Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / 102 / 16 Jul 2018
Internet Engineering Task Force / 102 / 16 Jul 2018
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: IETF102-REGEXT-20180716-1550

Description

REGEXT meeting session at IETF102
2018/07/16 1550

https://datatracker.ietf.org/meeting/102/proceedings/

A

I'll give you a chance to write your name on me.

B

Thank you.

A

Seriously, no, my computer scientists are always appropriate time. I.

C

Know.

A

This.

D

Okay, thanks very much as I had given a heads up before this is the registration protocols, extensions working group. This is our working session. We have three topics on the agenda. We have two hours. Each has been allocated 40 minutes to go through I want to keep the introductions here.

D

Short I'll only observe myself, I'm James Galvin I'm co-chair with Antoine Gursharan, who you should be able to see up there on the Medeco he's got his picture up there at the top and I see that we have a number of remote participants and and I think that's great I'm gonna turn this meeting over right away to Ryder who's. Gonna kick off. The first topic that he's gonna go through. I will shortly get into the jabber room.

D

Soon, as I get my machine rebooted, it has decided to go crazy here, so I'll simply help you moderate. The discussion keep an eye on the meet echo and the jabber room for people who want to make comments and have them read out and try to help manage the queue as necessary, but otherwise I'm gonna, let Roger and then James you know, take care of their meeting and their discussion themselves as we've done with interim meetings in this working group. Okay, any questions or comments from anyone, the blue sheets are working their way around.

D

Please make sure to sign in find them and, if not Roger, over cubes meeting. Do we need to do note? Well.

D

That's fine I mean, but so Roger.

E

Makes a good point you.

D

Know I mean just to be clear right, as with all ITF work, I'm treating this kind of like an interim meeting, and we haven't made a point actually in our interim meetings of putting the note well up there on the sides. I mean we'll certainly have it tomorrow. When we have our more formal working group meeting and update I, don't know I, don't think I'm breaching any protocol by not putting it up on the screen, but I'll at least point out the folks.

D

Please know well everything you say and do here you know, belongs to the IETF, and you know we do have some rules and procedures about you know what do you say what it means, what can be done with it? Appropriate behavior and code of conduct and you've seen many references to those BCPs and other working groups. You'll see it here tomorrow. Please do make sure to look at those so that we can all be respectful and honorable of what it means to be here. The idea. So, thanks for that Roger and back over to you.

F

Thanks Jim, all right so I'm here to run through registry mapping and hopefully get some conversation going. The last IETF we did this at in March was really good. We had a lot of good discussions so today I'm just going to give a brief overview of what we're talking about just in case there's some new people or some people that fell asleep last time.

F

Whatever reason I'll give a brief overview, then we'll get into some of the discussions that we had left open from the last meeting and then end up with maybe some longer discussions on some of the items they hit the mailing list since then about this. So alright registry mapping is a dream that I think at least one large registrar has that will get registries to promote all of their systems in a consistent way, and what I mean by this is is GoDaddy? Has a 30, 40, page onboarding questionnaire for every registry?

F

So if you have a new TLD starting and GoDaddy is looking to sell that we actually have 30 or 40 pages of 300 plus questions to ask every registry and I mean every registry operator. Just because your registry doesn't mean you're doing the same thing for the next TLD so, and one of the big reasons we do it is is to try to get the same questions out of every configurable option and I'll just bring up the one big one that I've been working on.

F

It's the fee document of okay, the fee document prescribes how to run the fee extension, but it doesn't make explicit statements on the shoulds, the maze and all of that those are options, and what a registrar needs to know is how you have configured your system. Is that a May? If it's a May, you actually implemented it? Then let's know that some of the other big items that we were looking at this for is consistent language.

F

Some registries call different objects by different names, even with the questionnaire that we have. We send it out and someone over your spawn back, yes to something that was supposed to have a name in it or something like that, just because their registry calls it something different.

F

So it's one of the big goals for us as a registrar is to get that naming consistent so that we're all communicating about the same things as well as, hopefully, some discussions around this getting maybe 80% of the configuration of a TLD documented in a consumable fashion, not in an SDK. Some are published on somebody's website that now that we have 200 registries that we had to go find. So those are the big goals for us anyway.

F

I'm sure that the one consistent one from back from the Registry's is not to have to explain this every time, but an easy way to explain it. So.

F

As far as the registry mapping, how I have we've got it started? Is it's broken out into three main sections, really one being the system, the generic system, level kind of things like password rules, things like that connections, any of those kind I'm that are pretty generic to an SRS, and then that also includes the zones and the zone being you know, obviously the the TLD that we are going to try to sell. So how has that zone configure? Are there any special issues with it two ways about zones?

F

You can get a list of zones from VPP and then you can also delve deeper into a byte, specifically identifying its own, that you're interested in and then the third big point I think on the three breakouts is the extendable mechanism of the registry systems to explain all those extensions that everybody's using launch phase MacPhee. All those.

F

Rfc's that everybody uses but has documented somewhere how they're using it- and this extension section actually shouldn't do that automatically saying. Yes, this is how we're using it. This is what you know. This term means for us and it's not an option for this registry, but it is for that registry. So those are the three main big sections of the registry mapping document I, don't know if anybody has any questions or comments.

F

Scott.

G

Scott Hall in that comment, in the spirit of the note well I do need to let folks know that I am aware of intellectual property associated with this particular contribution. Verisign has filed a disclosure of that fact. We have not filed a declaration yet.

F

Thanks God anyone else overview Jim, you want to add anything to the overview, yep yep again quick. If anybody has any questions, feel free to ask me a gym after, if you don't want to ask now so Jim cold, not Jim Gilman. Thank you all right. So, let's move on to discussions that we had coming out of ATF 101 last the spring.

F

There's a question about one of the items in the system: those is in system Jim, the batch names, that's jobs, the name of batch jobs, the zones, okay in the zones yeah, so the name batts jobs for some reason, was maybe a little confusing or not common enough, and maybe looking for a common terminology for batts jobs.

F

I, don't know if anybody has preference here from our standpoint as a register and Jodi can speak up. If he has a difference. Is everybody that we know it's calls it a batch job? So I'm not sure where that comes from.

F

No okay.

F

Again, it's something we can post to the list just to see where that was brought up from otherwise we'll probably continue with vas jobs for it so yeah, one of the big questions, whether the policy extensions again, the policy extensions being the description of how a registry implemented in RFC so for the fie document was this may implemented or not. So that's what the policy extension is.

F

A question came up last time was: should that be built into the original extension RFC, or should that separate right now, because this is a new concept, we think that we're gonna keep it separate and let this thing live for a while before we make suggestions to say. Okay extensions should include this as a new section or whatever so Jim.

E

Yes, Jim: go from Verisign yeah I mirror your comment as well. The fact that including the login security extension I thought about. Well, maybe it might be a good time to put the policy for the log and security extension in there that I really didn't want to tie that extension to this until it pretty much it's matured. In essence, at this point, I think separation. It makes sense until there's implementations of the registry mapping and that it's moving forward then reconsider it.

F

Good yeah I think that's a good idea. I mean let's let this get into the wild and get used before we start making those decisions.

F

One of the questions came up was how to handle future policy definitions and I. Think that what we came down to is, let's, let the future be the future, and let's get this implemented before we start making those big decisions or those open box decisions that we don't know how so questions around bootstrapping. This was actually a fairly long discussion.

F

We had at the last meeting, and maybe it's because Registrar Stephen may had a good side of this, because the goal being we want to automate this as much as possible and it's going to be an EPP. So how do we actually get to that data early enough that it makes sense? So one of the problems that our registrar has is before we bring on a TLD to sell.

F

We have to have a contractor with the registries and to get access to the system, the SRS that contract has to be in place so chicken egg problem here is. We have to have a contract to get access to the definitions of what they have, so the discussion was bootstrapping. How do we do this so that the definitions help the contracting process along? Not the reverse way and in many different ideas came up and simple ideas: simplest I'll just provide the response, output and whatever format on email.

