG document with the strong
    assumption of consensus within the WG rather than as an
    individual submission by the authors, perhaps one that the WG
    decided was a good idea in principle.

    thanks,
       john

v2.23.0 | Report a Bug | By Email