Hi Gavin,
please find my comments below.
On 02/03/2022 15:29, Gavin Brown wrote:
Hi Jim and Mario,
On 2 Mar 2022, at 13:01, Gould, James <jgo...@verisign.com> wrote:
Mario,
Thank you for sharing the draft. We implemented EPP/HTTPS in parallel with EPP/TLS a while back for many years. In the end, there were very few registrars that chose to use EPP/HTTPS, so it was shut down. I’m not sure at this point whether there is hunger from the registrars to implement EPP/HTTPS.
At least one registrar (DNSimple) had a go at writing an EPP over HTTPS spec a
few years ago, regrettably it didn't get very far (for which I am partly to
blame):
https://github.com/aeden/epp-over-http
I provided my feedback about that proposal. My main concern was about
the fact that every EPP command required the registrar to be previously
authenticated. It appeared to me inefficient in general and
particularly when a massive amount of requests are sent to the server in
a very short time.
In addition, it didn't seem to me in line with the trend in REST
services to allow for work sessions consequent to a user authentication
phase (see rdap-openid).
I think now is a good time to reassess the appetite for EPP over HTTPS. As we
all move to the cloud, where almost everything uses HTTP as a substrate, it
becomes harder to deploy protocols that aren't based on HTTP in a cloud-native
way, both on the client side and the server side.
From the security point of view, while EPP has a relatively small attack
surface, if you're a registry, you're somewhat limited in terms of the
third-party security services you can deploy to protect it. The same is true of
whois, but at least we know that whois will one day be replaced by RDAP, which
is HTTP based. I look forward to one day putting my entire infrastructure
behind $YOUR_CLOUD_BASED_REVERSE_PROXY_OF_CHOICE - which necessitates retiring
(or at least deprecating) ports 43 and 700.
Thanks a lot for the hint about deploying EPP on a cloud environment.
Both the registries implementing the draft haven't considered this
scenario. I'll include it in section 2 ;-)
Best,
Mario
G.
--
Gavin Brown
Head of Registry Services
CentralNic Group plc (LSE:CNIC)
https://centralnicregistry.com
Cal: http://cnic.link/gbcalendar
CentralNic Group plc is a company registered in England and Wales with company
number 8576358. Registered Offices: Saddlers House, Gutter Lane, London EC2V
6BR.
https://www.centralnic.com
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
--
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web: http://www.iit.cnr.it/mario.loffredo