Re: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
Rick Wilhelm <Rwilhelm@PIR.org> Tue, 12 July 2022 20:04 UTC
Return-Path: <Rwilhelm@PIR.org>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72FBBC157B52 for <regext@ietfa.amsl.com>; Tue, 12 Jul 2022 13:04:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pirorg.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IIc3oFk3fcLt for <regext@ietfa.amsl.com>; Tue, 12 Jul 2022 13:04:36 -0700 (PDT)
Received: from NAM02-BN1-obe.outbound.protection.outlook.com (mail-bn1nam07lp2044.outbound.protection.outlook.com [104.47.51.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A266C157B42 for <regext@ietf.org>; Tue, 12 Jul 2022 13:04:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mp7WEIxARUMYzSFw/LUEQuH8zF5ID59tdJ7NynV+289EK9u2apQjK1dpNBeIiTxy83KMG6Ep/tw5VDNAMMyPot2rVrSOWbonOAGW3HU2kRF/8Aapr/65ex+rh7ws/8Zng2Vn/WfiN/JQeNb1z+uZEVrfhFgxNrbOJ/pH9dNYjpl2Y+JVzojTmjo4R9DrOUXgNxS06eFYtbha4tqVpLnkEpNTJ15sEuq6XyTsZ6fuEtgAIcFRnMsXFNqdbfUvFVAc4toydgOuVpW+jIFiZXFpY2o6oRUTEspWZ75hcU3JbQP7sL+sF7j7nEdV84HjP6ygYgOox2FTnVu3wJv4y57vcg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Zv67Wf6sKZ698JX5Vf5IFLHU7e0sbkXy7T6eHei0qKw=; b=ePtIxbjTx07ZemaXEC6CyPCmpTz7R5DKbRH51FC/npDC1Z+fzJzGe+IatU8iY8sJGcPMGWGBna2hKj1S982Of6etT6mrNKE5JivxEYkwXCQ+TQHRNBDkZHN914CeVCCbnPEUEY4jJ1NrqdbHwkEjaSznwep4d2cNBcjWq/cPlVPo5w+ww3U2/oK0tAeVJ4iEMBk7lYxFBHeT6fWjN4BE/bzSXdRaG+8Op03am8GHTSjtHJNCkqFg/DHF0plSdKmmbYYJGnNFj/mUABOB7JDBm4jNPigWynaPqRGHQOCnl/7f4IcQzANMw8dSnmhEZwGRIyn9kIbvHQ0xkYOqBjg8Rg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=pir.org; dmarc=pass action=none header.from=pir.org; dkim=pass header.d=pir.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pirorg.onmicrosoft.com; s=selector2-pirorg-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Zv67Wf6sKZ698JX5Vf5IFLHU7e0sbkXy7T6eHei0qKw=; b=iGLRce6gj4j2rBUXOgFlTRk22HaFrIKDrsvQKyHcpbETePqI7j1CMF9xzq9NgsblEOOXkDgNwyQrm5Rw4OdmX2F+KCRvXj+70FdDgbKhlbski3aC7qNq0wgFC+Er1XZrvPniOHZVg2H0BFZ58AESqUd3Mq/Ebud5tprut0QwRXw=
Received: from BY5PR10MB4179.namprd10.prod.outlook.com (2603:10b6:a03:206::8) by DM6PR10MB3833.namprd10.prod.outlook.com (2603:10b6:5:1d2::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5417.21; Tue, 12 Jul 2022 20:04:30 +0000
Received: from BY5PR10MB4179.namprd10.prod.outlook.com ([fe80::1521:31a5:949b:8aee]) by BY5PR10MB4179.namprd10.prod.outlook.com ([fe80::1521:31a5:949b:8aee%4]) with mapi id 15.20.5417.026; Tue, 12 Jul 2022 20:04:30 +0000
From: Rick Wilhelm <Rwilhelm@PIR.org>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>, "jgould=40verisign.com@dmarc.ietf.org" <jgould=40verisign.com@dmarc.ietf.org>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
Thread-Index: AQHYlfErOYryTOFLcEa1k/pEddYKCK16txaAgABw+g0=
Date: Tue, 12 Jul 2022 20:04:30 +0000
Message-ID: <BY5PR10MB41796EC637D479D88E38E9EEC9869@BY5PR10MB4179.namprd10.prod.outlook.com>
References: <920FFD8E-B060-416D-B838-61010E51C50A@verisign.com> <08c3a4aecaeb467eac9152b880cc85ba@verisign.com>
In-Reply-To: <08c3a4aecaeb467eac9152b880cc85ba@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=PIR.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1d2eccd6-aee1-48a0-79f2-08da6441bb2a