F

However, you want to get it to the registrar's as long as it's in the format, then the registrar's know what they're looking for, if it didn't come across the epp connection, that, from our standpoint, we weren't that concerned about that I don't know if anybody else has concerns about the bootstrapping.

E

The Jim ghoul again so yeah we discussed a little bit related to different models of onboarding, one was kind of more manual. In essence, you would have a structured document in a document somewhere on that way. You might be able to get that ahead of time ahead of the contract. Take that in and load it into your configuration manually, then I would call it like semi automatic. Now, since you might be I have access to OTE, you can dynamically pull it use that and then have what we call 90% of your configuration.

E

You know, transform from what was returned and then fully automatic, which may be an absolute dream, but in essence to be able to pull from the production system dynamically what the Quixote's are and to be able to automatically configure the client-side in, in essence, at least for our systems, our monitors or tools, and that sort of thing drive off of registry mapping to be able to completely automate the configuration.

F

Yeah and some of the issues on the the different topics in the ot1. Typically, a registrar still needs to have a sighing before they get access to OTE. So we still run into that problem. I know that for full transparency, I don't like this idea, but it was brought up last time and it was maybe a rest site that you can actually just hit rest and it'll produce. This back I mean even if it's calling into the SRS on the other side, maybe just you're all out there.

F

That actually does this- that you get access to again I'm, not I, don't like the idea. It's just another point to maintain. We already have an EPP system that we are maintaining, so let's not worry about creating another endpoint that we all have to attach to maintain passwords for make sure it's alive. So the dish wanting to be clear that that was brought up I, just I personally from GoDaddy standpoint, know like that idea. So yep.

D

So Jim Galvin, can you say a little more about why you don't like that idea. I mean we're only talking about the bootstrapping phase right so having a place to go, get it for that purpose seems reasonable. I'll, give you a chance to respond. First, know that and I think that's fair question I think that's kind of what was.

F

Brought up again, it's that would be just a bootstrap mechanism, but that is a maintenance point that now you have to maintain. You're gonna have to get passwords for to get into it. You're gonna have to the registries, will have to have that spot up and running all the time, not just it's, because whenever a registrar's bought on so they're gonna have to maintain a system as forever that responds to that.

D

So Jim going again, I'm, not I, want to be careful to not suggest that I'm actually thinking about doing this, but in thinking about this bootstrapping problem a little bit I mean a couple of things occur to me. One is I certainly appreciate the idea that there, if you, if you have a different place, that you have to go to get this initial mapping, then yeah I mean as a service provider you're now adding yet another thing that you have to maintain and manage, and all of that so that's certainly a point we're thinking about.

D

But the more interesting point here is hearing about questions from other people coming from others. Would this necessarily have to be password protected? Why couldn't it be freely available? I mean in principle. You know about the registries right. Is there a reason why you wouldn't want stuff to be there just curious, yeah.

E

Mr. zoobel go again yeah. How do you another access point? Won't change the security around it. In essence, whether or not you allow anybody access ot any or you provide another portal that has the same information just to know. The protocol doesn't really add all that much to the problem set no solution.

H

Rick will home Barrow sign em as far as having that stuff, just open and out and available with no password. Typically at registries, you've got a signed paperwork about software licenses and things like that. You know sort of it's more than a click through EULA, but um but something that says that the information provided is under various non disclosures and all that other sort of stuff. So it's not like stuff that just posted out on a website publicly.

D

Yeah, so just Jim Gavin's, two quick, closing comment: I mean I, agree with you, Rick I, don't just sort of trying to think through. You know, sort of the maintenance issues or were non issues and whether they really were there and I was questioning whether everything in the mapping really is private or needs to be protected or not and I. Guess it's hard to say, but you're right there could be some particular circumstances where there's something in there.

D

You really don't want to be public unless you're part of it, but in reality it's just the operation of the registry. It should be something which you want people to know about. Maybe that's moving in a different direction. We are today, but just sort of raising that question to see what others think yeah.

H

Rick Wilhelm again um yeah again it's it's not something that once someone is part of that relationship as a registrar with the registry open to be sharing that typically registries are. But it's it's not the sort of thing you like when you post content out on your website. You know at whatever your registry website is, and it's just open for anyone in gen-pop to go see. So that's the only difference. It's part of a part.

E

Of a business relationship.

H

That you have a sorry.

F

Okay, any other comments, questions, okay. Well, let's move on to some of the items that have hit the list. Since this is was done, see published.

F

The registry mapping was published, beginning of June June, 1st, actually and one of the D policy. The first policy extension was published a few days later early June, and we had a few comments on lists.

F

Let's see, let's go through support of the host attribute model in the host element.

F

Today, it's not in there so glad Jim.

E

Yeah, one of the specific elements did not have was not defined as optional. So in essence that the registry did implement the host adder model that they wouldn't be able to use the registry mapping based on it not being optional, so I. Think fundamentally, we just need to look at how we would model it in a host ad or registry I'm, not sure how many host adder registries there are out there.

E

Maybe it would be useful for one of those registries just to take a look and find out whether or not they're able to effectively present their policy.

F

So that's a call for anybody that is doing that. Please hit the mailing list and let us know.

F

One of the bigger big ones, too, was standard statuses, and if, if registry mapping should account for non-standard statuses, specifically some of the ones called out was domain status host status. Should there are registries out there that have statuses that are not in the RFC Jim.

E

Actually, there was a message that came this morning that described just a little bit more and the example was for our GP. In essence, if the only RFC that was referenced was the domain, whether or not it would include the reference to the RTP extension which pretty much our sub statuses off the base domain, so I think there's something that we could take a look at to see whether or not we're covering all the various are seeing for statuses. But I.

E

Don't recommend us, you know open it up to custom statuses that are not fine within the RFC's.

F

Thanks for clarity, Kim.

F

C, no okay for best jobs, getting back to batch jobs in the scheduling format, suggesting to use the Java EE timer expressions, we've got I. Think three. Now Jim three proposed ways to do this: Java Crone. What was the third? Was there a? It was just the two main ones.

E

Yeah in the.

F

Draft right.

E

Now it references I would say as a weak reference to use of cron yeah.

H

I.

E

Have to admit it was it was kind of thrown in late, but yeah. There were two other options put on the list. One was the JAL Machado timer and there was another one from Patrick, so I think we fundamentally just need to look at how to best define a batch schedule, and so, if there's any suggestions or any strong feelings anyway, please weigh in on this yeah.

F

I think we don't really have any strong suggestion on this, and it was you right Jim. It was the ISO 8601 that Patrick mentioned and again I I'm, not sure that as authors, we have any specific direction. We can, you know we'll pick one and just move with it. Unless someone has strong objection to it or a strong need for one of the other ones. So.

F

All right, let's go on to the next topic, then.

F

Placing all of all the information under.

F

One element: the IMP data, so that was suggested that we don't need the extension section that all data should be able to go under just the one element and I. Don't know if you want to talk to that. Jim cuz. That was.

E

Yeah I see that Patrick is on there, so hopefully he'll.

H

Go away and on.

E

This particular item, but the idea as I understand it is that inside the registry object the ability to define all of the elements under that object. So the only question there is that, where were the extensibility plug-in in essence, would the registry object need to define a new extensibility area outside of what I defined in EPP today? So my position was just use? What sensibility is already defined, with an EPP and in the case of my experience with creating the policy extension for the launch phase?

E

That's one example, so that is a extension of a zone and then I have the log and security extension which into creating a login security policy extension that would be an extension of the system. So, if you think about the object model, you have a registry which has a system, and then it contains many zones, and so when you're defining extra attributes, you can define where the extension point is whether it be system or zone so I'm, not really exactly sure. It might be good if Patrick could describe how you would add extensibility to it.

E

If it's on the one element.

F

If Patrick's available and can speak.

F

Okay,.

