IETF provreg mailing list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: ietf-provreg@cafax.se
From: Andrew Sullivan <andrew@ca.afilias.info>
Date: Wed, 30 Nov 2005 13:00:03 -0500
Content-Disposition: inline
In-Reply-To: <20051125181213.GG3981@libertyrms.info>
Mail-Followup-To: Andrew Sullivan <andrew@ca.afilias.info>,ietf-provreg@cafax.se
Reply-To: Andrew Sullivan <andrew@ca.afilias.info>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mutt/1.5.9i
Subject: [ietf-provreg] client A altering client B's objects

Hi folks,

Recently, I've had proposed to me some functionality having to do
with contact objects.  In particular, the idea is that under some
circumstances, we would allow some but not all fields of a contact
object to be modified by a client other than the sponsoring client,
just in case the modifying client can deliver the authentication
information to show that it has permission to perform the
modification (i.e. the modifyer MUST send the <contact:authInfo>,
irrespective of whether it is the object sponsor). 

This appears to be permitted under RFC 3733.  Even though section 2
suggests that the server or the sponsoring client can modify contact
objects, nowhere have I found an actual prohibition on non-sponsoring
clients modifying objects.  (Besides, a transfer request always in
fact performs a modification.)  Moreover, it would seem this is what
the authInfo is for.  

I know that RFC3730 says that restricting updates on an object to the
sponsor of that object is RECOMMENDED.  But in the circumstance I'm
thinking about, the idea is to ensure that certain basic contact
information is controlled by an authorising agent, who does not wish
to have much interaction with the end users (i.e. the people to whom
the contacts themselves refer).  The idea is to get _other_ people
(== registrars) to manage the contact data that is irrelevant to the
authentication, once the authentication has happened.  So it seems
like the sort of case contemplated by using RECOMMENDED in 3730
rather than the stronger MUST/REQUIRED.  Therefore as nearly as I can
tell, this is a perfectly legitimate server policy.
 
It nevertheless feels unnatural to allow this -- it seems to go
against the grain of the very idea of an object sponsor.  
I thought I would poll the community to see whether anyone else
agrees that my reading here is reasonable (or at least defensible).

Best,
Andrew

-- 
----
Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                        Toronto, Ontario Canada
<andrew@ca.afilias.info>                              M2P 2A8
                                        +1 416 646 3304 x4110

Prev by Date: Buy OEM Software
Prev by thread: What IS 0EM Software And Why D0 You Care?
Index(es):
- Date
- Thread

Home | Date list | Subject list