Re: [regext] Comments to the feedback about epp-over-http

Francisco Obispo <francisco@unr.com> Thu, 31 March 2022 18:21 UTC

From: Francisco Obispo <francisco@unr.com>
To: Mario Loffredo <mario.loffredo@iit.cnr.it>
Cc: Patrick Mevzek <pm@dotandco.com>, regext@ietf.org
Date: Thu, 31 Mar 2022 11:21:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/Vyk2O6dUi8Qqpeq3dOqlCrMBw68>

Something like this would work with HAproxy:

https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/

Best,


On 31 Mar 2022, at 11:14, Mario Loffredo wrote:

> Hi Francisco,
>
> Maybe we are complicating a bit (just to be polite) something that 
> would be very easy if the server started every EPP session only 
> after a successful Login.
>
> Anyway, just for curiosity, can you provide me with an example for 
> NGINX?
>
> It doesn't sound so simple according to this post 
> <https://stackoverflow.com/questions/64810700/reading-client-certificate-details-with-nginx>
>
> Best,
>
> Mario
>
>
> Il 31/03/2022 19:36, Francisco Obispo ha scritto:
>>
>> In a scenario where a proxy/load balancer is terminating the TLS 
>> connection, it will most likely need to extract the certificate 
>> information and encode it into an HTTP header, so that the backend 
>> could later tie the |clID| with the certificate in some way (i.e.: 
>> |cn|).
>>
>> That's what I would do, to at least guarantee that the client 
>> certificate corresponds to the |clID|.
>>
>> Best,
>>
>> On 31 Mar 2022, at 9:56, Mario Loffredo wrote:
>>
>>     Hi Patrick,
>>
>>     thanks for your interest.
>>
>>     Il 31/03/2022 17:54, Patrick Mevzek ha scritto:
>>
>>         On Thu, Mar 31, 2022, at 10:36, Mario Loffredo wrote:
>>
>>             Starting an HTTP session when receiving an EPP command
>>             other than the
>>             Login command is in .it experience (but I can speak on
>>             behalf of .pl
>>             too) very inefficient because you can't immediately lock
>>             the HTTP
>>             session to the Registrar.
>>
>>         I disagree.
>>
>>         If the transport is HTTPS (and not just HTTP), the server can
>>         request the client to send a certificate, exactly as for EPP
>>         over TLS.
>>
>>         In such case, for *any* HTTP request coming to the server, the
>>         server theoretically already knows to which client this
>>         pertains as it can consult the certificate given.
>>
>>         It can be considered a weak or partial authentication, until
>>         the EPP login
>>         is successfully executed.
>>
>>     Are you talking about a single server or a load balancing
>>     architecture where a proxy routes the requests to a pool of
>>     backend servers?
>>
>>     In addition, it is quite simple to do at socket level. It seems to
>>     me much more complicated at the servlet level.
>>
>>     Mario
>>
>>     --
>>     Dr. Mario Loffredo
>>     Technological Unit “Digital Innovation”
>>     Institute of Informatics and Telematics (IIT)
>>     National Research Council (CNR)
>>     via G. Moruzzi 1, I-56124 PISA, Italy
>>     Phone: +39.0503153497
>>     Web: http://www.iit.cnr.it/mario.loffredo
>>
>>     _______________________________________________
>>     regext mailing list
>>     regext@ietf.org
>>     https://www.ietf.org/mailman/listinfo/regext
>>
>>
>
> -- 
> Dr. Mario Loffredo
> Technological Unit “Digital Innovation”
> Institute of Informatics and Telematics (IIT)
> National Research Council (CNR)
> via G. Moruzzi 1, I-56124 PISA, Italy
> Phone: +39.0503153497
> Web: http://www.iit.cnr.it/mario.loffredo
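An added example (not code from the thread or from any registry) of the backend check Francisco describes: the TLS-terminating proxy forwards the verified client-certificate CN in a header, and the EPP server refuses any session whose <login> clID is not bound to that CN. The header names (modelled on the HAProxy blog post's convention), the clID-to-CN table and the sample EPP messages are assumptions.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"

# Constructed registrar table (hypothetical values): certificate CN each clID may use.
CLID_TO_CN = {"ClientX": "registrar-x.example", "ClientY": "registrar-y.example"}

# Constructed sample EPP messages: a <login> and a non-login <hello/>.
LOGIN_XML = f"""<epp xmlns="{EPP_NS}">
  <command>
    <login>
      <clID>ClientX</clID>
      <pw>[password-placeholder]</pw>
      <options><version>1.0</version><lang>en</lang></options>
      <svcs><objURI>urn:ietf:params:xml:ns:domain-1.0</objURI></svcs>
    </login>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>"""
HELLO_XML = f'<epp xmlns="{EPP_NS}"><hello/></epp>'

def login_clid(body: str):
    """Return the clID of an EPP <login> command, or None if body is not a login."""
    root = ET.fromstring(body)
    el = root.find(f"./{{{EPP_NS}}}command/{{{EPP_NS}}}login/{{{EPP_NS}}}clID")
    return el.text.strip() if el is not None and el.text else None

def check_login(headers: dict, body: str) -> tuple:
    """Accept the login only if the proxy-reported client-cert CN is bound to the clID.

    Assumes the TLS-terminating proxy sets X-SSL-Client-Verify (HAProxy's
    ssl_c_verify, 0 = OK) and X-SSL-Client-CN (ssl_c_s_dn(cn)), and strips any copy
    of those headers the client sent itself; otherwise they are attacker-controlled.
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if h.get("x-ssl-client-verify") != "0":
        return False, "client certificate missing or failed verification"
    cn = h.get("x-ssl-client-cn", "").strip('"')       # %{+Q} formatting adds quotes
    clid = login_clid(body)
    if clid is None:
        return False, "session must start with <login>"
    if CLID_TO_CN.get(clid) != cn:
        return False, f"clID {clid!r} is not bound to certificate CN {cn!r}"
    return True, f"session bound to {clid}"
```

The same CN check should be repeated on every later request of the session, so a pooled backend cannot be reached with another registrar's certificate once the session exists.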