Re: [regext] Mirja Kühlewind's No Objection on draft-ietf-regext-allocation-token-09: (with COMMENT)
"Gould, James" <jgould@verisign.com> Mon, 06 August 2018 14:53 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C2E2130E0D; Mon, 6 Aug 2018 07:53:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4eBaRbPOEou; Mon, 6 Aug 2018 07:53:19 -0700 (PDT)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FD3E130DE4; Mon, 6 Aug 2018 07:53:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=36843; q=dns/txt; s=VRSN; t=1533567199; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=/0drA0D0kaQ6jp7Jn1abGcRAFmCzRZro7SVbQF7v1UQ=; b=NJRugC7TCX0CBKBOqKZrtPoatPj8Rrcxet7gEEYv2cZZEUadX4ZR5Gr+ 4lvoD/G5YRBQ5T+DrkoGmXsG1yakBfjmFI1hia+84ucye0u+aOofeYK+5 g+b7p4942xvoVvL99JtRlDqlFcB29V9WopnDic1ZAEp6eoGzqhkgq3YOE TZZBMUD8LQqHpQ6OEarFzopWiyJkkdEEiacKtO2Rhcm/2dObTJ53VkRTA UqZOt9RFhot2VusvXaHAwCmxkgzsxkm4XYVK9DHLvnuMLsHgX7uYUjmce BITM6KroGbUD8MNMOz21i437JtTVXkK3Tf+3uS4kiFLUoi1RHQn0BL8xf g==;
X-IronPort-AV: E=Sophos;i="5.51,452,1526356800"; d="scan'208,217";a="5272753"
IronPort-PHdr: 9a23:tjRAvhwk5G18DyXXCy+O+j09IxM/srCxBDY+r6Qd0ukWLfad9pjvdHbS+e9qxAeQG9mDtbQc06L/iOPJYSQ4+5GPsXQPItRndiQuroEopTEmG9OPEkbhLfTnPGQQFcVGU0J5rTngaRAGUMnxaEfPrXKs8DUcBgvwNRZvJuTyB4Xek9m72/q99pHPYghEniaxba9vJxiqsAvdsdUbj5F/Iagr0BvJpXVIe+VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PGAv5c3krgfMQA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7Vq4/Vyi84Kh3SR/okCYHOCA/8GHLkcx7kaZXrAu8qxBj34LYZYeYP+d8cKzAZ9MXXWpPUNhMWSxdDI2ybIUPAOgPMuZZs4byqEADogGiCQmpHu7j1iVFi33w0KYn0+ohCwbG3Ak4Et4AsXrUq8j1NKMPXuyt0aLGyS/Mb/ZI1jfm5oTDbxcsofODXbJ3bMrRzVQgGhjbjlqOs4zlPiiV1uUCs2id9eZvSeWvi2s+pgx3vzOhyMAsiozTiYIUzFDJ7Tt5z5gvJd25U057YNGkEJ1RtyGcK4R6WN8tQ2ZtuCoiy70Jp4K7fCYQxJQg3R7fZPqKeJWL7BL7TOudPCt0iGh4dL+9iRu+61Wsx+3yW8Wu31tHrTJJnsTQunwXyhDe6NSLRuFg8kqu2juDzR3f5+JcLUA6i6XWKIItz7s1m5UJsknOGjT5lUD4gaOIa0op++2l5P/jb7jnpJKRMoF5hw/8P6sznMG0HP42PRIUX2eB/OSxzLjj/UrkT7pUlvA2iazZsIzCJcQcu665HxdZ0oY95Ba7CDeryMkVk2UfIl5YeB2Jl4fnNFDSLPzlF/u/nUijkDBxx/DeJLHuGIjCImLdkLf7ZrZ97VRQxxY0zdBa/55UC7cBL+zvWkLpqdDUEgU1PxG2zuvpEtlxy4MTVGyVDqKWM67eqVqI6fguI+mIao8VojH9K/096v7sgn85nkIdfa200pYMdnC3AO5mI0SCYXrtjdcBF30GsRY5TOzvkFGCSyJcZ26uX6Ig4TE2EIOmApnfRoCjm7GB3zq7EYNWZmBCFF+NH3bod4OZVPsWbiKdPNNhmCQeVbe9U48hyQ2utAjixrpmMOXU4SIYuIni1Ndr++3Tmws+9TtuD8SSy2uNVX17nnsURz8q26ByuVZ9xUmM0admjP1YCcVf6O9JUgggNJ7c1fd6BsvzWg3fYteJRkyqQtK8ATE+Vtgx2cMBY15hG9W+iRDOxzKqDKUJl7yRBZw77qHc03/wJ8lj13bG2rIsgEQ4TcRRLW2pmql/9xLNCILTlEWZjamqf7wG3CHR7GeD0XaOvEZAXQ5oVKXIRm0QZkzKrdvj4EPNUqOhCbM9PgRdzs6CL7NAasf1glVeWPfjJNPebnqrm2iuChaH2LyNbJbxdmUcwirdFEYEnxoU/XacOgg0Hj2hrH7GDDxyCVLvZFvh/vRkqHyhQE800xiGb0x/2Lqp9B4ZnOacRO0c3r0atyYhtyx4E0y539LSDNqPuxBufLldYdM65ldLzH7Ztwt+PpO+KaBvnV8efBprv0PgzRl3DZ9Akcd55E8tmUBXKLia2Rtiaj6Y2Z3vO7vbYinT0SyBKuSejlDTzNi++boC6PA1tFTlsEevG1Z0oFt91NwAmVSb+5HGSEIwWJf8SQx/oxp1oKzebgEj6pnVznxjN++/tTqUiIFhP/cs1hv1J4QXC6iDDgKnVpRCX8U=
