IETF Logo Mail Archive

[regext] Fwd: Ideas to address the privacy implication of reverse search draft

Mario Loffredo <mario.loffredo@iit.cnr.it> Wed, 23 December 2020 12:43 UTC

Return-Path: <mario.loffredo@iit.cnr.it>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B47B3A0F44 for <regext@ietfa.amsl.com>; Wed, 23 Dec 2020 04:43:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3KR7N_5vs_rW for <regext@ietfa.amsl.com>; Wed, 23 Dec 2020 04:43:07 -0800 (PST)
Received: from smtp.iit.cnr.it (mx5.iit.cnr.it [146.48.98.152]) by ietfa.amsl.com (Postfix) with ESMTP id 3D7363A0F35 for <regext@ietf.org>; Wed, 23 Dec 2020 04:43:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by smtp.iit.cnr.it (Postfix) with ESMTP id 1F302C03DB for <regext@ietf.org>; Wed, 23 Dec 2020 13:43:05 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mx5.iit.cnr.it
Received: from smtp.iit.cnr.it ([127.0.0.1]) by localhost (mx5.iit.cnr.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GMh_aLdXF121 for <regext@ietf.org>; Wed, 23 Dec 2020 13:43:01 +0100 (CET)
Received: from [192.12.193.108] (pc-loffredo.nic.it [192.12.193.108]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by smtp.iit.cnr.it (Postfix) with ESMTPSA id A6142C01EC for <regext@ietf.org>; Wed, 23 Dec 2020 13:43:01 +0100 (CET)
References: <794d7621-f680-7cc8-acbe-6674129c044f@iit.cnr.it>
To: "regext@ietf.org" <regext@ietf.org>
From: Mario Loffredo <mario.loffredo@iit.cnr.it>
X-Forwarded-Message-Id: <794d7621-f680-7cc8-acbe-6674129c044f@iit.cnr.it>
Message-ID: <b83843bf-2856-38da-2676-d69406405330@iit.cnr.it>
Date: Wed, 23 Dec 2020 13:43:01 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <794d7621-f680-7cc8-acbe-6674129c044f@iit.cnr.it>
Content-Type: multipart/alternative; boundary="------------71804775FEF68D096CDA6719"
Content-Language: it
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/GK1oiqGus1fuB8OkgBhMLgiKkbI>
Subject: [regext] Fwd: Ideas to address the privacy implication of reverse search draft
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Dec 2020 12:43:10 -0000

Hi Ali,

please find my comments inline.

Il 22/12/2020 07:33, Ali Hussain ha scritto:
> Hi Dr. Mario,
[ML] please simply Mario :-)
>
> Apologies for replying too late.
>
> First of all thanks for your detailed comments about the proposed 
> tentative iea to make reverse search more privacy complaints keeping 
> hrpc guidelines as reference.
>
> One possible new work in giving better privacy to reverse search would 
> be to have privacy by design implementation in addition to federated 
> access using HTTP and limiting the response. The proposed mechanism 
> may use an integrity protection mechanism HMAC or standard 
> authorization mechnaum like JSON web token to bring in additional data 
> confidentiality and privacy benefits. This way we would be able to 
> easily define the custom access control policies.
>
> What do you think about it.?

[ML] The WG has already adopted a document written by Scott Hollenbeck 
(i.e. https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-openid 
<https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-openid>) about 
how to implement a federated authentication in RDAP context. OpenId is 
based on tokens exchanged between the various actors involved (e.g. RDAP 
client, RDAP server, Authorization Server). In particular, the ID Token 
is provided according the JWT format and contains information regarding 
the user identification and a set of claims describing the user. The 
RDAP server can then make identification, authorization, and access 
control decisions based on local policies and the information included 
in the ID Token.

Furthermore, the rdap-openid document defines RDAP specific claims in 
addition to the standard ones. In my opinion, the combination of OpenId 
and RDAP specific claims are appropriate to make an authorization 
decision for a client submitting a reverse search. Especially the set of 
values defined for the "purpose" claim seems to me comprehensive enough 
to include purposes which might be used to legitimate a reverse search 
request. Note also that the set of admissible "purpose" values can be 
extended.

Therefore, it seems to me that your requirements/solutions have been 
addressed by rdap-openid.

Definitively, reverse search is only one of the possible queries clients 
can submit and servers can authorize so I don't think we need to add in 
the reverse-search draft anything beyond what is stated by RFC7481 and 
rdap-openid.

Neither we must explicitly require an RDAP provider to accept always a 
reverse search only if previously authorized. As it is stated in section 
7, we can only require that this capability must be compliant with the 
rules about privacy protection each RDAP provider is subject to and each 
RDAP provider is responsible for pursuing this objective.


Best,

Mario

>
> Thanks,
>
> Regards,
> Ali Hussain
>
>
> On Fri, Dec 4, 2020 at 1:27 AM Mario Loffredo 
> <mario.loffredo@iit.cnr.it <mailto:mario.loffredo@iit.cnr.it>> wrote:
>
>     Hi Ali,
>
>     thanks a lot for your interest.
>
>     Obviously, I'm willing to collaborate with anyone who plans to
>     implement the reverse-search capability and I'm open to any idea
>     that can contribute to make the proposal more comprehensive.
>
>     I'm also available to give my humble contribution to harmonize the
>     reverse-search specification with the concepts described in the
>     hrpc draft.
>
>     That being said, if I interpreted your idea correctly, you are
>     proposing an operation model where the capability is open to
>     everyone but the access to possible sensitive response data are
>     reserved only to authenticated users, right?
>
>     If so, I have a couple of comments:
>
>     - The RDAP servers are already engaged in tailoring their
>     responses on different user profiles due to GDPR. Sensitive data
>     redaction is usually achieved through a combination of practices
>     like not returning optional sensitive data, replacing the value
>     of  mandatory sensitive data (like jCard "fn" for individuals),
>     publishing only those sensitive data which the owner has
>     previously given the explicit consent for. So which additional
>     issues should your proposal address?
>
>     - In the case of a reverse-search, what must be allowed to
>     authenticated users is not the access to the data returned by the
>     capability but rather the capability itself.  Of course, the
>     reverse search is not the only query capability that can be
>     controlled. For example, at .it we don't permit everyone to submit
>     a generic search query.  This can be done either through the
>     well-known HTTP authentication methods as described in RFC7480 or
>     by applying a federated authentication to RDAP as defined by
>     Scott's rdap-openid extension.  To make an ad-hoc access control
>     easy to implement, the reverse-search draft introduces the
>     specific "/reverse" path and lets servers furtherly regulate the
>     access on a per-entiy-role basis.
>
>     Definitively, maybe I'm missing something but do we really need
>     anything other than what already exists?
>
>     Best,
>
>     Mario
>
>
>     Il 04/12/2020 01:47, Ali Hussain ha scritto:
>>     Hi All,
>>
>>     It wa  interesting to see the interest during REGEXT IETF 109
>>     meeting call to address the the privacy aspects of draft
>>     (draft-ietf-regext-rdap-reverse-search).
>>     So far my idea to improve the reverse search to first make the
>>     JSON object for the required level of privacy critical data.
>>     Based on the tag the partial response suppresses the privacy part
>>     of responses by encoding and in order to decode it, it must
>>     present an identity to federated access control.
>>     I am also reviewing the hrpc draft to bring some valuable input
>>     form their guidance.
>>     Please let me know what you think and is anyone else interested
>>     to work on this?
>>     Thanks,
>>     Regards,
>>     Ali Hussain
>>
>>     _______________________________________________
>>     regext mailing list
>>     regext@ietf.org  <mailto:regext@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/regext  <https://www.ietf.org/mailman/listinfo/regext>
>
>     -- 
>     Dr. Mario Loffredo
>     Technological Unit “Digital Innovation”
>     Institute of Informatics and Telematics (IIT)
>     National Research Council (CNR)
>     via G. Moruzzi 1, I-56124 PISA, Italy
>     Phone: +39.0503153497
>     Web:http://www.iit.cnr.it/mario.loffredo  <http://www.iit.cnr.it/mario.loffredo>
>
-- 
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web:http://www.iit.cnr.it/mario.loffredo

v2.23.0 | Report a Bug | By Email