Re: [regext] Benjamin Kaduk's No Objection on draft-ietf-regext-rdap-object-tag-04: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Wed, 01 August 2018 13:53 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8D49128CE4; Wed, 1 Aug 2018 06:53:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HeqzMawZ0-WO; Wed, 1 Aug 2018 06:53:46 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD2CD127148; Wed, 1 Aug 2018 06:53:45 -0700 (PDT)
X-AuditID: 1209190e-611ff700000022eb-dc-5b61ba3bed49
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 64.E5.08939.B3AB16B5; Wed, 1 Aug 2018 09:48:44 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w71DmcpM021004; Wed, 1 Aug 2018 09:48:39 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w71DmXfa009018 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 1 Aug 2018 09:48:36 -0400
Date: Wed, 01 Aug 2018 08:48:33 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Cc: "'shollenbeck=40verisign.com@dmarc.ietf.org'" <shollenbeck=40verisign.com@dmarc.ietf.org>, "'iesg@ietf.org'" <iesg@ietf.org>, "'regext-chairs@ietf.org'" <regext-chairs@ietf.org>, "'regext@ietf.org'" <regext@ietf.org>, "Gould, James" <jgould@verisign.com>, "'draft-ietf-regext-rdap-object-tag@ietf.org'" <draft-ietf-regext-rdap-object-tag@ietf.org>
Message-ID: <20180801134833.GS96369@kduck.kaduk.org>
References: <153271389685.32575.14236059863408474169.idtracker@ietfa.amsl.com> <adec3bc5daa44c4db99afd97b8d1e5a1@verisign.com> <20180731135111.GE96369@kduck.kaduk.org> <ed0f4e57eb3c496eb44b14486acbce76@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ed0f4e57eb3c496eb44b14486acbce76@verisign.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprKKsWRmVeSWpSXmKPExsUixG6nomuzKzHaYGsjv8XXF4eYLWb8mchs 8XXPHmaLl11PmS2uTjjCaLF85jlGi5l33zA7sHucWHaF1WPJkp9MHrs2N7AFMEdx2aSk5mSW pRbp2yVwZZydVVrQ61LxY+4atgbG76ZdjJwcEgImEpuvNLJ1MXJxCAksZpKYdnYyM4SzgVHi Uks/O4RzhUli+52FzCAtLAIqEnOn9DGB2GxAdkP3ZbC4iICRxJfDfWDdzAI9zBIPn0xnB0kI C6RILHr+krGLkYODF2jflfWaEEPvMkosuvAQrIZXQFDi5MwnLCA2s4CWxI1/L5lA6pkFpCWW /+MACXMK2EgsPNbLCmKLCihL7O07xD6BUWAWku5ZSLpnIXQvYGRexSibklulm5uYmVOcmqxb nJyYl5dapGusl5tZopeaUrqJERTinJJ8OxgnNXgfYhTgYFTi4T1RnRAtxJpYVlyZe4hRkoNJ SZT3o19itBBfUn5KZUZicUZ8UWlOavEhRgkOZiUR3r21QDnelMTKqtSifJiUNAeLkjjvvZrw aCGB9MSS1OzU1ILUIpisDAeHkgSv3k6gRsGi1PTUirTMnBKENBMHJ8hwHqDhOSA1vMUFibnF mekQ+VOMuhx/3k+dxCzEkpeflyolztsOUiQAUpRRmgc3B5SaJLL317xiFAd6S5jXHKSKB5jW 4Ca9AlrCBLQk2xFsSUkiQkqqgVFDV4RpsX72DeUj9gatbsy+kjFnL26auUtp+9HlzL+agvsu PixXSf2k+ld7VqB3x5qzl9qyQ4VVr/quyjef99dE6mm1gIaRnUKVg6O37kq3qBJ9tpKSrf1m Fx0DviXE9+5Yefr1P66X5W8kj3JE6jzoc1tzS33vfbk3unn/uzUn3fsxw2GGsxJLcUaioRZz UXEiAKa6D/woAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/jLJrggT0SnDr_yf3r435-tV3mBM>
Subject: Re: [regext] Benjamin Kaduk's No Objection on draft-ietf-regext-rdap-object-tag-04: (with COMMENT)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2018 13:53:48 -0000
On Wed, Aug 01, 2018 at 12:51:37PM +0000, Hollenbeck, Scott wrote: > > -----Original Message----- > > From: Benjamin Kaduk <kaduk@mit.edu> > > Sent: Tuesday, July 31, 2018 9:51 AM > > To: Hollenbeck, Scott <shollenbeck=40verisign.com@dmarc.ietf.org> > > Cc: 'iesg@ietf.org' <iesg@ietf.org>; 'regext-chairs@ietf.org' <regext- > > chairs@ietf.org>; 'regext@ietf.org' <regext@ietf.org>; Gould, James > > <jgould@verisign.com>; 'draft-ietf-regext-rdap-object-tag@ietf.org' > > <draft-ietf-regext-rdap-object-tag@ietf.org> > > Subject: [EXTERNAL] Re: Benjamin Kaduk's No Objection on draft-ietf- > > regext-rdap-object-tag-04: (with COMMENT) > > > > On Mon, Jul 30, 2018 at 02:29:02PM +0000, Hollenbeck, Scott wrote: > > > (My email client sometimes does unexpected things with message > > > encryption. Sending again with plaintext assured...) > > > > > > > -----Original Message----- > > > > From: Benjamin Kaduk <kaduk@mit.edu> > > > > Sent: Friday, July 27, 2018 1:52 PM > > > > To: The IESG <iesg@ietf.org> > > > > Cc: draft-ietf-regext-rdap-object-tag@ietf.org; Gould, James > > > > <jgould@verisign.com>; regext-chairs@ietf.org; Gould, James > > > > <jgould@verisign.com>; regext@ietf.org > > > > Subject: [EXTERNAL] Benjamin Kaduk's No Objection on > > > > draft-ietf-regext- > > > > rdap-object-tag-04: (with COMMENT) > > > > > > > > -------------------------------------------------------------------- > > > > -- > > > > COMMENT: > > > > -------------------------------------------------------------------- > > > > -- > > > > > > > > I was a little surprised to see that this document targets BCP > > > > status, not Proposed Standard. Was there much discussion of this > > question in the WG? > > > > > > > > Section 2 > > > > > > > > Service provider tags are concatenated to the end of RDAP query > > > > object identifiers to unambiguously identify the authoritative > > > > server > > > > > > > > It seems like it is the combination of concatenation of the service > > > > provider tag, and the use of the rdap_objectTag_level_0 > > > > rdapConformance attribute that provides the unambiguous property; I > > > > would like to see this caveat made more clear here. > > > > > > Thanks for the review, Benjamin. The rdapConformance attribute doesn't > > > do anything to identify the authoritative server. It's a clue to the > > > client that the server has implemented this particular practice. > > > > Right, it's an indication that the server has implemented this practice. > > Absent such an explicit indication, the -XXXX tag could either be a > > service provider tag, or just a regular part of the query handle. Thus, > > just the convention of an -XXXX tag by itself is *not* unambiguous. So, > > I'm asking for some text to be added that qualifies the statement as only > > applying "when the client knows that this convention is in use" (or > > similar). > > OK, so how about changing this line in Section 2? > > OLD > Service provider tags are concatenated to the end of RDAP query object identifiers to unambiguously identify the authoritative server for processing an RDAP query. > > NEW > In combination with the rdapConformance attribute described in Section 4, service provider tags are concatenated to the end of RDAP query object identifiers to unambiguously identify the authoritative server for processing an RDAP query. That helps; thanks! > > > > Also, per https://www.iab.org/2016/11/07/iab-statement-on-ipv6/, > > > > please consider using IPv6 addresses in the examples. > > > > > > The example copied into this document comes directly from Section 5.3 > > > of RFC 7483. I'd prefer to keep it as-is to maintain consistency with > > > that cited reference. > > > > I note that the IAB statement is not exactly binding, but also that at > > some point blindly propagating the same example into the future becomes > > stuck in a history that does not reflect the present. (I also note that > > my ART colleagues are generally more active on this front than I am.) > > I very much prefer to keep the example consistent with 7483 since it is included ONLY to show how addition of an object tag would change the example. I could strike other values from the example (including the IP addresses) if that would help. I won't press you to make any changes, here, for now. > > > > Section 5.1 > > > > > > > > Are all provided URLs supposed to be functionally different? If > > > > not, how do we tell which ones do what? > > > > > > Practice thus far in the RDAP bootstrap registries has been to > > > register http and https URLs. The scheme of the URL identifies the > > functional difference. > > > > Perhaps indicate that they are expected to supply the same data, but may > > differ in scheme or other components? > > OK, how about this change? > > OLD > One or more URLs that provide the RDAP service regarding this registration. > > NEW > One or more URLs that provide the RDAP service regarding this registration. The URLS are expected to supply the same data, but they can differ in scheme