draft-ietf-regext-rdap-reverse-search-05.txt   draft-ietf-regext-rdap-reverse-search-06.txt 
Registration Protocols Extensions M. Loffredo Registration Protocols Extensions M. Loffredo
Internet-Draft M. Martinelli Internet-Draft M. Martinelli
Intended status: Standards Track IIT-CNR/Registro.it Intended status: Standards Track IIT-CNR/Registro.it
Expires: April 29, 2021 October 26, 2020 Expires: October 11, 2021 April 9, 2021
Registration Data Access Protocol (RDAP) Reverse search capabilities Registration Data Access Protocol (RDAP) Reverse search capabilities
draft-ietf-regext-rdap-reverse-search-05 draft-ietf-regext-rdap-reverse-search-06
Abstract Abstract
The Registration Data Access Protocol (RDAP) does not include query The Registration Data Access Protocol (RDAP) does not include query
capabilities to find the list of domains related to a set of entities capabilities to find the list of domains related to a set of entities
matching a given search pattern. In the RDAP context, an entity can matching a given search pattern. In the RDAP context, an entity can
be associated to any defined object class. Therefore, a reverse be associated to any defined object class. Therefore, a reverse
search can be applied to other use cases than the classic domain- search can be applied to other use cases than the classic domain-
entity scenario. This document describes RDAP query extensions that entity scenario. This document describes RDAP query extensions that
allow servers to provide a reverse search feature based on the allow servers to provide a reverse search feature based on the
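Review bot: in the Abstract, "an entity can be associated to any defined object class" should read "associated with any defined object class"; the wording is unchanged between -05 and -06, so this is a good point to fix it.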
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 29, 2021. This Internet-Draft will expire on October 11, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 23 skipping to change at page 2, line 23
3. RDAP Conformance . . . . . . . . . . . . . . . . . . . . . . 5 3. RDAP Conformance . . . . . . . . . . . . . . . . . . . . . . 5
4. Implementation Considerations . . . . . . . . . . . . . . . . 5 4. Implementation Considerations . . . . . . . . . . . . . . . . 5
5. Implementation Status . . . . . . . . . . . . . . . . . . . . 5 5. Implementation Status . . . . . . . . . . . . . . . . . . . . 5
5.1. IIT-CNR/Registro.it . . . . . . . . . . . . . . . . . . . 6 5.1. IIT-CNR/Registro.it . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
10.1. Normative References . . . . . . . . . . . . . . . . . . 7 10.1. Normative References . . . . . . . . . . . . . . . . . . 7
10.2. Informative References . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 9 Appendix A. Paradigms to Enforce Access Control on Reverse
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Search in RDAP . . . . . . . . . . . . . . . . . . . 9
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
Reverse Whois is a service provided by many web applications that Reverse Whois is a service provided by many web applications that
allow users to find domain names owned by an individual or a company allow users to find domain names owned by an individual or a company
starting from the owner's details, such as name and email. Even if starting from the owner's details, such as name and email. Even if
it has been considered useful for some legal purposes (e.g. it has been considered useful for some legal purposes (e.g.
uncovering trademark infringements, detecting cybercrime cases), its uncovering trademark infringements, detecting cybercrime cases), its
availability as a standardized Whois capability has been objected for availability as a standardized Whois capability has been objected for
two main reasons, which now don't seem to conflict with an RDAP two main reasons, which now don't seem to conflict with an RDAP
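Review bot: in Section 1 the verb does not agree with its subject ("a service ... that allow users" should be "that allows users"), and "has been objected for two main reasons" should be "has been objected to for two main reasons"; both sentences survive unchanged in -06.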
skipping to change at page 6, line 23 skipping to change at page 6, line 23
It is up to the individual working groups to use this information as It is up to the individual working groups to use this information as
they see fit". they see fit".
5.1. IIT-CNR/Registro.it 5.1. IIT-CNR/Registro.it
Responsible Organization: Institute of Informatics and Telematics Responsible Organization: Institute of Informatics and Telematics
of National Research Council (IIT-CNR)/Registro.it of National Research Council (IIT-CNR)/Registro.it
Location: https://rdap.pubtest.nic.it/ Location: https://rdap.pubtest.nic.it/
Description: This implementation includes support for RDAP queries Description: This implementation includes support for RDAP queries
using data from the public test environment of .it ccTLD. using data from the public test environment of .it ccTLD.
Level of Maturity: This is a "proof of concept" research Level of Maturity: This is an "alpha" test implementation.
implementation.
Coverage: This implementation includes all of the features Coverage: This implementation includes all of the features
described in this specification. described in this specification.
Contact Information: Mario Loffredo, mario.loffredo@iit.cnr.it Contact Information: Mario Loffredo, mario.loffredo@iit.cnr.it
6. IANA Considerations 6. IANA Considerations
IANA is requested to register the following value in the RDAP IANA is requested to register the following value in the RDAP
Extensions Registry: Extensions Registry:
Extension identifier: reverse_search Extension identifier: reverse_search
skipping to change at page 6, line 46 skipping to change at page 6, line 45
Published specification: This document. Published specification: This document.
Contact: IETF <iesg@ietf.org> Contact: IETF <iesg@ietf.org>
Intended usage: This extension describes reverse search query Intended usage: This extension describes reverse search query
patterns for RDAP. patterns for RDAP.
7. Privacy Considerations 7. Privacy Considerations
The use of the capability described in this document MUST be The use of the capability described in this document MUST be
compliant with the rules about privacy protection each RDAP provider compliant with the rules about privacy protection each RDAP provider
is subject to. Sensitive registration data MUST be protected and is subject to. Sensitive registration data MUST be protected and
accessible for permissible purposes only. Therefore, RDAP servers accessible for permissible purposes only. This functionality SHOULD
MUST provide reverse search only to those requestors who are be only accessible to authorized users and only for a specified use
authorized according to a lawful basis. Some potential users of this case.
capability include registrars searching for their own domains and
operators in the exercise of an official authority or performing a
specific task in the public interest that is set out in a law.
Another scenario consists of permitting reverse searches, which take Already the request for this functionality could contain Personal
into account only those entities that have previously given the Identifiable Information and SHOULD therefore only be available over
explicit consent for publishing and processing their personal data. HTTPS.
Providing reverse search in RDAP carries the following threats as
described in [RFC6973]:
o Correlation
o Disclosure
o Misuse of information
Therefore, RDAP providers are REQUIRED to mitigate the risk of those
threats by implementing appropriate measures supported by security
services (see Section 8).
8. Security Considerations 8. Security Considerations
Security services required to provide controlled access to the Security services required to provide controlled access to the
operations specified in this document are described in [RFC7481]. operations specified in this document are described in [RFC7481]. A
non exhaustive list of access control paradigms an RDAP provider can
implement is presented in Appendix A.
The specification of the entity role within the reverse search path The specification of the entity role within the reverse search path
allows the RDAP servers to implement different authorization policies allows the RDAP servers to implement different authorization policies
on a per-role basis. on a per-role basis.
9. Acknowledgements 9. Acknowledgements
The authors would like to acknowledge Tom Harrison, Scott Hollenbeck, The authors would like to acknowledge the following individuals for
Francisco Arias, Gustavo Lozano and Eduardo Alvarez for their their contributions to this document: Tom Harrison, Scott Hollenbeck,
contribution to this document. Francisco Arias, Gustavo Lozano, Eduardo Alvarez and Ulrich Wisser.
10. References 10. References
10.1. Normative References 10.1. Normative References
[OIDCC] OpenID Foundation, "OpenID Connect Core incorporating
errata set 1", November 2014,
<http://openid.net/specs/openid-connect-core-1_0.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
DOI 10.17487/RFC3912, September 2004, DOI 10.17487/RFC3912, September 2004,
<https://www.rfc-editor.org/info/rfc3912>. <https://www.rfc-editor.org/info/rfc3912>.
[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
<https://www.rfc-editor.org/info/rfc5730>. <https://www.rfc-editor.org/info/rfc5730>.
[RFC6350] Perreault, S., "vCard Format Specification", RFC 6350, [RFC6350] Perreault, S., "vCard Format Specification", RFC 6350,
DOI 10.17487/RFC6350, August 2011, DOI 10.17487/RFC6350, August 2011,
<https://www.rfc-editor.org/info/rfc6350>. <https://www.rfc-editor.org/info/rfc6350>.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973,
DOI 10.17487/RFC6973, July 2013,
<https://www.rfc-editor.org/info/rfc6973>.
[RFC7095] Kewisch, P., "jCard: The JSON Format for vCard", RFC 7095, [RFC7095] Kewisch, P., "jCard: The JSON Format for vCard", RFC 7095,
DOI 10.17487/RFC7095, January 2014, DOI 10.17487/RFC7095, January 2014,
<https://www.rfc-editor.org/info/rfc7095>. <https://www.rfc-editor.org/info/rfc7095>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014, RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>. <https://www.rfc-editor.org/info/rfc7230>.
[RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
Registration Data Access Protocol (RDAP)", RFC 7480, Registration Data Access Protocol (RDAP)", STD 95,
DOI 10.17487/RFC7480, March 2015, RFC 7480, DOI 10.17487/RFC7480, March 2015,
<https://www.rfc-editor.org/info/rfc7480>. <https://www.rfc-editor.org/info/rfc7480>.
[RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
Registration Data Access Protocol (RDAP)", RFC 7481, Registration Data Access Protocol (RDAP)", STD 95,
DOI 10.17487/RFC7481, March 2015, RFC 7481, DOI 10.17487/RFC7481, March 2015,
<https://www.rfc-editor.org/info/rfc7481>. <https://www.rfc-editor.org/info/rfc7481>.
[RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access [RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access
Protocol (RDAP) Query Format", RFC 7482, Protocol (RDAP) Query Format", RFC 7482,
DOI 10.17487/RFC7482, March 2015, DOI 10.17487/RFC7482, March 2015,
<https://www.rfc-editor.org/info/rfc7482>. <https://www.rfc-editor.org/info/rfc7482>.
[RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the [RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the
Registration Data Access Protocol (RDAP)", RFC 7483, Registration Data Access Protocol (RDAP)", RFC 7483,
DOI 10.17487/RFC7483, March 2015, DOI 10.17487/RFC7483, March 2015,
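Review bot: the rewritten Privacy Considerations paragraph downgrades the authorization requirement from MUST ("RDAP servers MUST provide reverse search only to those requestors who are authorized according to a lawful basis") to SHOULD ("This functionality SHOULD be only accessible to authorized users and only for a specified use case"), while the paragraph that follows still states that providers "are REQUIRED to mitigate" the [RFC6973] threats; either keep the MUST or state under which conditions a server may serve reverse search to requestors who are not authorized. In the new transport sentence, "Personal Identifiable Information" should be "Personally Identifiable Information", and since the request itself can carry that information the requirement reads more naturally as a MUST that points at the transport security provisions of [RFC7481] rather than a bare SHOULD. Consider also listing "Identification" among the [RFC6973] threats, since a reverse search by name or email links a person to a set of registered objects, and moving [RFC6973] (and [OIDCC], which is cited only from Appendix A) to the informative references.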
skipping to change at page 8, line 41 skipping to change at page 9, line 12
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8605] Hollenbeck, S. and R. Carney, "vCard Format Extensions: [RFC8605] Hollenbeck, S. and R. Carney, "vCard Format Extensions:
ICANN Extensions for the Registration Data Access Protocol ICANN Extensions for the Registration Data Access Protocol
(RDAP)", RFC 8605, DOI 10.17487/RFC8605, May 2019, (RDAP)", RFC 8605, DOI 10.17487/RFC8605, May 2019,
<https://www.rfc-editor.org/info/rfc8605>. <https://www.rfc-editor.org/info/rfc8605>.
10.2. Informative References 10.2. Informative References
[draft-ietf-regext-rdap-openid]
Hollenbeck, S., "Federated Authentication for the
Registration Data Access Protocol (RDAP) using OpenID
Connect", <https://datatracker.ietf.org/doc/draft-ietf-
regext-rdap-openid/>.
[ICANN-RA] [ICANN-RA]
Internet Corporation For Assigned Names and Numbers, Internet Corporation For Assigned Names and Numbers,
"Registry Agreement", July 2017, "Registry Agreement", July 2017,
<https://newgtlds.icann.org/sites/default/files/ <https://newgtlds.icann.org/sites/default/files/
agreements/agreement-approved-31jul17-en.pdf>. agreements/agreement-approved-31jul17-en.pdf>.
[ICANN-RDS1] [ICANN-RDS1]
Internet Corporation For Assigned Names and Numbers, Internet Corporation For Assigned Names and Numbers,
"Final Report from the Expert Working Group on gTLD "Final Report from the Expert Working Group on gTLD
Directory Services: A Next-Generation Registration Directory Services: A Next-Generation Registration
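Review bot: the new entry for [draft-ietf-regext-rdap-openid] lacks the draft version, the date and the "Work in Progress" label that RFC style requires for Internet-Draft references; suggest "Hollenbeck, S., "Federated Authentication for the Registration Data Access Protocol (RDAP) using OpenID Connect", Work in Progress, draft-ietf-regext-rdap-openid-NN, <month year>" with NN and the date set to the version actually relied on for the "purpose" claim, so that readers can tell which revision of that draft defines it.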
skipping to change at page 9, line 25 skipping to change at page 9, line 44
"Final Issue Report on a Next-Generation gTLD RDS to "Final Issue Report on a Next-Generation gTLD RDS to
Replace WHOIS", October 2015, Replace WHOIS", October 2015,
<http://whois.icann.org/sites/default/files/files/final- <http://whois.icann.org/sites/default/files/files/final-
issue-report-next-generation-rds-07oct15-en.pdf>. issue-report-next-generation-rds-07oct15-en.pdf>.
[REST] Fielding, R., "Architectural Styles and the Design of [REST] Fielding, R., "Architectural Styles and the Design of
Network-based Software Architectures", 2000, Network-based Software Architectures", 2000,
<http://www.ics.uci.edu/~fielding/pubs/dissertation/ <http://www.ics.uci.edu/~fielding/pubs/dissertation/
fielding_dissertation.pdf>. fielding_dissertation.pdf>.
Appendix A. Change Log Appendix A. Paradigms to Enforce Access Control on Reverse Search in
RDAP
Access control can be implemented according to different paradigms
introducing increasingly stringent rules. The paradigms reported
here in the following leverage the capabilities either supported
natively or provided as extensions by the OpenID Connect [OIDCC]:
o Role-Based Access Control: access rights are granted depending on
roles. Generally, this is done by grouping users into fixed
categories and assigning each category with static grants. A more
dynamic approach can be implemented by using the OpenID Connect
"scope" claim;
o Purpose-Based Access Control: access rules are based on the notion
of purpose which means the intended usage of some data by a user.
It can be implemented by tagging a request with the usage purpose
and making the RDAP server check the compliance between the given
purpose and the control rules applied to data to be returned. The
purpose can be stated within an out-of-band process by setting the
OpenID Connect RDAP specific "purpose" claim as defined in
[draft-ietf-regext-rdap-openid];
o Attribute-Based Access Control: rules to manage access rights are
evaluated and applied according to specific attributes describing
the context within which data are requested. It can be
implemented by setting within an out-of-band process additional
OpenID Connect claims describing the request context and making
the RDAP server check the compliance between the given context and
the control rules applied to data to be returned;
o Time-Based Access Control: data access is allowed for limited time
only. It can be implemented by assigning the users with temporary
credentials linked to access grants whose scope is limited.
Appendix B. Change Log
00: Initial working group version ported from draft-loffredo-regext- 00: Initial working group version ported from draft-loffredo-regext-
rdap-reverse-search-04 rdap-reverse-search-04
01: Updated "Privacy Considerations" section. 01: Updated "Privacy Considerations" section.
02: Revised the text. 02: Revised the text.
03: Refactored the query model. 03: Refactored the query model.
04: Keepalive refresh. 04: Keepalive refresh.
05: Reorganized "Abstract". Corrected "Conventions Used in This 05: Reorganized "Abstract". Corrected "Conventions Used in This
Document" section. Added "RDAP Conformance" section. Changed Document" section. Added "RDAP Conformance" section. Changed
"IANA Considerations" section. Added references to RFC7095 and "IANA Considerations" section. Added references to RFC7095 and
RFC8174. Other minor edits. RFC8174. Other minor edits.
06: Updated "Privacy Considerations", "Security Considerations" and
"Acknowledgements" sections. Added some normative and informative
references. Added Appendix A.
Authors' Addresses Authors' Addresses
Mario Loffredo Mario Loffredo
IIT-CNR/Registro.it IIT-CNR/Registro.it
Via Moruzzi,1 Via Moruzzi,1
Pisa 56124 Pisa 56124
IT IT
Email: mario.loffredo@iit.cnr.it Email: mario.loffredo@iit.cnr.it
URI: http://www.iit.cnr.it URI: http://www.iit.cnr.it
Maurizio Martinelli Maurizio Martinelli
IIT-CNR/Registro.it IIT-CNR/Registro.it
Via Moruzzi,1 Via Moruzzi,1
Pisa 56124 Pisa 56124
IT IT
Email: maurizio.martinelli@iit.cnr.it Email: maurizio.martinelli@iit.cnr.it
URI: http://www.iit.cnr.it URI: http://www.iit.cnr.it
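Review bot: the Role-Based bullet of Appendix A refers to "the OpenID Connect "scope" claim", but in [OIDCC] scope is a parameter of the authorization request rather than a claim carried in the ID Token; suggest "the OpenID Connect scope values" or a short note on where the RDAP server is expected to obtain them, so that the bullet matches the Purpose-Based bullet, which correctly calls "purpose" a claim defined in [draft-ietf-regext-rdap-openid]. The Time-Based bullet could mention that ID Tokens already carry an "exp" claim, which is the natural hook for time-limited grants. Minor wording: "The paradigms reported here in the following leverage" reads better as "The paradigms below leverage", and "assigning each category with static grants" as "assigning static grants to each category".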
 End of changes. 19 change blocks. 
28 lines changed or deleted 93 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/