[gnso-rds-pdp-wg] Possible Requirements from RFC 7481: Security Services for the Registration Data Access Protocol (RDAP)
Hollenbeck, Scott
shollenbeck at verisign.com
Mon Jun 6 16:58:51 UTC 2016
Farrell Folly started work on this review of RFC 7481. I've collected his findings and completed the review.
Section 3.1, Access Control:
"Information returned to a client can be clearly marked with a status value (see Section 10.2.2 of [RFC7483]) that identifies the access granted to the client."
Possible requirement: An RDDS must be able to return information that identifies the access granted to the client.
Associated charter question(s): Users/Purposes: Who should have access to gTLD registration data and why? Gated Access: What steps should be taken to control data access for each user/purpose?
Section 3.2, Authentication:
"RDAP clients and servers MUST implement the authentication framework specified in "Hypertext Transfer Protocol (HTTP/1.1): Authentication" [RFC7235]."
"If the "basic" scheme is used, HTTP over TLS [RFC2818] MUST be used to protect the client's credentials from disclosure while in transit..."
"Servers MUST support either Basic or Digest authentication; they are not required to support both. Clients MUST support both to interoperate with servers that support one or the other."
"transports for RDAP must either provide a TLS-protected transport (e.g., HTTPS) or a mechanism that provides an equivalent level of server authentication"
Possible requirement: An RDDS must be able to support client authentication using HTTP Basic and Digest authentication.
Possible requirement: Connections between RDDS clients and RDDS servers must be encrypted to prevent inadvertent disclosure of information to passive eavesdropping attacks.
Possible requirement: RDDS servers must be able to authenticate themselves to clients using HTTPS or a mechanism that provides an equivalent level of server authentication.
Associated charter question(s): Gated Access: What steps should be taken to control data access for each user/purpose? Privacy: What steps are needed to protect data and privacy?
Section 3.2.1, Federated Authentication:
"Federated authentication mechanisms used by RDAP MUST be fully supported by HTTP"
Possible requirement: Federated authentication systems used by an RDDS must be fully supported by HTTP.
Associated charter question(s): Gated Access: What steps should be taken to control data access for each user/purpose? Privacy: What steps are needed to protect data and privacy?
Section 3.3, Authorization:
"If such varying degrees of access are supported, an RDAP server MUST provide granular access controls (that is, per registration data object) in order to implement authorization policies."
Possible requirement: An RDDS must provide granular access controls in order to implement authorization policies.
Associated charter question(s): Gated Access: What steps should be taken to control data access for each user/purpose? Privacy: What steps are needed to protect data and privacy?
Section 3.5, Data Confidentiality:
"HTTP over TLS MUST be used to protect all client-server exchanges unless operational constraints make it impossible to meet this requirement."
Possible requirement: An RDDS must use HTTP over TLS to protect all client-server exchanges.
Section 3.6, Data Integrity:
"If the policy of the server operator requires message integrity for client-server data exchanges, HTTP over TLS MUST be used to protect those exchanges."
Possible requirement: An RDDS must be able to provide message integrity for client-server data exchanges using HTTP over TLS.
Associated charter question(s): Privacy: What steps are needed to protect data and privacy? Data Accuracy: What steps should be taken to improve data accuracy?
Section 4, Privacy Threats Associated with Registration Data:
"RDAP data structures allow servers to indicate via status values when data returned to clients has been made private, redacted, obscured, or registered by a proxy."
Possible requirement: An RDDS must be able to identify data elements that have been made private, redacted, obscured, or registered by a proxy.
Associated charter question(s): Privacy: What steps are needed to protect data and privacy?
Scott
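Added example, not part of the original message or of RFC 7481: a client-side check for the Section 4 requirement, walking an RDAP JSON response and reporting which objects carry a status value marking data as private, removed, obscured, or proxy-registered. The sample response and its handles are constructed, the function name is hypothetical, and the status names assume the RFC 7483 Section 10.2.2 list, where "removed" is the value for what the quoted text calls redacted.

```python
import json

# Status values from RFC 7483 Section 10.2.2 that signal withheld or altered data.
# RFC 7481 Section 4 says "redacted"; the status value assumed here is "removed".
PRIVACY_STATUSES = {"private", "removed", "obscured", "proxy"}

# Constructed sample response (not real registration data).
SAMPLE_RESPONSE = json.loads("""
{
  "objectClassName": "domain",
  "handle": "EXAMPLE-DOM-1",
  "ldhName": "example.test",
  "status": ["active"],
  "entities": [
    {"objectClassName": "entity", "handle": "EXAMPLE-REG-1",
     "roles": ["registrant"], "status": ["private", "validated"]},
    {"objectClassName": "entity", "handle": "EXAMPLE-ADM-1",
     "roles": ["administrative"], "status": ["proxy"],
     "entities": [
       {"objectClassName": "entity", "handle": "EXAMPLE-NEST-1",
        "roles": ["technical"], "status": ["removed", "obscured"]}]},
    {"objectClassName": "entity", "handle": "EXAMPLE-RAR-1",
     "roles": ["registrar"]}
  ]
}
""")

def privacy_markers(obj, path=""):
    """Return {object path: sorted privacy statuses} for every marked object."""
    found = {}
    if isinstance(obj, dict):
        if "objectClassName" in obj:
            label = f'{obj["objectClassName"]}:{obj.get("handle", "?")}'
            path = f"{path}/{label}" if path else label
            status = obj.get("status", [])
            # Ignore a malformed (non-list) "status" member instead of crashing.
            values = {s for s in status if isinstance(s, str)} if isinstance(status, list) else set()
            marked = PRIVACY_STATUSES & values
            if marked:
                found[path] = sorted(marked)
        for value in obj.values():  # descend into nested entities, etc.
            found.update(privacy_markers(value, path))
    elif isinstance(obj, list):
        for item in obj:
            found.update(privacy_markers(item, path))
    return found

if __name__ == "__main__":
    for where, marks in privacy_markers(SAMPLE_RESPONSE).items():
        print(where, "->", ", ".join(marks))
```

Because the status array is carried per object, the same walk also shows the granularity that Section 3.3 asks for: each nested entity is reported separately from the domain that contains it.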