Security Services for the Registration Data Access Protocol (RDAP)
RFC 7481
part of STD 95

Document: RFC - Internet Standard (March 2015); status changed by status-change-rdap-to-internet-standard
Authors: Scott Hollenbeck, Ning Kong
Last updated: 2021-03-23
RFC stream: Internet Engineering Task Force (IETF)
Additional resources: Mailing list discussion
IESG responsible AD: Pete Resnick
Send notices to: (None)
Internet Engineering Task Force (IETF)                    S. Hollenbeck
Request for Comments: 7481                                Verisign Labs
Category: Standards Track                                       N. Kong
ISSN: 2070-1721                                                   CNNIC
                                                             March 2015

Security Services for the Registration Data Access Protocol (RDAP)

Abstract

The Registration Data Access Protocol (RDAP) provides "RESTful" web services to retrieve registration metadata from Domain Name and Regional Internet Registries. This document describes information security services, including access control, authentication, authorization, availability, data confidentiality, and data integrity for RDAP.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7481.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Hollenbeck & Kong             Standards Track                    [Page 1]
RFC 7481                  RDAP Security Services              March 2015

Table of Contents

1. Introduction
2. Conventions Used in This Document
   2.1. Acronyms and Abbreviations
3. Information Security Services and RDAP
   3.1. Access Control
   3.2. Authentication
        3.2.1. Federated Authentication
   3.3. Authorization
   3.4. Availability
   3.5. Data Confidentiality
   3.6. Data Integrity
4. Privacy Threats Associated with Registration Data
5. Security Considerations
6. References
   6.1. Normative References
   6.2. Informative References
Acknowledgements
Authors' Addresses

1. Introduction

The Registration Data Access Protocol (RDAP) is specified in multiple documents, including "Registration Data Access Protocol (RDAP) Query Format" [RFC7482], "JSON Responses for the Registration Data Access Protocol (RDAP)" [RFC7483], and "HTTP Usage in the Registration Data Access Protocol (RDAP)" [RFC7480]. One goal of RDAP is to provide security services that do not exist in the WHOIS [RFC3912] protocol, including access control, authentication, authorization, availability, data confidentiality, and data integrity. This document describes how each of these services is achieved by RDAP using features that are available in other protocol layers. Additional or alternative mechanisms can be added in the future. Where applicable, informative references to requirements for a WHOIS replacement service [RFC3707] are noted.
2. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.1. Acronyms and Abbreviations

DNR: Domain Name Registry
HTTP: Hypertext Transfer Protocol
JSON: JavaScript Object Notation
RDAP: Registration Data Access Protocol
RIR: Regional Internet Registry
TLS: Transport Layer Security

3. Information Security Services and RDAP

RDAP itself does not include native security services. Instead, RDAP relies on features that are available in other protocol layers to provide needed security services, including access control, authentication, authorization, availability, data confidentiality, and data integrity. A description of each of these security services can be found in "Internet Security Glossary, Version 2" [RFC4949]. No requirements have been identified for other security services.

3.1. Access Control

WHOIS does not include specific features to control access to registration information. As described in the following sections, RDAP includes features to identify, authenticate, and authorize clients, allowing server operators to control access to information based on a client's identity and associated authorizations. Information returned to a client can be clearly marked with a status value (see Section 10.2.2 of [RFC7483]) that identifies the access granted to the client.

3.2. Authentication

This section describes security authentication mechanisms and the need for authorization policies to include them. It describes requirements for the implementations of clients and servers but does not dictate the policies of server operators. For example, a server operator with no policy regarding differentiated or tiered access to data will have no authorization mechanisms and will have no need for any type of authentication.
A server operator with policies on differentiated access will have to define an authorization scheme and will need to follow the specified authentication requirements.

WHOIS does not provide features to identify and authenticate clients. As noted in Section 3.1.4.2 of "Cross Registry Internet Service Protocol (CRISP) Requirements" [RFC3707], there is utility in allowing server operators to offer "varying degrees of access depending on policy and need." Clients have to be identified and authenticated to provide that utility.

RDAP's authentication framework needs to accommodate anonymous access as well as verification of identities using a range of authentication methods and credential services. To that end, RDAP clients and servers MUST implement the authentication framework specified in "Hypertext Transfer Protocol (HTTP/1.1): Authentication" [RFC7235]. The "basic" scheme can be used to send a client's user name and password to a server in plaintext, base64-encoded form. The "digest" scheme can be used to authenticate a client without exposing the client's plaintext password. If the "basic" scheme is used, HTTP over TLS [RFC2818] MUST be used to protect the client's credentials from disclosure while in transit (see Section 3.5).

Servers MUST support either Basic or Digest authentication; they are not required to support both. Clients MUST support both to interoperate with servers that support one or the other. Servers may provide a login page that triggers HTTP authentication. Clients should continue sending the HTTP authentication header once they receive an initial 401 (Unauthorized) response from the HTTP server as long as the path portion of the URL doesn't change.

The Transport Layer Security protocol [RFC5246] includes an optional feature to identify and authenticate clients who possess and present a valid X.509 digital certificate [RFC5280].
Support for this feature is OPTIONAL.

RDAP does not impose any unique server authentication requirements. The server authentication provided by TLS fully addresses the needs of RDAP. In general, transports for RDAP must either provide a TLS-protected transport (e.g., HTTPS) or a mechanism that provides an equivalent level of server authentication.

Work on HTTP authentication methods continues. RDAP is designed to be agile enough to support additional methods as they are defined.

3.2.1. Federated Authentication

The traditional client-server authentication model requires clients to maintain distinct credentials for every RDAP server. This situation can become unwieldy as the number of RDAP servers increases. Federated authentication mechanisms allow clients to use one credential to access multiple RDAP servers and reduce client credential management complexity. RDAP MAY include a federated authentication mechanism that permits a client to access multiple RDAP servers in the same federation with one credential.

Federated authentication mechanisms used by RDAP MUST be fully supported by HTTPS. OAuth, OpenID, Security Assertion Markup Language (SAML), and mechanisms based on Certification Authorities (CAs) are all possible approaches to provide federated authentication. At the time of this document's publication, negotiation or advertisement of federated authentication services is still an undefined mechanism by the noted federated authentication protocols. Developing this mechanism is beyond the scope of this document.

The OAuth authorization framework [RFC6749] describes a method for users to access protected web resources without having to hand out their credentials. Instead, clients are issued access tokens by authorization servers with the permission of the resource owners.
Using OAuth, multiple RDAP servers can form a federation, and the clients can access any server in the same federation by providing one credential registered in any server in that federation. The OAuth authorization framework is designed for use with HTTP and thus can be used with RDAP.

OpenID [OpenID] is a decentralized single sign-on authentication system that allows users to log in at multiple web sites with one ID instead of having to create multiple unique accounts. An end user can freely choose which OpenID provider to use and can preserve their Identifier if they switch OpenID providers.

Note that OAuth and OpenID do not consistently require data confidentiality services to protect interactions among providers and consumers. HTTP over TLS [RFC2818] can be used as needed to provide protection against man-in-the-middle attacks.

SAML 2.0 [SAML] is an XML-based protocol that can be used to implement web-based authentication and authorization services, including single sign-on. It uses security tokens containing assertions to exchange information about an end user between an identity provider and a service provider.

The Transport Layer Security protocol describes the function of a client certificate in Section 7.4.6 of [RFC5246]. Clients who possess and present a valid X.509 digital certificate, issued by a CA, could be identified and authenticated by a server who trusts the corresponding CA. A certificate authentication method can be used to achieve federated authentication in which multiple RDAP servers all trust the same CAs, and then any client with a certificate issued by a trusted CA can access any RDAP server in the federation. This certificate-based mechanism is supported by HTTPS and can be used with RDAP.
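What a client implementing the Section 3.2 requirements has to do, as an added example (not code from RFC 7481 or from any RDAP implementation): parse the WWW-Authenticate challenges from a 401, prefer Digest when it is offered, refuse to send Basic credentials over cleartext HTTP, compute the Digest response, and keep supplying the Authorization header for later requests in the same protection space. The host names and credentials are constructed; the Digest challenge values are the RFC 2617 test vector so the computed response can be checked. Two simplifications are this example's own: "the path portion of the URL" is taken to mean the directory part of the path (the RFC 7235 protection-space convention), and each challenge is assumed to arrive as a separate WWW-Authenticate header value.

```python
"""HTTP Basic/Digest handling for an RDAP client (added example, not RFC 7481 code)."""
import base64
import hashlib
import os
import posixpath
import re
from urllib.parse import urlsplit

# name=value or name="quoted value" pairs inside one challenge
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')
_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# Constructed challenge; realm, nonce and opaque are the RFC 2617 Section 3.5 example values.
RFC2617_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                     'opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def parse_challenge(header_value):
    """Turn one WWW-Authenticate value into (scheme, params); scheme is lower-cased."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM_RE.finditer(rest)}
    return scheme.lower(), params


def choose_scheme(challenges, url):
    """Pick Digest when offered; allow Basic only over HTTPS (Sections 3.2 and 3.5)."""
    offered = dict(parse_challenge(c) for c in challenges)
    if "digest" in offered:
        return "digest", offered["digest"]
    if "basic" in offered:
        if urlsplit(url).scheme != "https":
            raise ValueError("Basic credentials must not be sent over cleartext HTTP")
        return "basic", offered["basic"]
    raise ValueError("server offered no scheme this client supports")


def basic_header(username, password):
    """Basic is only base64 of user:password, which is why TLS is mandatory for it."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def digest_header(username, password, method, url, params, nc=1, cnonce=None):
    """Digest response for one request: qop=auth when offered, else the RFC 2069 form."""
    algorithm = params.get("algorithm", "MD5").upper()
    if algorithm not in _HASHES:
        raise ValueError(f"unsupported Digest algorithm {algorithm}")
    h = lambda s: _HASHES[algorithm](s.encode()).hexdigest()
    split = urlsplit(url)
    uri = (split.path or "/") + (f"?{split.query}" if split.query else "")
    realm, nonce = params["realm"], params["nonce"]
    ha1 = h(f"{username}:{realm}:{password}")      # the password never leaves the client
    ha2 = h(f"{method.upper()}:{uri}")
    qop = "auth" if "auth" in params.get("qop", "").split(",") else None
    parts = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f"algorithm={algorithm}"]
    if qop:
        cnonce = cnonce or os.urandom(8).hex()
        ncv = f"{nc:08x}"
        response = h(f"{ha1}:{nonce}:{ncv}:{cnonce}:{qop}:{ha2}")
        parts += [f"qop={qop}", f"nc={ncv}", f'cnonce="{cnonce}"']
    else:
        response = h(f"{ha1}:{nonce}:{ha2}")
    parts.append(f'response="{response}"')
    if "opaque" in params:
        parts.append(f'opaque="{params["opaque"]}"')
    return "Digest " + ", ".join(parts)


class RdapAuthClient:
    """Remembers which scheme a server demanded for a protection space after a 401
    and keeps supplying credentials for later requests in that space."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self._spaces = {}  # (scheme, host, directory) -> (auth scheme, challenge params)
        self._nc = 0       # Digest nonce count; one counter for all nonces, for brevity

    @staticmethod
    def protection_space(url):
        s = urlsplit(url)
        return s.scheme, s.netloc, posixpath.dirname(s.path or "/")

    def on_unauthorized(self, url, challenges):
        """Call with the WWW-Authenticate values from a 401 response."""
        self._spaces[self.protection_space(url)] = choose_scheme(challenges, url)

    def authorization_for(self, method, url, cnonce=None):
        """Authorization header for this request, or None if no challenge was seen yet."""
        entry = self._spaces.get(self.protection_space(url))
        if entry is None:
            return None
        scheme, params = entry
        if scheme == "basic":
            return basic_header(self.username, self.password)
        self._nc += 1
        return digest_header(self.username, self.password, method, url, params,
                             nc=self._nc, cnonce=cnonce)
```

A production client would also discard the cached scheme when a credentialed request is answered with another 401 (stale nonce, revoked account) and would keep one nonce-count sequence per server nonce; both are left out here so the 401-then-retry flow stays visible.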
3.3. Authorization

WHOIS does not provide services to grant different levels of access to clients based on a client's authenticated identity. As noted in Section 3.1.4.2 of "Cross Registry Internet Service Protocol (CRISP) Requirements" [RFC3707], there is utility in allowing server operators to offer "varying degrees of access depending on policy and need." Access control decisions can be made once a client's identity has been established and authenticated (see Section 3.2).

Server operators MAY offer varying degrees of access depending on policy and need in conjunction with the authentication methods described in Section 3.2. If such varying degrees of access are supported, the RDAP server MUST provide granular access controls (that is, per registration data object) in order to implement authorization policies. Some examples:

- Clients will be allowed access only to data for which they have a relationship.
- Unauthenticated or anonymous access status may not return any contact information.
- Full access may be granted to a special group of authenticated clients.

The type of access allowed by a server will most likely vary from one operator to the next. A description of the response privacy considerations associated with different levels of access can be found in Section 13 of [RFC7483].

3.4. Availability

An RDAP service has to be available to be useful. There are no RDAP-unique requirements to provide availability, but as a general security consideration, a service operator needs to be aware of the issues associated with denial of service. A thorough reading of "Internet Denial-of-Service Considerations" [RFC4732] is advised.

An RDAP service MAY use an HTTP throttling mechanism to limit the number of queries that a single client can send in a given period of time.
If used, the server SHOULD return an HTTP 429 (Too Many Requests) response code as described in "Additional HTTP Status Codes" [RFC6585]. A client that receives a 429 response SHOULD decrease its query rate and honor the Retry-After header field if one is present. Note that this is not a defense against denial-of-service attacks, since a malicious client could ignore the code and continue to send queries at a high rate. A server might use another response code if it did not wish to reveal to a client that rate limiting is the reason for the denial of a reply.

3.5. Data Confidentiality

WHOIS does not provide the ability to protect data from inadvertent disclosure while in transit. RDAP uses HTTP over TLS [RFC2818] to provide that protection by encrypting all traffic sent on the connection between client and server. HTTP over TLS MUST be used to protect all client-server exchanges unless operational constraints make it impossible to meet this requirement.

It is also possible to encrypt discrete objects (such as command path segments and JSON-encoded response objects) at one endpoint, send them to the other endpoint over an unprotected transport protocol, and decrypt the object on receipt. Encryption algorithms as described in "Internet Security Glossary, Version 2" [RFC4949] are commonly used to provide data confidentiality at the object level. There are no current requirements for object-level data confidentiality using encryption. Support for this feature could be added to RDAP in the future.

As noted in Section 3.2, the HTTP "basic" authentication scheme can be used to authenticate a client. When this scheme is used, HTTP over TLS MUST be used to protect the client's credentials from disclosure while in transit.
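The throttling that Section 3.4 above describes, on both sides of the connection, as an added example (not code from RFC 7481 or from any RDAP server): a per-client sliding-window limiter that answers the excess query with 429 and a Retry-After value computed from the window, plus the client-side rule for honouring that header. The limits and client keys are constructed, the clock is injectable so the behaviour can be exercised without waiting, and the use of 403 when the operator does not want to reveal that rate limiting caused the denial is this example's choice rather than anything RDAP specifies.

```python
"""Query throttling with 429 and Retry-After (added example for Section 3.4, not RFC 7481 code)."""
import math
import time
from collections import deque


class QueryThrottle:
    """Sliding-window limiter: at most `limit` queries per `window` seconds per client key.

    A client key would normally be the source address or the authenticated user name.
    With reveal=False the denial is reported as 403 instead of 429 (this example's choice),
    modelling the Section 3.4 note that an operator may prefer not to expose rate limiting.
    """

    def __init__(self, limit, window, clock=time.monotonic, reveal=True):
        self.limit, self.window, self.reveal = limit, window, reveal
        self._clock = clock
        self._hits = {}  # client key -> deque of query timestamps inside the window

    def check(self, client):
        """Return (status, headers) for one incoming query from `client`."""
        now = self._clock()
        hits = self._hits.setdefault(client, deque())
        while hits and hits[0] <= now - self.window:  # forget queries older than the window
            hits.popleft()
        if len(hits) >= self.limit:
            if not self.reveal:
                return 403, {}
            # the oldest counted query leaves the window at hits[0] + window
            retry_after = max(1, math.ceil(hits[0] + self.window - now))
            return 429, {"Retry-After": str(retry_after)}
        hits.append(now)
        return 200, {}


def client_backoff(status, headers, default=5):
    """Seconds a client should wait before its next query: honours Retry-After on 429.

    Only the delay-seconds form of Retry-After is parsed; the HTTP-date form falls back
    to `default`, and the limiter cannot stop a client that ignores the answer.
    """
    if status != 429:
        return 0
    try:
        return max(0, int(headers.get("Retry-After", default)))
    except ValueError:
        return default
```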
If the policy of the server operator requires encryption to protect client-server data exchanges (such as to protect non-public data that cannot be accessed without client identification and authentication), HTTP over TLS MUST be used to protect those exchanges.

A description of privacy threats that can be addressed with confidentiality services can be found in Section 4. Section 10.2.2 of [RFC7483] describes status values that can be used to describe operator actions used to protect response data from disclosure to unauthorized clients.

3.6. Data Integrity

WHOIS does not provide the ability to protect data from modification while in transit. Web services such as RDAP commonly use HTTP over TLS [RFC2818] to provide that protection by using a keyed Message Authentication Code (MAC) to detect changes. It is also possible to sign discrete objects (such as command path segments and JSON-encoded response objects) at one endpoint, send them to the other endpoint over a transport protocol, and validate the signature of the object on receipt. Digital signature algorithms as described in "Internet Security Glossary, Version 2" [RFC4949] are commonly used to provide data integrity at the object level. There are no current requirements for object-level data integrity using digital signatures. Support for this feature could be added to RDAP in the future. The most specific need for this support is to provide assurance that HTTP 30x redirection hints [RFC7231] and response tree results returned from one server are not modified while in transit.

If the policy of the server operator requires message integrity for client-server data exchanges, HTTP over TLS MUST be used to protect those exchanges.

4. Privacy Threats Associated with Registration Data

Registration data has historically included personal data about registrants.
WHOIS services have historically made this information available to the public, creating a privacy risk by revealing the personal details of registrants. WHOIS services have not had the benefit of authentication or access control features to gate access to registration data. As a result of this, proxy and privacy services have arisen to shield the identities of registrants.

The standardization of RDAP does not change or impact the information that operators may require to be collected from registrants, but it provides support for a number of mechanisms that can be used to mitigate privacy threats to registrants should operators choose to use them.

RDAP includes mechanisms that can be used to authenticate clients, allowing servers to support tiered access based on local policy. This means that all registration data need no longer be public, and personal data or information that may be considered more sensitive can have its access restricted to specifically privileged clients.

RDAP data structures allow servers to indicate via status values if data returned to clients has been made private, redacted, obscured, or registered by a proxy. "Private" means that the data is not designated for public consumption. "Redacted" means that some registration data fields are not being made available. "Obscured" means that data has been altered for the purposes of not readily revealing the actual registration information. One option that operators have available to them to reduce privacy risks to registrants is to adopt policies that make use of these status values to restrict the registrant data collected by any or all clients according to the sensitivity of the data, the privileges of the clients, or some other heuristics.

RDAP uses the jCard [RFC7095] standard format for entity representation.
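The per-object, tiered access control of Section 3.3 combined with the status values described in this section, as an added example (not code from RFC 7481 or from any RDAP server): the same entity object is returned in full to privileged clients and to authenticated clients that have a relationship with it, with the postal address cut down to its country and the phone number removed (status "obscured") to other authenticated clients, and with no contact information at all (status "redacted") to anonymous clients. The entity, its handle and the three-tier policy are constructed for the example; which jCard properties count as contact information is an operator policy choice, not something the RDAP specifications fix.

```python
"""Tiered access to one RDAP entity (added example for Sections 3.3 and 4, not RFC 7481 code)."""
import copy
from dataclasses import dataclass, field

# Constructed entity in the RFC 7483 JSON shape with a jCard [RFC7095] contact; not real data.
ENTITY = {
    "objectClassName": "entity",
    "handle": "REG-1234",
    "roles": ["registrant"],
    "status": ["active"],
    "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "Jane Registrant"],
        ["email", {}, "text", "jane@example.invalid"],
        ["tel", {"type": "voice"}, "uri", "tel:+1-555-0100"],
        # adr components: po box, extended, street, locality, region, postal code, country
        ["adr", {}, "text", ["", "", "1 Example Street", "Springfield", "", "00000", "XX"]],
    ]],
}

CONTACT_PROPERTIES = {"email", "tel", "adr"}  # policy choice for this example


@dataclass
class Client:
    """What the server learned about the requester during authentication (Section 3.2)."""
    tier: str                                  # "anonymous", "authenticated" or "privileged"
    related: set = field(default_factory=set)  # entity handles the client has a relationship with


def property_names(entity):
    return [prop[0] for prop in entity["vcardArray"][1]]


def redact_contact(entity):
    """Anonymous tier: drop every contact property and say so with the 'redacted' status."""
    entity["vcardArray"][1] = [p for p in entity["vcardArray"][1] if p[0] not in CONTACT_PROPERTIES]
    entity["status"].append("redacted")


def obscure_contact(entity):
    """Authenticated but unrelated tier: keep email, drop phone, reduce address to country."""
    kept = []
    for prop in entity["vcardArray"][1]:
        if prop[0] == "tel":
            continue
        if prop[0] == "adr":
            prop = ["adr", prop[1], prop[2], ["", "", "", "", "", "", prop[3][6]]]
        kept.append(prop)
    entity["vcardArray"][1] = kept
    entity["status"].append("obscured")


def authorize(entity, client):
    """Per-object access decision: the view of `entity` that `client` is allowed to see."""
    view = copy.deepcopy(entity)  # the stored object itself is never modified
    if client.tier == "privileged":
        return view                       # full access for a special group of clients
    if client.tier == "authenticated":
        if entity["handle"] in client.related:
            return view                   # data the client has a relationship with
        obscure_contact(view)
        return view
    if client.tier == "anonymous":
        redact_contact(view)              # anonymous access returns no contact information
        return view
    raise ValueError(f"unknown client tier {client.tier!r}")
```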
Operators may find that many of the jCard fields are irrelevant for registry operation purposes or that they have no reason to collect information from registrants that would correspond to certain fields. Operators wishing to reduce privacy risks to registrants may restrict which information they collect and/or which fields they populate in responses.

In addition to privacy risks to registrants, there are also potential privacy risks for those who query registration data. For example, the fact that a registry employee performs a particular query may reveal information about the employee's activities that he or she would have preferred to keep private. RDAP supports the use of HTTP over TLS to provide privacy protection for those querying registrant data as well as registrants, unless operational constraints make it impossible to meet this requirement.

5. Security Considerations

One of the goals of RDAP is to provide security services that do not exist in the WHOIS protocol. This document describes the security services provided by RDAP and associated protocol layers, including authentication, authorization, availability, data confidentiality, and data integrity. Non-repudiation services were also considered and ultimately rejected due to a lack of requirements. There are, however, currently deployed WHOIS servers that can return signed responses that provide non-repudiation with proof of origin. RDAP might need to be extended to provide this service in the future.

As an HTTP-based protocol, RDAP is susceptible to code injection attacks. Code injection refers to adding code into a computer system or program to alter the course of execution. There are many types of code injection, including SQL injection, dynamic variable or function injection, include-file injection, shell injection, and HTML-script injection, among others.
Data confidentiality and integrity services provide a measure of defense against man-in-the-middle injection attacks, but vulnerabilities in both client- and server-side software make it possible for injection attacks to succeed. Consistently checking and validating server credentials can help detect man-in-the-middle attacks.

As noted in Section 3.2.1, digital certificates can be used to implement federated authentication. There is a risk of too-promiscuous, or even rogue, CAs being included in the list of trusted CAs that the TLS server sends the client as part of the TLS client-authentication handshake and lending the appearance of trust for certificates signed by those CAs. Periodic monitoring of the list of CAs that RDAP servers trust for client authentication can help reduce this risk.

The Transport Layer Security protocol [RFC5246] includes a null cipher suite that does not encrypt data and thus does not provide data confidentiality. This option MUST NOT be used when data confidentiality services are needed. Additional considerations for secure use of TLS are described in [SECURE-TLS-DTLS].

Data integrity services are sometimes mistakenly associated with directory service operational policy requirements focused on data accuracy. "Accuracy" refers to the truthful association of data elements (such as names, addresses, and telephone numbers) in the context of a particular directory object (such as a domain name). Accuracy requirements are out of scope for this protocol.

Additional security considerations are described in the specifications for HTTP [RFC7231], HTTP Basic and Digest access authentication [RFC7235], HTTP over TLS [RFC2818], and additional HTTP status codes [RFC6585]. Security considerations for federated authentication systems can be found in the OAuth [RFC6749] and OpenID [OpenID] specifications.
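Two of the considerations above in code, as an added example (not code from RFC 7481 or from any RDAP implementation): a server-side domain lookup that pastes the /domain/<name> path segment into SQL next to its hardened form, and a client TLS context that always validates the server certificate and host name, requires TLS 1.2 or later, and excludes the NULL cipher suites. The SQLite table and its rows are constructed stand-ins for a registry database; the LDH-name check is this example's own input validation and does not cover U-label (IDN) queries.

```python
"""Injection-safe lookup and a strict TLS context (added example for Section 5, not RFC 7481 code)."""
import re
import sqlite3
import ssl

# LDH name: labels of 1-63 letters, digits or hyphens, no leading or trailing hyphen;
# A-labels (xn--...) pass, U-labels do not. Total length is checked separately.
LDH_NAME_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?")


def build_demo_db():
    """In-memory stand-in for a registry database (constructed rows, not real registrations)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domain (ldh_name TEXT PRIMARY KEY, handle TEXT, registrant TEXT)")
    conn.executemany("INSERT INTO domain VALUES (?, ?, ?)", [
        ("example.com", "DOM-1", "REG-1234"),
        ("nic.example", "DOM-2", "REG-5678"),
    ])
    return conn


def lookup_domain_vulnerable(conn, name):
    """Deliberately injectable: the path segment from /domain/<name> is pasted into SQL."""
    sql = f"SELECT ldh_name, handle FROM domain WHERE ldh_name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_domain_safe(conn, name):
    """Hardened: reject anything that is not an LDH name, then bind it as a parameter."""
    if len(name) > 253 or not LDH_NAME_RE.fullmatch(name):
        raise ValueError("query segment is not a valid LDH domain name")
    return conn.execute("SELECT ldh_name, handle FROM domain WHERE ldh_name = ?", (name,)).fetchall()


def rdap_client_context():
    """Client TLS settings: certificate and host name always verified (the 'consistently
    checking and validating server credentials' point), TLS 1.2 or later, no NULL suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def has_null_cipher(ctx):
    """True if any enabled suite provides no encryption (the RFC 5246 NULL suites)."""
    return any("NULL" in suite["name"] for suite in ctx.get_ciphers())


def context_is_strict(ctx):
    """The checks a deployment test would run against a context before trusting it."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and not has_null_cipher(ctx))
```

The injection check is worth keeping even with parameter binding: RDAP query segments travel on into other subsystems (logs, back-end lookups, redirect targets), and rejecting anything that is not a well-formed name at the edge removes a whole class of downstream injection cases.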
6. References

6.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000, <http://www.rfc-editor.org/info/rfc2818>.

[RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status Codes", RFC 6585, April 2012, <http://www.rfc-editor.org/info/rfc6585>.

[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, June 2014, <http://www.rfc-editor.org/info/rfc7231>.

[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Authentication", RFC 7235, June 2014, <http://www.rfc-editor.org/info/rfc7235>.

[RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the Registration Data Access Protocol (RDAP)", RFC 7480, March 2015, <http://www.rfc-editor.org/info/rfc7480>.

[RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access Protocol (RDAP) Query Format", RFC 7482, March 2015, <http://www.rfc-editor.org/info/rfc7482>.

[RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the Registration Data Access Protocol (RDAP)", RFC 7483, March 2015, <http://www.rfc-editor.org/info/rfc7483>.

6.2. Informative References

[OpenID] OpenID Foundation, "OpenID Authentication 2.0 - Final", December 2007, <http://specs.openid.net/auth/2.0>.

[RFC3707] Newton, A., "Cross Registry Internet Service Protocol (CRISP) Requirements", RFC 3707, February 2004, <http://www.rfc-editor.org/info/rfc3707>.

[RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, September 2004, <http://www.rfc-editor.org/info/rfc3912>.

[RFC4732] Handley, M., Ed., Rescorla, E., Ed., and IAB, "Internet Denial-of-Service Considerations", RFC 4732, December 2006, <http://www.rfc-editor.org/info/rfc4732>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, August 2007, <http://www.rfc-editor.org/info/rfc4949>.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008, <http://www.rfc-editor.org/info/rfc5280>.

[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012, <http://www.rfc-editor.org/info/rfc6749>.

[RFC7095] Kewisch, P., "jCard: The JSON Format for vCard", RFC 7095, January 2014, <http://www.rfc-editor.org/info/rfc7095>.

[SAML] OASIS, "Security Assertion Markup Language (SAML) v2.0", March 2005, <https://www.oasis-open.org/standards#samlv2.0>.

[SECURE-TLS-DTLS] Sheffer, Y., Holz, R., and P. Saint-Andre, "Recommendations for Secure Use of TLS and DTLS", Work in Progress, draft-ietf-uta-tls-bcp-09, February 2015.

Acknowledgements

The authors would like to acknowledge the following individuals for their contributions to this document: Richard Barnes, Marc Blanchet, Alissa Cooper, Ernie Dainow, Spencer Dawkins, Jean-Philippe Dionne, Byron Ellacott, Stephen Farrell, Tony Hansen, Peter Koch, Murray Kucherawy, Barry Leiba, Andrew Newton, and Linlin Zhou.

Authors' Addresses

Scott Hollenbeck
Verisign Labs
12061 Bluemont Way
Reston, VA 20190
United States

EMail: [email protected]
URI: http://www.verisignlabs.com/

Ning Kong
China Internet Network Information Center
4 South 4th Street, Zhongguancun, Haidian District
Beijing 100190
China

Phone: +86 10 5881 3147
EMail: [email protected]