F

We'll just hope that he gets on the mailing list in response to that question, then if he heard it otherwise well post it back to him all right. The next item was: oh. He not quit so.

D

Patrick did post in the in the jabber here and he says that he will try to post an example later on the mailing list, but basically something like you know: registry object, type equals RFC, 57:31 is the the leading pipe and then inside you would have the opening element and then inside you have all domain policy items. And then you have the closing slash registry object and he just puts that in the in the jabber room and also a place for a type equals quote.

D

You know draft whatever extension and then inside the elements would be policies per M for those so etc. Anyway, he says: he'll post is the mailing list and and fill that out. He also apologizes that he's here, but he can't talk. He can only here.

F

No problem thanks, Patrick all right. The next item that was brought up was deletion of unused objects, hosting contact. It was something that wasn't thought about being in there. It definitely seems like a good idea to add so we'll look at adding that I, don't know. If anybody has comments, it's definitely something that we continually working manually to do things like that, so it'd be nice to get defined.

F

All right.

F

How about separate policies based on which IP stack you using 4 or 6? Does there need to be definitions for each different stack, Jim.

E

Yeah this gym again um so when I was reviewing that comm I was thinking well. Okay, so are their registries out there that really have separate policies based on v6 versus v4, and my request is for those registries that do have separate policies. Please help in trying to capture that in this because for us we don't write so I. Don't want to speak for how to define a policy where I don't know how that policy would is defined. So I believe that Patrick is aware of this I know it's not Patrick I.

E

Think I forget who that was so I. Remember anyways. The point is, please speak up and help out and we're more than willing to accommodate it as long as it makes sense.

F

Thanks Jim No No, maybe I skipped this one I didn't want to think about it, but I skipped the a discussion that was had on a labels. You labels LG ours and if we should be actually being I, don't know more broad and using more specific and using LG ours versus just saying you label a label, support it or not.

F

It seems like that's it's a big thing to take on and I'm, not sure what use we would actually get out of that. I don't know if anybody has comments.

I

On that.

E

Yeah this is Jim Dugan, so I'm thinking about it. The intent was, was to provide a high level description to the client of what the main names are allowed right. So I'm not sure whether or not going into the complexity of LG ours is going to be way too. Heavy wait for this. So if there are registries out there where the attributes don't are cannot be used to reflect what is a valid domain name in the registry that I suggest speaking up and providing some input.

F

Okay, next similar I guess here a discussion on the use of Lok in or, as in some registries, allow both two of each to one of each it do we need to have more than just hey. Lo can't does it need to specify that next level of okay, you can have one in and you can have one Lok or you can have two ents or to Loucks or any comments, suggestions, questions.

E

Yeah, we actually I believe we had like four of them in there right, yeah.

H

It's.

E

Like in low interlope in envelope, and then the example that was brought up on the list was Intracoastal pretty much and I'm not sure. Maybe it's in op, Lok I, don't know, but.

H

The point is.

E

Is that there's only so many combinations that you can have so maybe we just need to add one more and be done with it. That's kind of what I'm thinking.

D

So Jim Calvin I, just what sort of channeling Patrick from that from the jabber room, I missed an earlier comment from his but focusing on this particular issue. He says here: no, you cannot have to in soar to Lopes but see my example on travel in the mailing list. So he gave example about that. Go ahead. Jim.

E

Yeah, you can hello Patrick in here, so it sounded like in the travel example that it was. It is required and loped it's optional, because it was I think all the combinations there. You always had to have an end so that if that covers it, hopefully it does so.

D

I'm watching for coming for him on that, but if we can go back to the LGR thing for a moment, he made a comment here: LDR, if they're not used. Why was the standard built for them? The idea was for them to replace the I ana tables at some point right.

E

I'm just saying that in general, when we're talking about registry domain-name rules of what's valid domain, name versus what code points can be used in a with a specific language or script, is something entirely different, so I'm not sure for onboarding a TLD, whether or not the registrar's need that level of detail on a per script or per language basis. In essence, you want to know whether or not ideas can be supported or whether that you can provide a utf-8 domain name or just a pure ASCII.

E

Those are the kind of rules that I think makes sense for registrar, onboarding, I'm, not sure whether or not though the LGR is needed.

F

You know this record and I'll just add: the L GRS are useful, I, don't think they're useful in this context. Does that make sense? Hopefully yeah.

D

And I guess what I'm? What I'm wrestling with in my own mind is you know, registries I feel like there's a distinction to be made here between DT, LDS and cctlds. You know, because in the gTLD world we do all tend towards wanting to do things in a similar in uniform way and in managing all of that, and the problem is see CTL.

D

These are just you know, they're out there in the wild, if you will and I'm just sort of thinking through in my mind, gee I want to be careful here that we don't obligate things that you know exclude those things exclude the operation of cctlds and make things awkward, probably not making much sense here on my point, I worry as a service provider that supports both that I can't have a specification here. That's gonna make it hard for me to support both sets of customers. That's all Rick.

H

Will haunt Verisign don't the LG ARS generate IDN tables, but so it seems like more of a meta tool than something you'd be using at this point in technology stack. If you will right yeah.

D

Yeah I had that too so and one other thing just going back a bit. Actually a patrick made a high-level comment here in the jabber room to fall out, which are also a fair comment. He says here you cannot expect all registries to be there or hear about this workgroup. So we will miss cases and I think that's kind of important.

D

We suffer from that anyway, in terminal in this group and I think we're aware of it, but I think it's worth calling that out, but he might chair hat on for a moment, is just reminding ourselves that we are a fairly small, unfortunately self-selected group huh for better or for worse and we're trying to do our part here to represent a broader community, but it ain't gonna be perfect.

D

Yeah.

H

Humber, it's not yet true in a fair point, but there is a good cross-section of the various you know. I can boring it in other groups. You know like contrary to party house, tech, ops and, and things like that, so there's a very good cross-section there we do try. He.

D

Had one, let's comment down here: l GRI, Ana tables, Patrick says yes, but not completely. There are things that you cannot encode in current I, ana tables.

F

Okay, I think to go wrong with Patrick's comment that you read right before that one nah I think way completely agreeing. It was my last thing: I was going to hit everybody up for was more participation, especially on the registry side.

F

Everybody knows how those are so and you can take GoDaddy's document and I can send it to whoever wants it and realize how how big of an impact it is to us, but from a registry standpoint I think we would like to see more registries involved in this definition.

F

Just like that see if we miss anything or something that can be, you know accounted for. So thanks Patrick for plugging that early. For me, um let's move on.

D

All right so two.

F

Quick.

D

But I'm checked so maybe only just one more item um just to be fair to everybody. We have any other time left over. We can certainly come back nope.

F

No problem at all, and then there was a few just a few quick ones here, because the agreement on general agreement on one RFP, which one is it domain 5050 371 domain, one states that domain all, as is valid for a resetting auth info code, something we didn't catch in the registry mapping. Something definitely we're going to add into there how to handle that. So moving back to.

F

Registries that are handling IDs, specifically contact IDs outside of 57:33, independently I, should say not necessarily outside, but there's some registries out there that don't use a passed in contact ID and create one on their own, and it was suggested that that may be an option.

F

Discussions are you know if it's not RFC compliant? We don't necessarily want to try to do those things, but if anybody has you know good arguments for it, I guess we'll have to look at it and see what if that makes sense or not so Jim.

E

Yeah, this is a slippery slope. I just want to tell you I mean you have registries modifying the XML schemas doing things that aren't according to the RFC and then you have a like a policy extension that is meant to define how it works and then, in essence, if it's not RFC compliant, can we really put through a standards track extension that would pretty much demonstrate violation of the RFC s right to me? That's just not a good thing to do.

F

Okay, one last one since I went quick, long end policies, there's been a draft published, you did publish that right, Jim, the login securities yeah draft and there's a discussion of what what pieces of that actually fit in maybe more of the system level of the registry, mapping and I think we're gonna have to take a look at that and see what makes sense to be and then the extension verses into the registry mapping. So definitely something we're gonna look at and see how that fits. So that was less comment. Jim cut something.

