IETF Logo Mail Archive

Re: [regext] RDAP queries based on redacted properties

Andrew Newton <andy@hxr.us> Mon, 09 January 2023 16:56 UTC

Return-Path: <andy@hxr.us>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1DC3C1522AC for <regext@ietfa.amsl.com>; Mon, 9 Jan 2023 08:56:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.894
X-Spam-Level:
X-Spam-Status: No, score=-6.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hxr-us.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id av2WG5Tzo5s9 for <regext@ietfa.amsl.com>; Mon, 9 Jan 2023 08:56:30 -0800 (PST)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 620E6C1522A1 for <regext@ietf.org>; Mon, 9 Jan 2023 08:56:30 -0800 (PST)
Received: by mail-ot1-x331.google.com with SMTP id m6-20020a9d7e86000000b0066ec505ae93so5487282otp.9 for <regext@ietf.org>; Mon, 09 Jan 2023 08:56:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hxr-us.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=LO1Z5q6adWLxhTCAHA4sLGDV1CJPDLNXqjJhboHC1mQ=; b=K/8WOdjTChQKZLGRh1jSqXuwN6vQHUxNgsz/JAYaWKEZ5HOUiYwKQk0tvqkuUq2OYf rbnhkHO46i/hF2lVhsugg72INJP4aqrCmvbXWyPizDbSwjWD3NNX+4AFXzrVEZP8S3Ov K+Xp6NSKvE53T9QtBEcCGzV/4bfNJ9S6KpqAf2WR76NB2Lp9hA/Hzj4VpqGvlhijece6 VrOIsbzb0oISbYnPwAwVE/olTq0NE3boPl6htRodi0TSJzKOebor1T1OonkxbAj8pwMq 2vt48x9EA6sKY0AhOe1f/+hNfQYjfwpqhmGeYEqGM7Srv/ZRnfss/qn9zXiVMNLhcTD0 UPnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LO1Z5q6adWLxhTCAHA4sLGDV1CJPDLNXqjJhboHC1mQ=; b=NpeyYKEVJ7bybKU+fYCj/R8k74g77N87WkCM8sDgwI4+eej+QhU85OUXT7OpE9zpaz yqEIwDJnGw94IfL8RkJm5WKTQ6VPYUyg5eGzshrNqZyjg1v3oBBWR+bGsICZw92abd8C XN6UbFLrUCY8qip7QajKYSHFTnT+gfc6eb0NtX9fKsZDItOiZQoJAgMx6/wrzx3Kogze w5PjVKrn8hwnt+aTiUW+BsfTWntlAora4Y3pK1PFKrTRKLOD41zhDdkvNA71dyGp/iQA VuNmldcfaNMlfjf9543YTaaGbnU+OBtk8WuTN/JZCd/mYRfv7UBiuz60L8KM9AjJDBEh HwXQ==
X-Gm-Message-State: AFqh2koXT2IB8DEuZ23oX/Hpe1RhOtoVbpzKFpDWMip2yv6yjX450vrD wxLlyM/XmSbmr8qoSzTiM8BesXM6bd8RKpg4eLimVa93NClx3UQ9E98DQw==
X-Google-Smtp-Source: AMrXdXtldjd/JMt4dhgQqhvasLphPblZVdr0+aldwR6qXpriDHG0/V1sM69F/6YKMy0o+cIDd/fCGOLeuMGt5WRVN14=
X-Received: by 2002:a05:6830:1699:b0:670:691f:a52 with SMTP id k25-20020a056830169900b00670691f0a52mr4447349otr.154.1673283389162; Mon, 09 Jan 2023 08:56:29 -0800 (PST)
MIME-Version: 1.0
References: <15EF9CB1-C817-4D0F-B5EE-DD3D3FBB45C8@verisign.com>
In-Reply-To: <15EF9CB1-C817-4D0F-B5EE-DD3D3FBB45C8@verisign.com>
From: Andrew Newton <andy@hxr.us>
Date: Mon, 09 Jan 2023 11:56:18 -0500
Message-ID: <CAAQiQRcKdFzSQsSjnDPcfcSTxzOqto4RscOhNJn6Pw20n4wcgg@mail.gmail.com>
To: "Gould, James" <jgould=40verisign.com@dmarc.ietf.org>
Cc: "mario.loffredo@iit.cnr.it" <mario.loffredo@iit.cnr.it>, "regext@ietf.org" <regext@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/254-KH4IGJr5HKySjoW1d9z3zxc>
Subject: Re: [regext] RDAP queries based on redacted properties
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2023 16:56:35 -0000

IMHO, James is right. Redaction of handles and correlations to them
need to be supported. The fact that they are optional in the base spec
is very deliberate. And entities show up in the results of other
queries, not just entity lookups.

The privacy issue, as I understand it, is that if an entity from one
response can be cross-reference through a handle or UUID to an entity
on another response, that is a privacy leak.

