IETF Logo Mail Archive

Re: [regext] Publication has been requested for draft-ietf-regext-rdap-openid-23

"Hollenbeck, Scott" <shollenbeck@verisign.com> Thu, 17 August 2023 19:56 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFB84C15153E; Thu, 17 Aug 2023 12:56:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.405
X-Spam-Level:
X-Spam-Status: No, score=-4.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BZDd9dbHS-zQ; Thu, 17 Aug 2023 12:56:34 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 728FCC15109A; Thu, 17 Aug 2023 12:56:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=18960; q=dns/txt; s=VRSN; t=1692302193; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=kcoNzvQvGOlMQJe6rUGHYhyLish7SfFJrJggeTnGFkE=; b=PVJEUjSgKE5/rW71g/3f+zYONSlh06+ldTs83DsYqJvi2uTKGu0IXGxs nzKYiWR8Krbf3lAljK20t70QoKH0VXAA62TAkPBPbTlF722hy9h2/gfzv sbpZNR5+jWefuk2crijPIc9A7OZZu5UYi0l5XjDXDnM2dxu373fu4Tf0T C//w6+1mqR5OEDVEZ56BqVf/dncEznPlAHx/xljC0kiwWUoZo/JDllBHN Ee3CdOMANaonynfXDfauveQyoM20SpEDl2LOsU/LhXYhpNjcF2Gpqz01B yLH1Lg8i/yGFTfqeupTB1kR0LgeiRlZ0LFXt4/VyEArlvaMiWQSdBJ3Lh w==;
IronPort-Data: A9a23:OargQKydgvszE99GhA56t+c2xyrEfRIJ4+MujC+fZmUNrF6WrkUFz mdMXT+CP/2KMGLwKIsjbI7i/RwC6JOGm4JhTARupC00HyNBpPSeCIXCJC8cHc8wwu7rFxs7s ppEOrEsCOhuExcwcz/0auCJQUFUjP3OHPymYAL9EngZbRd+Tys8gg5Ulec8g4p56fC0GArlV ena+qUzA3f7nWYtWo4ow/jb8kg37K2t4GlwUmEWPpingnePzxH5M7pCfcldH1OgKqFIE+izQ fr0zb3R1gs1KD90V7tJOp6iGqE7aua60Tqm0xK6aID76vR2nRHe545gXBYqQRwO12jWxYAZJ OJl7vRcQS9xVkHFsLpFD0kAS0mSN4UekFPMCSDXXcB+UyQq2pYjqhljJBheAGEWxgp4KSZf8 qVALGlUUi/d38ym/qjjVu1Xl/12eaEHPKtH0p1h5RvjK68ZZ73zG/yM+9Rfxi92j8wIA+zFY YwSbj8HgBboOkUJYwhMTstjx6H01hETcBUBwL6RjbE35GzXwQp73bPuGMTYYN2RRMpT2E2fo woq+kyjXkBHZIfBkFJp9FqD1tT0rAmhSbgAFYyFxMF1hwSr6HUMXUh+uVyT5KPRZlSFc8lCM 0EO5zEjt4A98UWqSp/2WBjQiGSJsRMMR/JRHvE0rgaXxcL8+QuWC3gYCzVBYd08r+c3SCAkk FiTkLvU6SdHuqeTEG2b+6fM9HapJzJTKG4ZICUDCwEf5YClvpsoiFTESdML/LOJs+AZ0ArYm 1iixBXSTZ1K5SLX/81XJWz6vg8=
IronPort-HdrOrdr: A9a23:Wo5DSKzrxhudJzXAWQP8KrPw8b1zdoMgy1knxilNoHtuA6mlfq GV7ZYmPHDP6Ar5NEtPpTniAsa9qBrnnPZICOIqTNSftWfd2VeAHcVN4Yzv2DX8FyC73f4178 tdWpk7LNHrF1B1gYLZ7BnQKbwd6ejC1Kyzn+/RwzNWUAdwZ8hbgjtREAqBDUFsfgVACKc4EJ b03KF6mwY=
X-Talos-CUID: 9a23:UzhDm216/Au1z6f4o/3TFLxfXdEiKyXZlS7sHBHgJ3ZXUuWJTWSBwfYx
X-Talos-MUID: 9a23:a2D0uQpLYoXcV8YfdFIezx4yD/xZyf6/MlIMoKg0hNaDbBReIijI2Q==
X-IronPort-AV: E=Sophos; i="6.01,180,1684800000"; d="scan'208,217"; a="24958361"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.31; Thu, 17 Aug 2023 15:56:32 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2507.031; Thu, 17 Aug 2023 15:56:31 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "superuser@gmail.com" <superuser@gmail.com>
CC: "regext@ietf.org" <regext@ietf.org>, "AlBanna, Zaid" <zalbanna@verisign.com>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] Publication has been requested for draft-ietf-regext-rdap-openid-23
Thread-Index: AQHZzXjmEGmbowwhZEaK6KR43lvV1a/pudLAgADqGYCAAkiQgIACAlkA///4hnA=
Date: Thu, 17 Aug 2023 19:56:31 +0000
Message-ID: <9b1d217f603f422e8113a6fe0adfb5d8@verisign.com>
References: <169141539729.16856.3286991888155976046@ietfa.amsl.com> <CAL0qLwZ6TOUS-PgNbVN3xatsTtQppzROou4AbgMSNCKnaFf8Fg@mail.gmail.com> <6b39bd1ebabd4135b3c54a404409ccb8@verisign.com> <CAL0qLwZS7NcJGOr4PNaENb-hZzOq_oYQHZ_3_2FxXwgY1HMCag@mail.gmail.com> <b2ef6a44ad584a439126e3df56ec9167@verisign.com> <CAL0qLwZtEU7r+JWdf4MZJ-MY9jjA=SRUGiUVYrSN-0juy3smMw@mail.gmail.com>
In-Reply-To: <CAL0qLwZtEU7r+JWdf4MZJ-MY9jjA=SRUGiUVYrSN-0juy3smMw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00D5_01D9D123.63A8AEC0"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/ZMN1g7xudKPYHvCMDBlhSt1b6eo>
Subject: Re: [regext] Publication has been requested for draft-ietf-regext-rdap-openid-23
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2023 19:56:38 -0000

