Re: [regext] [Last-Call] last call reviews of draft-ietf-regext-epp-eai-12 (and -15)
"Gould, James" <jgould@verisign.com> Tue, 30 August 2022 12:18 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2F2EC14CE39; Tue, 30 Aug 2022 05:18:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JYlRoYV9lTeq; Tue, 30 Aug 2022 05:18:33 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF3A9C14CEFC; Tue, 30 Aug 2022 05:18:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=21578; q=dns/txt; s=VRSN; t=1661861914; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=F3G0/b7Bk8YmtvGwzePLOLapi7xqA7gd8fsXDvi4Tj8=; b=l1+xu/ziiwWVX8hDX/ZQNeiWqxISmrQtostyDDGMW2Peybg24oRfwTV3 8oKB3OGMyrem660PNHENFfX91mZaSU1NihlJhcHPpxlQX3yaZHfSfhMgq QMk9CwfhCq8S5/wiYnWaVuDhiLglOYPKt1uTeF9P3VWFi6WBzvOLjIBLd KdB8C+P6lKk7/7XI5WIyEbi+8qVhtFDN72AFS4Cr8Gr+rCj15LewBO1uX m5wK8ImK6qXp3rYBQwnun1ykFHuUZAKHzHFbmlNeST3+KcLC8K3TX+olT bfmofpGNES90eP5ZVGfeEj14oqey8d2w1wJXdfOjrW/sQhK98syFtCDVq g==;
IronPort-Data: A9a23:apsPdKqcft/6D/n7+hhw2pGA5EBeBmLrZBIvgKrLsJaIsI4StFCzt garIBnTPKzfYmHzc4t0bt/n9RhVvZPdmNNgTVNlrn9nESwX8ZacVYWSI3mrMnLJJKUvbq7FA +Y2MYCccZ9uHhcwgj/3b9ANeFEljfngqoLUUbKCYGYpLeNdYH9JoQp5nOIkiZJfj9G8Agec0 fv/uMS31GWNglaYCUpJrfPYwP9TlK6q4mlA7gdmPakjUGL2zBH5MrpOfcldEFOlGuG4LsbiL 87fwbew+H/u/htFIrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRrukoPD8fwXG8M49m/t4sol IgS78zYpTABZcUgkMxFO/VRO38mYf0eoNcrK1Dn2SCY5xWun3cBX5yCpaz5VGEV0r8fPI1Ay RAXAClQSi6+o/y3++O6eupwwZ1zNdHJBLpK7xmMzRmBZRonabr5Zfz1w/JohG52mMtJB+6Yb sZfdyB0alLLZBgn1lU/Ucp4xbjzwCCiKHsE+Dp5poJui4TX5A5+16XpPPLLd8aLXsRamACTo WeuE2HRW05Ha4zDmGvtHnSEpf7vlBqjYoUrGaSl3/tO3GaU13ESB0hDPbe8ibzj4qKkYPpdL EwSvysjsaYa9keoCNL6WnWQqnOAshsdR/JfFuQ77EeGza+8yx6QCEAcRzBdZdcm8tQ7LRQjz EOhnt71C3poqrL9YX6H/7mI6DK/JSZQN2INaD8YCAYd+5zuqYB1hxbLZtduDKDzicf6cRn0y iuW6SM3g7E7jMMX2eO851+vqyihqZXZUiY06xnZGGW/4WtRZdf1YYCp83Da4OpOaoGDQTGps 3UC3sGE8MgPAI2D0iuXT40w8KqB7eyDaSLajE43Rtw66S7r/n+4OIpXpjtkIh4vLNwff3niZ 0q7VR5t2aK/9UCCNcdfC79dwexzpUQ8PbwJjszpU+c=
IronPort-HdrOrdr: A9a23:AeE7C66FKwUq8Oi/FwPXwBXXdLJyesId70hD6qkXc20xTiX4rb HNoB1173/JYVoqNk3I+uruBEDoexq1yXcf2/hzAV7NZmjbkVrtAo1k4ZDr3jHsXwbvn9Qw6Y 5QN4xzEsf5A1Q/r8rriTPTL/8QhP2K6rqhi+ub9WpqVg0CUcxdxh10ERmWCXd7QwR6BZ40fa D22vZ6
X-IronPort-AV: E=Sophos;i="5.93,274,1654560000"; d="scan'208";a="17578499"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.31; Tue, 30 Aug 2022 08:18:29 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2375.031; Tue, 30 Aug 2022 08:18:29 -0400
From: "Gould, James" <jgould@verisign.com>
To: "john-ietf@jck.com" <john-ietf@jck.com>, "beldmit@gmail.com" <beldmit@gmail.com>
CC: "paf@paftech.se" <paf@paftech.se>, "art@ietf.org" <art@ietf.org>, "draft-ietf-regext-epp-eai.all@ietf.org" <draft-ietf-regext-epp-eai.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "regext@ietf.org" <regext@ietf.org>, "i18ndir@ietf.org" <i18ndir@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>
Thread-Topic: Re: [Last-Call] last call reviews of draft-ietf-regext-epp-eai-12 (and -15)
Thread-Index: AQHYvGqckCLvM3qtnUS2P51xlPdIyA==
Date: Tue, 30 Aug 2022 12:18:29 +0000
Message-ID: <61E9B7D4-F227-491D-98CE-DD71DAFE1EE5@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.62.22061100
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <4E8AF4ECD1FD7945A36FB6FDFCA475CC@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/SOowil6PK0zOT4-dg6W5vYB_gME>
Subject: Re: [regext] [Last-Call] last call reviews of draft-ietf-regext-epp-eai-12 (and -15)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2022 12:18:38 -0000
John, You claim that the registrant's e-mail address in the registry is critical to the transfer process and therefore an ASCII address must always be provided. The EPP credential used to authorize a transfer is not the e-mail address, but the Authorization Information. I'm aware of the Form of Authorization (FOA) that relies on the registrant's e-mail address, which is currently deferred for the gaining registrar (registrar ABC in your example). RFC 9154 "EPP Secure Authorization Information for Transfer" was created to enhance the security of the Authorization Information, which should result in reducing or removing the dependency on the FOA from the gaining registrar and the use case that you're concerned with. You also claim that if the draft does not change the cardinality of the e-mail address in EPP that it's not a proper candidate for processing as an IETF standards track document. Adding support for EAI addresses as a first-class alternative to ASCII addresses in EPP is an important change that warrants an IETF standards track document. For an EAI address to be stored in the registry database, it needs to pass through 3 levels of policy. The registry policy needs to support receiving either an ASCII address or an EAI address. The registrar policy needs to support collecting