IETF Logo Mail Archive

Re: [regext] Publication has been requested for draft-ietf-regext-rdap-openid-23

"Murray S. Kucherawy" <superuser@gmail.com> Fri, 18 August 2023 05:54 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80A8BC15106C; Thu, 17 Aug 2023 22:54:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dMdGRQ6DjUah; Thu, 17 Aug 2023 22:54:31 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDFA9C14CE54; Thu, 17 Aug 2023 22:54:30 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id a640c23a62f3a-99e14e4c30aso10865466b.0; Thu, 17 Aug 2023 22:54:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692338069; x=1692942869; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=IqnrjCsxcLrSrUDcg09N8r6qe8wENbjpNSXr47wEQs8=; b=SsFJjq/R+yedDCuSMkYDW/6Gdo7uRbdt/Ctiou6Kqeq9EpUy6WPKBURPI78PdcX56s yX9XEtKACLQweoV0h1Wfdfz+FBBOVGg9L2hde0clw1PGF1jmJxIqKrC/QEZDgrqiD1Tb eS7oHObF9yeZXtm/VqEWZgRB9bg4qXQds5p+qHWXNhy8Q/LAG8ehDDvoVyKJzBamLCp2 cPy3bg3N/uYCzE1nvnZ17U/PEnnhSMw5v4DwykvSW7cYquO/hcioe5UWub8ULRC7Mnpe a1gbZiIJnJKROjC+3YO3CeY93kR3VpoVOc5PCC4XLg6HyMT87smX5kG4TjgVQK7LkHE2 6Scg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692338069; x=1692942869; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=IqnrjCsxcLrSrUDcg09N8r6qe8wENbjpNSXr47wEQs8=; b=IA2k6+Wp+LgWbRkvFjGno+CFJsX+LX6p12hJmLFpBQOdcktZ1LT5BF832CBpWfdTPQ GPnzTxt1DV2BsH9R3UZyRyazh1+7EHJlLUu4sDGbJEKzRfdrYSSi0+WxyxV6RsuKPCzw RRx8wUUD4wl7YXK3PXPQKmegLNbrxwW/XKftXLJYMwQfWG5ZdMejij0fne7Qd5TbFtmT ld9sDNPh3oiy2L39TyuX7kgEGB0kJsmu9R7NT1KSmrGC0x2sGF2Y9w4nowd70bjJ7oAW 3tvG7q58bWZ0PyLKJU7Hsqab1P/rIEzs8ur8gvVjjaYAsbsfVwF8AwefvLZdvUgiLv7L dBLw==
X-Gm-Message-State: AOJu0YwRj8XXYWM76keLhlxQvd5XhTPKyZfcLUiN24gzIgmGjg3usMTO nQ6bwFVHeJ/taKRemX6yUKCKa6+bs6TnBQhLEyJddH0t
X-Google-Smtp-Source: AGHT+IEG4/wAKBAaAXjctV81yk5e24lTQT6EWm6uQIBjl0+XwXS+yswzSbaZXADjQgnJurnsOIBsfmspbBnd9qZPm7I=
X-Received: by 2002:a17:906:dc:b0:99c:ae07:2836 with SMTP id 28-20020a17090600dc00b0099cae072836mr1046118eji.3.1692338069081; Thu, 17 Aug 2023 22:54:29 -0700 (PDT)
MIME-Version: 1.0
References: <169141539729.16856.3286991888155976046@ietfa.amsl.com> <CAL0qLwZ6TOUS-PgNbVN3xatsTtQppzROou4AbgMSNCKnaFf8Fg@mail.gmail.com> <6b39bd1ebabd4135b3c54a404409ccb8@verisign.com> <CAL0qLwZS7NcJGOr4PNaENb-hZzOq_oYQHZ_3_2FxXwgY1HMCag@mail.gmail.com> <b2ef6a44ad584a439126e3df56ec9167@verisign.com> <CAL0qLwZtEU7r+JWdf4MZJ-MY9jjA=SRUGiUVYrSN-0juy3smMw@mail.gmail.com> <9b1d217f603f422e8113a6fe0adfb5d8@verisign.com>
In-Reply-To: <9b1d217f603f422e8113a6fe0adfb5d8@verisign.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 17 Aug 2023 22:54:17 -0700
Message-ID: <CAL0qLwbfRWFXzbKy=XLjArH493n6KFGhhgOVsNpHxm1c3cmnMw@mail.gmail.com>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Cc: "regext@ietf.org" <regext@ietf.org>, "AlBanna, Zaid" <zalbanna@verisign.com>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000072916906032c29dd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/htoFGnDMzK5bSAe-ZDotDXOxloY>
Subject: Re: [regext] Publication has been requested for draft-ietf-regext-rdap-openid-23
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2023 05:54:35 -0000