E

You know I'll just add to that so yeah I've already have a makeup of the login security policy extension so yeah we can move in some of those elements into the base. If, if that makes sense,.

F

Okay and I would just say again: please jump on board registries. Registrar's I mean I, definitely bring this up at Tech Ops and see if we can get more involvement from the people that don't attend these meetings regularly, and hopefully we can and thank you for any questions. Let us know just.

D

A couple of closing comments from Patrick just to read out here so about contact, IDs I, agree in the technical aspect, meaning not grandfathering variations, but then the other side. If any small thing it is not possible to encode in this new extension registries will not use it and you are back to the 40 pages of Excel spreadsheet, if any all think I'm not there's more missing in their small registries, not sure, and then he says, the question is really which registries want to deploy this extension. Any small thing cannot be encoded.

D

Okay, but on the other hand, if any small thing cannot be encoded in this new extension registries will not use it and you're back to the 40 pages of Excel spreadsheet. So the really important question is which registries want to deploy this extension. It would be better to see a lot or many of them do it, but at the barriers too high, no one will so I'm, not sure, really how we would answer that question. But that's an interesting question to ask. Yes,.

E

Since you know, there's an opportunity for these registries to create their own extensions as well. So if there is someone off sort of thing that somebody does, you can create an extension to communicate that to their registers. The point is: is that by pulling in something that is a went off into the base in essence that the base will get very complex, very quickly right.

D

So maybe maybe the thing to do is to take onboard a comment. We add some some clarity on this point in the document where we tell people you know this is explicitly call out. This is the base line. This is the standard if you need a deviation for whatever reason you know, go off and add your own and maybe that's a better way to deal with it.

H

Yeah Rick will embarrass on another thing: that's interesting is that adds registries start and evolve and grow. Sometimes there are people at them that do things that they don't really realize the side effects or the impacts of that which they are doing, and so, therefore, if there is a mechanism by which those sorts of things can get called out of, saying, look those don't fit into these buckets. That is the general consensus and therefore you have to go in to an extension mechanism.

H

Sometimes it can help also reduce the gratuitous variability that can sometimes creep in just because folks unwittingly, don't know what the norms are so.

D

I agree with you Rick I'm laughing up here, where you're talking more because there are people who do it because they don't really care but facilitating something better and just for the record, you know Patrick says in the Tavor room to that. He agrees with the suggestion that I was making about as long as it's possible to easily extend. You know then, and we should just clarify that that's all okay.

F

And I just like to say in this registry mapping we're not wanting we're not expecting it to be a hundred percent. You know if we can get that forty page document down to two pages or a phone call, instead of the six plus weeks that it takes today, it would be a much better process.

D

Okay, so with that we'll move over to James Gould, if you want to come up- and you can stand in the pink box if you like- or you can sit at the table here,.

J

Yep.

D

And actually, if you sit at the table, then you can move your slide so yourself here on the screen there, and that would be good too.

E

Yeah, so actually, we've had a lot of discussion on this today and what this is talking about is the unhandled namespaces scroll down huh yeah so where this originated from, as we were going through. The working group last call on the change poll extension and Martin Casanova brought up a really good point, where I really didn't have a good answer to just be honest with you, I didn't think about it.

E

The fact the matter is that, if you're creating a new extension that finds a new poll message and if the client logs in and their login services, don't support that extension. What should the server do right?

E

In essence, since it's a poll Q and it's a top message on the Q, do you not allow them to consume that message, because they're not going to support it or in essence, would you return it independent of their login services? That's where it comes down to right, so the discussion went towards really. What is the purpose of the greeting and login services in the base, EPP RFC and the end result for the change poll extension is that this is not unique to change.

E

Pool extension, this exists in other extensions as well, and so we wanted to have a broader discussion around this problem and not hold up to change, pool extension because of this. So as a working group, you really have three options. One is we agree that there is no problem with the server returning back services that are not included in the login services of the client. In essence, you don't have to do anything.

E

The second is, we agree, there's a problem, but it's not a big enough problem for us to come up with a common solution and then the third is, you know, there's a problem and we should fix it. So let's come up with some common approach to address it. You just okay, so let me do is they're going to jump into the language in the RFC's, because this is what we're kind of living by here.

E

So if you look at the definition of the epp, greeting pretty much, it says identifies the services supported by the server. That's pretty basic. If you look at the login services for the client, it identifies the object. You are eyes being managed during the session and it may contain the extension of your eyes that may that would be used during the session right now. It doesn't say that you can't include other things, but I think that's kind of implied, so in essence it the server saying this is what I support and the client says.

E

This is what I support. How strongly do we enforce that? So really what it comes down to is that should the server accept objects or extensions provided by a client that is not included in the serve and the greeting services, an example of this would be what if the client sends an extension to a domain command, that's not included in the green services. I can tell you from our perspective. We would fail it right and there's an error code to represent that today, but there may be registries out there. That would ignore it.

E

That may be valid as well, but if you interpret the definition within the RFC what should occur and then, if you look at the last one, should the server return objects or extensions to the client that are not included in the login services.

E

So what to do is I'm going to jump down here and I had said that there are other extensions that that have this same issue. We cover the change poll. There's a poll message in the launch page. There's a poll message in the key relay right: there's been discussion around the DNS SEC extension as well. There's language in that RFC associated with transitioning from Venus equiano to 1.1.

E

There's language in the registry fee extension related to whether what to do if the client does not support the registry fee extension and there's also language within the bundling extension. So the point is is that this is not unique to the change poll. It's not unique to poll messaging and there's been discussion even today, related to the desire for clients potentially to get information to know that before they mean they may not even support it.

E

So we're going to do here is going to pop down to revisiting these options, and I really want to hear from you on this. So the first option is that there's no problem in essence, the RFC supports servers returning back services that are not included in the login services of the client. The other is there is a problem, but it's just not important enough. Nobody has really gotten hurt from this and then the third is it's a problem. We should come up with a solution for it. So are there any opinions on this.

G

Scot Hollenbeck here so Jimmer when you first started, you asked about intent at least I heard that word mentioned, and as the guy that wrote that text I can tell you what the intent was. This is intended to be handshake right where the server says I do these things. The expectation would be that the client would then come back and say that's great. You do those things.

G

I wish to take advantage of either this subset of those things or the entire set all right, and so it's kind of similar to the server saying: hey, I, speak English in French the clients saying I, speak English and German. Well. If the client then tries to talk to the server in German, the server doesn't understand that right and generally you're not going to get a response.

G

So in the case here, I think well, III think there would be a problem if the server says I do XY and Z or Zed I'm. Sorry we're in Canada and if the client says I do you know X, Y, Z and a well at that point the server should say: well, that's great I! Don't do a so we aren't going to have a session.

E

And actually, let me jump in on that Scott. So some of the scenario, as well as the fact that if the client specified a subset or what the server provides and the server must return back, something that the client does not support what should occur. Yeah.

G

Interesting scenario there again I was originally thinking when I did. This was if, for example, the if the client said well, hey, look I, don't do contacts, for example. Let's just take an extreme example right.

G

My thought there was that the server would then not attempt to push contacts on to the client right, because the client has already told you hey I, don't speak that language I, don't understand it, so don't give me something: I can't consume now. This gets a little bit more interesting when you're talking about extensions, but but having said that, I think in that that was the spirit.

G

Initially right, it's a it's a handshake, it's a negotiation where you, you know I do this I do that and the idea was that a successful login would mean we have agreement on the set of services that we both understand and consume, and.

E

Both should honor that, yes,.

K

Hi this is Alicia, um yes, I'm, not actually sure that this is a problem at all, and so at our registry we have I posted.

L

On the mailing list, this.

