On Wed, 2 Jan 2019, Adam Roach wrote:
>> I don't understand why. The code is a signed token. Imagine the registry
>> goes back to the signer and asks about token 123-foo666 and the answer is
>> "We're the Ministry, we signed it, of course it's valid. The details are
>> secret."
>> While that would not be my favorite way to work, and I can easily imagine
>> other scenarios with auditing and transparency business requirements, why
>> wouldn't that interoperate?
> If we're concerned merely with interoperation, the same is true of most --
> if not all -- normative keywords used in "Security Considerations" sections.
> Your position might (or might not) be correct, but the logic of "2119
> language is only used for interoperability reasons" simply isn't true.
I think there's a difference -- in security sections the goal is usually
to prevent leakage or spoofing or something else that would allow a
malicious party to interoperate with a victim. One part of good interop
is not to interoperate with attackers. But that's not what's going on
here. The signature shows that the token is valid, and unless I'm missing
something, whatever you might learn from the thing the token represents is
outside the scope of EPP.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly