[regext] Comments to the feedback about epp-over-http

[Mario Loffredo <mario.loffredo@iit.cnr.it>]

Hi folks,

here are in the following some comments grouped by subject to last 
meeting's feedback about EPP-over-HTTP:


*1) Draft title*

Ulrich suggested to call the document EPP-over-HTTPS.

I replied that the name was assigned to be consistent with RFC5734, i.e. 
EPP-over-TCP.

SImilarly to RFC5734, the draft states, first in the abstract and then 
in the security considerations, that TLS is required.

That being said, the authors don't object to renaming the dcocument 
EPP-over-HTTPS if the WG agrees.


*2)  Cookies*

Jim (Reed) asked why cookies should be used in this case.

The reasons why we have used session cookiea are that they represent a 
standard method (RFC6265), well known to the community of REST service 
implementers, largely used and natively supported by libraries and 
frameworks on both client and server side. For example, it is the same 
method used by rdap-openid to map an RDAP session and tie it to an 
access token :-)

.it and .pl have been using this method since the beginning and the 
registrars, after being informed that they had to enable cookies in 
their HTTP clients, have no longer complained about cookie management.

In addition, the implementation of such a method doesn't  introduce any 
change to the EPP core spec. Indeed, it preserves EPP comands semantics 
and doesn't mix the application layer with the transport layer.

I would like to say that, regarding the clear distinction between those 
layers, this proposal is even better than RFC5734 as every EPP response 
is returned by the server as a consequence of receiving an EPP request.

On the contrary, in RFC5734, an EPP <greeting> is returned to the client 
after the TCP connection has been established so, at least in this case, 
the**two layers get mixed.

Which method other than session cookie shoud be used instead ?


*3)   Security Considerations*

Ulirch recommended to review the security considerations by inheriting 
those from TLS WG about which versions and ciphers of TLS to use.

Thanks a lot for the heads up, Ulrich. Surely, we'll do.


Gavin noted that, unlike EPP-over-TCP, this draft states that client IP 
address check is optional.

As a matter of fact, it is stated as recommended.

Anyway, the authors don't object to changing it into an absolute 
rquirement if the WG agrees.


*4)  Cookie vs. HTTP Connection*

One comment from James in the chat is about establishing the cookie at 
setup of the connection and not linking it to the EPP Login command.

James, can you further clarify why we should opt for establishing the 
cookie at setup of the connection and how shoudl it be possible? For 
example, what kind of request should be used to start the HTTP connection?

IMO, an HTTP session is something that is inherently unlinked to the 
HTTP connections.

HTTP connections can be broken but sessions don't get lost.

Programmatically, REST implementers are in charge of processing HTTP 
requests and building responses rather than managing HTTP connections, 
which is instead delegated to the application servers.

Finally, I would like to outline that Section 2.9.1 of RFC5730 states 
that an EPP session starts with a Login command and the mechanism 
described by RFC6265 lets (I'm quoting here) "the servers maintain a 
stateful session over the mostly stateless HTTP protocol". As a 
consequence, it seems much more practical to start the EPP/HTTP session 
as a result of a Login command.


*5) EPP/HTTP Sessions vs. HTTP3 Connections*

Ulrich remarked that, in HTTP3, it is possible to have multiple sessions 
on an HTTP connection.

This is valid also for the other HTTP versions.

In fact, an HTTP connection can be kept alive and, over it, a client 
could submit multiple login-commands-logout sequences.

This is quite usual for a smart client managing a pool of HTTP connections.

Instead, It is unlikely but not impossible to come across HTTP 
connections supporting multiple concurrent sessions.

What should be the possible drawbacks for a server in allowing the 
scenarios above?


*6) Client authentication in HTTP3*

Another note pointed out that HTTP3 client authentication requirements 
are different from this draft and they need to be reconciled.

Think that it could be sufficient to add to the security considerations 
some text similar to what is included in section 4.4 "Peer 
authentication" of RFC 9001 "Using TLS to secure QUIC":

    A client MUST authenticate the identity of the server.  This
    typically involves verification that the identity of the server is
    included in a certificate and that the certificate is issued by a
    trusted entity (see for example [RFC2818  <https://datatracker.ietf.org/doc/html/rfc2818>]).

The draft has only considered the optional use of a certificate on 
server side (not on client side). In doing that, the draft is consistent 
with another sentence in the same paragraph of RFC9001:

    A server MAY request that the client authenticate during the
    handshake.  A server MAY refuse a connection if the client is unable
    to authenticate when requested.


Would it address the feedback?



That's all for now.

Hope I did not miss anything.

Thanks a lot for your interest and feedback.

Looking forward to your further comments.

Best,

Mario


-- 
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web:http://www.iit.cnr.it/mario.loffredo