[TSG-Access-RD] Useful resource on OAuth2/OpenID Connect
Tomofumi Okubo
tomofumi.okubo at digicert.com
Mon Dec 17 18:36:40 UTC 2018
As long as each query is vetted for non-public data, it sounds good to me.
Cheers,
Tomofumi
On 12/17/18, 10:19 AM, "Hollenbeck, Scott" <shollenbeck at verisign.com> wrote:
> On Dec 17, 2018, at 1:07 PM, Tomofumi Okubo <tomofumi.okubo at digicert.com> wrote:
>
> I think it is a good starting point.
>
>> 7. The RDAP server validates the ID and/or access token and returns the
>> response to the client. Subsequent requests would bypass steps 2-6.
>
> For non-public data, this would be an issue as the data requester can freely query whatever they want once the connection is established. I believe there needs to be some sanity check per query for non-public data, especially as RDAP allows regex-ish searches.
>
Tokens are still used to validate requests once they’ve been negotiated. There are no “free” queries that bypass the authentication mechanism unless the client chooses to send a query without the parameters - and if they do that the query is processed without authentication.
Scott
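An added illustration (not code from this thread or from any RDAP implementation) of the two points above: the bearer token is validated on every request, not only during the initial OAuth2/OIDC exchange, and each query is additionally authorized per data class, so non-public fields are released only when the token carries the required scope. The HMAC-signed token, the `rdap:nonpublic` scope name and the sample record are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real RDAP server would verify OAuth2/OIDC tokens
# against the issuer's published keys rather than a shared HMAC secret.
SECRET = b"demo-secret-not-for-production"

def mint_token(claims):
    """Constructed helper standing in for the OAuth2/OIDC provider."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def validate_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None  # expired tokens never grant access, however old the session
    return claims

# Constructed RDAP-like record: public fields plus one contact field that is
# released only to clients whose token carries the (hypothetical) scope.
RECORD = {"handle": "EXAMPLE-1", "ldhName": "example.test",
          "status": ["active"], "registrant_email": "holder@example.test"}
NONPUBLIC = {"registrant_email"}
NONPUBLIC_SCOPE = "rdap:nonpublic"

def handle_query(headers, query, now=None):
    """Process one RDAP lookup; every request is checked independently."""
    auth = headers.get("Authorization", "")
    claims = None
    if auth.startswith("Bearer "):
        claims = validate_token(auth[len("Bearer "):], now)
        if claims is None:
            return {"status": 401, "error": "invalid or expired token"}
    # No token at all: processed unauthenticated, i.e. public data only.
    scopes = set(claims.get("scope", "").split()) if claims else set()
    allowed = NONPUBLIC_SCOPE in scopes
    if query != RECORD["ldhName"]:
        return {"status": 404}
    body = {k: v for k, v in RECORD.items() if allowed or k not in NONPUBLIC}
    return {"status": 200, "body": body, "authenticated": claims is not None}
```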