Re: [regext] Review of draft-ietf-regext-rdap-redacted-09

"Gould, James" <jgould@verisign.com> Fri, 09 December 2022 13:37 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99CF3C14F6E7; Fri, 9 Dec 2022 05:37:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.085
X-Spam-Level:
X-Spam-Status: No, score=-7.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MzDw5Zo7y5Gj; Fri, 9 Dec 2022 05:37:54 -0800 (PST)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97617C15170C; Fri, 9 Dec 2022 05:37:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=87110; q=dns/txt; s=VRSN; t=1670593074; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=1c/6MFRVEJJlt1UDo57kMNM6kVPZnznrhlb9empcjTw=; b=C9N02uQWTzox4W61gYom6cAIxbtHYr/WSu8QBoDGbK43b8x5mnDIaMZV foWlzujL4u5oS91A5T+X6Rmv3dIMHDU3sdoGBizef/LmWEbv6JvOWDTXM i5t2082fSjBsJpw/b+/hYlqe52ncLmjKbps6GkkmJqNsbwRg7j51NXVXH TL36fA65JjCe85+klpITj6/jNi9i9sF7DvJDIxdE+NYVEqnIM20lq9TgC dbgGl+gVCzYVwuIXeLO3nAk1Am8yTYmUcKRVJRdTIC1JJxI/8Ktk7TkPj VtNC+zDhARtoUq137KEs8/xtXIHkLWx3fEY8hHGvjgKgoSIUhz51VvQw6 w==;
IronPort-Data: A9a23:GhuOAKsltM1DCnjTsl9+rxZDq+fnVFJeMUV32f8akzHdYApBs4E2e luraxnfZ67dN2L1esc2NtqGQXl2sMWAzoUwSgNqpCpmEnhDo8aVX4uVIEuoMnicd52THRM6v ptPZ9CZcp5qEXTW/R39Yubsp3J3ifvRH+v3A76ZakidKeMFpAIJ0HqPzMZl29c06TTAPz6wh T+bT6wzUnek3jd7PzpMseSbrhwHUJ/a6GhC4VVkOfwS5QOOnSUcBshCePu7ISqlH9EIROCzS +qTlO3o92iApR1yVIuumeihLxdTHuKLZFmE0XNaC6P43nCuysBTPoMTbZLwPm8L0mzU9zwI9 OhwiHCQdesIFvPHkb1EWBJVTC91ZKYf9uHNeCW075Odlx3Meie8nvwxUBhmbIYVxL16UDpEn RA6xJLhTTjY3r7rn+jrIgVIrp5+RCU+FNpH4hmM9RmAUbB8B8irr5zivbdwxC03it1FAcHQb s8YbSsHRBnbanWjAH9OYH4FtLru1yeXnwFw8grP//NtuzmLlmSd7ZC2WDbrUo3SLSlqthvAz o721zyRKg0XMtWZ1Q2E/hqE7gMYtXqmMG66POTQGs9C2DV/9ERKYPElfQLTTc2Ct6KLc4k3x 3o8oXNy8PdopCRHefGmN/GwiCbsUhc0BYIMQ7VigO2H4vK8Dw2xXgDoQtPdATCPWQBfqTECj ze0c93V6TNHl+S1FHTN5KWupjqVYiMEEnVBWipUZF5QizXjiNlbYhPnZOxFSZGTo+2tQ3fuy DeQtG43i/MNl9UNka68+DgrgRr1/t6QEVVzv1iMGD70hu96TNfNi4iA61fc8PJMBJiUVFiav XcC3cOZ6YjiCLnUxHPUGrxRRtlF4d63NhLmrVprM6NxqQmj2Fi8fI0M5D9xcRIB3sEsPGWBj FXokQFS45tQMWGCYqh7ao69GoIhyq2IPdfiSfnQb9lmbpV3dQTB8CwGTUKK1m7x1Ukhja96I 5qUfNawSGwWALwi1je6TuwB3LMDxy0iyyXUX5+T5w6q3reOeFaURKsLdlyUYYgEALisqh/Tq slZOtvSkVBETve4ZyjMtIQUa1oQKyF9G4rtrYpccevrzhdaJVzNwsT5mdsJE7GJVYwM/gsU1 hlRgnNl9Wc=
IronPort-HdrOrdr: A9a23:xsPa1KGMT0rnqTrkpLqEy8eALOsnbusQ8zAXPhhKOHhomszxra yTdYcgpHjJYVcqKQsdcL+7WJVoLUm3yXcx2/h1AV7AZniahILLFvAA0WKK+VSJcBEWtNQtt5 uIGJIQNDSENzlHZLHBjjVQfexM/DDNytHPuQ6X9QYVcekhAZsQlzuRJDzraXFLeA==
X-IronPort-AV: E=Sophos;i="5.96,230,1665460800"; d="png'150?scan'150,208,217,150";a="18712142"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Fri, 9 Dec 2022 08:37:51 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.016; Fri, 9 Dec 2022 08:37:51 -0500
From: "Gould, James" <jgould@verisign.com>
To: "jkolker@godaddy.com" <jkolker@godaddy.com>, "kowalik@denic.de" <kowalik@denic.de>, "draft-ietf-regext-rdap-redacted@ietf.org" <draft-ietf-regext-rdap-redacted@ietf.org>
CC: "regext@ietf.org" <regext@ietf.org>
Thread-Topic: RE: Review of draft-ietf-regext-rdap-redacted-09
Thread-Index: AQHZBoQlSmLG2bgRn0+LmEZIXah3jq5lmdQA
Date: Fri, 09 Dec 2022 13:37:51 +0000
Message-ID: <793A2926-6463-4A3D-ADE1-BF87634F7126@verisign.com>
References: <43919685-F588-4B05-AC6B-7AD0BD263FAB@verisign.com> <210384dc-7a4f-84c3-0990-c50486e598f5@denic.de> <CH2PR02MB6357E098C38E2F882AB1C336BF179@CH2PR02MB6357.namprd02.prod.outlook.com>
In-Reply-To: <CH2PR02MB6357E098C38E2F882AB1C336BF179@CH2PR02MB6357.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.66.22101101
x-originating-ip: [10.170.148.18]
Content-Type: multipart/related; boundary="_005_793A292664634A3DADE1BF87634F7126verisigncom_"; type="multipart/alternative"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/5KFV2gslpWs-cPhADLL8zu1vi7Y>
Subject: Re: [regext] Review of draft-ietf-regext-rdap-redacted-09
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2022 13:37:58 -0000

