IETF Logo Mail Archive

Re: [regext] Publication has been requested for draft-ietf-regext-rdap-openid-23

"Murray S. Kucherawy" <superuser@gmail.com> Thu, 17 August 2023 15:56 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF3D8C15109E; Thu, 17 Aug 2023 08:56:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iZFbHo6itF-0; Thu, 17 Aug 2023 08:56:33 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98A8AC14F747; Thu, 17 Aug 2023 08:56:33 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-99c4e426714so179882366b.1; Thu, 17 Aug 2023 08:56:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692287791; x=1692892591; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SmWztiUykwtK3HBQ+7QJ+cMMxa8+sNAfZlfWn3gASm8=; b=Vr/fhY0ZFc6CTrl6zaozqyFCPrdokCaEOY6bP7/6Q4TmM4yqpvBXWnwP/hbqNhG6GD 0IuZfejDo8W5PlSXHztJbOLNwb2ycYoQ+p8h3t46v/6MJdzn3DafX3jzezbZfouwmDkf QkLC/uM+W3RSsIjCn9zoHnbgITjP3vS57871Zie3fazSgJU4pFjJp7ZsnhKQaHdDX3gp /7hb5Tk2N+HLWrXjlILpl/IrcuTcAp8fugeQPNwiCVMGScbBEzs1aPkj2FlUlLQYV10A t2dpyoMm+DG/XAex4/14TDkPtRZ1tV1y2GTH3+bjzg4p0soy9TjAFzRuNKnRqeiX9iSG e6SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692287791; x=1692892591; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SmWztiUykwtK3HBQ+7QJ+cMMxa8+sNAfZlfWn3gASm8=; b=V3Cj3vQd7ssHbfWIlTEdF4qmCNtNSGwF4WbQegiD3ARgov0c7M+P1c530by4yb7yeK P11em7YGSOd3uDDv02tcdtTruRoQAvgebujwlnAdf4D/9DDPtcbQuFV1BdDDnnpjByxl yLiilIvnfw8JWSr6E+f9YIY9hyyvGL583gTxjLY7mBTra8Y6abTq1cYNDUKtcvPIprtF zFJ6MPatvsOerSFT1Y1Ewg8BaPWM65oNAS7SPJa0QleVkAulGNuR+cWhX0lrfHNHUgRw 1lCcSNnQzLnaNPzMahnLYbnD2lUYtNtOYSV38i33zf/qGO2Jp+MDQ2VlOjlL2kp4fDHX aMEg==
X-Gm-Message-State: AOJu0YxjJgD4VBq8U5che03HxJ7krRxYQRy3/gxMlU8L5Fib3OgykL1a /niOFF1dcpwmyVyeM/n9S7vTDlpWepgZ6yIcGKOEIsuB
X-Google-Smtp-Source: AGHT+IEzQZjXoy3edKNVf5eK7i9/B3KPMNYe7X9/RdyZDJ+UyBhQXWI1pZ7hzH4sAF3a8fcf0E527eo+T3valltQ7DU=
X-Received: by 2002:a17:906:5d:b0:99c:22e9:fbe4 with SMTP id 29-20020a170906005d00b0099c22e9fbe4mr3913273ejg.1.1692287791022; Thu, 17 Aug 2023 08:56:31 -0700 (PDT)
MIME-Version: 1.0
References: <169141539729.16856.3286991888155976046@ietfa.amsl.com> <CAL0qLwZ6TOUS-PgNbVN3xatsTtQppzROou4AbgMSNCKnaFf8Fg@mail.gmail.com> <6b39bd1ebabd4135b3c54a404409ccb8@verisign.com> <CAL0qLwZS7NcJGOr4PNaENb-hZzOq_oYQHZ_3_2FxXwgY1HMCag@mail.gmail.com> <b2ef6a44ad584a439126e3df56ec9167@verisign.com>
In-Reply-To: <b2ef6a44ad584a439126e3df56ec9167@verisign.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 17 Aug 2023 08:56:18 -0700
Message-ID: <CAL0qLwZtEU7r+JWdf4MZJ-MY9jjA=SRUGiUVYrSN-0juy3smMw@mail.gmail.com>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Cc: "regext@ietf.org" <regext@ietf.org>, "AlBanna, Zaid" <zalbanna@verisign.com>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a445d10603207443"
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/sI-6nT3JgooNMHHfF55bVfz3vkA>
Subject: Re: [regext] Publication has been requested for draft-ietf-regext-rdap-openid-23
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2023 15:56:34 -0000

