Re: [regext] Comments to the feedback about epp-over-http

[Mario Loffredo <mario.loffredo@iit.cnr.it>]

Hi Thomas,

Il 31/03/2022 19:17, Thomas Corte (TANGO support) ha scritto:
> Hello Mario,
>
> On 3/31/22 17:36, Mario Loffredo wrote:
>
>> Starting an HTTP session when receiving an EPP command other than the 
>> Login command is in .it experience (but I can speak on behalf of .pl 
>> too) very inefficient because you can't immediately lock the HTTP 
>> session to the Registrar.
>
> Ok, but plain TCP implementations have the same problem. Unless the 
> registry requires that no two registrars have the same IP address 
> whitelisted, the server always has to wait for the <login> until it 
> knows which registrar has connected. That is, unless client 
> certificates are also in play, as suggested by Patrick, but that's not 
> a requirement in EPP, even if many registries are now requiring them.
>
>> In addition, while TCP client needs to establish a connection before 
>> sending the EPP Login command since the transport protocol is 
>> connection-oriented, an HTTP client doesn't need to do because the 
>> protocol is not connection-oriented (even if it uses connections). So 
>> why should an HTTP client be required to send a useless HTTP request? 
>> Just to operate in the same way of EPP over TCP? It's a nonsense.
>>
>> With regard to the compliance with RFC5730, the only difference with 
>> the proposed approach is that a client MAY send an Hello via POST 
>> before sending a Login. Anyway, the EPP session starts after a 
>> successful Login as defined in RFC5730 itself.
>
> Obtaining the <greeting> (which, in case of connection-less operation, 
> is actually supposed to be triggered by the client's <hello>) before 
> <login> isn't useless – the greeting contains information like 
> object/extension URIs that can be used by the client to select a 
> proper supported object/extension implementation before sending the 
> <login> (in which that support is declared). So, for HTTP, it makes 
> sense to require the client's <hello> so that the server's <greeting> 
> can be sent as the response to a proper initial request (rather than, 
> say, an awkward empty POST, or a GET request).

The point is that sending an hello before a Login is optional. If you 
are already perfectly aware of the services provided by the server, why 
should you submit an Hello to discover them?

>
> In fact, it memory serves, ITNIC's *current* EPP-over-HTTP 
> implementation *requires* a <hello> as the start of any EPP session.

Not at all.

For sure, .it implementation have never required to send an Hello before 
a Login. EPP sessions have always been started after a Login.

Trust me ;-)


Mario


> Best regards,
>
> Thomas
>
-- 
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web: http://www.iit.cnr.it/mario.loffredo