Jody,

I thought adding the transition period to the MUST NOT would provide for some flexibility for those that need to transition from placeholder redaction to draft-ietf-regext-rdap-redacted, but I believe a server would implement a hard cutover (e.g., supporting the draft with no other form of redaction).  With that in mind, I’ll modify option 1 to be simply MUST NOT without any reference to a transition period.


1.      Keep MUST NOT – The Section 3 sentence is “The use of placeholder text for the values of the RDAP fields, such as the placeholder text "XXXX", MUST NOT be used for redaction.”.

2.  Change MUST NOT to SHOULD NOT – This enables the draft to recommend that placeholder text not be used for redaction, but still enable the server to support it in parallel with the redaction methods defined in the extension.  The Section 3 sentence would become “The use of placeholder text for the values of the RDAP fields, such as the placeholder text "XXXX", SHOULD NOT be used for redaction.”.

3.  Remove the normative language – Change the Section 3 sentence to “The use of placeholder text for the values of the RDAP fields, such as the placeholder text "XXXX", has been used for redaction.”.

4.  Remove reference to placeholder text use for redaction – Just lead Section 3 with the sentence “This section covers the redaction methods that can be used with the redaction signaling defined in Section 4.2<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-regext-rdap-redacted%23section-4.2&data=05%7C01%7Cjkolker%40godaddy.com%7C03bdff32aeb64d19ef4308daceb9b1ca%7Cd5f1622b14a345a6b069003f8dc4851f%7C0%7C0%7C638049594251190871%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=V%2BP67JW8FHgh2fmp3u3peTK27KTc%2BMeOMQ6zIQcI8j8%3D&reserved=0>.”.

