Re: [regext] Comments to the feedback about epp-over-http

Mario Loffredo <mario.loffredo@iit.cnr.it> Thu, 31 March 2022 18:16 UTC

Return-Path: <mario.loffredo@iit.cnr.it>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C4C03A17BD for <regext@ietfa.amsl.com>; Thu, 31 Mar 2022 11:16:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSsbruqGRIsA for <regext@ietfa.amsl.com>; Thu, 31 Mar 2022 11:16:35 -0700 (PDT)
Received: from smtp.iit.cnr.it (mx4.iit.cnr.it [146.48.58.11]) by ietfa.amsl.com (Postfix) with ESMTP id 611DE3A179E for <regext@ietf.org>; Thu, 31 Mar 2022 11:16:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.iit.cnr.it (Postfix) with ESMTP id 6B075B80B49; Thu, 31 Mar 2022 20:16:32 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mx4.iit.cnr.it
Received: from smtp.iit.cnr.it ([127.0.0.1]) by localhost (mx4.iit.cnr.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ojREyRXhoZ0W; Thu, 31 Mar 2022 20:16:29 +0200 (CEST)
Received: from [192.12.193.108] (pc-loffredo.staff.nic.it [192.12.193.108]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by smtp.iit.cnr.it (Postfix) with ESMTPSA id 344F9B80B48; Thu, 31 Mar 2022 20:16:29 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------9KRB5gi3l2awLoy7fZGRLxzY"
Message-ID: <20457027-440b-02a5-82b8-3bef4e95819a@iit.cnr.it>
Date: Thu, 31 Mar 2022 20:14:33 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
To: Francisco Obispo <francisco@unr.com>
Cc: Patrick Mevzek <pm@dotandco.com>, regext@ietf.org
References: <0843A6FD-79B8-45B9-BE58-0BCED21C19B0@verisign.com> <1b87995b-700b-0d16-1241-c69cf142c3f7@iit.cnr.it> <8346151e-acc1-8e9a-f8ce-ac4d2f6a8dac@knipp.de> <759658bd-4781-a9cb-b7dd-88ba596fe2b0@iit.cnr.it> <58f622e5-1548-4894-a14c-c21125972a74@www.fastmail.com> <de81a129-68a4-8759-ee00-09ef2091ec22@iit.cnr.it> <6E923AA5-4027-4188-8DA3-6A93F39A3173@unr.com>
From: Mario Loffredo <mario.loffredo@iit.cnr.it>
In-Reply-To: <6E923AA5-4027-4188-8DA3-6A93F39A3173@unr.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/jxFX-ODV8WrUiV-8DI127yTthS8>
Subject: Re: [regext] Comments to the feedback about epp-over-http
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 18:16:41 -0000

Hi Francisco,

Maybe we are complicating a bit (just to be polite) something that 
would  be very easy if the server started every EPP session only after a 
successful Login.

Anyway, just for curiosity, can you provide me with an example for NGINX?

It doesn't sound so simple according to this post 
<https://stackoverflow.com/questions/64810700/reading-client-certificate-details-with-nginx>

Best,

Mario


Il 31/03/2022 19:36, Francisco Obispo ha scritto:
>
> In a scenario where a proxy/load balancer is terminating the TLS 
> connection, it will most likely need to extract the certificate 
> information, and encode it into a HTTP header, so that the backend 
> could later tie the |clID| with the certificate in a way (i.e.: |cn|).
>
> That's what I would do, to at least guarantee that the client 
> certificate correspond to the |clID|.
>
> Best,
>
> On 31 Mar 2022, at 9:56, Mario Loffredo wrote:
>
>     Hi Patrick,
>
>     thanks for your interest.
>
>     Il 31/03/2022 17:54, Patrick Mevzek ha scritto:
>
>         On Thu, Mar 31, 2022, at 10:36, Mario Loffredo wrote:
>
>             Starting an HTTP session when receiving an EPP command
>             other than the
>             Login command is in .it experience (but I can speak on
>             behalf of .pl
>             too) very inefficient because you can't immediately lock
>             the HTTP
>             session to the Registrar.
>
>         I disagree.
>
>         If the transport is HTTPS (and not just HTTP), the server can
>         request
>         the client to send a certificate, exactly as for EPP over TLS.
>
>         In such case, for *any* HTTP request coming to the server, the
>         server
>         theoretically already knows to which client this pertains as
>         it can
>         consult the certificate given.
>
>         It can be considered a weak or partial authentication, until
>         the EPP login
>         is successfully executed.
>
>     Are you talking about a signle server or a load balancing
>     architecture where a proxy routes the requents to a pool of
>     backend servers?
>
>     In addition, it is quite simple to do at socket level. It seems to
>     me much more complicated at the servlet level.
>
>     Mario
>
>     -- 
>     Dr. Mario Loffredo
>     Technological Unit “Digital Innovation”
>     Institute of Informatics and Telematics (IIT)
>     National Research Council (CNR)
>     via G. Moruzzi 1, I-56124 PISA, Italy
>     Phone: +39.0503153497
>     Web: http://www.iit.cnr.it/mario.loffredo
>
>     _______________________________________________
>     regext mailing list
>     regext@ietf.org
>
>     https://www.ietf.org/mailman/listinfo/regext
>
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext

-- 
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web:http://www.iit.cnr.it/mario.loffredo