Re: [regext] Roman Danyliw's Discuss on draft-ietf-regext-rdap-sorting-and-paging-17: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Thu, 24 September 2020 15:12 UTC
Return-Path: <rdd@cert.org>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271AC3A0D76; Thu, 24 Sep 2020 08:12:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sgnI0imQwFp8; Thu, 24 Sep 2020 08:12:33 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB8F3A0D60; Thu, 24 Sep 2020 08:11:48 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 08OFBdJ2002888; Thu, 24 Sep 2020 11:11:39 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 08OFBdJ2002888
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1600960299; bh=n9W1244qu+c25R9DXYkyivvJGvi+BYuWvJYIHH31vwc=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=CQA49espnKIK7n6G8y7VU7k6Oi3IYHkKOIp5umOYNGhsugSe0HOF0jxrBsgKcIBxB E2zxoONtg+qRNmjRDq8aKKSUXxRp2pO8ywkgRV9yLtbLHqtzrpyCIgeVfNZjKfg4IL +YM/KQLzt8yQ7z+piMEsE5FCeKWd3FKwZHHVx6qA=
Received: from MORRIS.ad.sei.cmu.edu (morris.ad.sei.cmu.edu [147.72.252.46]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 08OFBZIn030768; Thu, 24 Sep 2020 11:11:35 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MORRIS.ad.sei.cmu.edu (147.72.252.46) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Thu, 24 Sep 2020 11:11:35 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Thu, 24 Sep 2020 11:11:35 -0400
From: Roman Danyliw <rdd@cert.org>
To: Mario Loffredo <mario.loffredo@iit.cnr.it>, The IESG <iesg@ietf.org>
CC: "draft-ietf-regext-rdap-sorting-and-paging@ietf.org" <draft-ietf-regext-rdap-sorting-and-paging@ietf.org>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>, "regext@ietf.org" <regext@ietf.org>, Tom Harrison <tomh@apnic.net>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-regext-rdap-sorting-and-paging-17: (with DISCUSS and COMMENT)
Thread-Index: AQHWka49kmzMOZPbwUmRLE1LGFyeHKl4JWsA//++38A=
Date: Thu, 24 Sep 2020 15:11:34 +0000
Message-ID: <a88b1a3b452a440f8f30cad5e07fe1d6@cert.org>
References: <160086803388.29105.12080739329882950467@ietfa.amsl.com> <b237abbb-7567-9070-d0b8-e81b1b63a8ca@iit.cnr.it>
In-Reply-To: <b237abbb-7567-9070-d0b8-e81b1b63a8ca@iit.cnr.it>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.135]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/Qp8fue4MhWnWs0YAzSK_eMNbM6o>
Subject: Re: [regext] Roman Danyliw's Discuss on draft-ietf-regext-rdap-sorting-and-paging-17: (with DISCUSS and COMMENT)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2020 15:12:42 -0000
Hi Mario! > -----Original Message----- > From: Mario Loffredo <mario.loffredo@iit.cnr.it> > Sent: Thursday, September 24, 2020 10:56 AM > To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org> > Cc: draft-ietf-regext-rdap-sorting-and-paging@ietf.org; regext-chairs@ietf.org; > regext@ietf.org; Tom Harrison <tomh@apnic.net> > Subject: Re: Roman Danyliw's Discuss on draft-ietf-regext-rdap-sorting-and- > paging-17: (with DISCUSS and COMMENT) > > Hi Roman, > > thanks a lot for your review. Please find my comments inline. > > Il 23/09/2020 15:33, Roman Danyliw via Datatracker ha scritto: > > Roman Danyliw has entered the following ballot position for > > draft-ietf-regext-rdap-sorting-and-paging-17: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut > > this introductory paragraph, however.) > > > > > > Please refer to > > https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-sorting-and-pa > > ging/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > ** Canonical Reference for JSONPath. Section 2.1/2.3.1 describes > > field(s) whose syntax is in JSONPath. The shepherd’s note > > acknowledges that there is no good reference for JSONPath. > > Nevertheless, the text needs to be clearer on where to turn to for guidance. > > > > (1) Section 2.3.1 says: “Such a reference could be > > expressed by using a JSONPath. The JSONPath in a JSON document > > [RFC8259] is equivalent to the XPath [W3C.CR-xpath-31-20161213] in a > > XML document. > > > > (2) The JSONPaths are provided according to the Goessner v.0.8.0 > > specification [GOESSNER-JSON-PATH]. > > > > (3) Further documentation about > > JSONPath operators used in this specification is included in > > Appendix A. > > > > Taking