My preference is option 1 (“Keep MUST NOT”), and I agree that if the normative language cannot remain that option 3 (“Remove the normative language”) is the best alternative.

Can others from the working group provide their preferred option to address Pawel’s last open feedback item?  All of Pawel’s feedback will be incorporated in draft-ietf-regext-rdap-redacted-10.

Thanks,

--

JG

[cid:image001.png@01D90BA9.85CEC740]

James Gould
Fellow Engineer
jgould@Verisign.com<applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com<http://verisigninc.com/>

From: Jody Kolker <jkolker@godaddy.com>
Date: Friday, December 2, 2022 at 2:27 PM
To: Pawel Kowalik <kowalik@denic.de>, James Gould <jgould@verisign.com>, "draft-ietf-regext-rdap-redacted@ietf.org" <draft-ietf-regext-rdap-redacted@ietf.org>
Cc: "regext@ietf.org" <regext@ietf.org>
Subject: [EXTERNAL] RE: Review of draft-ietf-regext-rdap-redacted-09

My preference would be that if the server is supporting this draft that placeholder text is not allowed to be returned for any redacted field.  I'm not sure what a transition period would look like.  It seems to me that a server is either supporting the draft with an "rdapConformance" value of "redacted" or it's not supporting the draft and does not return the "redacted" value in the “rdapConformance” value.  If "redacted" is returned, placeholder text should not be used.

I would support option #1 without a transition period.  Servers are free to continue with the responses used today that do not include the “redacted”  “rdapConformance” value if the server is returning placeholder text.  One the draft is supported without placeholder text, the “redacted” “rdapConformance” value can be returned in the responses.

However, I can live with Option #3 where the RFC acknowledges that placeholder text has been used in the past.

Thanks,
Jody Kolker.

From: Pawel Kowalik <kowalik@denic.de>
Sent: Friday, November 25, 2022 1:50 AM
To: Gould, James <jgould@verisign.com>; draft-ietf-regext-rdap-redacted@ietf.org
Cc: regext@ietf.org
Subject: Re: Review of draft-ietf-regext-rdap-redacted-09

Caution: This email is from an external sender. Please do not click links or open attachments unless you recognize the sender and know the content is safe. Forward suspicious emails to isitbad@.



Hi James,



Thanks for that.

My preference would be 3 or 4, to focus the draft on signaling, allowing the clients to recognize redacted fields.



Kind Regards,

Pawel


Am 23.11.22 um 16:57 schrieb Gould, James:
Pawel,

I add responses embedded below with “JG4 – “.

For the WG, I’m including one discussion topic at the top for consideration:


Section 3 currently states “The use of placeholder text for the values of the RDAP fields, such as the placeholder text "XXXX", MUST NOT be used for redaction.”  Pawel raised an issue with the MUST NOT language and proposed to use SHOULD NOT.  I view the use of placeholder text redaction as an anti-pattern that should be disallowed when implementing draft-ietf-regext-rdap-redacted, but I do recognize the potential need for a transition period.  I summarize the options below:



1.  Keep MJST NOT with Transition Period – Formally define the transition period that is based on server policy in a new Transition Considerations section.

2.  Change MUST NOT to SHOULD NOT – This enables the draft to recommend that placeholder text not be used for redaction, but still enable the server to support it in parallel with the redaction methods defined in the extension.

3.  Remove the normative language – Change “The use of placeholder text for the values of the RDAP fields, such as the placeholder text "XXXX", MUST NOT be used for redaction.”  To “The use of placeholder text for the values of the RDAP fields, such as the placeholder text "XXXX", has been used for redaction.  …”.

4.  Remove reference to placeholder text use for redaction – Just lead section 3 with the sentence “This section covers the redaction methods that can be used with the redaction signaling defined in Section 4.2<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-regext-rdap-redacted%23section-4.2&data=05%7C01%7Cjkolker%40godaddy.com%7C03bdff32aeb64d19ef4308daceb9b1ca%7Cd5f1622b14a345a6b069003f8dc4851f%7C0%7C0%7C638049594251190871%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=V%2BP67JW8FHgh2fmp3u3peTK27KTc%2BMeOMQ6zIQcI8j8%3D&reserved=0>.”.