x-ms-traffictypediagnostic: DM6PR10MB3833:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jFXsyMnBhAXZmoZUL0NCjuHTA8l1zdTmaKn769Xjs6+rXy4Wkv/1eNuJ53pAvb06nCNly8ijjknv3Eb8wUlzvPUfX0gtsT6ZAKbAf9Yb6BwQPalW6RyImoXD/TyOfZtLmqmIzEMPhBxJOkjj+EACJHeAsW8i7OL+2QKhhgYaFZ7/77FfipwA1KT1dGR+87XCqO9MMBnkal+KD9u9z2jzWm/IHibCW12WXNzUW1zVB85xaQQQbx2DUKRaLeb0AT+qMOKn890UfPVAuaXAAd2wWmshBK3Ixp7nmq5ZdiTi95+z0mrHXw/l6/KGT4Gik1qWSc2nE++dPpbWTKVXzSeiiAYir+8OF0zz2f7BkUORmXVdG1dlY+u5L8XqFxjyBE3nL5FJdIaL5VcTC73nH+Mz2xXTVb2OjdY4MU4k9crrlOd6TogZxlYCWEFTqeWW3a8Vj20FdQ1WUqWvINOBgzuzwBJwI07csPuJo4S5TlmcHcaiWfOdl0V2CoVH7c3d7gYt0T79lZJzdmJC6pTv9OtC3FbgZyVqvsuQxv9ZW24/3EbXNURHjcRDKTHXkoiKrIYW2UmpbSfGNlfKDTzDm0gVBiSvCj7PRbauGNS1C1N82EZjvkcH4gQo2oH2ipo9af9CLfLyPMqYPdPglSTJfSpAG0vdsCUfIp0KsLqbh4ownG+B2wveNCtskulUw61QIS3L4hoeiUQyA7OQhEKN2jgrIgFmIU6z9aCpj/j7+tj0dcgdU6ymas+u/BzEj9vFjADEHFAFD/VPxpwDp1+nO6iOROI6N+ZRqobrrGGyCOAJV42KierK9GKrsNABs/jpzn935lU3hH9ZtaN9G6eXWTsTqtIZ1k63fGour2/xHQxXKnA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR10MB4179.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(366004)(376002)(396003)(346002)(39840400004)(136003)(91956017)(64756008)(83380400001)(122000001)(66476007)(66556008)(8676002)(66446008)(66574015)(84970400001)(66946007)(8936002)(38100700002)(186003)(86362001)(76116006)(2906002)(55016003)(166002)(5660300002)(52536014)(9686003)(316002)(6506007)(966005)(53546011)(7696005)(33656002)(41300700001)(110136005)(26005)(478600001)(40140700001)(71200400001)(38070700005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 6HlWqMyH1m43vRT6WpFvWLNETkxShULb6prOrZwmyd032dmD689lk717r22ua8GzJkFcKStWzfQvS8vCeraCCurdG2W2KHzAMoDetWtukvRfh7lN44F3CUMwLEdrcrdzWOPCCR1KVVFhLem4WDNSMi7BMLxZNBMNhvomow78oq3VrKzOpFzygFWno5zXLU3yT1qmCQ2wuLaRpORoa0cUXgbf9SE2IvqJ2006HYeUOg29bj/kw0N7BYMSYI/yVHlllPNiuLJ9psPcne6iDFWC8eUqo/fLw3uqbsk87Dwqxu3L9r4gqVW25E6fHpKEIUuZyKy2lLrmoCA8xRuQQRgW+wshM1Tp2ADORKLmL5tuiD1YNhv6EB9yEGcMq8kuAr/4idHpt52Iy/HMI0DrVBFOy1+BiepGRJ5ulhrzO1h2VTL9scaCnBM79HhJeCrnvP+hcXDXz+8nKvvt+XlYokWm8GyAu/50ARXvwiOl5cjIMekiYQcfPuEEG2mhgMxttgDkYZSAdr4f5U86hyhZB6xall96ZWxKaaDszdm73m9SOtKG5bpaj7+04fCGExX6N+F10jR0nPmRZQcdtqAxc52skW8+o89mNOlyrB45c0H3AP5mjrL2tISLwTAO1xisXXT77pqV7uWm8eg6HDsXlgmTMeYX9gtFD7Q98nS9pOXnhSkuIxnINUDYzlK8cxO6pMdkoSWnezHAouPf2754FxkKEQyMntNkzSCnIvdeI0YB/JfIO1EijC1hCtly9QtgGiv+tNzT3owRNXcWCyXrF0UkTON4hEKcuFu8VBn3GrHp6pBFHPHrrNDKo6y7zhEyDOGTS4WyNt0K5Y3ouFsXOHUNbjPj5bTqvdh5HzkrgWkvZVlkaUoBqnRr5qlDXfr9cRdVuVfumgZUGfuPYTN9NcTnLmGklFhwfF0V2kMDgTCeJgsH7Xg6tykhrONZVkEthV58Z5mmsfydxPbJRmziZxjRvdMSb9kel51nXcx7TwZ6oHD/eMdock4H1vMuCLGBqhhXYXkluhCL62YFJ6JSW0Kfpr5B/9d694vVfZ7i6uZyDSsb+wsZeLxuAPvGFMEg0qARD63IOFPzUtAVM+/Cb25F0wGRdICuH9YtGXP/2C1ooa14iyx8GUEOSllcxEyupNx0X9yB9dUxbSE4neCh+ptOf4KKn68VLQefm3wBAoDzCpfF40Oc69kwfd15q+ownCwiyn0LVPT3mABHbpMHdq6S2pYHIEZfi065597IguqjiMhdJoqxHjbcTu88pAh904Vft3Kp5qh9XDZjgTqxb0r5RqHu7apdBuVVp/sF9wGTjYgOF+U8PH28uL9D6FH0BullHGciRMe8LEZ+vBOMBzGEmBbn5PfkVLqkBv3jCWEpCOYx4O3BTkc2P80ggShHsatlAp0QbqR+ZrKR5aVrlweJvez+h8vIqU8pNkV2mVlw81AgWcXlRRtLQzi6+BdC8w5ur79SbTfheY4Zez22Q/dFYlIZf218fFTDkFu9s3YGCk7kVvxIU3aVWACy4sR/rc8JpxBFFsBcxQZsZnOW/FHHNViaOZGFmmFRJOJtpnzNDhbIcAMdy9QK9jKD23gDbfao+THszGN8i6EhGTlIIrjaHQ==
Content-Type: multipart/alternative; boundary="_000_BY5PR10MB41796EC637D479D88E38E9EEC9869BY5PR10MB4179namp_"
MIME-Version: 1.0
X-OriginatorOrg: pir.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR10MB4179.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1d2eccd6-aee1-48a0-79f2-08da6441bb2a
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jul 2022 20:04:30.1496 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6c8ced78-b98f-4fa4-b6df-38beaa0d935d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nkDlGcYsvpsEVqHC0j/35LMVr7Hlp4DIsz6pn9pLEeT6lS9gtmF1Rh8eM7XU7yJBF1Uh64kkwrNGqAlSrDLRFQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR10MB3833
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/Y6ToB3q81JdSCOgF3VF8LMZLytI>
Subject: Re: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 20:04:40 -0000