On Wed, Aug 16, 2023 at 6:48 AM Hollenbeck, Scott <shollenbeck@verisign.com>
wrote:

> *From:* Murray S. Kucherawy <superuser@gmail.com>
> *Sent:* Monday, August 14, 2023 6:23 PM
> *To:* Hollenbeck, Scott <shollenbeck@verisign.com>
> *Cc:* regext@ietf.org; AlBanna, Zaid <zalbanna@verisign.com>;
> regext-chairs@ietf.org
> *Subject:* [EXTERNAL] Re: [regext] Publication has been requested for
> draft-ietf-regext-rdap-openid-23
>
>
>
> *Caution:* This email originated from outside the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
>
> Hey Scott,
>
>
>
>
>
> On Mon, Aug 14, 2023 at 5:54 AM Hollenbeck, Scott <
> shollenbeck@verisign.com> wrote:
>
> Thanks for the review, Murray. Notes below.
>
>
>
> Scott
>
>
>
> *From:* regext <regext-bounces@ietf.org> *On Behalf Of *Murray S.
> Kucherawy
> *Sent:* Saturday, August 12, 2023 7:58 PM
> *To:* regext@ietf.org
> *Cc:* AlBanna, Zaid <zalbanna@verisign.com>; regext-chairs@ietf.org
> *Subject:* [EXTERNAL] Re: [regext] Publication has been requested for
> draft-ietf-regext-rdap-openid-23
>
>
>
> *Caution:* This email originated from outside the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
>
> AD review:
>
>
>
> I note that the shepherd writeup's last question points out the creation
> of a registry using Specification Required rules, and thus doesn't need a
> designated expert, referencing RFC 8126 Section 4.6.  However, that section
> of that RFC says:
>
>
>
>    This policy is the same as Expert Review, with the additional
>
>    requirement of a formal public specification.  In addition to the
>
>    normal review of such a request, the designated expert will review
>
>    the public specification and evaluate whether it is sufficiently
>
>    stable and permanent, and sufficiently clear and technically sound to
>
>    allow interoperable implementations.
>
>
>
> So yes, we do need to appoint designated expert(s) and this document needs
> to include any advice that they should have when reviewing specifications.
> Such advice is missing here.  Do you want to add any?
>
> *[SAH] Yes, that’s my mistake, confusing “specification required” with
> “RFC required”. I need to add text that instructs the expert to review
> specifications to ensure that any request to register a value meets the
> requirements described in Section 3.1.5.1.*
>
>
>
> "Revised I-D Needed".  :-)
>
>
>
>
>
> I also note from the writeup that you attempted to get OAUTH WG input but
> were not successful.  I will raise this to the SEC ADs and ask them for
> advice as soon as I've sent this.  For that matter, you might want to
> trigger an early SECDIR review, although there's going to be one as part of
> Last Call anyway.
>
>
>
> In Section 3.1.2, what is a "given period of interaction"?
>
> *[SAH] The intention here is to use encourage clients to use one form of
> interaction or the other consistently in the course of sending RDAP queries
> and receiving RDAP responses over a given period of time. For example,
> don’t mix in token-oriented actions while in the middle of a
> session-oriented interaction.*
>
>
>
> OK, I thought you might have actually been trying to say "session".  But
> the same text could legitimately mean, say, "month", or "before an
> unspecified timeout expires"; in the latter case, I'd be wondering what
> timeout you mean.
>
> *[SAH] Yes, I was trying to say “session” without using that word because
> token-oriented clients don’t establish sessions in the way the term is used
> in the document. On the other hand, would it be clearer to say something
> like “within an exchange of requests and responses over a period of time”?*
>

What's the advice to an implementer of token-oriented clients?  It feels
like we're trying to describe a time boundary beyond which you can
establish a new pattern.  What might that be for non-session situations?
It's fine if there's no good answer, but I wanted to tease out any
opportunity to be more crisp here.


