To:
"'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
Date:
Mon, 14 Jan 2002 11:33:56 -0500
Sender:
owner-ietf-provreg@cafax.se
Subject:
<info> Command and authInfo
Those of you familiar with the NSI RRP, the protocol's STATUS command, and the way it's been implemented in the com|net|org registry are probably aware that RRP clients can only do a STATUS command on domains that they've registered. A client who attempts to get status on a domain registered by a different client gets an error response. The EPP specification is a bit more flexible in this regard, saying this about the essentially similar <info> command: "This action SHOULD be limited to authorized clients; restricting this action to the sponsoring client is RECOMMENDED." VeriSign often gets registrar requests to open up the RRP STATUS command completely so that any client can obtain information about any registered domain. The usual argument to support this request relates to transfers: the potential gaining client wants to be able to see what they're getting in to before requesting the transfer. Opening the command up completely introduces a data mining risk, so that's why the EPP text is written as it is, but without allowing some cross-vision the gaining client has to go to an out-of-band mechanism (like whois) to obtain info. I think we can do better with EPP without opening a significant data mining risk. I'm wondering how people feel about adding an optional <authInfo> element to the domain <info> command. Sponsoring clients wouldn't have to use it; they can continue to "see" all of the domains they sponsor. Clients who need to see something in the context of a transfer can provide the <authInfo> to see domain object info via the protocol, eliminating the need to go out-of-band. Data mining protections are still in place because non-sponsoring clients who don't have the <authInfo> can't see domains sponsored by other clients. This sort of change would let us tighten up the EPP spec a bit, which should help with interoperability. I know we finished a WG last call, but I'm in the docs now working on wrapping up the changes based on last-call comments and would like to know how folks feel about this change given their operational experience with RRP. -Scott-