Re: [regext] Comments to the feedback about epp-over-http

Francisco Obispo <francisco@unr.com> Thu, 31 March 2022 20:19 UTC

Return-Path: <francisco@unr.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87D9A3A08F5 for <regext@ietfa.amsl.com>; Thu, 31 Mar 2022 13:19:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=unr.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JTkVMqk_1hu6 for <regext@ietfa.amsl.com>; Thu, 31 Mar 2022 13:19:08 -0700 (PDT)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 756E03A08D0 for <regext@ietf.org>; Thu, 31 Mar 2022 13:19:08 -0700 (PDT)
Received: by mail-pl1-x62b.google.com with SMTP id i11so578854plg.12 for <regext@ietf.org>; Thu, 31 Mar 2022 13:19:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unr.com; s=echo; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version; bh=XR0NSigI5PxXGOCPSsVGMcnYOMBv12MKFfoAzhwhF4c=; b=AIuF+440kn6qSycxmlIcBBW4v8pOMZpWhDbuCxV5QKs7ENz+mzYI6aplnhpkiOm1yO i85ChgNJUP7YxrJ4xCJ9fpAC30WrmOUH1B3lF+kSiySRimRwGt+Iy+qCzEiqXIX4YyHv w//ZzBrt5Zw56m+jsNJFVZbHiFASYjg6Hnl1B9sOAOjF6ct7wmVr26kub+ij2EofC6Po 5LLSUA5+GrrefNzg/KMmhcX12Lz6hVUA6UostwUqtluuBMDGwAjFcRkEPnQ9N80R2FIo CfOQAx/LJ9bUzAwZkxNpezMzVIl/Pdn1W6b0Yw651B3n6DR3AVgi8OeoyOP12Z5/IX8O 0IrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version; bh=XR0NSigI5PxXGOCPSsVGMcnYOMBv12MKFfoAzhwhF4c=; b=YTdQ4U16O1rt8nvFbDc9sYaqerx1RgTIQIrrgnmMv/cZBU5Bh5tRWUPKb66vaRmHCL AyF8V1BF7iNkIVw/QXJEry9KNgg2HjnQWjupw3zOA8SaiaPYFuGMAlt4bEMyRZ3J+LLz ss70lSb8DZOdmXITrVhssqf2JC1FqH0VwzSbZKloHmvfH62wja49E4cBgj/FEFNzxZUS H2rAsSfYCyLVZwI8JdyfEFp89TU0d4h7XqrluZpzdQVpT4RcHTPsfjjA0oVlHfeyO8Cq oaXw46eaTTe1LQVzCbmRpfOLCPg6ehU8U7RwRSppGIdfN0GaeCYpjGMsA1YyZF6o7BOG Wuow==
X-Gm-Message-State: AOAM530BPKefc0NVEAVQBGR7ISibw0ADxXi+61bBD5SpXz9CqI/e6oR7 oJ/aEFQeoSHVBpIHduH6knR7CsbYbp1RUQ==
X-Google-Smtp-Source: ABdhPJxBNTJFh8EYI1LqumRml80naZPvaSNj7YPauPH9A53+3ItyYnzBtzbfVs0RU34o3UrTh+pI8g==
X-Received: by 2002:a17:90a:a78c:b0:1b8:b769:62d0 with SMTP id f12-20020a17090aa78c00b001b8b76962d0mr7890826pjq.227.1648757947177; Thu, 31 Mar 2022 13:19:07 -0700 (PDT)
Received: from [192.168.6.85] (ip70-187-179-142.oc.oc.cox.net. [70.187.179.142]) by smtp.gmail.com with ESMTPSA id z15-20020a056a001d8f00b004fda37855ddsm285902pfw.168.2022.03.31.13.19.06 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 31 Mar 2022 13:19:06 -0700 (PDT)
From: Francisco Obispo <francisco@unr.com>
To: Mario Loffredo <mario.loffredo@iit.cnr.it>
Cc: regext@ietf.org
Date: Thu, 31 Mar 2022 13:19:04 -0700
X-Mailer: MailMate (1.14r5852)
Message-ID: <01C969FA-3BE7-4F97-A171-A73C97D58580@unr.com>
In-Reply-To: <c2bbe76c-4efd-4e92-3098-028291298001@iit.cnr.it>
References: <0843A6FD-79B8-45B9-BE58-0BCED21C19B0@verisign.com> <1b87995b-700b-0d16-1241-c69cf142c3f7@iit.cnr.it> <8346151e-acc1-8e9a-f8ce-ac4d2f6a8dac@knipp.de> <759658bd-4781-a9cb-b7dd-88ba596fe2b0@iit.cnr.it> <58f622e5-1548-4894-a14c-c21125972a74@www.fastmail.com> <de81a129-68a4-8759-ee00-09ef2091ec22@iit.cnr.it> <6E923AA5-4027-4188-8DA3-6A93F39A3173@unr.com> <20457027-440b-02a5-82b8-3bef4e95819a@iit.cnr.it> <25E251B5-32D0-4E11-8383-F6CFFFD72CB8@unr.com> <c2bbe76c-4efd-4e92-3098-028291298001@iit.cnr.it>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_145D29FD-45EF-4B57-8A9D-DE03E75D05E4_="
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/TYzpl9FUmhDKKDP3XgX_BSEVP74>
Subject: Re: [regext] Comments to the feedback about epp-over-http
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 20:19:14 -0000

Hi Mario,

Response inline.

On 31 Mar 2022, at 13:03, Mario Loffredo wrote:

> Hi Francisco,
>
> appreciated but:
>
> 1) The ssl variables in NGINX are different.


Yes, they usually are :-)

>
> 2) Even supposing to extract CN or SAN, as it seems one should do in 
> NGINX via a regular expression, it doesn't necessarily correspond to 
> the registrar username to access the EPP server.

Well, whichever method is used, it is important to tie the SSL client to 
the `clID` otherwise an authorized client could try to login with a 
separate account, so it serves the purpose of a multi-factor 
authentication:

* IP address whitelist
* SSL client certificate pinning
* clID/password combination

> 3) I repeat: why should I complicate a solution to come to another 
> that I consider less efficient?

Those methods described above, happen at different layers in the stack, 
it is not complicated, this is exactly how we operate today (at least 
Tucows Registry), SSL certificates are checked to ensure they belong to 
the clID.

IMO a new transport for EPP should at least offer the same safeguards.

>
> Thanks again for the example that maybe will be useful in the future 
> :-)
>

N/P, this is very similar to how IP access works at the HTTP level using 
the `X-Forwarded-For` header or similar approach to signal the 
application information about the client.


Francisco