>
>
>
> In Section 3.1.3, bullet 1, "OpenID OpenID Providers".
>
> *[SAH] Will fix.*
>
>
>
> In Section 3.1.3, bullet 1, why is that only a SHOULD?  Why might I not do
> this?
>
> *[SAH] A client might have received that information from some other
> source, such as published documentation provided by a server operator, and
> it may hard-code certain preferences. The SHOULD exists to encourage
> dynamic processing of the returned information, but it’s not an absolute
> requirement.*
>
>
>
> So this isn't an interoperability requirement?
>
>
>
> I suggest making it clear why I might implement something deviating from
> this advice, and why that's okay.
>
> *[SAH] How about this: “If one or more remote OpenID Providers are
> supported, the RDAP client SHOULD evaluate the additional information
> described in Section 4.1 in order to discover the capabilities of the RDAP
> server and optionally obtain the set of supported OPs unless that
> information is available from a trusted out-of-band source and has already
> been processed.”*
>

Perfect.


>
>
>
>
> In Section 3.1.4, why is that only a SHOULD?  Why might I not do this?
>
> *[SAH] This SHOULD exists because it’s possible to make identification,
> authentication, and authorization decisions without the additional RDAP
> information described in Section 3.1.5. An end-user who presents an
> identifier like a Gmail address, for example, will find that their
> credential “works”, but their access to information can be limited due to
> the lack of finer-grained authorization information.*
>
>
>
> OK, same sort of outcome then, I think.
>
> *[SAH] OK, how about this: “An OP SHOULD include support for the claims
> described in Section 3.1.5 to provide additional information needed for
> RDAP End-User authorization; in the absence of these claims clients and
> servers MAY make authorization and access control decisions as appropriate
> given any other information returned from the OP.”*
>

Also perfect.


>
>
>
>
> In Section 3.1.4.1, same question.
>
> *[SAH] This SHOULD exists because other methods exist to discover the
> provider. The server might not support the query parameter because it can
> determine the issuer from the given credential (Gmail maps to Google, for
> example), or it may only support a single identity provider.*
>
>
>
> But if I use one of those other methods, is there any degradation to
> interoperability or security?
>
> *[SAH] Not that we’re aware of. At least one implementer has confirmed
> that it’s more common not explicitly receive anything that identifies the
> provider. The alternatives are described in 3.1.4.*
>

OK so this seems like a good candidate for another SHOULD-unless
construction as you did above.  Thanks for clarifying.


>
>
>
>
> In Section 5.1.1, the entire object is OPTIONAL.  This doesn't seem
> right.  Would there be any practical use to such a thing?
>
> *[SAH] A token-oriented client won’t ever establish a session.*
>
>
>
> Does that mean at least one of the object's attributes will always be
> set?  If so, a MUST at the bottom indicating such would tighten this up
> (e.g., "X is OPTIONAL, Y is OPTIONAL, Z is OPTIONAL, but you MUST set at
> least one of them").
>
> *[SAH] Mario helpfully reminded me that Section 5.2.3 describes the
> objects to be returned in a response based on success or failure. How about
> adding this to 5.1.1 right before the example: “Note that all of the
> members of the "farv1_session" data structure are OPTIONAL. See Section
> 5.2.3 for instructions describing when to return the minimum set of
> members.”*
>

Thanks, I hadn't connected the two.  So the normative prose around this
does indeed say an empty object is syntactically legal, but 5.2.3 provides
guidance that it should really never happen.  Do we need to protect
consumers against the possibility of a syntactically valid but semantically
nonsense empty reply by giving them guidance about how to handle such a
thing?  I'm fine if the answer is "no", but I wanted to ask the question.


>
>  In Section 5.5, why is that SHOULD not a MUST?
>
> *[SAH] There are two SHOULDs in 5.5. They’re not MUSTs because the cookies
> will eventually time out and become invalid without any specific client or
> server actions. MUSTs would be stronger, though, and I’m open to making
> that change if you think it’s a better approach.*
>
>
>
> Oops, I missed the first one.  I think the first one is fine because the
> consequences of deviation are made clear.
>
>
>
> It's the second one that caught my attention.  But you mentioning the
> timeout changes things a bit.  Is it the case that you SHOULD invalidate
> the cookie to prevent its possible abuse before the timeout comes?  If so,
> then just saying that satisfies my issue.  Otherwise, and without thinking
> about timeouts, I was thinking "Why would you not invalidate a cookie you
> don't need anymore?" and the answer may well be "Because it'll time out
> soon anyway."
>
> *[SAH] I’ll make this change: “In any case, an RDAP server SHOULD
> invalidate the HTTP cookie associated with the session to prevent its
> possible abuse before the cookie times out as part of terminating the
> session.”*
>

(thumbs-up emoji)

-MSK

v2.23.0 | Report a Bug | By Email