an EAI address as an alternative to or in additional to an ASCII address, and support passing the EAI address to an EAI-enabled registry. The registrant decides, according to their policy, to provide an EAI address to the registrar. The protocol should not override these policy decisions by mandating an ASCII address always be provided. In line with Universal Acceptance (UA), what draft-ietf-regext-epp-eai does is to enable the servers (registries) and clients (registrars) to pass EAI addresses as first-class citizens to ASCII addresses in EPP, with the appropriate signaling and behavior obligations. Based on your feedback, we agree to revise the draft to be a command-response extension and to refer to an SMTPUTF8 address instead of an EAI address. Changing the cardinality of the e-mail addresses in EPP to continue to support an ASCII address is required policy is not in line with the purpose this draft. Thanks, -- JG James Gould Fellow Engineer jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 8/23/22, 3:34 PM, "John C Klensin" <john-ietf@jck.com> wrote: Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. (shortening the quoted text to focus on things about which I have more to say) --On Monday, August 22, 2022 08:40 +0200 Dmitry Belyavsky <beldmit@gmail.com> wrote: > Dear John, > Many thanks for your comprehensive response! > > > > On Sun, 21 Aug 2022, 18:24 John C Klensin, <john-ietf@jck.com> > wrote: > >> Dmitry and James, >> >> I think several different issues are getting intertwined here, >> some of which rise to the level of principles. It is clear >> that we are making different assumptions about what is >> relevant and important and almost as clear that we are not >> going to convince each other. As I said earlier, that is why >> we pay the IESG the big bucks. >> >... >> (2) As Patrik pointed out, there is a community interest (both >> general and in ICANN policy) in making it easy for registrants >> to switch registrars (whether the earlier registrar remains in >> business or not). For a registrar to treat business >> relationship data that do not affect users, various >> authorities, or elements of the DNS itself, as confidential >> is entirely reasonable. However, usable contact information >> for registrants does not fall into that category but, >> instead, is information registries have been required to have >> in their possession since before there was an ICANN (a >> principle reaffirmed many times since then). > Probably this is the most important point. So let me explain > how the business process looks like from my point of view. > > I am aware of two transfer scenarios. > > First implies a one domain transfer. In this case a registrant > should be already registered as a client and provide some > email address. If this address is SMTPUTF8, it means that the > registrar-acceptor supports sych addresses. If not, then > registrar-acceptor can update the contact associated with the > transferring domain immediately after acceptance. So it is not > a show stopper. > > The second one is bulk transfer in case of emergency. In that > case it is the registrar's interest to be able to get more > clients. >... Aha! This may identify another area where we have been understanding terminology, and hence the problem, differently, leading to some failure to communicate. I hope Patrik, who has been closer to the issues in recent years than I have, will comment further but... There is a third case that I think is different from your first one. Back in the ancient times when I was advising ICANN and then on the ICANN Board it was considered at least as important as your second one. My understanding of your first case was not considered a significant issue, partially for the reason you identified. That third case is best illustrated with a made-up example that drifts rather far into policy issues but it probably helps explain why, if registries are going to allow non-ASCII addresses in the registry databases, they need to be able to specify that ASCII alternatives be there too... and that implies that a way to provide such addresses should be part of the protocol. Suppose, I am a registrant of foo.example., registered there through registrar XYZ. I am happy with the name, with the registry for the "example." TLD and so on, but, perhaps due to changes in their business policies, am completely fed up with having XYZ as a registrar. So what I want to do, perhaps only at renewal time, is to register/renew the domain via a different registrar, perhaps ABC. The transfer case now involves the very fundamental and long-debated question of who the domain, foo.example, actually belongs to. Policy decisions have been made repeatedly that the answer is not XYZ. Because of the original name acquisition, I am registered as a client of XYZ. I have supplied