To: ietf-provreg@cafax.se
From: Andrew Sullivan <andrew@ca.afilias.info>
Date: Wed, 30 Nov 2005 13:00:03 -0500
Content-Disposition: inline
In-Reply-To: <20051125181213.GG3981@libertyrms.info>
Mail-Followup-To: Andrew Sullivan <andrew@ca.afilias.info>,ietf-provreg@cafax.se
Reply-To: Andrew Sullivan <andrew@ca.afilias.info>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mutt/1.5.9i
Subject: [ietf-provreg] client A altering client B's objects

Hi folks,

Recently, I've had proposed to me some functionality having to do with contact objects. In particular, the idea is that under some circumstances, we would allow some but not all fields of a contact object to be modified by a client other than the sponsoring client, just in case the modifying client can deliver the authentication information to show that it has permission to perform the modification (i.e. the modifier MUST send the <contact:authInfo>, irrespective of whether it is the object sponsor).

This appears to be permitted under RFC 3733. Even though section 2 suggests that the server or the sponsoring client can modify contact objects, nowhere have I found an actual prohibition on non-sponsoring clients modifying objects. (Besides, a transfer request always in fact performs a modification.) Moreover, it would seem this is what the authInfo is for.

I know that RFC3730 says that restricting updates on an object to the sponsor of that object is RECOMMENDED. But in the circumstance I'm thinking about, the idea is to ensure that certain basic contact information is controlled by an authorising agent, who does not wish to have much interaction with the end users (i.e. the people to whom the contacts themselves refer). The idea is to get _other_ people (== registrars) to manage the contact data that is irrelevant to the authentication, once the authentication has happened. So it seems like the sort of case contemplated by using RECOMMENDED in 3730 rather than the stronger MUST/REQUIRED.

Therefore as nearly as I can tell, this is a perfectly legitimate server policy. It nevertheless feels unnatural to allow this -- it seems to go against the grain of the very idea of an object sponsor. I thought I would poll the community to see whether anyone else agrees that my reading here is reasonable (or at least defensible).

Best,
Andrew

-- 
----
Andrew Sullivan
Afilias Canada
<andrew@ca.afilias.info>
204-4141 Yonge Street
Toronto, Ontario Canada
M2P 2A8
+1 416 646 3304 x4110
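
The following is an added illustration, not part of the original message or of any registry's code: a sketch of the server-side decision the message describes, where every modifier must present the contact's authInfo and a non-sponsoring client may change only an allow-listed subset of fields. The split of fields into sponsor-only and delegable, the function and class names, and the mapping of outcomes to RFC 3730 result codes are assumptions.

```python
import hmac
from dataclasses import dataclass

# EPP result codes defined in RFC 3730; which code a server returns for each
# case below is an assumption of this example.
OK, AUTHZ_ERROR, BAD_AUTHINFO = 1000, 2201, 2202

# Assumed policy split of RFC 3733 contact elements. The message only says
# "some but not all fields"; it does not name them.
SPONSOR_ONLY = frozenset({"name", "org", "authInfo"})
DELEGABLE = frozenset({"addr", "voice", "fax", "email"})


@dataclass(frozen=True)
class Contact:
    contact_id: str
    sponsor: str    # client id of the sponsoring client
    auth_info: str  # stored <contact:authInfo> value (constructed sample below)


def authorize_update(contact, client_id, supplied_auth_info, changed_fields):
    """Return an EPP result code for a proposed contact update."""
    # Every modifier, sponsor included, must present the authInfo.
    supplied = (supplied_auth_info or "").encode()
    expected = contact.auth_info.encode()
    # Constant-time comparison avoids leaking how much of the secret matched.
    if not supplied or not hmac.compare_digest(supplied, expected):
        return BAD_AUTHINFO

    if client_id == contact.sponsor:
        return OK

    # Non-sponsor: default deny. Every changed field must be on the delegable
    # list, so sponsor-only and unrecognised fields are both refused.
    if not set(changed_fields) <= DELEGABLE:
        return AUTHZ_ERROR
    return OK


if __name__ == "__main__":
    c = Contact("sh8013", "ClientX", "2fooBAR")  # constructed sample values
    print(authorize_update(c, "ClientY", "2fooBAR", ["email", "voice"]))
    print(authorize_update(c, "ClientY", "2fooBAR", ["email", "name"]))
    print(authorize_update(c, "ClientX", None, ["name"]))
```

Because the non-sponsor check is an allow-list, a field added to the schema later stays sponsor-only until policy explicitly delegates it.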