[weirds] Verisign Labs Experimental Implementation of RDAP with Federated Authentication

"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 03 February 2016 17:08 UTC


I'd like to invite the members of this list to participate in an experiment that's focused on evaluating how well RDAP can be implemented with support for federated authentication using OpenID Connect. The details of the protocol specification and implementation approach are described in an Internet-Draft that I'm developing:


The I-D might be a little too much detail for someone who just wants to try out the service, though. The easiest way to participate is to use a web browser pointed here:


Please read the Internet-Draft if you're not interested in using a web browser. It describes the proposed protocol parameters and interactions with non-browser clients. The I-D isn't (yet?) a working group document, but we can certainly discuss it on this list as necessary.

Our web interface can be used to submit RDAP queries for domains, name servers, and entities registered in the .cc and .tv ccTLDs. The web form contains two elements: 1) a drop-down menu that allows you to select the type of object you wish to look up, and 2) the name of the object you wish to look up, such as "nic.tv" (with no quotes).

You'll see two command buttons on the form. The "Don't Authenticate" button will submit an RDAP query without client authentication. The "Authenticate" button will start the process of submitting an authenticated RDAP query by prompting you to enter an OpenID identifier. We currently accept identifiers issued by Google (in the form of Gmail addresses) and Microsoft (in the form of Hotmail addresses).

"Don't Authenticate" will return an RDAP response that contains very limited information to demonstrate how the amount of returned information can be controlled based on client identity and authorization. Successful client authentication using "Authenticate" will return more, but still not complete, information. We plan to add support for additional Identity Providers that will be authorized to return full information in the future as the experiment evolves. I'm especially interested in working with implementers who may be interested in setting up an Identity Provider and participating in the experiment.

I've set up an email address that you can use to communicate with the development team. Please send questions and/or feedback to rdap-exp@verisign.com.

The experiment's terms of use can be found here:


The experiment will run until June 3, 2016. We will evaluate the results at that time and we will decide if the experiment will be extended or come to an end. We reserve the right to end the experiment at any time before then.

Thank you, and please feel free to contact me directly with any questions.
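
The tiered disclosure described in the message (limited data without authentication, more after it, full data for specially authorized Identity Providers) can be sketched as a response filter. This is an added example, not part of the original message and not Verisign's code. The tier names, issuer URLs and per-tier field policy are assumptions, and the ID token is assumed to have been validated before `filter_response` is called.

```python
import copy

# Assumed mapping from a validated OpenID Connect issuer ("iss") to an access
# tier. Both issuer URLs are constructed placeholders.
ISSUER_TIER = {"https://idp-basic.example": "basic", "https://idp-full.example": "full"}

# Assumed policy: top-level RDAP members each tier may see.
ANON_FIELDS = {"rdapConformance", "objectClassName", "ldhName", "status", "nameservers"}
BASIC_FIELDS = ANON_FIELDS | {"handle", "events", "entities"}
BASIC_VCARD = {"version", "fn", "org"}  # email, tel, adr are withheld from "basic"
TRUNCATED = {"title": "Data Policy", "type": "object truncated due to authorization",
             "description": ["Some data was withheld based on client authorization."]}

def tier_for(claims):
    """Map already-validated ID token claims (or None) to a tier, failing closed."""
    if not claims:
        return "anonymous"
    return ISSUER_TIER.get(claims.get("iss"), "anonymous")

def _trim_entity(entity):
    # Keep identity and role only; nested entities and contact details are dropped.
    out = {k: v for k, v in entity.items() if k in {"objectClassName", "handle", "roles"}}
    vcard = entity.get("vcardArray")
    if vcard:
        out["vcardArray"] = ["vcard", [p for p in vcard[1] if p[0] in BASIC_VCARD]]
    return out

def filter_response(rdap_obj, claims):
    """Return a copy of rdap_obj reduced to what the client's tier may see."""
    tier = tier_for(claims)
    if tier == "full":
        return copy.deepcopy(rdap_obj)
    allowed = BASIC_FIELDS if tier == "basic" else ANON_FIELDS
    out = {k: copy.deepcopy(v) for k, v in rdap_obj.items() if k in allowed}
    if "entities" in out:
        out["entities"] = [_trim_entity(e) for e in out["entities"]]
    out["notices"] = [TRUNCATED]  # tell the client the object is incomplete
    return out

# Constructed sample domain object (not real registration data).
SAMPLE = {
    "rdapConformance": ["rdap_level_0"], "objectClassName": "domain",
    "handle": "EXAMPLE-1", "ldhName": "domain.example", "status": ["active"],
    "events": [{"eventAction": "registration", "eventDate": "2010-01-01T00:00:00Z"}],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.domain.example"}],
    "entities": [{"objectClassName": "entity", "handle": "REG-1", "roles": ["registrant"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Registrant"],
                                           ["email", {}, "text", "owner@domain.example"]]]}],
}
```

A token from an issuer that is not in the mapping gets the anonymous view rather than an error, so an unrecognized Identity Provider never widens disclosure.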