Security Services for the Registration Data Access Protocol (RDAP)
RFC 7481
Internet Engineering Task Force (IETF)                     S. Hollenbeck
Request for Comments: 7481                                 Verisign Labs
Category: Standards Track                                        N. Kong
ISSN: 2070-1721                                                    CNNIC
                                                              March 2015
Abstract
The Registration Data Access Protocol (RDAP) provides "RESTful" web
services to retrieve registration metadata from Domain Name and
Regional Internet Registries. This document describes information
security services, including access control, authentication,
authorization, availability, data confidentiality, and data integrity
for RDAP.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7481.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Hollenbeck & Kong Standards Track [Page 1]
RFC 7481 RDAP Security Services March 2015
Table of Contents
1. Introduction
2. Conventions Used in This Document
   2.1. Acronyms and Abbreviations
3. Information Security Services and RDAP
   3.1. Access Control
   3.2. Authentication
      3.2.1. Federated Authentication
   3.3. Authorization
   3.4. Availability
   3.5. Data Confidentiality
   3.6. Data Integrity
4. Privacy Threats Associated with Registration Data
5. Security Considerations
6. References
   6.1. Normative References
   6.2. Informative References
Acknowledgements
Authors' Addresses
1. Introduction
The Registration Data Access Protocol (RDAP) is specified in multiple
documents, including "Registration Data Access Protocol (RDAP) Query
Format" [RFC7482], "JSON Responses for the Registration Data Access
Protocol (RDAP)" [RFC7483], and "HTTP Usage in the Registration Data
Access Protocol (RDAP)" [RFC7480].
One goal of RDAP is to provide security services that do not exist in
the WHOIS [RFC3912] protocol, including access control,
authentication, authorization, availability, data confidentiality,
and data integrity. This document describes how each of these
services is achieved by RDAP using features that are available in
other protocol layers. Additional or alternative mechanisms can be
added in the future. Where applicable, informative references to
requirements for a WHOIS replacement service [RFC3707] are noted.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2.1. Acronyms and Abbreviations
DNR: Domain Name Registry
HTTP: Hypertext Transfer Protocol
JSON: JavaScript Object Notation