X-IPAS-Result: A2GpAAAmYGhb/zCZrQpZAxwBAQEEAQEKAQGCV4FagScKg3WICY4vJZVnFIErFyQLIwuEPgIXgzI0GAECAQEBAQEBAgEBAoEFDII1JAEOLxwvCAEFAQEBAQEBJwEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQgCCAc1EgEBGQEEASNIDgULAgEGAjgDBwICAjAaCwIECgQFgyABgRtcF5A1m0iBLopQiSCBQj6BEicME4JMgxsCAQEBAYEqARIBCS0KHQmCOjGCJAKHfIoiiBUDBgKGGIp4RoNbiDKCA4YcgkyHTAIEAgQFAhSBQYEaWBEIcBU7KgGCPgmCHBcRgzSFFIU+bwEMJI0hgR+BGwEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Mon, 6 Aug 2018 10:53:17 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1466.003; Mon, 6 Aug 2018 10:53:17 -0400
From: "Gould, James" <jgould@verisign.com>
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
CC: The IESG <iesg@ietf.org>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>, Patrick Mevzek <patrick+ietf@deepcore.org>, "pm@dotandco.com" <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>, "draft-ietf-regext-allocation-token@ietf.org" <draft-ietf-regext-allocation-token@ietf.org>
Thread-Topic: [EXTERNAL] Re: Mirja Kühlewind's No Objection on draft-ietf-regext-allocation-token-09: (with COMMENT)
Thread-Index: AQHULZGGObgmlnXLD0eV8k84wg10I6Syz0YA
Date: Mon, 06 Aug 2018 14:53:16 +0000
Message-ID: <B7181859-5159-4373-897C-8ECA84544C22@verisign.com>
References: <153355638132.26613.6843756928813998023.idtracker@ietfa.amsl.com> <32AED330-D0FD-445C-9999-8AF31FF0E807@verisign.com> <FA75EAD4-85FA-4A40-90AD-53D4B6EFAFE0@kuehlewind.net>
In-Reply-To: <FA75EAD4-85FA-4A40-90AD-53D4B6EFAFE0@kuehlewind.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.e.1.180613
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="_000_B718185951594373897C8ECA84544C22verisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/KUncJ71hGg9wLCnTVSl34EC-0Sg>
Subject: Re: [regext] Mirja Kühlewind's No Objection on draft-ietf-regext-allocation-token-09: (with COMMENT)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2018 14:53:23 -0000
Mirja,
Thanks again for your feedback.
The text says
"If an object requires an Allocation Token and the Allocation
Token does not apply to the object or an object does not require
an Allocation Token, then the server SHOULD return the
availability status as unavailable (e.g., "avail" attribute is
"0" or "false“).“
which includes the case where the "object does not require an Allocation Token“…?
No, this does not include the case where “object does not require the Allocation Token”. The protocol leaves that case up to server policy. Would it help to add the third case below?
“3. If an object does not require an Allocation Token, the server MAY return the availability status as available (e.g., “avail” attribute is “1” or “true”).”
This means that we would have the 3 cases covered with the appropriate use of the MUST, SHOULD, and MAY to support the different levels of server policy choices. Based on the protocol of providing a “hint”, the passing of an Allocation Token where the Allocation Token does not apply MUST return an error on create, so therefore the protocol behavior would be for the server to return an object that does not require an Allocation Token as unavailable. Providing the MAY in the server returning an object that does not require an Allocation Token as available, will provide flexibility for the server policy to define the behavior.