them with a non-ASCII email address as the administrative contact (at least) for foo.example (probably the other contact addresses as well). I go to make the switch and perhaps ABC, despite whatever else attracts me to them, does not yet handle non-ASCII addresses. The registry does not have a non-ASCII address so ABC cannot use information there to validate me. Even if XYZ has an all-ASCII backup address (one that was not made available to the registry) hidden away, they have no technical, and probably no external policy, reason to cooperate. All of myself, ABC, and the registry now have a problem on our hands, one which could be resolved by an ICANN policy requiring that XYZ release all of the information they have on me (whether they consider it part of their business relationship or not) and including any special authentication information, or a specific list of data that include alternate email addresses, to ABC and/or the registry. To the best of my knowledge, there is no such policy and I would not be optimistic about the ability to create one quickly. Another solution would be an ICANN policy, mandatory for all contracted parties at least, requiring that everyone support non-ASCII email addresses written in any script supported in Unicode (not just, e.g., characters derived from the root MSR because these are email addresses, not domain names). Not holding my breath about that either. Of course, if the registry is feeling cooperative, they could contact me on behalf of ABC, get themselves in the middle of the transaction, and sort this out even though they have business incentives to avoid getting into the middle of this if possible (there are several opportunities here and above that could provide full employment to many lawyers). But consider a related case. Suppose that, instead of "foo", I had registered an IDN string using a script that the registry had no staff who could read or type and no MUA that knew how to utilize. No problem so far because of how IDNA works, but assume that I supplied an email address whose local part (as well as the domain part) were in that script. The path to which that leads is the reason for the "don't register what you don't understand" language in the IDNA specs and its reinforcement and explanation in the ill-fated draft-klensin-idna-rfc5891bis. And the bypass for the problem is, of course, availability _in the registry database_ of an alternate, all-ASCII, address in addition to the non-ASCII one. >> (3) Whether a registrant is allowed to supply a non-ASCII >> email address at all and, if they are allowed to do that, >> whether an ASCII alternative should (or must) be supplied is, >> we are agreed, a matter for registry-registrar agreements -- >> at least until national governments, other authorities, or >> ICANN itself step in. I don't think anyone has suggested >> that supplying an alternative all-ASCII address through the >> protocol should be a requirement imposed by the IETF >> (certainly I have not). I imagine that the REGEXT WG making >> a strong recommendation on the subject would even be viewed >> by some as an intrusion on ICANN's scope of authority. >> However, it is important that the protocol be able to >> accommodate the inclusion and transfer of that alternate >> address information lest someone --perhaps even someone >> acting on behalf of a registrar who believes its interests >> would be served by making transfers difficult-- claim in an >> ICANN forum that such information is unnecessary and >> difficult to provide --and hence should be excluded from >> discussions-- because the IETF decided it was not allowed in >> the protocol. > Well... Providing an opportunity to provide multiple email > addresses within object (no matter if they are ASCII or > SMTPUTF8) is probably worth doing but out of scope of this > document. Otherwise I don't understand your point here :( My point --see my earlier note to James-- is that, if this is out of scope for this document, then the document is probably not a proper candidate for processing as an IETF standards track document. >> (4) To say almost the same thing from a different perspective, >> if the purpose of this specification is to reduce the number >> of incompatible ways in which registry-registrar pairs do >> things, then please recognize that there is a strong >> possibility (as predicted by the SMTPUTF8 specification >> family), either immediately or after experience starts to >> accumulate, that alternate all-ASCII addresses will be >> required for some combinations of actors (before you removed >> the text, it strongly implied just that). If you allow them >> in the protocol and data structure, then people who need to >> transmit them will have a guide as to how to do so. If they >> are not allowed in the protocol, they you would