K

Product, just you know so I'm for the benefit of everybody in the room. We have basically registrar's who fall into two categories. One is we never Paul, just not care and the other group is we pull, but we don't care. What's in the message we just throw it away so.

K

The very few that actually care about the messages they are able to validate these messages and they support all the extensions and we don't have a problem and I'm not really sure that the registrar's that actually do validating will have a problem because they, you know they doing this, but on purpose they have thought about all this and not just you know all we do a P P because we have to so I.

K

Don't really I'm, not really sure that we need. There is a problem we need to fix.

E

Well, I think that what's interesting is that if Paul messaging is being used more, for example, change poll I can see a lot of uses for that particular extension. Also, if there's more useful information in the pool, cue.

K

All right, I'm totally with you, I'm. I think that these messages are really important and just saying that our registrar's don't agree with this view. So I have registrar's who ignore Paul messages, but will do domain and contact info for all their objects several times a month.

K

Why.

I

That is.

K

A good idea, X, is beyond me, but what can I say? Let.

E

Me ask you from a protocol perspective, what do you think do you think there's a problem from protocol perspective.

K

Independent.

E

Of what the registers are actually doing today, yes,.

K

Of course I mean of course I mean so you may.

H

Be you may be like you know,.

K

It's called scepter I. Think the wording in the RFC is quite sure that the that this, that the login and greeting are a kind of negotiation about what are we going to use, and so so.

E

You are like number, two said where you feel you may be. There may be a problem, but it's not important not to fix yeah. So fair, yes, okay, cool.

F

This writer and I guess I'll have to kind of agree with that. I mean I, think that there's probably technically our problem or could be a problem, but as a registrar that does process these, we don't have a problem if things got on there that weren't supposed to be there, because we have code that handles that. So I think I had another point and I'm trying to remember what it was now.

F

Outside of poll messages, though, is just a problem. Well,.

E

On the list it was communicated such like, for example, I think it was Patrick that was saying well if the DNS extension was not including the login services and the domain was Dean ASEC enabled. Should the registry returned back, the extension and I would say no that's based on the protocol? No, but they may did there's language in there related to transition between the earlier version of the Deena sec extension and the newer one.

E

But there's no explicit language, because it's kind of assumed, based on the base RFC's, that the server should not return services that the client owns doesn't support.

E

So we got two votes for three I'm, not sure what Scott is but I'm. Assuming he's three.

G

Scot Hollenbeck no I, wouldn't say that I I tend to fall into the camp of you know. If you get something that you don't understand, that's not a reason to go. Kaboom right and I, see, I, see, I, see one place where implementations might not agree with that I mean if you're doing a you know, schema validation, for example, and if your code is implemented in such a way that you get something that you don't account for and your schema validator goes kaboom. You know that might be enough to bring you down. I think.

G

If that, if it happens, that's a bad implementation. You know you should write your code in such a way that you know that type of a data formatting or data consistency, error, gets caught and is addressed appropriately, so I think I tend to fall more into the the camp to arbitrate camp number two here and that what we might want to consider doing is simply writing some text some place. That gives guidance to implementers that you know. If this is the situation in which you find yourself right, don't don't go kaboom.

G

You know follow the Postell principle right be now. I might have this backwards. You know liberal in what you accept conservative and what you send right. Just.

E

That's interesting I come from a different perspective and it might be because I'm one of the primary authors of a client-side SDK that does happen to validate so in thinking through the basic assumption. I know the assumptions a bad word, but in essence was that the server's would honor the login services.

E

So therefore, for example, in the client, it will merge all of the supported services with what its returning the green to ensure that not more services are returned back in the login services and in fact it if all sudden the server starts returning things that that that's not supported, then it will go. Kaboom, mm-hm I know for a fact that a little bit kaboom and there might be other clients I may go kaboom.

E

So if you can't rely on the server's honoring, what's in.

G

The protocol then yes, yeah and truthfully, you know there might be a distinction here between what we expect from servers and what we expect from clients right. So that might be something to consider as well right. You.

D

Want to go back, yeah Jim can I go back to something that you commented on early up here.

D

So I think this is that you were what happens if yeah, if the, if the client starts consuming things that it's not supposed to and I want to just sort of understand that statement a little bit. So if it's consuming things it's not supposed to, is that because the server is giving it to it? Yes,.

E

Right.

D

So.

E

It was like.

D

That it's not supposed.

E

To is the fact that it's receiving things that it won't is not expecting right.

E

Answers returning more than it said, it's supported right right.

D

But what it means is, it would stay in the queue it would just sit there because it's never asked for it. Then it sits there in the queue I mean that's the alternative right. If you're gonna do a strict adherence to what we think actually.

E

I cover that in a later slide, we'll cover through okay, some.

C

Of those and.

E

Cover this one, just from my experience in doing client-side SDK, if option wanted so.

D

Let me just add a message from Patrick to read out from the queue and you could take this on board to real life experience. He says registries happen to send messages not conforming to their own extension. Xml schema sad, but it exists. I can't.

E

Do much about that one all right! That's.

D

The other guy right, it's.

E

Not me all right, so anyways the if we went with option one or two: these are the side effects for potential or potential client issues. The first is and Scott pointed out. If you have a validating XML parser, it will go kaboom. It will not find the schema based on a URI and it will fail. Then you have a Poisson pull message right now. The client could disable the XML schema, validation and our client-side SDK allows for that. Then it'll get to the next one.

E

So next one is that typically clients aren't using Dom directly right. They are going to marshal it to domain specific objects and then that's where I'll go kaboom at that point. So generally will one of happens. That will be a factory per namespace it won't. It will look for the factory won't find it in a local boom.

E

Now the client-side software could make a decision I'm going to ignore that right, I'm gonna see I didn't find a factory I'm just going to allow to go through, but then you may have downstream impacts on not fully providing the information through that layer. So I.

E

My main concern is that the foundation itself is not solid and, if all of a sudden were accepting the fact that the service can return, this information that the clients need to do defensive programming, you can't prot, you have to account for this right, so all right, so what I'm gonna do is I'm. Gonna jump no go ahead.

E

This is.

K

Alice again, I totally agree with the technical problem here, but how often times really client on board at registry and not on border dissensions, I.

K

Don't know sure, that's I think that is just a problem that is not really there. So.

D

Jeff Gallen I mean I, guess, building on that and kind of agreeing with you, I actually don't know for sure what we do in our ot any environment. One of the things that occurred to me as well- well, gee, you know I mean we would put an example of all the poll messages out there and they should be doing that and in OTE right shouldn't, they I mean I, actually, don't know for certain we do. I would presume that we do so I agree with you. In that sense, this should never happen.

D

I mean unless, as a as a register, you're really not doing your job. I don't know, but.

E

Isn't that you know from a protocol perspective, there's no good answer to this. Somebody throws it out there and, in essence, as a good server. What should the server do right, I.

K

Agree on the protocol perspective, but in the end I mean we all have only limited time in this life, so it should.

E

Be invested.

K

In this problem that only exists for very very few cases and.

D

I will channel Martin cousin over here in the in the chat room. He says that I, don't think creating a poisons message is a good option. Only alternative I see is to not send any extension, an old message that was not specified at all. You know. Both message of both cases are heed for registrar's, but um yeah anyway.

E

Well well, this is what if there was interest in option three and to come up with a common solution, these were the four items discussed on the list. The first one is really not an option just want to point out, but just to complete it serve returns, an error that will create a poison message. The second one is that you would create a specific extension of an unsupported extension which is kind of a chicken in the egg, so create an extension to say that you don't support an extension yeah.

E

Okay, number three was the first I would say real option presented, which was to leverage the message. Queue message element to include the namespaces that are not supported. We've been asked, since you would filter them. You would put the namespace in the message, queue message element and then that way, it's protocol compliant and the clients received the information. That's what what's not supported the issue with this one is the fact that that element is meant for human, readable messages and not machine personal, and then Martin came up with a great eye.

