JSON Responses for the Registration Data Access Protocol (RDAP)
draft-ietf-regext-rfc7483bis-05

Note: This ballot was opened for revision 04 and is now closed.

(Barry Leiba) Yes

(Deborah Brungard) No Objection

(Alissa Cooper) No Objection

Comment (2021-02-16 for -04)
The fact that this document obsoletes RFC 7483 should be indicated in the header, abstract, and introduction.

Roman Danyliw No Objection

Comment (2021-02-14 for -04)
Thank you to Rich Salz for the SECDIR review, and the discussion around it is appreciated.

** Section 3. handle.  Per “This value is a simple string”, is this making a statement about the JSON data type?  I didn’t follow what this clarification added on top of the original text in RFC7483.

** Section 3.  Editorial.
OLD
The "fn" member is required and MUST NOT be null
   according to [RFC6350], where an empty "fn" member MAY be used when
   the contact name does not exist or is redacted.

NEW
The "fn" member is required and MUST NOT be null according to [RFC6350].  An empty "fn" member MAY be used when the contact name does not exist or is redacted.

Benjamin Kaduk No Objection

Comment (2021-02-16 for -04)
Should the errata against RFC 7483 in state "reported" be verified or
otherwise processed before this document gets approved?

My understanding (based on the draft name and shepherd writeup) is that
this document is intended to Obsolete: RFC 7483.  If so, that should be
indicated in the header, abstract, and introduction, as (in my
understanding) the Gen-ART reviewer pointed out.

Thank you for keeping the diff from RFC 7483 minimal -- that made things
very easy to read!  (FWIW, I do consider converting all the links to
the "https" scheme worth the churn; thank you for that as well.)

Some of the examples have gone stale, though (or were inaccurate from
the start), particularly with respect to the cryptographic digests and
algorithms used for DNSSEC.  I do not think that we can in good
conscience publish, in 2021, an Internet Standard that shows RSA/MD5
signatures as an example!  (Specifics in the editorial
section-by-section remarks.)

Also, for Section 1.1, RFC 8174 has an updated BCP 14 boilerplate text to
use.

It's probably worth making a pass through the examples to check for
cases where the handle "XXXX" is being used for distinct entities within
a single example (as that's not really self-consistent).

It may be worth noting in the security considerations that, while these
RDAP responses allow for retrieval of DNSSEC (key) related information,
(AFAICT) the RRSIG DS from the parent zone is not conveyed alongside it.
This means that the DNSSEC keys retrieved by RDAP are disconnected from
their containing PKI, and as such are not generally expected to be
trusted without additional information.  In particular, just the HTTPS
channel protecting the RDAP connection is not expected to be authorized
to certify the validity of the DNSSEC keys.

The rest of my remarks are basically editorial or nit level, and I don't
expect specific responses to them.

Section 3

   Contact information is defined using jCards as described in
   [RFC7095].  The "fn" member is required and MUST NOT be null
   according to [RFC6350], where an empty "fn" member MAY be used when
   the contact name does not exist or is redacted.

(editorial) The way the last sentence is written suggests that [use of
empty "fn" when the name does not exist or is redacted] is a behavior
specified in RFC 6350, but based on text searches in RFC 6350 I suspect
that this statement is actually a clarification new to this document
about how the jCard format is being used.

Section 4.1

Going from 7483 to this document we now say that "rdapConformance" MUST
appear in the topmost JSON object of a response (vs "appears only" in
it).  Is the intent to forbid "rdapConformance" from appearing anywhere
else in addition to the topmost JSON object?  If so, the current text
seems insufficient to me.

Section 4.2

   The following is an example of the link structure:

       {
         "value" : "https://example.com/context_uri",
         "rel" : "self",
         "href" : "https://example.com/target_uri",

I am prone to confusing myself about RFC 8288 links, but it surprised me
that "href" differed from "value" for a relation of type "self".

   The JSON name/values of "rel", "href", "hreflang", "title", "media",
   and "type" correspond to values found in Section 3 of [RFC8288].  The
   "value" JSON value is the context URI as described by [RFC8288].  The
   "value", "rel" and "href" JSON values MUST be specified.  [...]

Looking just at the diff from RFC 7483 makes it seem that we gain a
MUST-level requirement for the "rel" value to be specified, which would
not normally be allowed in a transition to Internet Standard.  However,
it seems that RFC 8288 itself requires the presence of "rel", so this is
not in practice a new requirement, and thus safe.

Section 4.5

I think it's vCard that has a LANGUAGE property; in jCard that would be
the "language" key.

Section 5.1

[I did not attempt to validate that the jCards contained in any of the
examples conform to RFC 7095.]

   and names of organizations and individuals.  Many of the types of
   information that can be represented with jCard have no use in RDAP,
   such as birthdays, anniversaries, and gender.

(nit) I suggest s/no use/little or no use/, just on my instinct of
avoiding absolutes when not needed.  ("Only a Sith deals in absolutes",
right?)

   The following is an elided example of an entity with embedded
   entities.

(nit) I'd suggest "abbreviated" or "condensed" instead of "elided",
which as written would seem to imply that the entire example is omitted.
This applies to more than one instance, but I will only mention it once.

Section 5.3

      -  idnTable -- the name of the Internationalized Domain Name (IDN)
         table of codepoints, such as one listed with the IANA (see IDN
         tables [IANA_IDNTABLES]).

(nit) the definite article "the" in "the [IDN] table of codepoints"
implies that the context should indicate which one we are referring to
(perhaps the one used in the variant names?), but I am failing to tell
from context which table is being indicated.

           "keyTag": 12345,
           "algorithm": 3,
           "digestType": 1,
           "digest": "49FD46E6C4B45C55D4AC"

Could we maybe use SHA-256 for the example instead of the
no-longer-safe-for-general-use SHA-1 (so, digest type 2 instead of 1,
and corresponding digest length)?  [Hmm, the existing SHA-1 example is
20 hex digits, which is only 80 bits, not the full 160-bit SHA-1
output...]
Likewise for the signature algorithm (algorithm 3 is DSA/SHA-1, and
there are lots of stronger alternatives listed at
https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml)

            "flags": 257,
            "protocol": 3,
            "algorithm": 1,
            "publicKey": "AQPJ////4Q==",

Similarly, the key data here indicates the algorithm 1, or RSA/MD5 which
is deprecated.  (The public key is also a laughably small 40-bit
modulus when decoded.  A nice strong Ed25519 key, algorithm 15, would
not expand the example unreasonably in my opinion.)

         "eventAction" : "expiration",
         "eventDate" : "2016-12-31T23:59:59Z",
         "eventActor" : "joe@example.com"

(side note) Perhaps an expiration in the future is more useful as an
example, though it is clearly not wrong to list the expiration event
even when it is in the past.

Section 5.5

   The following is an example of a JSON object representing an autnum.

   {
     "objectClassName" : "autnum",
     "handle" : "XXXX-RIR",
     "startAutnum" : 10,
     "endAutnum" : 15,

IIUC AS numbers 10 through 15 are assigned by ARIN, including AS 11 that
is assigned to Harvard University (last updated 2019-08-12) and appears
to be in current use.  Perhaps the reserved ASN 0 would make for a safer
example?

     [...]
     "links" :
     [
       {
         "value" : "https://example.net/autnum/xxxx",
         "rel" : "self",
         "href" : "https://example.net/autnum/xxxx",
         "type" : "application/rdap+json"

Hmm, my reading of 7482bis suggests that the bit after /autnum/ should
be an actual AS number, not a handle.  But it doesn't seem to give much
guidance on how to represent a block of AS numbers as opposed to a
single one within a block...

   *  type -- a string containing an RIR-specific classification of the
      autnum

(nit) is this the RIR's classification of the number itself, or the
allocation/registration?

Section 10

I think that sometimes we see "-bis" documents that just say "IANA has
updated the registrations made by RFCXXXX to refer to this document",
but I don't particularly mind repeating the registration information in
the now-primary reference document.

Section 10.1

      Published specification: RFC 7483

Presumably we want this updated to the rfc-to-be?

Section 10.2.4

      Description: The entity object instance represents a third party
      through which the registration was conducted (i.e. not the
      registry or registrar).

(nit/side-note) I am pretty sure the RFC Editor is going to add the
comma back after "i.e." (but expect that leaving it for them to do will
cause the right thing to happen).  Perhaps we should ask IANA and the
RFC Editor to get on the same page...

Section 13.1

   The default text encoding for JSON responses in RDAP is UTF-8
   [RFC3629], and all servers and clients MUST support UTF-8.

(I note that UTF-8 preference is one of the things that changed from RFC
7159 to RFC 8259, so this may be redundant now.  I didn't think about it
very hard and don't expect anyone else to, as there's no harm in leaving
it alone.)

Section A.1

   The following is an elided example of a registrant with information
   changed to reflect that of a third party.

   {
     ...
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle" : "XXXX",
         ...
         "roles" : [ "registrant", "administrative" ],
         "status" : [ "proxy", "private", "obscured" ]

(editorial) it might be nice to show a little more, so that we can
contrast "Joe User" with "Anonymizing Proxy Service" (or whatever).

Section A.1

             ["email",
               { "type":"work" },
               "text", "joes_fish_chips_and_domains@example.com"

I wonder if the 'example' TLD might be more apropos for this case (e.g.,
support@joes-fish-chips-domains.example).  (The link might be altered
similarly as well.)

Section D

   DNSSEC provides data integrity for DNS through the digital signing of
   resource records.  [...]

It also provides source authenticity, which is equally important.
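
The DNSSEC points raised in the comment above (a DS digest that is too short for its digest type, DSA/SHA-1 and RSA/MD5 algorithm numbers, a 40-bit RSA modulus) can be checked mechanically. The following Python is an added example, not part of the ballot or of the draft: it walks the dsData and keyData arrays of an RDAP secureDNS object (member names from RFC 7483) and reports those issues. The digest-length table, the weak-algorithm list and the 2048-bit RSA floor are my assumptions taken from the IANA registries and current practice; the RSA key decoding follows RFC 3110.

```python
import base64

# Expected DS digest length in bytes per IANA digest type (1 SHA-1, 2 SHA-256, 4 SHA-384).
DS_DIGEST_LEN = {1: 20, 2: 32, 4: 48}
# Obsolete or weak DNSSEC algorithm numbers: 1 and 3 are the ones the review calls
# out; 5, 6 and 7 are the other SHA-1 based registry entries (my assumption).
WEAK_ALGORITHMS = {1: "RSA/MD5", 3: "DSA/SHA-1", 5: "RSA/SHA-1",
                   6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
RSA_ALGORITHMS = {1, 5, 7, 8, 10}  # publicKey uses the RFC 3110 RSA wire format

def rsa_modulus_bits(public_key_b64):
    """Modulus size in bits of an RFC 3110 encoded RSA DNSKEY public key."""
    raw = base64.b64decode(public_key_b64)
    if not raw:
        return 0
    exp_len, offset = raw[0], 1
    if exp_len == 0:  # long form: a 2-byte exponent length follows
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[offset + exp_len:], "big").bit_length()

def check_secure_dns(secure_dns):
    """Return findings for the dsData/keyData arrays of an RDAP secureDNS object."""
    findings = []
    for ds in secure_dns.get("dsData", []):
        tag, dtype, alg = ds.get("keyTag"), ds.get("digestType"), ds.get("algorithm")
        try:
            actual = len(bytes.fromhex(ds.get("digest", "")))
        except ValueError:
            findings.append(f"DS keyTag {tag}: digest is not valid hex")
            continue
        expected = DS_DIGEST_LEN.get(dtype)
        if expected is None:
            findings.append(f"DS keyTag {tag}: unknown digestType {dtype}")
        elif actual != expected:
            findings.append(f"DS keyTag {tag}: {actual}-byte digest, digestType {dtype} needs {expected}")
        if alg in WEAK_ALGORITHMS:
            findings.append(f"DS keyTag {tag}: weak algorithm {alg} ({WEAK_ALGORITHMS[alg]})")
    for key in secure_dns.get("keyData", []):
        alg = key.get("algorithm")
        if alg in WEAK_ALGORITHMS:
            findings.append(f"DNSKEY: weak algorithm {alg} ({WEAK_ALGORITHMS[alg]})")
        if alg in RSA_ALGORITHMS and (bits := rsa_modulus_bits(key.get("publicKey", ""))) < 2048:
            findings.append(f"DNSKEY: RSA modulus is only {bits} bits")
    return findings

# Constructed sample built from the values quoted in the review above.
SAMPLE_SECURE_DNS = {
    "dsData": [{"keyTag": 12345, "algorithm": 3, "digestType": 1, "digest": "49FD46E6C4B45C55D4AC"}],
    "keyData": [{"flags": 257, "protocol": 3, "algorithm": 1, "publicKey": "AQPJ////4Q=="}],
}
```

Running `check_secure_dns(SAMPLE_SECURE_DNS)` reproduces all four observations from the review: a 10-byte digest where SHA-1 needs 20, DS algorithm 3, DNSKEY algorithm 1, and a 40-bit modulus.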

Erik Kline No Objection

Comment (2021-02-15 for -04)
[[ comments ]]

[ section 5.4 ]

* <picorant>
  It seems a shame that the startAddress/endAddress keys are used with IPv6
  prefixes.  I do wish there could be some cidrBlock key instead.

  Oh well.
  </picorant>


[[ questions ]]

[ section 4.5 ]

* Is there a formal constraint on the format of string values of
  "eventDate"?  If so, is it called out somewhere?

  All the examples are of a very obvious, specific format...but is that
  required?

Murray Kucherawy No Objection

Comment (2021-02-18 for -04)
I concur with Alissa's observation.  This is a "bis" document, after all.

Thanks for Section 11.

Section 10.1 is an update to an existing media type registration, not a new one.  Therefore:

* Shouldn't this become the referenced document?  Or is RFC 7483 still controlling for this registration?
* If the latter, should this section be deleted?
* If the former, should the registration still mention WEIRDS, or should it be updated to REGEXT?

Warren Kumari No Objection

Comment (2021-02-17 for -04)
In a shocking turn of events, and which will likely come as a complete surprise at this point, this should list that it Obsoletes RFC 7483 :-)

Alvaro Retana No Objection

Éric Vyncke No Objection

Comment (2021-02-18 for -04)
Thank you for the work put into this document. Due to lack of time, I only quickly browsed through this document but I appreciate the use of many IPv6 examples.

Please find below some non-blocking COMMENT points (but replies would be appreciated).

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

-- Section 1.1 --
As noticed by others, please use BCP14 template.

-- Section 5.4 --
Please do not use a non-example network as in "https://example.net/ip/2001:c00::/23" but rather "https://example.net/ip/2001:db8::/32"

(Magnus Westerlund) No Objection

Robert Wilton No Objection

Comment (2021-02-15 for -04)
Hi,

Thank you for this update to RFC 7483.

A couple of minor comments:

In section 5.2.  The Nameserver Object Class:  It might be helpful to warn the reader that some lines have been wrapped for display purposes.  E.g. the link value and href.  Alternatively, the approach/tooling from RFC 8792 could be used.

It also wasn't clear to me whether the Appendix "Changes from RFC 7483" was going to be kept - there is no RFC editor note to suggest that it be removed.

Generally, I think that having a short section explaining how an RFC has changed from a previously published version is helpful.  But if this is kept, then I would try and condense this text down to just the list of important changes from RFC 7483.

Regards,
Rob