Re: [regext] RDAP reverse search draft feedback

Jasdip Singh <jasdips@arin.net> Mon, 03 August 2020 23:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/yPH6CqCnd2AoXZWmW6ni-LNmwSA>

Thanks for explaining various options, Mario. That’s a reasonable justification for a role to be in the path segment, especially for access control and search efficiency.

Jasdip

From: Mario Loffredo <mario.loffredo@iit.cnr.it>
Date: Monday, August 3, 2020 at 5:51 AM
To: Jasdip Singh <jasdips@arin.net>, "regext@ietf.org" <regext@ietf.org>
Subject: Re: [regext] RDAP reverse search draft feedback


  1.  Why introduce the keyword “reverse” in the search path? Is it to distinguish from the related reverse search scenarios (e.g. domains by nsIp) defined in 7843bis? In light of introducing a new extension for this draft, the “reverse” keyword may be redundant.
[ML] The main reason is to clearly identify the paths dedicated to reverse search so RDAP providers can more easily control the access to reverse search services on a per-path basis. Moreover, maybe in the near future, RDAP servers might implement additional services and having different paths makes the mapping between the services and the users more manageable at the implementation level. In the REST context, resources can be easily protected according to their path.


  1.  Instead of defining the generic reverse search path {resource-type}/reverse/{role}?{property}=<search pattern>, would it be better to take a specific search path, say domains versus nameservers versus entities, and define the new query parameters (that fill the current search gaps) for each of them section-by-section? Please ignore this comment if the intent here is to pivot around the roles defined in the IANA RDAP JSON Values registry.

[ML] I'm deeply convinced that specifying the entity role is fundamental for an effective implementation of a reverse search feature. For two reasons:

1. to further map the reverse search services against the user profiles: searching domains for a technical contact might be allowed to more users than searching domains for a registrant

2. to restrict the scope of a reverse search query: a reverse search without specifying a role usually takes longer and involves many more objects than doing the same for a specific role and I think that rarely a reverse search would be requested without considering a role.

Anyway, the draft takes all the scenarios.

I report as a response to the following comment the reasons why I have opted for defining the role in the path rather than as a query parameter.

  1.  Knowing that it gets more complex but is it possible that folks may need to pass multiple query parameters for conjunctive criteria? If so, {resource-type}/reverse/{role}?{property}=<search pattern> may need to evolve to account for multiple query parameters.

[ML] Provided that we agree that specifying the role in a reverse search query would be useful, I reported here in the following some possible solutions with the related pros and cons:

1. replicating the properties used for reverse searching for the possible roles in the query parameters (e.g. registrantFn, technicalHandle)

  Pros: very compact in itself and in a conjunctive criteria (e.g. registrantFn=XXXXX&technicalHandle=YYYYY)

  Cons: not very effective because there would be a proliferation of query parameters, and, as I wrote above, the role specification in the path might help the implementers' burden in controlling the access to the reverse search services. In my opinion, not very neat from the conceptual point of view as well.

2. letting role be a query parameter (e.g. fn=XXXXX&role=registrant).

  Pros: simple solution (it was the first solution I proposed)

  Cons: unusable in building conjunctive criteria and, like the solution aforementioned, unpractical for controlling the accesses.

3. specifying the role in the query path:

 Pros: the most effective solution for controlling the accesses and very flexible and conceptually neat.

 Cons: unusable in conjunctive criteria, at least in those mentioning two reverse search properties.

  Anyway, this is true if we think that GET must be the only HTTP method available in RDAP. It is well known that GET allows specifying a query where parameters are joined solely in AND. It would be desirable that all boolean operators should be allowed and, in my opinion, this could be done only if the query is submitted via POST. I have already implemented a draft version of this feature. I don't wanna go into much detail on this service here but the key aspects are:

  a. a POST can be submitted on the specific path "/query" (e.g. domains/query)

 b. the request body is a JSON map including the parameters normally used in a GET query like count, sort, fieldSet plus a parameter named "query" to deliver a complex search predicate as a JSON object. All the boolean operators are allowed, likewise predicates at different nesting levels. Search properties related to RDAP contents are reported as strings: "nsLdhName", "reverse/registrant/fn"

 4. any other solution not listed before.
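
The per-path access control argument made in the thread, sketched as an added example that is not part of the original messages or of the draft: a default-deny check keyed on the `{resource-type}/reverse/{role}` path segments. The profile names (`authenticated`, `privileged`), the policy table, and the assumption that the RDAP base URL is the server root are hypothetical.

```python
from urllib.parse import urlsplit, unquote, parse_qsl

# Hypothetical policy. Profile names are assumptions; the split follows the
# thread: "technical" searches may be open to more users than "registrant".
POLICY = {
    ("domains", "registrant"): {"privileged"},
    ("domains", "technical"): {"authenticated", "privileged"},
}


def parse_reverse_path(url):
    """Return (resource_type, role, params), or None if the URL is not a
    well-formed {resource-type}/reverse/{role}?{property}=<pattern> query."""
    parts = urlsplit(url)
    # Split on literal "/" first, then decode each segment separately.
    segments = [unquote(s) for s in parts.path.split("/") if s]
    # Reject dot segments and encoded slashes, so the role that is checked
    # here is the same role a backend would see after normalising the path.
    if any(s in (".", "..") or "/" in s for s in segments):
        return None
    if len(segments) != 3 or segments[1] != "reverse":
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    return segments[0], segments[2], params


def authorize(url, profile):
    """Default deny: allow only if the (resource type, role) pair is listed
    in POLICY for this profile and a search property is present."""
    parsed = parse_reverse_path(url)
    if parsed is None:
        return False
    resource_type, role, params = parsed
    if not params:
        return False
    return profile in POLICY.get((resource_type, role), set())


if __name__ == "__main__":
    # Constructed sample requests.
    for url in ("/domains/reverse/technical?fn=Jane*",
                "/domains/reverse/registrant?fn=Jane*",
                "/domains/reverse/technical/../registrant?fn=Jane*"):
        print(url, authorize(url, "authenticated"))
```

With the role as a query parameter (option 2 in the thread), the same decision would depend on parsing and validating the query string rather than on the path alone.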