the perspective of the implementer, which of these three > > resources is canonical for understanding JSONPath: > > > > (a) [W3C.CR-xpath-31-20161213] = a reference marked normative that has > > nothing to do with JSON but suggests equivalence through a few examples. > > > > (b) [GOESSNER-JSON-PATH] = a reference marked as informative which is > > being used to describe the normative mapping between JSONPaths of the > > RDAP fields in the text, and is the actual description of the JSONPath > > syntax. The shepherd’s note points out the difficulty of using this > > as a normative reference > > > > (c) Appendix A = self-contained text which describes JSONPath > > independent of > > (a) and (c). As an aside, I’m not sure of the completeness of this write-up. > > Additionally, the IETF is currently considering it’s own version of > > JSONPath -- https://datatracker.ietf.org/doc/charter-ietf-jsonpath/ > > > > IMO, the fig leaf of citing [W3C.CR-xpath-31-20161213] is > > inappropriate (as in, it isn’t the actual reference) and unnecessary > > (as in, it’s just there to meet the letter of having a normative > > reference). I recommend being practical about the need: > > > > -- Use language to the effect of saying the “JSONPath used here is a > > flavor defined in XXX” > > > > -- Make “XXX” be Appendix A. > > > > -- Bolster Appendix A to say something to the effect of “this version > > of JSONPath is inspired by [W3C.CR-xpath-31-20161213] (informative > > reference) and an articulation of what is used in production > > [GOESSNER-JSON-PATH] (informative reference)”; and where necessary, add > more language around the syntax. > > > > This approach will also allow for new JSONPath WG to define a variant > > which is not strictly compatible (if that’s where the work goes). > > > > I’m open to an alternative approach. I just want to end up with a > > single clear reference of where to read about this documents particular > JSONPath syntax. > > [ML] I agree it is less misleading. I'll rearrange Section 2.3.1. and, consequently, > Appendix A as you suggest. However, I would like to outline that JSONPath > operators used in this document are commonly supported. No script expression > has been used. The current draft of JSONPath WG Charter mentions Goessner' > specification as the original and reference proposal and states that: > > The WG will develop a standards-track JSONPath specification, with the > primary goal of capturing the common semantics of existing implementations > and, where there are differences, choosing semantics with the goal of causing > the least disruption amongJSONPath users. > > Therefore, I'm extremely confident that this document will be perfectly > compliant with the outcomes of JSONPath WG. > > > ** Section 2.4. Does this specification provide any normative > > guidance of “cursor” beyond an opaque value constrained by ABNF? The > > text notes the notion of “offsets”, “limits”, and “keys”, Base64, CSV > > but these appear to be referenced as examples. However, Appendix B > > contains normative language around “limit” and “offset”. > > [ML] No, it doesn't. Cursor implementation strategies is out of the scope of this > document. The purpose of Appendix B is to show how the two most popular > strategies to implement pagination can be considered two ways of supporting > the cursor operator. > > I agree with you that "MUST" keywords in Appendix B are inappropriate so I'll > remove them (e.g. "MUST return" is changed into "returns") Both of these proposed edits work for me. Thanks. Regards, Roman > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Thank you for the SECDIR review, Rifaat (Shekh-Yusef)! > > > > ** Section 2.3.1. The text notes that JSON Pointer is “hard to use”. > > It wasn’t clear where the mandate to use JSON Pointer came. > > [ML] JSONPath and JSONPointer are the most popuar notations used for > selecting a value in a JSON content but, unfortunately, neither of them is > suitable for representing a sorting property in an RDAP query because they > aren't coincise and URL-safe. This specification adopts a simple string as a > shortcut to identify a sorting property and provides metadata to unambiguosly > bind such string to an RDAP response field. For this purpose, JSONPath is > preferred to JSONPointer because some RDAP response values, which are > suitable for sorting, can't be identified through JSONPointer. > > Is it clear enough in your opinion? If yes, should I rearrange Section > 2.3.1 to consider such clarification? > > > > > ** Section 2.4. Please replace thelastdomainofthepage.com with > > example.