Please respond to the mailing list with your thoughts on the options or if you have any additional options.   My preferred option is option 1 “Keep MJST NOT with Transition Period”.



Thanks,

--

JG

[cid:image002.png@01D90BA9.85CEC740]

James Gould
Fellow Engineer
jgould@Verisign.com<applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fverisigninc.com%2F&data=05%7C01%7Cjkolker%40godaddy.com%7C03bdff32aeb64d19ef4308daceb9b1ca%7Cd5f1622b14a345a6b069003f8dc4851f%7C0%7C0%7C638049594251190871%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=fP1nLiTs%2FEs8%2FG5T0nuXDr7B15JQ0%2BykFbmrJd4rMYY%3D&reserved=0>

From: Pawel Kowalik <kowalik@denic.de><mailto:kowalik@denic.de>
Date: Wednesday, November 23, 2022 at 9:23 AM
To: James Gould <jgould@verisign.com><mailto:jgould@verisign.com>, "draft-ietf-regext-rdap-redacted@ietf.org"<mailto:draft-ietf-regext-rdap-redacted@ietf.org> <draft-ietf-regext-rdap-redacted@ietf.org><mailto:draft-ietf-regext-rdap-redacted@ietf.org>
Cc: "regext@ietf.org"<mailto:regext@ietf.org> <regext@ietf.org><mailto:regext@ietf.org>
Subject: [EXTERNAL] Re: Review of draft-ietf-regext-rdap-redacted-09


Hi James,

My comments below.
Am 23.11.22 um 14:17 schrieb Gould, James:
[...]

JG3 – What triggered the creation of this extension was a proposal to use placeholder text for redaction, which in my opinion is an anti-pattern that needs to be directly addressed.  I believe that you see the need to support a transition period that would be up to server policy.  See my comment below related to creating a Transition Considerations section to make this explicit.  The draft can define the methods for redaction, disallow the use of placeholder text for redaction outside of a transition period, and add explicit support for a transition period with a set of considerations.  Does this meet your needs?

[PK3] OK, please include also this part in the Abstract and Introduction, that the draft also defines certain rules for redaction to mitigate the anti-patterns, if there is a consensus in WG to mandate how redaction is done.



JG4 – I’m raising the options for discussion in the WG to hopefully find a consensus option.

Populating the existing value with a static placeholder value as a signal for redaction is different from what is defined for the "Redaction by Replacement Value Method", which changes the value to a non-static value or moves the location of the value.
[PK2] I believe it should be perfectly valid to replace one email with another email (for example privacy proxy email) without moving it, shouldn't it? For me it would be "Redaction by Replacement Value Method" where both paths are same.


JG3 – Yes, use of a privacy proxy email is a form of "Redaction by Replacement Value Method", since the real value is not being provided but a replacement value is being used instead.  In this case the “method” value is “replacementValue” and the “replacementPath” is not used.  Does this need to be clarified in the draft, since the intent is to support replacing the value in place or replacing the value using an alternate field, such as the replacement with the “contact—uri” property?
[PK3] Now I see it from examples that replacementPath might be omitted. It would be good to have some normative text defining that.

JG4 – Ok, I’ll look to add clarification text.

[...]

JG3 – Ok, that helps.  I believe the biggest issue from a client perspective is when they expect a non-empty value, and the server implements the Redaction by Empty Value Method and then returns an empty value.  The use of the placeholder redaction text can be used in parallel with draft-ietf-regext-rdap-redacted during a transition period.  The duration of the transition period would be up to server policy.  What I don’t want to introduce is parallel forms of redaction for beyond a transition period.  How about including the definition of a transition period in a Transition Considerations section and updating the MUST NOT language to “The use of placeholder text … MUST NOT be used for redaction outside of a transition period defined in Section X . In the Transition Considerations section, it can define that placeholder redaction text may exist and may overlap with this extension during a transition period that is up to server policy.  Then there can be a set of considerations for the server and client in making the transition.  I believe this would address the transition more explicitly and leave the timing of the transition up to server policy.  Do you agree?

