IETF Logo Mail Archive

Re: [regext] Comments to the feedback about epp-over-http

Francisco Obispo <francisco@unr.com> Thu, 31 March 2022 17:36 UTC

Return-Path: <francisco@unr.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F9D53A1AEB for <regext@ietfa.amsl.com>; Thu, 31 Mar 2022 10:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=unr.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N8WfQna5D_bE for <regext@ietfa.amsl.com>; Thu, 31 Mar 2022 10:36:38 -0700 (PDT)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FA7E3A18E3 for <regext@ietf.org>; Thu, 31 Mar 2022 10:36:38 -0700 (PDT)
Received: by mail-pf1-x42f.google.com with SMTP id z16so264145pfh.3 for <regext@ietf.org>; Thu, 31 Mar 2022 10:36:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unr.com; s=echo; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bJjfl9+HFPZCkXo99dX0O1hVRHgAf3RGL1mQb0ssaZM=; b=SdpmLBW5SIOl4jpzzzBWV8DRBPQ8BHNCE0nwxhBNMzTAnGg6uBXKYAYsoMrHkVxTo7 bqWcXicGZBVOWr08AkJKisawGW7+XdzQ0VL0WmsmJCFuMm03/3w7YsKKVjkeMG2K+G14 ZZr/3en3lR+IOF+JzvfsR1v8MaYsurh9JUvCZggV8BetmeiRxGlm+2g6XiHsQV4VCf/S AfrZoKRcbgYRLDFAynQQzWUvCqCg49/Bb2hEW7+3zwALqi6hl8BvxFKj5RNIIUrKAUtJ TF2/fm7z+VeJkrTakmiRyt0RoIuiqAUyJtMXr4suVnbmEbIB90aWWJsmHpV9O0P/Mvat 5ubg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bJjfl9+HFPZCkXo99dX0O1hVRHgAf3RGL1mQb0ssaZM=; b=7LohmP/4wKKWlfFNlMw80hIs0PqyryMo7qh0zy5Nh2tYWX256sm2RbAZof2Ro8MR+p xNeIC/Jw+BIEDFTw7Qveebl836KIqfM0rtLQW+3e7nUydR6BageUU/ST0WgGSTxS5yZg rXDrdGzsAV23JDcax2AyTI29LWK1ITJmCHRio1+WrdKlhFsj5SZdA4KzQo+m1zu0loX+ RHMlFRH7hNtw0GJo63lBouZcWhRSgtM6D7OYwHWWhV4rE1pgH8buw/OVHJEvUsDhmPJJ SvqSLt7nNRN9bteA15x7t2p+D6877jXhBB6fQ1kZKcIW1FI2e5nPs3oMG1lpi6qRnFCi 6tkw==
X-Gm-Message-State: AOAM5329VqsUhhbGqQG5f5vcKxTDbDiaJdRwG0iNrHpq7HC/JsSiLCcG ifq9zxmmNJ3uTZ/FGCF019hQkLvSumzZ4w==
X-Google-Smtp-Source: ABdhPJxTkxOmCK20KNBZ/f8WgfEOnu/pYdul2hvJoNBSJUvN4/6AAB/lfOLE2S9/f8N5+qvG0FI9bQ==
X-Received: by 2002:a63:d13:0:b0:381:f043:c627 with SMTP id c19-20020a630d13000000b00381f043c627mr11803209pgl.168.1648748196973; Thu, 31 Mar 2022 10:36:36 -0700 (PDT)
Received: from [192.168.6.85] (ip70-187-179-142.oc.oc.cox.net. [70.187.179.142]) by smtp.gmail.com with ESMTPSA id oc10-20020a17090b1c0a00b001c7510ed0c8sm11263155pjb.49.2022.03.31.10.36.36 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 31 Mar 2022 10:36:36 -0700 (PDT)
From: Francisco Obispo <francisco@unr.com>
To: Mario Loffredo <mario.loffredo@iit.cnr.it>
Cc: Patrick Mevzek <pm@dotandco.com>, regext@ietf.org
Date: Thu, 31 Mar 2022 10:36:34 -0700
X-Mailer: MailMate (1.14r5852)
Message-ID: <6E923AA5-4027-4188-8DA3-6A93F39A3173@unr.com>
In-Reply-To: <de81a129-68a4-8759-ee00-09ef2091ec22@iit.cnr.it>
References: <0843A6FD-79B8-45B9-BE58-0BCED21C19B0@verisign.com> <1b87995b-700b-0d16-1241-c69cf142c3f7@iit.cnr.it> <8346151e-acc1-8e9a-f8ce-ac4d2f6a8dac@knipp.de> <759658bd-4781-a9cb-b7dd-88ba596fe2b0@iit.cnr.it> <58f622e5-1548-4894-a14c-c21125972a74@www.fastmail.com> <de81a129-68a4-8759-ee00-09ef2091ec22@iit.cnr.it>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_8C4A52CF-67B7-44F8-9EA5-AF5DB9243C13_="
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/v2m2QCyQDoHwWfVsvmqsDbyMw6o>
Subject: Re: [regext] Comments to the feedback about epp-over-http
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 17:36:45 -0000

In a scenario where a proxy/load balancer is terminating the TLS 
connection, it will most likely need to extract the certificate 
information, and encode it into a HTTP header, so that the backend could 
later tie the `clID` with the certificate in a way (i.e.: `cn`).

That's what I would do, to at least guarantee that the client 
certificate correspond to the `clID`.

Best,


On 31 Mar 2022, at 9:56, Mario Loffredo wrote:

> Hi Patrick,
>
> thanks for your interest.
>
> Il 31/03/2022 17:54, Patrick Mevzek ha scritto:
>> On Thu, Mar 31, 2022, at 10:36, Mario Loffredo wrote:
>>> Starting an HTTP session when receiving an EPP command other than 
>>> the
>>> Login command is in .it experience (but I can speak on behalf of .pl
>>> too) very inefficient because you can't immediately lock the HTTP
>>> session to the Registrar.
>> I disagree.
>>
>> If the transport is HTTPS (and not just HTTP), the server can request
>> the client to send a certificate, exactly as for EPP over TLS.
>>
>> In such case, for *any* HTTP request coming to the server, the server
>> theoretically already knows to which client this pertains as it can
>> consult the certificate given.
>>
>> It can be considered a weak or partial authentication, until the EPP 
>> login
>> is successfully executed.
>
> Are you talking about a signle server or a load balancing architecture 
> where a proxy routes the requents to a pool of backend servers?
>
> In addition, it is quite simple to do at socket level. It seems to me 
> much more complicated at the servlet level.
>
>
> Mario
>
>>
> -- 
> Dr. Mario Loffredo
> Technological Unit “Digital Innovation”
> Institute of Informatics and Telematics (IIT)
> National Research Council (CNR)
> via G. Moruzzi 1, I-56124 PISA, Italy
> Phone: +39.0503153497
> Web: http://www.iit.cnr.it/mario.loffredo
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext

v2.8.7 | Report a Bug | By Email