E

I really like this idea was use the existing EXT value, an element which has two out the two sub elements to it. One is a value and the other is a reason they eat. The value is mmm contains XML and the fact that matters that there can be many of these. So there could be one purl, unsupported namespace, so I'm going to cover these real, quick, we'll go through these. The first one was example of okay, good.

M

Mullah Frieda from naughty registry. Sorry, but I'll, understand the. Why do you say you say that if the server returns an error or this stops the processing of the pork you? Why.

E

Because we're one of happiness that they can't acknowledge it. So if it would turn back an error, they can't get the message ID to acknowledge it. So if it doesn't return back the message itself and you can.

M

Okay,.

E

You.

M

Can kill a message without having previously made the no? The acknowledgment requires message. Id. Yes, it is in the message view element. It is optional. It's also in are.

E

You saying return back an error with the message queue element in it. Yes, they're.

M

Saying every response, both of them a in every response, can include the message queue very.

E

Element.

M

The first message in the polycube you.

E

Are right, you could return back the an error response with the message queue element in there, which includes the message: ID right.

E

Or could you for.

M

These are right.

E

Yeah.

M

For me, it is possible because it is not. It is not written in the in the in the protocol that if you return an error, you cannot include the message view element in the response. Yeah.

E

Because I think was a 1330, no one related to whether or not our messages or not messages necessary.

M

You're saying return, you can you can return an arrow and specify that you can the cue the message anyway, but.

E

You just wouldn't return the energy.

M

We have a realistic case, that is, that the NSA implementation, because we are starting known and we have the nsx neighbor registrar and not dns, actionable registers, and we we are choosing to to remove the dns, a crustacean element from the domain name for response for it, for example, the real problem in the whole message, I think, is that the response can contain only extension element. Only this tension element.

E

So no.

M

I you.

E

Know that I think that's technically feasible to do that. I think that you couldn't return an air with the message queue element in the response: technically, that that would work, I, believe: okay, yes,.

G

Let's cut Hollande back again, so I need to go back as something Jim said a little while ago, generally implementations that follow the protocol are not going to have this problem right. So we have implementations to follow the protocol, implementations that don't. Why do we think that adding elements to the protocol are going to address issues with implementations that aren't implementing the protocol correctly?

G

Well,.

E

I think they, the client, is implementing the protocol correctly right and if the server returns back information to pull queue, that's generated by the server in this instance right that it does not know the services that the client supports when they eventually log in correct. So if you have a change pol based on change to a domain, let's say, and then the client logs in and does not support the change pol extension so their work. The question is: is that what should the server do with that poll message?

E

Alright,.

G

So but this would be something that a protocol conformant implementation does right. I mean.

E

A.

G

Protocol that implements whatever this proposal becomes no.

E

No, the.

G

Point is.

E

Is that this, it's not clear what the what the server should do in essence, if you said that the client doesn't support that extension, so therefore the server should return an error. Okay. So what.

G

Do you think.

E

It should do so.

G

The idea here is provide guidance to server implementers to yes to protect themselves. Yes, okay, and the idea is that if there are server implementers who are not protocol conformant, they are going to continue to be a problem correct, okay, so this would be a partial solution.

G

Well,.

E

This would get them in line if they, if.

G

They decide to implement yes, but we already know they're not implementing the protocol as written. So why would we have any sense that they would do this? Well, we haven't.

E

Discussed the approach that is recommended for them to implement right so.

D

Comment from that regulation and I also.

E

Have some questions that are coming.

D

In from my mind, let's do Patrick first, he says not agree completely. If, on day, X a registry starts to add a new URI to the greeting and the client does not use it and the login is authorized. Hence this extension is not mandatory. Then the client is conforming, but there could still be the problem of the server having a message with a namespace, not understood by the client, which is it, which is good. I mean that what I'm struggling with here when I think about this is maybe to refrain I.

D

Think the point that you are making Scot is: what problem are we solving? Who are we trying to protect here because, as I think what Patrick's going down the path of here is? Yes, implementations change over time.

D

So while you might be completely synchronized when you first roll out at some point, there's an opportunity for registries and registrar's to get a little out of sync here in terms of who supports what and the question is what's the appropriate response, when you run into something that you don't support, I, what I was starting to get to before and then you said, you're gonna come later on was okay.

D

So if I decide as a server, if I decide to hold back the poll messages, because the client didn't want to take them, um what do I really do with them? I'm gonna have to deal with that issue right.

G

And I do believe that 5730 says that the server can purge poll messages after some servers specified period of time, so that can be a local implementation right issue and okay I mean so what I'm thinking there, as you mentioned, German I realize this would complicate things from the server perspective, but if the server is queuing, let's just use that word generically right now poll messages that cannot be consumed by the client when that session is established.

G

If the client basically says I, don't speak that language and they attempt to poll the queue they should not expect to see a message in that queue that they cannot digest right, which means that the server should be filtering the messages that are available based on the successful negotiation of that handshake.

G

Now, indeed, as you said, what that means, that is, that the server may be holding back messages that never get polled, because the client never says I'm willing to accept them, and the logical conclusion of that is that at some point well, there may be valuable information. They're not getting okay, but they've said they don't want it. The expectation should be that the server has every right to purge those messages from the queue at whatever point they feel is appropriate, but.

E

Are you think there would be like a priority queue of some sort where, in essence, let's say that you had a change poll message at the top of queue? Then you had a transfer poll message and that since the client didn't support change poll that the server would go, you had a top one. Let's.

G

Go to the next.

E

One exactly is that the deal, but then at some point what one app happen is that you'd have a set of messages that are not supported by the client, which will send.

G

They're going to sit there and.

E

They.

G

You know, as I said at some point, then the server has to take responsibility for defending itself and if they feel that hey look, you got, you know, 2000 messages you haven't consumed and they've been here for a while I'm gonna wipe off okay. Well, while you're there. So.

E

Let's assume that all messages are left are not supported. What's your return and they do pull request you to come back or return in response to what I pull request they did. Well, you don't have any. Also when we do is you would remove it virtually remove the messages in the queue yep.

E

How would the client know that there are messages in the queue.

G

That they can't consume because they were given that information when they received the greeting from the server the service that look I can process these Qi. This other type of messages now they're not getting an indication that they're actually are in queued messages there, but the assumption is if that extension is supported by the server. The client should expect that they may have messages queued that I'm sorry extension messages queued for that particular extension. Does that.

E

Make sense, yeah I'm just trying to think that it would be some not very transparent, right, there's nothing in the protocol. That would define that you'd, probably be better to say there are actually messages in the queue and return back, an error that you can't get it because you don't support it right.

G

That's also a possibility right. Yes, if they say hey give me what's in the queue instead of saying nothing, it could be like something, but you didn't accept them right. That may actually be more effective and that's a clue. Then maybe I should go back and rethink what I did on the login right. So.

E

Yeah, so in essence, if I jump down, I'm gonna shut down pass to the one, that's the preferred one. So.

D

Well, just to read out while you're scrolling there, what patrick says in the room here agree with James I assume he means you you've been doing most of the talking recently. This is not transparent. The registry can start in queueing new messages with new URI and the Registrar is already in an EPP session.

D

Now you wouldn't know yeah I, I, guess I, don't know what the right answer is here. I mean I, agree, there's a problem and I'm sort of thinking through is. This is a problem that we need to solve or not I, don't know. It depends to some extent what you're actually putting in the queue, and the significance of that is poll messages I think to some extent are I'm.

D

Gonna use a particular term to put a particular spin on it or just informational, so they're not transactional, like PPP is so where you actually have to deal with everything, and in that respect it should be okay to just delete them. But that also means that, as you create extensions for poll messages, you have to be careful that you don't overstate the value of that message, because if you do, then we need a mechanism for dealing with the fact that.

E

Is are in queues not only that you need to deal with what should the server return that we talked about? Yeah, they'll, filtering it and return an error, and you know there's a there's different things that you could choose from I'm, just going to point out, one of them and I think this will work. This is from Martin and in this particular age that doesn't show up there.