or other components as required by the service operator. Sounds good. > > > > Section 7 > > > > > > > > Perhaps note that it is using IANA as a well-known central trusted > > > > authority in order to provide the property of allowing users to get > > > > RDAP data from an authoritative source? > > > > > > Sure, OK. > > > > > > > [...] The method has the same security > > > > properties as the RDAP protocols themselves. The transport used to > > > > access the IANA registries can be more secure by using TLS > > [RFC5246], > > > > which IANA supports. > > > > > > > > Well, I don't know that "the same as" is quite right, especially > > > > given the following sentence. The composed chain of "talk to iana, > > > > talk to referred RDAP server" depends both on the security of the > > > > connection to the RDAP server and that of the connection to IANA; it > > > > seems prudent to note that if TLS is used for the RDAP connection, > > > > TLS should also be used when talking to IANA, or even that TLS > > > > should always be used when talking to IANA. > > > > > > OK, how about this text? > > > > > > OLD: > > > This practice helps to ensure that end users will get RDAP data from > > > an authoritative source using a bootstrap method to find authoritative > > > RDAP servers, reducing the risk of sending queries to non-authoritative > > sources. > > > The method has the same security properties as the RDAP protocols > > themselves. > > > The transport used to access the IANA registries can be more secure by > > > using TLS [RFC5246], which IANA supports. > > > > > > NEW: > > > This practice uses IANA as a well-known, central trusted authority to > > > provide the property of allowing users to get RDAP data from an > > > authoritative source, reducing the risk of sending queries to > > > non-authoritative sources and divulging query information to > > > unintended parties. Additional privacy protection can be gained by > > > using TLS [RFC5246] to provide data confidentiality when retrieving > > registry information from IANA. > > > > I like the overall direction this is going, but have some quibbles. For > > one, TLS is not just about confidentiality protection and privacy concerns > > -- it also provides integrity protection and authentication of the data > > source. For consulting a central registry like this, the integrity > > protection and data authenticity seem to be potentially more important > > than confidentiality, at least from where I'm sitting. > > > > I also think it's fine to retain some text about "the same security > > properties as the RDAP protocols themselves", when appropriately set into > > context. Perhaps: > > > > NEWNG: > > This practice uses IANA as a well-known, central trusted authority to > > allow users to get RDAP data from an authoritative source, reducing the > > risk of sending queries to non-authoritative sources and divulging query > > information to unintended parties. Using TLS [RFC 5246] to protect the > > connection to IANA allows the server to authenticate itself as being > > operated by IANA and provides integrity protection for the resulting > > referral information, as well as providing privacy protection via data > > confidentiality. The subsequent RDAP connection is performed as usual, > > and retains the same security properties of the RDAP protocols themselves. > > OK, I'll make this change assuming that it addresses Warren's feedback as well. Thanks! -Benjamin
- Re: [regext] Benjamin Kaduk's No Objection on dra… Hollenbeck, Scott
- Re: [regext] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk
- [regext] Benjamin Kaduk's No Objection on draft-i… Benjamin Kaduk
- Re: [regext] Benjamin Kaduk's No Objection on dra… Hollenbeck, Scott
- [regext] Benjamin Kaduk's No Objection on draft-i… Hollenbeck, Scott
- Re: [regext] Benjamin Kaduk's No Objection on dra… Hollenbeck, Scott
- Re: [regext] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk