Re: [regext] Federated Authentication for Machine-to-Machine Interactions in RDAP

Rick Wilhelm <Rwilhelm@PIR.org> Thu, 28 July 2022 12:44 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/D7dq6p3s9eNI5V6oOAruKRFxfbQ>

Scott, et al,

Great question.  One use case that comes to mind is working with law enforcement.  In certain situations, authenticated access to RDAP data is required to override the default restrictions on disclosure.  However, for operational security reasons, the law enforcement agency (LEA) doesn’t want individual query sources to be revealed.  And so the LEA sends all of its internal queries through an internal source, like an internal web page that then sends the queries on to the RDAP server.  (In certain situations, there may also be restrictions on the RDAP server logging those queries, but that’s a different issue.)

I think that right now, this sort of arrangement could be handled by an IP passlist.  A rather blunt instrument to be sure, which can be challenging to implement in certain operational situations.  There may be other solutions that I either don’t know or am not recalling.

Offering this as a possible use-case.  Not sure if it’s worth adding to the draft.

Thanks
Rick


From: regext <regext-bounces@ietf.org> on behalf of Hollenbeck, Scott <shollenbeck=40verisign.com@dmarc.ietf.org>
Date: Wednesday, July 27, 2022 at 5:48 PM
To: regext@ietf.org <regext@ietf.org>
Subject: [EXTERNAL] [regext] Federated Authentication for Machine-to-Machine Interactions in RDAP

OAuth 2.0 includes the ability to authorize a class of clients known as
"confidential clients" in a machine-to-machine manner using the "Client
Credentials Grant". The grant is described here:

https://datatracker.ietf.org/doc/html/rfc6749#section-4.4

A description of confidential and public clients can be found here:

https://datatracker.ietf.org/doc/html/rfc6749#section-2.1

Note that this requires some sort of prior arrangement between the client and,
in our case, an RDAP server, such that the client can be authenticated by an
Authorization Server without explicitly identifying, authenticating, and
authorizing the specific human users who might be using the client. For
example, the client might have a password that's been assigned by the RDAP
server operator. The federated authentication draft doesn't currently include
anything to support this type of grant. Should it? Is there an RDAP use case
for which this would be useful?



Scott
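The exchange discussed in this thread, as an added illustration that is not part of either message and not code from the federated authentication draft: a confidential client (Rick's LEA query proxy) obtains a token from an Authorization Server with the Client Credentials Grant (RFC 6749 section 4.4, authenticating with HTTP Basic per section 2.3.1), and an RDAP server lifts redaction only for a bearer of a valid token carrying the right scope. The client registry, the scope name `rdap:unredacted`, the HMAC-signed compact token and the key shared between the two servers are all constructed for this example; a real deployment would use a standard JWT library and asymmetric token signing.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed client registry: the "prior arrangement" between the client and
# the RDAP server operator.  The client (here an LEA's internal query proxy) is
# registered as a confidential client; its secret is stored only as a hash.
CLIENT_REGISTRY = {
    "lea-proxy-01": {
        "secret_hash": hashlib.sha256(b"example-client-secret").hexdigest(),
        "allowed_scopes": {"rdap:unredacted"},   # constructed scope name
    }
}
TOKEN_SIGNING_KEY = b"constructed-hmac-key"   # shared by AS and RDAP server in this toy
TOKEN_TTL = 600                                # token lifetime in seconds


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_auth(client_id: str, secret: str) -> str:
    """Authorization header the client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


# --- Authorization Server: POST /token ---------------------------------------
def token_endpoint(authorization: str, form: dict, now: Optional[float] = None):
    """Client Credentials Grant. Returns (HTTP status, JSON body)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    try:
        scheme, _, creds = authorization.partition(" ")
        client_id, _, secret = base64.b64decode(creds).decode().partition(":")
    except Exception:
        return 401, {"error": "invalid_client"}
    entry = CLIENT_REGISTRY.get(client_id) if scheme == "Basic" else None
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # constant-time comparison of the hashed secret
    if entry is None or not hmac.compare_digest(presented, entry["secret_hash"]):
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", "").split()) or entry["allowed_scopes"]
    if not requested <= entry["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}
    # The token names only the client (sub); no human user is identified.
    claims = {"sub": client_id, "scope": " ".join(sorted(requested)),
              "iat": int(now), "exp": int(now) + TOKEN_TTL,
              "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(TOKEN_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return 200, {"access_token": signing_input + "." + _b64url(sig),
                 "token_type": "Bearer", "expires_in": TOKEN_TTL,
                 "scope": claims["scope"]}


# --- RDAP server: token verification and redaction ---------------------------
def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims of a correctly signed, unexpired token, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(TOKEN_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except Exception:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


FULL_RECORD = {  # constructed sample domain object
    "objectClassName": "domain", "ldhName": "example.org",
    "registrant": {"fn": "Jane Example", "email": "jane@example.org"},
}


def rdap_domain_lookup(authorization: Optional[str], now: Optional[float] = None) -> dict:
    """GET /domain/example.org: unredact only for a token carrying the scope."""
    now = time.time() if now is None else now
    claims = None
    if authorization and authorization.startswith("Bearer "):
        claims = verify_token(authorization[7:], now)
    if claims and "rdap:unredacted" in claims.get("scope", "").split():
        # The server can attribute the query to the client_id only, never to
        # the individual behind the proxy: the property the LEA use case wants.
        return dict(FULL_RECORD, served_to=claims["sub"])
    redacted = dict(FULL_RECORD)
    redacted["registrant"] = {"fn": "REDACTED", "email": "REDACTED"}
    return redacted


if __name__ == "__main__":
    status, body = token_endpoint(basic_auth("lea-proxy-01", "example-client-secret"),
                                  {"grant_type": "client_credentials",
                                   "scope": "rdap:unredacted"})
    print(status, body["scope"])
    print(rdap_domain_lookup("Bearer " + body["access_token"]))
    print(rdap_domain_lookup(None))
```

Compared with the IP passlist Rick mentions, the token carries an expiry, a scope and a client identity independent of network path, so the same proxy can move addresses or sit behind NAT without the RDAP operator touching a firewall rule, and a leaked client secret can be revoked by deleting one registry entry.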