Do you agree?
> The check command, per RFC 5731, supports many domain names in a single command, and it provides "a hint that allows a client to anticipate the success or failure of provisioning an object using the <create> command" . The Allocation Token in draft-ietf-regext-allocation-token is a single value that is applied to all domain names, where we don't want the protocol to be overly strict in defining the availability value. The most strict policy would be to return all domain names that don't require an Allocation Token or where the Allocation Token doesn't match as unavailable. Since the Allocation Token may apply to only one of the domain names in the list, the protocol only requires (MUST) the server to return an Allocation Token match as available. The Allocation Token mismatch is treated as a SHOULD and a non-applicable Allocation Token is undefined to enable server-policy to determine the behavior. Does this make sense?
Okay, then the SHOULD makes sense. Eventually provide some more explanation in the draft.
Would adding the 3rd case address the explanation concern?
Thanks,
—
JG
James Gould
Distinguished Engineer
jgould@Verisign.com
703-948-3271
12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>
On 8/6/18, 10:26 AM, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> wrote:
Hi James,
thanks for the reply.
> Am 06.08.2018 um 15:47 schrieb Gould, James <jgould=40verisign.com@dmarc.ietf.org>:
>
> Mirja,
>
> Thank you for your review and feedback. My responses are embedded below.
>
> —
>
> JG
>
>
>
> James Gould
> Distinguished Engineer
> jgould@Verisign.com
>
> 703-948-3271
> 12061 Bluemont Way
> Reston, VA 20190
>
> Verisign.com <http://verisigninc.com/>
>
> On 8/6/18, 7:53 AM, "Mirja Kühlewind" <ietf@kuehlewind.net> wrote:
>
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-regext-allocation-token-09: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-regext-allocation-token/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Two quick questions (and I'm really no expert here, so these questions might be
> stupid):
>
> 1) Why should the check return 'unavailable' if the object does not require an
> Allocation Token but the check is send with an Allocation Token (sec 3.1.1)? Is
> that obvious to everybody else but me or should that maybe be further explained
> in the doc? And inline with that, why is it not a MUST to return 'unavailable'
> if a Token is required but the sent token doesn't match?
>
> JG - The draft really doesn't discuss the case where the object does not require an Allocation Token and the check command includes the Allocation Token, but it does cover the two cases where the object does require an Allocation Token and the passed Allocation Token matches (MUST return available) and doesn't match (SHOULD return unavailable).
The text says
"If an object requires an Allocation Token and the Allocation
Token does not apply to the object or an object does not require
an Allocation Token, then the server SHOULD return the
availability status as unavailable (e.g., "avail" attribute is
"0" or "false“).“
which includes the case where the "object does not require an Allocation Token“…?
> The check command, per RFC 5731, supports many domain names in a single command, and it provides "a hint that allows a client to anticipate the success or failure of provisioning an object using the <create> command" . The Allocation Token in draft-ietf-regext-allocation-token is a single value that is applied to all domain names, where we don't want the protocol to be overly strict in defining the availability value. The most strict policy would be to return all domain names that don't require an Allocation Token or where the Allocation Token doesn't match as unavailable. Since the Allocation Token may apply to only one of the domain names in the list, the protocol only requires (MUST) the server to return an Allocation Token match as available. The Allocation Token mismatch is treated as a SHOULD and a non-applicable Allocation Token is undefined to enable server-policy to determine the behavior. Does this make sense?
Okay, then the SHOULD makes sense. Eventually provide some more explanation in the draft.
>
>
> 2) Why is this mechanism not applied to delete, renew, and update?
>
> JG - Allocation is when the server assigns the sponsoring client of an object based on the use of an Allocation Token credential, which is not applicable to a delete, a renew, and an update. The common case for allocation is with the use of the create command and the less common case for allocation is with the use of the transfer command (e.g., transfer from server to sponsoring client). The draft did initially include support for an extended update that defines a new verb like "allocate", but the WG agreed to remove the extension of the update.
Okay.
Mirja
>
>
>
- [regext] Mirja Kühlewind's No Objection on draft-… Mirja Kühlewind
- Re: [regext] Mirja Kühlewind's No Objection on dr… Gould, James
- Re: [regext] Mirja Kühlewind's No Objection on dr… Mirja Kuehlewind (IETF)
- Re: [regext] Mirja Kühlewind's No Objection on dr… Gould, James
- Re: [regext] Mirja Kühlewind's No Objection on dr… Mirja Kuehlewind (IETF)