IETF Logo Mail Archive

Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-19.txt

Pawel Kowalik <kowalik@denic.de> Tue, 06 December 2022 17:08 UTC

Return-Path: <kowalik@denic.de>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FE4BC1524AB for <regext@ietfa.amsl.com>; Tue, 6 Dec 2022 09:08:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wyMESH5fql6O for <regext@ietfa.amsl.com>; Tue, 6 Dec 2022 09:08:46 -0800 (PST)
Received: from mout-b-110.mailbox.org (mout-b-110.mailbox.org [IPv6:2001:67c:2050:102:465::110]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E23CAC1524B2 for <regext@ietf.org>; Tue, 6 Dec 2022 09:08:44 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-110.mailbox.org (Postfix) with ESMTPS id 4NRRhM2vtWz9t0N; Tue, 6 Dec 2022 18:08:35 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1670346515; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=w8lcnPUvsuvUt8SfbcfrE9UbCEofj+0fUsKLTn6whaQ=; b=g2l+DfR/Bjetdx+bjltbEwBHIbetMUtP1gApCVOfnqQwMR+Cdw/N4finCOsDBs7oPqBPEJ b12Xk70a0IXUHU7XlUJ0K7TRcfHXiA/F6lI+lJIjqFkTZHyBs2WxrW03srCM8GLepKCkiZ oFSGxyPFgTs55CQQimX7kmKkVNci/k0HTIWcd6E1R+7OeANlU6OaQouwpsVGflIvSCMHCF hac76hsVvjIvBpCqm7Oo+fQp0zjhPt8yDhi500rIWNwkUDSCdBpW4/pIjJlQHonDyU/on0 g8z790nMBFlOjhahfwtwQhdcjglMMeYhp6v0xFHF7xg4B7JiBw2mjbHr0/+Jiw==
Message-ID: <08ac4c18-01a8-25ea-784b-e7cdf447c7ca@denic.de>
Date: Tue, 06 Dec 2022 18:08:29 +0100
MIME-Version: 1.0
From: Pawel Kowalik <kowalik@denic.de>
Content-Language: en-US
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>, "regext@ietf.org" <regext@ietf.org>
References: <166999115592.50686.10179207835682222803@ietfa.amsl.com> <9bab275f5714470fa5b0db29eed137e5@verisign.com> <c0b80021-b79d-7d4f-a8ba-0da171c4a381@denic.de> <fed85c1e6e8d4dc798f1ab8c89dcc225@verisign.com>
In-Reply-To: <fed85c1e6e8d4dc798f1ab8c89dcc225@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-MBO-RS-ID: 4a8999b3cb6eda7238e
X-MBO-RS-META: 1ifzbm15pefskzxtaqmib6x6b7o5w8f8
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/_DoaAFa7_XnaeVPUlIRyU7aTPOM>
Subject: Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-19.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2022 17:08:50 -0000

Hi Scott,

Feedback below.

Am 06.12.22 um 15:23 schrieb Hollenbeck, Scott:
> Thanks for the feedback. More below...
>
>
>> - we discussed that we do not care that much about remote OPs, however the
>> issue of access_token coming from an unknown OP remains. My proposal for a
>> simple solution would be just to require a query parameter "OP Issuer
>> Identifier" with each RDAP query for non-default OP server. This would be an
>> add to 6.2
> [SAH] The document already includes the "farv1_iss" query parameter that's
> used with a login query. It can be used in this context as needed. Are you
> suggesting that the document should include support for a client sending a
> "farv1_iss" query parameter with a (for example) domain query such that the
> RDAP server will start a session-oriented login process prior to processing
> the domain query? If not that, are you suggesting that receipt of a
> "farv1_iss" query parameter will simply identify the issuer to the RDAP server
> so that the RDAP server can attempt to process the access token received from
> a token-oriented client? The latter makes more sense to me.
[PK] Yes, absolutely I meant the latter.
>
> I see value in remote OPs. In the ICANN registry/registrar world, I fully
> believe there is room for entities like law enforcement, security researchers,
> intellectual property interests, and similar "communities of interest" to
> deploy and operate identity providers for their members. That model scales
> better than every registry/registrar RDAP server operator having to operator
> their own OP and issue credentials to every person who wants access to their
> service. If they do that, they might as well just issue user names and
> passwords for use with HTTP Basic authentication.
[PK] Yes I see that too, therefore with "farv1_iss" it would be working.


Kind Regards,

Pawel

v2.23.0 | Report a Bug | By Email