be actively >> encouraging different ways of doing things by forcing >> different arrangements for transferring that information. >> Given what everyone who has studied database theory knows >> about the dangers of transmitting closely linked data in >> separate pieces it is even more likely that they will invent >> alternatives to this protocol as soon as the requirement (or >> even an option) for transmitting an all-ASCII alternative >> address to the registry arises. > It is a fair point - but I'm not sure if it is in the scope of > IETF. Registrars have a lot of such quirks and any registry > adds more and more. And that arguably makes some ICANN policy-making prerequisite to the IETF processing this document. Whatever the IETF does, it should not be standardizing things that will make the Internet work worse in the absence of real-world realities. All of the above really says is that, if there is a choice, any protocol standardization effort should encourage good behavior (whether it can successfully discourage bad behavior or not). Note particularly the "forcing different arrangements" part. >> (5) Finally, there is a procedural issue that seems to have >> gotten lost in the other (particularly i18n) discussions. The >> base EPP spec [RFC5730] says that there are three ways to >> extend the protocol -- protocol, object, and command-response >> levels. It does not say there can never be additional ways or >> that other ways are not possible but it does say "three >> ways". This document defines and adds a fourth, a >> "functional extension". No matter how harmless that addition >> is and even if the WG is certain it would never be used for >> anything other than this particular spec (in which case the >> reasoning should probably appear in the spec), that >> constitutes an update to 5730 that should be appropriately >> reflected in the RFC header and other document metadata. If >> it really were a change to allow changes to the function of >> EPP (I don't think it is and believe the term may be badly >> chosen), then the community is owed an explanation of why the >> function and/or scope of an Internet Standard is being >> changed as part of what ought to be a fairly minor extension. > I believe that the change in this document is quite similar to > the protocol extension - but definitely doesn't fit to it > perfectly. From the other point of view we technically don't > change the formal XML scheme for the email address - as I > wrote in the very first version of the document. As shown in the longer analysis in my earlier note today, that is correct. But, if no change to the formal XML scheme for the email address is needed, then this document need specify only the command-response negotiation between registrar and registry about whether the "real" syntax for email addresses can contain non-ASCII characters. Everything else is just a source of confusion. Of course, that still does not address the need for a way to transmit an all-ASCII alternative if the primary email address requires SMTPUPT8 support. > Do you think it makes sense to add that our document updates > RFC 5730? If that is what you are doing (e.g., if it is adding an extension type), I think that not only makes sense but is necessary. best, john
- Re: [regext] [Last-Call] last call reviews of dra… John C Klensin
- Re: [regext] [Last-Call] last call reviews of dra… Dmitry Belyavsky
- Re: [regext] [Last-Call] last call reviews of dra… Gould, James
- Re: [regext] [I18ndir] [Last-Call] last call revi… John C Klensin
- Re: [regext] [Last-Call] last call reviews of dra… John C Klensin
- Re: [regext] [Last-Call] last call reviews of dra… John C Klensin
- Re: [regext] [Last-Call] last call reviews of dra… Gould, James
- Re: [regext] [Last-Call] last call reviews of dra… John C Klensin
- Re: [regext] [Last-Call] last call reviews of dra… Dmitry Belyavsky
- Re: [regext] [Last-Call] last call reviews of dra… Hollenbeck, Scott
- Re: [regext] [Last-Call] last call reviews of dra… Gould, James
- Re: [regext] [Last-Call] last call reviews of dra… Gould, James
- Re: [regext] [Last-Call] last call reviews of dra… John C Klensin
- Re: [regext] [Last-Call] last call reviews of dra… Gould, James
- Re: [regext] [Last-Call] last call reviews of dra… Gould, James
- Re: [regext] [Last-Call] last call reviews of dra… John C Klensin
- Re: [regext] [Last-Call] last call reviews of dra… Dmitry Belyavsky
- Re: [regext] [Last-Call] last call reviews of dra… John C Klensin
- Re: [regext] [Last-Call] last call reviews of dra… Gould, James
- Re: [regext] [Last-Call] last call reviews of dra… Василий Долматов
- Re: [regext] [Last-Call] last call reviews of dra… John C Klensin
- Re: [regext] [I18ndir] [Last-Call] last call revi… Martin J. Dürst
- Re: [regext] [I18ndir] [Last-Call] last call revi… Asmus Freytag