[PK3] If the WG is in consensus to keep "MUST NOT" then Transition Considerations is a good way to cover the smooth transition.

JG4 – I’m raising the options for discussion in the WG to hopefully find a consensus option.



[...]

    Another approach would be to define a way of interpreting the JSONPath

    so that it is reversible or even defining a subset of JSONPath which is

    reversible in the narrower RDAP context.



JG2 - I'm not sure what is meant by JSONPath that is reversable.  I believe that JSONPath needs to be used as defined.
[PK2] Reversable means that you can unambiguously re-create the original object structure based on the path. Normalized JSONPath have this property (see 2.8 of JSONPath draft) but may not be the best in case of array members identified by a property value of array member, like in jCard. The expressions like $.entities[?(@.roles[0]=='registrant')] can be also reversible, but this is not true for just any JSONPath expression. If we would define a narrowed down definition of JSONPath expressions which are allowed, we could achieve the property of reversibility and maybe even that one kind of object or property would have exactly one and only possible JSONPath describing it. Again - it's just an idea how to deal with removed paths. It may be also not worth following if we assume "redacted name" would be the leading property (see below).

JG3 – Thanks for the reference, I’ll review it and see whether something can be used.  My initial thought is that it’s going to be too complex and won’t cover the broad set of use cases in RDAP.  Right now, we’ll assume that it can’t be used in draft-ietf-regext-rdap-redacted, but it’s being reviewed.




    In the end, implementing a client, I would rather want to rely on the

    "redacted name" from the "JSON Values Registry" for paths which have

    been deleted, and treating the path member as only informative.



    If you agree for such processing by the client I suggest to put it down

    in the chapter 5 (maybe splitting it into server and client side).



JG2 - From a client perspective, I believe I would first key off the "redacted name" to route my display logic and then I would utilize a template RDAP response overlaid with the actual response and the JSONPath to indicate the redacted values.  It would be nice to hear from some clients on this to identify useful client JSONPath considerations.
[PK2] If I would be implementing the client likely I will do exactly this.


JG3 – Ok, the “JSONPath Considerations” section will have two subsections of “JSONPath Client Considerations” and “JSONPath Server Considerations”, where the above will be the starting JSONPath client consideration.  How about the JSONPath Client Consideration:

When the server is using the Redaction By Removal Method<file:///Users/jgould/projects/github/rdap-redaction/draft-ietf-regext-rdap-redacted.html#redaction-removal> (Section 3.1<file:///Users/jgould/projects/github/rdap-redaction/draft-ietf-regext-rdap-redacted.html#redaction-removal>) or the Redaction by Replacement Value Method<file:///Users/jgould/projects/github/rdap-redaction/draft-ietf-regext-rdap-redacted.html#redaction-replacement-value> (Section 3.3<file:///Users/jgould/projects/github/rdap-redaction/draft-ietf-regext-rdap-redacted.html#redaction-replacement-value>) with an alternate field value, the JSONPath expression of the "path" member will not resolve successfully with the redacted response. The client can first key off the "name" member for display logic and utilize a template RDAP response overlaid with the redacted response to successfully resolve the JSONPath expression.
[PK3] OK




[...]



JG2 - Your reference to $.entities[0] is an example of an element in an array, but its' not referring to a fixed field position of a fixed length array, such as the case for redacting the "fn" jCard property.  There is no intent to block all cases of redacting objects via the use of an array position.  Is there better language than "using the fixed field position of a fixed length array" to provide the proper scope?

OK, now I get it. My proposal would be: "The Redaction by Removal Method MUST NOT be used to remove an element of an array where position of the elements in the array determines semantic meaning of the element."

JG3 – Just a tweak, how about “The Redaction by Removal Method MUST NOT be used to remove an element of an array where the position of the element in the array determines semantic meaning.”?

[PK3] Thanks.

Kind Regards,

Pawel