Briefly, I think that (per a point that Mario made) the situations described below are different and might merit consideration differently. Specifically, these situations: > Let's look at the server-side options again for situations in which the server > receives a login followed by a login, or a logout where there's been no > login, > or a refresh without an active session, or a session status without an active > session: - Login followed by login: sounds similar to a point that Mario made related to extending a session; seems fine, not an error - logout where there has been no login: while it might be tempting to want to give back an error, I would argue that this gives up security info about the client. Therefore, is there harm in just saying “ok” ?? - refresh without an active session: should give back error - session status without an active session: should give back error Thanks Rick From: Hollenbeck, Scott <shollenbeck@verisign.com> Date: Tuesday, July 12, 2022 at 9:17 AM To: jgould=40verisign.com@dmarc.ietf.org <jgould=40verisign.com@dmarc.ietf.org>, Rick Wilhelm <Rwilhelm@PIR.org>, regext@ietf.org <regext@ietf.org> Subject: [EXTERNAL] RE: [regext] Login/Logout Processing (was RE: I-D Action: draft-ietf-regext-rdap-openid-15.txt) CAUTION: This email came from outside your organization. Don’t trust emails, links, or attachments from senders that seem suspicious or you are not expecting. Thanks, Jim. I'm working on -16 to address this topic and other recent feedback. I'm planning to include text that describes error return conditions. Scott > -----Original Message----- > From: Gould, James <jgould=40verisign.com@dmarc.ietf.org> > Sent: Tuesday, July 12, 2022 9:13 AM > To: Hollenbeck, Scott <shollenbeck@verisign.com>; Rwilhelm@PIR.org; > regext@ietf.org > Subject: [EXTERNAL] Re: [regext] Login/Logout Processing (was RE: I-D > Action: draft-ietf-regext-rdap-openid-15.txt) > > Caution: This email originated from outside the organization. Do not click links > or open attachments unless you recognize the sender and know the content > is safe. > > Scott, > > My preference is option 1, where if the request conflicts with the current > state it needs to result in an error. > > -- > > JG > > > > James Gould > Fellow Engineer > jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE- > B4BA42740803/jgould@Verisign.com> > > 703-948-3271 > 12061 Bluemont Way > Reston, VA 20190 > > Verisign.com <http://secure-web.cisco.com/146IYbLb06o7EQ5y-<https://protect-us.mimecast.com/s/KdwUCOYzm8CAvABCvFYvF?domain=secure-web.cisco.com> > S9CI7Wv51aAaxl8hFAuOBaHou3sDkfQPFMQu6BUoW4k5ofYC5YtOj6XXRCKD > HYzan_NZGxdaN0YSvV0pwQb7R9i9kzQj1h9R05Pagm54- > 27p6uMqOMzoZGv2vinpZe2J8m4PKqdSLdJjiCepHPZ1JM1mtuI50NVmuZ8vRF > i_0YBy7IEEjGceS0HpXLfup5UC4X63esKGLab9WHmN- > OZdrNHmUQpEtHd1kkwxdbMiJ2nTpenX/http%3A%2F%2Fverisigninc.com%2 > F> > > On 7/7/22, 11:02 AM, "regext on behalf of Hollenbeck, Scott" <regext- > bounces@ietf.org on behalf of shollenbeck=40verisign.com@dmarc.ietf.org> > wrote: > > > Thanks, Rick. Trimming things up a bit and changing the subject > appropriately... > > >>> In the last sentence: Is the client required to wait until the access > >>> token has > >>> expired before submitting the new login request? Or can it send > logout > >>> and > >>> login back-to-back? (Or even just a login command while currently > logged > >>> in?) > > >> [SAH] Let's talk about this. What's appropriate behavior? IF the server > >> gets a > >> "login" during an active session, it can either ignore the second "login", > >> or it > >> can return an error. Similarly, it the server gets a "logout" when there's > >> no > >> active session, it can either ignore the "logout" or return an error. I'm > >> inclined to return an error to explicitly note that the submitted > >> query/command > >> wasn't processed as requested. > > > [RW] First off, I will certainly defer to those with more implementation in > > this > > realm. However, based on my experience as a user, I would expect a > login > > that > > happens during an active session to "just work" and override the > previous > > active > > session. This could happen when I have an active session at the server > but > > the > > client browser (with the session) crashes or is otherwise inaccessible. > > This > > seems better than the alternative: If the new login request is refused, > > then > > the user is (essentially) locked out until the session timeout value > > expires. > > Related, if the server gets a "logout" when there is no active session, I > > think > > that it should ignore the "logout" (rather than returning an error). The > > thinking being that returning an error is at best useless and at worst could > > be > > an information leak (aka security risk). > > The document currently describes a session/refresh path segment to > perform the > kind of "override" behavior described above. Having a "login followed by a > login" do the same thing seems counter-intuitive. My own experience with > server-side session management is that there is no lockout. If the client > sends the right HTTP cookie, and the session is still active, there won't be a > problem. Another login should be possible if the "old" session gets > corrupted. > > Let's look at the server-side options again for situations in which the server > receives a login followed by a login, or a logout where there's been no > login, > or a refresh without an active session, or a session status without an active > session: > > 1. Return an error. HTTP includes a 409 (Conflict) response that can be > returned if a received request conflicts with the current state of the server. > > 2. Accept the request and ignore it. I'm not sure what an appropriate HTTP > response code would be for this situation. > > 3. Accept the request and do "something". > > Option 1 can be done consistently for all the above request sequences. > Option > 2 seems like it could mislead the client into thinking that something has > happened unless there is, in fact, an appropriate HTTP response code > available > to describe a no-op (I couldn't find one). Option 3 might be doable if we > can > figure out what the "somethings" are, like processing a second login > received > while a session is active, but the other command sequences present > problems. > As you described above, a logout received without an active session is > processed differently than the "login followed by a login" situation. Is that > really the best course of action? I think consistent behavior would be > preferred. > > Scott > > _______________________________________________ > regext mailing list > regext@ietf.org > https://secure- > web.cisco.com/1zzMrKkgYlj9VhlxPYw6YLgXo4UAztsC_b_SIIxy0OJCV9U2y757 > cdfeXR- > TsC4CBsm4x0Yza6BzHsVVgxL47gZOr0EEg3eYwSmzQahgfdLx6MCjcvGofpNEU > HHZt2Y9yHuOqVA2iKKNDFe4kYtLZHy4rnHFrCuG4pBqHTT16_dC9eQWYrcA7F > A4k25iCZW0YD3jfVPuhbDXOJoN5T2R71VL27lBZvgz67YLjIgfoeMRu8B5U9- > yu2qyTAFnQ2bvd/https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2 > Fregext >
- [regext] Login/Logout Processing (was RE: I-D Act… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Mario Loffredo
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Gould, James
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Rick Wilhelm
- Re: [regext] Login/Logout Processing (was RE: I-D… Hollenbeck, Scott
- Re: [regext] Login/Logout Processing (was RE: I-D… Mario Loffredo
- Re: [regext] NA Re: Login/Logout Processing (was … Rick Wilhelm