E

Kicked it.

E

Other is we got it? Okay just went to sleep all right, so in this example, one of the ideas is the fact that the server can't filter right. In essence, if based on the login services, let's say the change poll, the change poll is not supported. So, instead of returning an error, if it turns back to the message with the message ID, so they can add it and there's one modification on this- is that the fact that the x value element that value M is actually XML.

E

You can include the full block of XML of the unsupported extension in there and the beauty of what's got defined in the XML schema the base RFC's the fact that the parser will not parse that validated. So the idea is the fact that the client truly does not support the change pull message. They can still get the message: it's not going to be in the the appropriate place that would make it go kaboom by the XML, parser it'll be there.

E

They could process it later and if they get this message, that can it's an indication then that they need to fix something on their end right. The idea here is that, and the beauty of this as well is that there is one ext value. That's a list. So therefore, if you had multiple extensions, you could have one per extension, so this is not hard to do. I've actually implemented it in a stub server.

E

I have it I can demo it to you if you'd like, but the idea is the fact that, based on the login services of the client, the server can easily filter these put them in the ext value element and then in essence ensure that we're honoring the client login services.

D

Okay, so Jim Galvin and I guess I'll just speak in comment. I mean I, won't object to this kind of thing, but I think I'm, just gonna go back to the question that great before I mean what problem are we solving and and I? Just you know, I just don't see the value in this I. Don't see myself wanting to do this. You know if the poll messages really are informational. In that sense, the Registrar is: are they going to keep up or they're?

D

Not it's it's on them to do the comparison of the login greeting and and see if there's something there that they are not supporting and take note of that and it's just my responsibility as a as a server to you know not put anything in the poll queue that I think is important. I guess I'm not even sure, quite sure how to say that that is non informational, but I think we do that anyway in the standards process, as we create the poll messages right, so we, but then what you're doing in the process.

E

Is that you're gonna be returning back extensions that are not in or logging services right.

D

Yeah I mean I'm, just gonna delete them if they don't consume them. I'm, eventually just gonna delete them, but you're not gonna return back an error. That's right right, so you are going to return back, but that's right, I'm trying to figure out if there's a problem that I'm solving that benefits me right, I mean that's a bet.

D

It's a problem to the registrar because they're not consuming the messages and they should be I'm trying to decide if this is a problem that I need to solve and I think that's the discussion that we're having here, right and and so far I'm not held that this is a problem that I need to solve as a registry and, to that extent I mean I, don't know that I would I would want to do this or need to do this because it gets back to what Scott was saying earlier, if they're not implementing the standards anyway, who's to say, they're gonna implement this.

D

This is just a sneaky way to get it in there and they're not likely to see it anyway. Although you're saying they, it's.

E

Actually,.

D

I'm, sorry, to be more precise, actually.

E

You right so in essence, you were not following the RFC, if you're returning back there, services that are not, who is they you, the client to the server the server the server? If the server's returning back a change, pull on the clients that they don't support in the login services, they are doing everything according to the RFC. You are not so. The question is: is that part of this.

D

Embrace it relieves me: do it yeah differently, I think the question there is yes, the client is not implementing something that the server is expecting them to write, and so the question now is you know how much do I care about that as a server okay, I mean if I care enough about it, then presumably I'm gonna do something to make sure that all of my registrar's support all of the things that I want them to have, and you know that's that's an external right meta issue. That's going on!

D

That's a whole oat, Eenie kind of thing: I'm, gonna, roll out a new feature, I'm gonna find a way to make sure our all the registrar's know about it as clients know about it as a server but other than that, if you're a client that didn't implement it and I'm giving it to you if you're not interested in consuming it. The question is to me as to how important it is that you consume it.

D

If I want you to consume it, then I should have gone through some kind of process to make sure that you did it, but I. Don't think that doing this is the way I'm gonna make it happen. There should have been something external outside of all of this. To make sure you implemented.

G

It it's got home, but yeah and Jim into your point. If you are publishing the fact that you support a B and C and as part of the log game, the client says I'm only going to do a and B us server can say. Well, that's great get out of here: I'm, not gonna. Let you log in yes, I'm! Sorry! If those of you couldn't see the raspberry I just demonstrated okay and and that's the end of it right, I.

D

Think so you know I so I mean I I. Don't think that this is necessary because I think going back to the thing, maybe there's a problem here but I, don't think the problem needs to be solved in the standard I. Think it's a it's a higher-level problem and and I you know I just think it's not something to do least I haven't been convinced yet I'm open, but he's got some thoughts. Scott.

E

Has a point there that you could fail, the login, yeah I think.

M

I was only doing a proactive.

E

Way to address it, not that it might be fun for the Registrar negates their login rejected and then, if you're not willing to reject the log into some login services, then something like this would be a way to approach it right.

D

Which is why I said I mean just speaking as a registry. I wouldn't object to this. If it existed, but I'll say the other side of which is I, can't imagine that I would implement it because yeah, you know. If I want you to implement it, then I will make sure that you do and otherwise I'll just delete the old messages you know, according to whatever my policy is gonna, be you know I, because just going back to the whole thing, what problem my solving here? What would what benefit am I getting from this anyway?.

D

Other thoughts, anyone else have a view.

F

About what the right thing to do, yeah, let's hear from a registrar, so it sort of be clear, got to you're, saying the RFC states. The registry should not be putting messages in the poll queue for what the client did not ask for you're saying the RFC state, no.

E

It's not the.

F

Pole Q, it is any response right right. Okay, specifically, so, if that's the case, then there is no poisoned records on the queue or else the registry is doing something wrong right. Right.

E

No poison messages.

F

There's not there's nothing that registry, our registrar shouldn't be able to process because they agreed to process it on the queue because you because the registry, the server, is handling it correctly on their side. That's what you're saying right.

D

This could spec to the other. The earlier comment way back in the beginning, about it's not possible for a registrar to consume things that they didn't expect. If the registry is, if the server is doing its job, the Registrar would not be able to consume something it didn't expect, and so you wouldn't have a poison poison bill.

I

Watson from affiliates, so just a purified original problem that you're staying that is direct just straw is not going to understand. Wow this concept, they're, not improving, something that a registry will already define to do. That's.

E

The poor little return to them I mean the perfect example is the changeable message. In essence, the registry made a change of the main name, resulted in a change pool message and then the client logs, and they don't support it. Okay, what do we do so.

I

The fact back to understanding is, if we will, you want to have the Registrar implement something to opt ot, any and stuff. So in this situation, I know this is a problem, because we'll do as much as possible our communication to make sure that registra implemented that and then, if they log in the saying that we haven't done what you told us, and that is not a problem, because we will not create any message that anyone will not consume before we actually communicate that ever.

E

The thing is out of out of out of band communication: that's not a guarantee from a technical perspective that you're not going to be returning things that are not complying with the.

I

Rfc so basically.

E

I'm saying.

I

That we will not return anything that we have not communicate to the register before, and that is not a problem for us myself. It did not know knowing the problem they have, so you don't see that technically you need to do anything since you communicated it in a notice, because the technical solution proposing is to to accommodate people, don't listen to you, okay and and that.

C

Is gossiped area that.

I

Okay, yes,.

E

And just a note it since we were talking about the registry mapping, one of the elements in their zone definition is well not a particular URI is required. Just let you know so in essence, something like change pool would be marked as true. Okay,.

D

And I'm sorry I since I got involved in this conversation, I'ma Gluck t'do the time queue time management here, but we're eating into the last we're down to having only half an hour as opposed to his 40 minutes for Francisco. Are you? Are you done there? You're.

E

Done: okay, alright.

D

It's been an awesome discussion, very good thing, so Francisco is going to come up here and I. Have his slides here. Also I will get them up.