* > > [ML] OK. I'll harmonize this example with the examples of RDAP queries. > I have already used "/domains?name=example*.com" in all the RDAP queries. > Additionally, I'll replace "key=thelastdomainofthepage.com" > with "key=example-N.com". > > > ** Section 2.4 Is there any semantics to read into “&cursor=wJ…” in > > Figure 5 beyond it being blob conforming to the cursor ABNF? > > Editorially, the text doesn’t reference it to explain what’s there. > [ML] It's only an example of a cursor parameter in an RDAP query. I could use > the value deriving from a simple Base64 conversion of either > "offset=100,limit=50" or "key=example-N.com" but I'm afraid it would be > misunderstood with a recommendation to use an underlying pagination > strategy and a specific encoding for cursor values. As I wrote above, cursor > implementation by servers is not a matter of this document and, obviously, a > simple Base64 conversion is not recommended to encode the cursor values. > > ** Section 7. The issue of paging is being framed as primarily a > > security issue is puzzling. It seems to me that this is about > > providing a more usable API for the client which has a net benefit of > > reducing the resources required to serve the comparable information. > > If DoS is really the concern, the queries can be rate or resource > > limited by the application or the underlying RDMS (whose underlying > > capabilities are explained in earlier text as making this process > > efficient) > [ML] The concern is about resource exhaustion in general and resource > exhaustion at server side can be caused by a targeted DOS attack but also by a > number of search requests producing huge result sets. Through the current > RDAP capabilities, a server can implement some measures: > mitigating the excessive number of queries by a single consumer (i.e. > query rate limits), restricting the potential size of the result sets (e.g. refusing > wildcard prefixed search patterns). Other measures can be addressed through > the features defined in this document: discouraging huge result set scrolling by > providing the users with the count information, splitting a huge result set in a > sequence of sustainable result sets through pagination, sorting the results so > that relevant information can be found without traversing all the result set. > > > > ** Section 7. Per the third paragraph, what is the security issue? What’s > > the threat? > [ML] The threat is resource exhaustion and consequent denial of service. > If implemented, the capabilities described in this document would contribute to > decrease the number of unnecessary search requests and limit the result set > size so that servers can mitigate the risk of resource exhaustion. > > ** Section 7. Concur with Eric, there appears to be an implicit > > assumption that returning subsets of a record set is “fast” and so is > > counting the number of records. IMO, this isn’t a problem if this is a stated > assumption. > > > [ML] Well. I think that it's a well known assumption. Counting, especially when > supported by indexes, is much faster than selection. > > Hope I caught the meaning of your comments. Please don't hesitate to request > further clarifications. > > Looking forward for your reply. > > Best, > > Mario > > -- > Dr. Mario Loffredo > Systems and Technological Development Unit Institute of Informatics and > Telematics (IIT) National Research Council (CNR) via G. Moruzzi 1, I-56124 PISA, > Italy > Phone: +39.0503153497 > Mobile: +39.3462122240 > Web: http://www.iit.cnr.it/mario.loffredo
- [regext] Roman Danyliw's Discuss on draft-ietf-re… Roman Danyliw via Datatracker
- Re: [regext] Roman Danyliw's Discuss on draft-iet… Mario Loffredo
- Re: [regext] Roman Danyliw's Discuss on draft-iet… Roman Danyliw
- Re: [regext] Roman Danyliw's Discuss on draft-iet… Mario Loffredo