On Thu, Aug 17, 2023 at 12:56 PM Hollenbeck, Scott <shollenbeck@verisign.com>
wrote:

> *From:* Murray S. Kucherawy <superuser@gmail.com>
> *Sent:* Thursday, August 17, 2023 11:56 AM
> *To:* Hollenbeck, Scott <shollenbeck@verisign.com>
> *Cc:* regext@ietf.org; AlBanna, Zaid <zalbanna@verisign.com>;
> regext-chairs@ietf.org
> *Subject:* [EXTERNAL] Re: [regext] Publication has been requested for
> draft-ietf-regext-rdap-openid-23
>
>
>
> *[SAH] [snip]*
>
>  In Section 3.1.2, what is a "given period of interaction"?
>
> *[SAH] The intention here is to use encourage clients to use one form of
> interaction or the other consistently in the course of sending RDAP queries
> and receiving RDAP responses over a given period of time. For example,
> don’t mix in token-oriented actions while in the middle of a
> session-oriented interaction.*
>
>
>
> OK, I thought you might have actually been trying to say "session".  But
> the same text could legitimately mean, say, "month", or "before an
> unspecified timeout expires"; in the latter case, I'd be wondering what
> timeout you mean.
>
> *[SAH] Yes, I was trying to say “session” without using that word because
> token-oriented clients don’t establish sessions in the way the term is used
> in the document. On the other hand, would it be clearer to say something
> like “within an exchange of requests and responses over a period of time”?*
>
>
>
> What's the advice to an implementer of token-oriented clients?  It feels
> like we're trying to describe a time boundary beyond which you can
> establish a new pattern.  What might that be for non-session situations?
> It's fine if there's no good answer, but I wanted to tease out any
> opportunity to be more crisp here.
>
> *[SAH] What I’m trying to say here is that a client shouldn’t mix
> token-oriented requests in between session-oriented login and logout
> requests. Maybe that’s the best way to say it: “Clients MAY operate as
> either session-oriented or token-oriented clients, but they MUST do so
> consistently by not mixing token-oriented and session-oriented requests
> while interacting with an OP.” Does that work?*
>

That seems way better to me.


>
>
>
>
> *[SAH] [snip]*
>
>
>
>
>
>
>
> In Section 3.1.4.1, same question.
>
> *[SAH] This SHOULD exists because other methods exist to discover the
> provider. The server might not support the query parameter because it can
> determine the issuer from the given credential (Gmail maps to Google, for
> example), or it may only support a single identity provider.*
>
>
>
> But if I use one of those other methods, is there any degradation to
> interoperability or security?
>
> *[SAH] Not that we’re aware of. At least one implementer has confirmed
> that it’s more common not explicitly receive anything that identifies the
> provider. The alternatives are described in 3.1.4.*
>
>
>
> OK so this seems like a good candidate for another SHOULD-unless
> construction as you did above.  Thanks for clarifying.
>
> *[SAH] OK, how about this: “Alternatively, if mapping of an End-User's
> identifier is not possible, or not supported by the RDAP server, the RDAP
> server SHOULD support explicit specification of a remote OP by the RDAP
> client in the form of a query parameter as described in Section 5.2.2
> unless the remote OP has been identified using an out-of-band mechanism.”?*
>

Works for me.


>
>
>
>
>
>
> In Section 5.1.1, the entire object is OPTIONAL.  This doesn't seem
> right.  Would there be any practical use to such a thing?
>
> *[SAH] A token-oriented client won’t ever establish a session.*
>
>
>
> Does that mean at least one of the object's attributes will always be
> set?  If so, a MUST at the bottom indicating such would tighten this up
> (e.g., "X is OPTIONAL, Y is OPTIONAL, Z is OPTIONAL, but you MUST set at
> least one of them").
>
> *[SAH] Mario helpfully reminded me that Section 5.2.3 describes the
> objects to be returned in a response based on success or failure. How about
> adding this to 5.1.1 right before the example: “Note that all of the
> members of the "farv1_session" data structure are OPTIONAL. See Section
> 5.2.3 for instructions describing when to return the minimum set of
> members.”*
>
>
>
> Thanks, I hadn't connected the two.  So the normative prose around this
> does indeed say an empty object is syntactically legal, but 5.2.3 provides
> guidance that it should really never happen.  Do we need to protect
> consumers against the possibility of a syntactically valid but semantically
> nonsense empty reply by giving them guidance about how to handle such a
> thing?  I'm fine if the answer is "no", but I wanted to ask the question.
>
> *[SAH] I think we’re safe with not saying any more that’s already in RDAP
> itself: if a client sees something it doesn’t expect, it can safely be
> ignored.*
>

Sounds good.  Thanks for working through all this with me.  I'll send this
to Last Call when the new version goes up.

-MSK

v2.23.0 | Report a Bug | By Email