To:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
CC:
ietf-provreg@cafax.se
From:
Jens-Uwe Gaspar <jug@schlund.de>
Date:
Wed, 16 Jan 2002 12:47:55 +0100
Sender:
owner-ietf-provreg@cafax.se
Subject:
Re: <info> Command and authInfo
"Hollenbeck, Scott" wrote:
>
> > -----Original Message-----
> > From: Jens-Uwe Gaspar [mailto:jug@schlund.de]
> > Sent: Tuesday, January 15, 2002 1:06 PM
> > To: ietf-provreg@cafax.se
> > Subject: Re: <info> Command and authInfo
> >
> > While registering a new object (domain, contact or host), it
> > may happen,
> > that in the registry the object was registered, but
> > accidently our database
> > will fail (cause of deadlock, DB-maintenance, or whatever).
> > Because there's no transaction enclosing registry _and_
> > registrars actions,
> > we must recommence registering the object (dom/contact/host):
> >
> > <check> existence of object;
> > if existing, do <info> to get [sponsoring registrar]:
> > if [sponsoring registrar] not equal to ourselves => we're
> > sad registrar
> > and stop further action for this object
> > else: we're happy registrar and go on with further actions :)
> >
> > In practice it stands the test (.INFO/.BIZ) and we would appreciate,
> > if that's also be possible in future versions of EPP.
>
> You can achieve exactly the same results without having to determine the
> sponsoring client. Do an <info>, if you're not the sponsor you get back a
> "you're not authorized" error code => you're sad. If you are, <info> works
> and you're happy. It's also less work for the server if you're not the
> sponsor as no data has to be retrieved from a local data store to generate
> the error response.
I'm aware of that, but when i follow Bruce Tonkin's note:
BT> Bear in mind, that in future the use of EPP to talk to the
BT> registry may not be restricted to entities such as authorised
BT> registrars [...]
then there maybe
a) normal users doing an <info> -> "not authorized", maybe because
client has no access-right to do it, or
b) registrar doing an <info> -> "not authorized", because not
current sponsoring registrar,
c) registrar doing an <info> -> "not authorized", because not allowed
to do it (of whatever reason there could be: e.g. billing, etc).
I'm not sure, if it's a good idea to use the error code "not authorized"
to indicate that you're not the sponsoring registrar (b), because
then you can't differ it from case (c) stated above.
>
> With respect to current implementations, while I can appreciate the insights
> gained in writing code to the specs, we as WG can't have our focus limited
> by code written to I-Ds. We need to be able to change the specs as issues
> are found and explored, even if that means someone might have to change
> code.
Sure, i only wanted to give an example in which the <info>-data is used.
>
> > Do you want to restrict returning the object data completely, or do you
> > allow returning parts (changing minOccurs in the specs)?
> >
> > For example, reducing <info> result-data to the output the corresponding
> > whois-server list, if requested by a registrar other than the current
> > sponsoring one.
>
> This might be a reasonable compromise. My initial thought was to restrict
> it completely, but maybe there's no harm in returning a subset of the info
> if the querying client isn't the sponsor and doesn't have the authInfo.
>
> -Scott-
Best regards,
Jens-Uwe Gaspar
________________________________________________________________________
Jens-Uwe Gaspar Schlund + Partner AG
E-Mail: jug@schlund.de Erbprinzenstr. 4 - 12
Tel. +49-721-91374-50 76133 Karlsruhe, Germany
Fax +49-721-91374-20 http://www.schlund.de