On 14/12/2021 19:17, Patrick Mevzek wrote:

On Tue, Dec 14, 2021, at 09:29, Tobias Sattler wrote:
We want to spin this idea with this group because using EPP for
searching is more secure than RDAP by reducing a threat vector.
Which threat vector? Or can you explain what is not secure in RDAP?
Because it uses HTTPS so it can be "secured" by any and all well-known mechanisms,
from shared secret, to full OAuth/WebAuthn things.

I fully agree with Patrick on this point. On the contrary, an RDAP server being a REST service, some security features like 2-factor authentication are provided by IdPs and can be implemented by RDAP operators with little to no effort.

Also the exact same EPP security mechanisms (as laid out by RFC 5734), namely
1) IP access lists 2) client X509 certificates 3) login+password, can be done exactly
as is with RDAP, if so wished.

EPP is Extensible *Provisioning* Protocol (yes, I know not fully true already).
I am of the personal position that a lot of stuff added lately/being added to EPP would in fact have been better through RDAP, because it also for some opens the use by other entities than registrars.

Right.

Additionally, I would like to outline that sooner or later the registries will be recommended to meet the requirements coming from the EU E-evidence <https://ec.europa.eu/info/policies/justice-and-fundamental-rights/criminal-justice/e-evidence-cross-border-access-electronic-evidence_en> directive that is to implement systems allowing cybercrime investigators (e.g. Europol) to access the registration data quickly (the response time should be to the tune of hours rather than days). From that perspective, surely RDAP fits much better than EPP.

I think the authentication/authorization stuff is orthogonal to the features provided
by the protocol.

Agreed. The security level in EPP and RDAP implementations depends on the security policy of each registry.

Best,

Mario

--
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web: http://www.iit.cnr.it/mario.loffredo
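
The three RFC 5734-style checks listed in the thread (IP access list, client X509 certificate, login+password), applied in order to an incoming RDAP HTTPS request. This is an added example, not part of the original messages or of any registry's code: the policy values, the client name `registrar-1`, the certificate-pinning scheme and every function name are assumptions, and the certificate bytes are assumed to be handed over by the TLS layer (for instance `ssl.SSLSocket.getpeercert(binary_form=True)`).

```python
import base64
import hashlib
import hmac
import ipaddress

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample policy for one hypothetical client, "registrar-1".
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_CERT_DER = b"constructed stand-in for a DER-encoded certificate"
CERT_PINS = {hashlib.sha256(SAMPLE_CERT_DER).hexdigest(): "registrar-1"}
USERS = {"registrar-1": (b"constructed-salt", pw_hash("example-pw", b"constructed-salt"))}
SAMPLE_AUTH = "Basic " + base64.b64encode(b"registrar-1:example-pw").decode()

def ip_allowed(peer_ip):
    """1) IP access list."""
    return any(ipaddress.ip_address(peer_ip) in net for net in ALLOWED_NETS)

def cert_identity(cert_der):
    """2) Client certificate: map its SHA-256 pin to a client id, or None."""
    return CERT_PINS.get(hashlib.sha256(cert_der or b"").hexdigest())

def basic_login(header):
    """3) Login+password over HTTP Basic: return the login, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return None
    salt, expected = USERS.get(user, (b"no-such-user", b""))
    ok = hmac.compare_digest(pw_hash(password, salt), expected)
    return user if sep and ok else None

def authorize(peer_ip, cert_der, auth_header):
    """Apply the three checks in order; return (HTTP status, reason)."""
    if not ip_allowed(peer_ip):
        return 403, "source address not in access list"
    cert_id = cert_identity(cert_der)
    if cert_id is None:
        return 403, "unknown client certificate"
    login = basic_login(auth_header)
    if login is None:
        return 401, "bad login or password"
    if login != cert_id:
        return 403, "login not bound to this certificate"
    return 200, "ok"
```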