My sense is that JSContact needs the "uid" property for some sort of
contact correlation by a user agent, which in some contexts is
something an RDAP policy might want to prevent. Maybe a compromise is
to invent a known ephemeral identifier for the "uid" property, which
would allow RDAP policy to meet whatever privacy context is needed but
also signal to the user agent that the "uid" is not very useful.
(maybe use the data: URI).

-andy


On Mon, Jan 9, 2023 at 7:29 AM Gould, James
<jgould=40verisign.com@dmarc.ietf.org> wrote:
>
> Mario,
>
>
>
> My responses are embedded below.
>
>
>
> --
>
>
>
> JG
>
>
>
>
> James Gould
> Fellow Engineer
> jgould@Verisign.com
>
> 703-948-3271
> 12061 Bluemont Way
> Reston, VA 20190
>
> Verisign.com
>
>
>
> From: Mario Loffredo <mario.loffredo@iit.cnr.it>
> Date: Sunday, January 8, 2023 at 8:38 AM
> To: James Gould <jgould@verisign.com>, "regext@ietf.org" <regext@ietf.org>
> Subject: [EXTERNAL] Re: [regext] RDAP queries based on redacted properties
>
>
>
> Hi James,
>
> please find my comments below.
>
> Il 06/01/2023 14:54, Gould, James ha scritto:
>
> Mario,
>
>
>
> The JSContact "uid" and the jCard "handle" may be redacted in the entities member of a domain query response, where the entity is returned as a sub-object.  Redaction of the JSContact "uid" and the jCard "handle" in the domain query response doesn't impact the query at all.  I don't believe it makes much sense to redact the lookup key (JSContact "uid" and the jCard "handle") for an object in the case of an entity query.
>
> Think that, at least in theory, such a policy may result in a privacy bug.
>
> Given that the entity handle must be the same when the entity is included in both a domain query response and an entity query response, if one was able to discover the method used to assign handle values to entities, he would also be able to desume a possible redacted value by submitting a an entity lookup and receiving a valid response.
>
> Obviously, in practice, the RDAP server can implement some stategies to operate consistently such as making the entity lookup to return an error when the handle is redacted somewhere in an RDAP response as well as allowing the entity lookup only to those users who can access the entity handle.
>
> But, without a clarification in that sense, redacting the entity handle depending on the entity role in domain query responses and, at the same time, allowing the entity lookup to everyone appear to me two inconsistent statements.
>
> JG – I’m not advocating for redaction of the entity handle in the domain response or the entity response but bringing up the possibility that it may be redacted in the domain response per the draft RDAP Profile.  Considering that there is a known use case that the “uid” will be redacted, it’s important for draft-ietf-regext-rdap-jscontact directly or indirectly via the use of draft-ietf-calext-jscontact to make it required.
>
>
>
> This is one reason that the draft-ietf-regext-rdap-jscontact "uid" member should not be mandatory due to the need for redaction at the sub-object level.  Can draft-ietf-regext-rdap-jscontact override the draft-ietf-calext-jscontact mandatory "uid" member to be optional to support redaction in RDAP?  The draft-ietf-regext-rdap-redacted is strictly focused on the redaction methods of the responses and I don't believe it needs to mandate or recommend policy on what quires a server needs to support or not support.
>
> As already said, I'll propose to calext to make uid optional when JSContact is used as a contact representation within protocols supporting other contact identifiers.
>
> Therefore, my proposal for the uid field in RDAP will be the following:
>
> Option 1) uid is optional - uid can be redacted or not depending on its format and server policy
>
>    The JSCard "uid" property SHOULD be a URN in the UUID namespace [RFC4122], MAY
>
>    be a URI where the URI is the URL of the lookup query for the entity
>
>    related to the contact card.  The entity lookup URL MUST always be
>
>    used regardless of the query generating the response including the
>
>    contact card.
>
> Option 2) uid is required - uid must be inherently opaque and undecipherable
>
>    The JSCard "uid" property MUST be a URN in the UUID namespace [RFC4122]. If the
>
>    uid value is generated starting from a redacted value (i.e. name-based UUID),
>
>    SHA-1 MUST be used as hashing algorithm.
>
>
>
> JG – Either draft-ietf-calext-jscontact needs to remove the “(mandatory)” marking or draft-ietf-regext-rdap-jscontact needs to override the mandatory marking to make it optional in RDAP.
>
> Best,
>
> Mario
>
>
>
>
>
> Thanks,
>
>
>
> --
>
> Dott. Mario Loffredo
>
> Technological Unit “Digital Innovation”
>
> Institute of Informatics and Telematics (IIT)
>
> National Research Council (CNR)
>
> via G. Moruzzi 1, I-56124 PISA, Italy
>
> Phone: +39.0503153497
>
> Web: http://www.iit.cnr.it/mario.loffredo
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email