From: Murray S. Kucherawy <superuser@gmail.com>
Sent: Thursday, August 17, 2023 11:56 AM
To: Hollenbeck, Scott <shollenbeck@verisign.com>
Cc: regext@ietf.org; AlBanna, Zaid <zalbanna@verisign.com>; 
regext-chairs@ietf.org
Subject: [EXTERNAL] Re: [regext] Publication has been requested for 
draft-ietf-regext-rdap-openid-23



[SAH] [snip]

 In Section 3.1.2, what is a "given period of interaction"?

[SAH] The intention here is to use encourage clients to use one form of 
interaction or the other consistently in the course of sending RDAP queries 
and receiving RDAP responses over a given period of time. For example, don’t 
mix in token-oriented actions while in the middle of a session-oriented 
interaction.



OK, I thought you might have actually been trying to say "session".  But the 
same text could legitimately mean, say, "month", or "before an unspecified 
timeout expires"; in the latter case, I'd be wondering what timeout you mean.

[SAH] Yes, I was trying to say “session” without using that word because 
token-oriented clients don’t establish sessions in the way the term is used in 
the document. On the other hand, would it be clearer to say something like 
“within an exchange of requests and responses over a period of time”?



What's the advice to an implementer of token-oriented clients?  It feels like 
we're trying to describe a time boundary beyond which you can establish a new 
pattern.  What might that be for non-session situations?  It's fine if there's 
no good answer, but I wanted to tease out any opportunity to be more crisp 
here.

[SAH] What I’m trying to say here is that a client shouldn’t mix 
token-oriented requests in between session-oriented login and logout requests. 
Maybe that’s the best way to say it: “Clients MAY operate as either 
session-oriented or token-oriented clients, but they MUST do so consistently 
by not mixing token-oriented and session-oriented requests while interacting 
with an OP.” Does that work?





[SAH] [snip]







In Section 3.1.4.1, same question.

[SAH] This SHOULD exists because other methods exist to discover the provider. 
The server might not support the query parameter because it can determine the 
issuer from the given credential (Gmail maps to Google, for example), or it 
may only support a single identity provider.



But if I use one of those other methods, is there any degradation to 
interoperability or security?

[SAH] Not that we’re aware of. At least one implementer has confirmed that it’s 
more common not explicitly receive anything that identifies the provider. The 
alternatives are described in 3.1.4.



OK so this seems like a good candidate for another SHOULD-unless construction 
as you did above.  Thanks for clarifying.

[SAH] OK, how about this: “Alternatively, if mapping of an End-User's 
identifier is not possible, or not supported by the RDAP server, the RDAP 
server SHOULD support explicit specification of a remote OP by the RDAP client 
in the form of a query parameter as described in Section 5.2.2 unless the 
remote OP has been identified using an out-of-band mechanism.”?







In Section 5.1.1, the entire object is OPTIONAL.  This doesn't seem right. 
Would there be any practical use to such a thing?

[SAH] A token-oriented client won’t ever establish a session.



Does that mean at least one of the object's attributes will always be set?  If 
so, a MUST at the bottom indicating such would tighten this up (e.g., "X is 
OPTIONAL, Y is OPTIONAL, Z is OPTIONAL, but you MUST set at least one of 
them").

[SAH] Mario helpfully reminded me that Section 5.2.3 describes the objects to 
be returned in a response based on success or failure. How about adding this 
to 5.1.1 right before the example: “Note that all of the members of the 
"farv1_session" data structure are OPTIONAL. See Section 5.2.3 for 
instructions describing when to return the minimum set of members.”



Thanks, I hadn't connected the two.  So the normative prose around this does 
indeed say an empty object is syntactically legal, but 5.2.3 provides guidance 
that it should really never happen.  Do we need to protect consumers against 
the possibility of a syntactically valid but semantically nonsense empty reply 
by giving them guidance about how to handle such a thing?  I'm fine if the 
answer is "no", but I wanted to ask the question.

[SAH] I think we’re safe with not saying any more that’s already in RDAP 
itself: if a client sees something it doesn’t expect, it can safely be 
ignored.

v2.23.0 | Report a Bug | By Email