D

And folks remotely it is true that we did just put these up while we were in this room, so you need to. If you don't have them, you can just you can go get them now. I had loaded them up as this meeting got started so Francisco over to you. Thank.

C

You Jim so hello, roan. This francisco is from icon, so I was asked to talk about and potential new stream of work regarding our top search capabilities, and so let me see how this oh, okay, I see. So the current our dub search capabilities as specified in RFC 74 82 I, took the liberty to highlight Oh today. The the items there that I think are of interest for this discussion is one is you can do partial string searching using the asterisk as the sort of the Walker I?

C

Guess too much C or more trail a meet or trailing characters and the another important thing discussion is that he, the way you understand- FCM, maybe I'm wrong here and maybe I would be happy to be corrected. But it seems like if you have multiple query matching parameters. A there is an implicit or to join the the sets.

C

Now on the gTLD side of things. As some of you may know, there is recent developments made using may a pass. May there was a new specification pass for detailed erases and registers regarding the GDP, our compliance and one of the things that that specific specification included was that searchability, which was previously something specified only for web, who is. It is now also required to be over in our the for those that committed to offer that service.

C

Not all the detail is committed to offer that service, but most of them committed to to offer this service, and so, if they are offering that service now the temp spec says they had offered R&R that once our dub becomes unavailable service and as soon as you may know, our dub is something that is coming in the to the Italy spec.

C

There is some work that is happening right now to finalize what we call the the profile, which is a specific set of requirements regarding an are definitely spec and a space, and after that, a I can book acquired implementation of our dub for both Italy racism registrar's. So once that happens and other piece of equipment to be implemented, those races and racers that are offering such ability will have to offer it over. Our dub to a couple other things that come from from the spec regarding sociability. You will find this.

C

This is an aspect of was not including the time spec is referenced by the times back in a sense. Respect for the rest of the the elements that are not highlighted here are in the register remain the 2017 based ready, remain. Second bullet I thing is simple, and it's already called by the core inspectors.

C

The search results are domain names that match the search criteria, so easy to bullet is exact, match capabilities on the following fields: I think it's at match capabilities our ignore an issue and our I'm not sure how we do regarding the the search in on a specific, using a specific fields to search a domain name by looking at the artsy's I forgot, the number 774 82 acres and the it's not clear to me.

C

If they are see only the search parameters that are defined, there are the only ones you can use or if you can use others, but if that, if it's a second, then I, don't know how we have interoperability, but maybe I'm missing something and also a very impartial match capabilities. The term spec.

C

Sorry, the register, women by reference from ten spec I, guess defines a set of fields that need to be supported, which is basically everything and, and we I believe we're currently missing the capability, for example, to do searches on the my names based on an entity that has a role in my name. So, for example, looking the domain names are linked to a domain name by the, because the contact with a specific name has the role of say admin contact.

C

This is by the way, something that the draft by by mario addresses, so that that's interesting to see how that works, and what else and the last part and last bullet is the spec also talks about supporting the need to support search capabilities with the logical operators to join the sets with those three operators and or not like set in my reading of the RFC, is that there is an implicit or- and there is no nothing about an and not in the in the search capabilities.

C

So with that in mind, potential search improvements that may be of interest for italy's and maybe some disabilities, even if they are not, of course, bound by the contract with ICANN. There may still be interested in offering these capabilities, and so maybe we need to add some capabilities for supporting a leading, welker I'm, not sure if that's the correct reading of. If my reading of the the spec is correct, but then the register agreement does not specify where the walcker can can be.

C

My reading of the RFC seems to be that it does imply that it cannot be at the beginning.

C

It can be in the middle and at the end and the another potential searching program will be to support multiple occurrences of the the worker character and t1 will be supporting the the logical operators and or not to join the set based on the search criteria at the client requests of the point, and specifically said what are the telecom operators to be applied to different search criteria and also- and of course, the subject to to my understanding of the the the RCL as I said before, I would like to hear what what you think I mean I understand.

C

There is no explicit definition of what are the search patterns that can be used with each object type search. So perhaps we need to define those so that we can have interoperability in the searches. And finally, this is not really coming from the the temp spec but I sort of remember that I think Scott of maybe others mentioned, and also this may be. Given the the recent discussion about internationalization just before this session.

C

Maybe we need to check that we have proper a covering of the internationalization in regards to search since this these searches could happen in, for example, entity names. Then we're talking about Unicode, so we may need to look into this I'm, certainly not an expert on and not that's. Why I put a question mark? Maybe we need to look at this and not sure about it and I think that's that's! It I had another slide about the the privacy requirements, but I don't think these are really important for these discussions.

C

So I guess I will leave it with this slide.

G

It's got Hollenback folks have heard me say this before, but what's in 74 82 right now is a complete hack and as the guy that wrote that text I am not ashamed at all. To admit that remember this was about that. We have been doing this I think for three years.

G

At the point, this was some of the last stuff that actually made it into the document and I think we were all looking more to just kind of declare a victory and move on, knowing that what was there was a hack and that we would need to get back at it and look at it at some point in the future. I would not be a fan of trying to add text that says hey.

G

We can also put this asterisk at the beginning of a string right now and by the way- and you can also just do logical operators, because we're now moving towards a need for a more general approach to searching- and it's just so happens, I'm a co-author on an individual submission that describes how regular expressions can be used to perform searching in our doubt.

G

Any of you who are familiar with you know: unix-like operating systems understand how regular expressions work and they get us everything there in terms of those first, three bullets and more now, the syntax is a little bit more complicated. You know for the novice who doesn't understand what regular expressions are, but this is where software interfaces can be very helpful right. It's some of the right code that abstracts away some of that complexity and makes it easier for humans to construct search patterns.

G

So I would suggest that anyone who cares you know to think about this. A little bit. Take a look. I think it's I'm, just throwing out some words here: draft fregula fregley, our dap regex. Please go look for that: okay, Oh!

G

The problem with bullet number four is that 74 82 does not give us any type of query paths that let us dig deeper into like the sub-elements of contacts. If there truly is a requirement to be able to do things like searches based on zip code or reverse searches, like you know, hey here's, a contact, ID tell me all the domain names associated with it. We need another specification for that. It's it's just not there, and neither of those are included in that regex draft that I just described a moment ago, internationalization improvements.

G

Definitely this is definitely something we need to think about, and it I mean, maybe not even us, think about it, but like those of you who are in the internationalization review Boff a little while ago, what I was thinking while they were asking for volunteers. Look I'm no expert here, but I'm expert enough to know when I don't know what I'm talking about and when to ask for help.

G

This may be a place where we ask for help and remember now: John cleansin, you know one of the folks that was in that room did help us a bit as we were looking at. You know some of these concepts, the internationalization stuff, that's in 74 82 is largely there with the input of folks like John, Paul, Hoffman, Patrick, falserum and other clue, 'full people, but still, if we need to think about this, we need to leverage that expertise.

H

Coquetry hi brick Wilhelm Verisign. um There was a statement in one of the earlier slides about search requirements being in the temporary specification and my search doesn't no pun intended. My.

H

Ctrl-F now I certainly didn't have enough coffee to handle reg X's this hour of the day, so I don't see anything in the temp spec that requires searching based on all the reading in the temp spec that I've done I've been through it like four hundred thousand five hundred ninety two point seven times so this may be a topic.

C

For or type of discussion rather than here, but I just quickly on the RADS, appendix I, think that's where you will find there is a section regarding search ability that can be says that are the pieces are common if you are doing searches, if you're permitted, cetera.

H

So in it yeah, but there's a statement in the earlier slide that says that the temporary specification requires a bunch of search criteria. 1.2 says that if search capability, where search capabilities are permitted and offered the Registrar, the the provider must ensure that the search is in compliance with applicable privacy laws and only permit searches on data otherwise available to the user, and so there's nothing that talks about binary operators or and/or or what wildcards or anything like that.

H

So they will need to cross up because I, just don't I'm, not saying because the implication here. Sorry, because the implication in the in the slides leading up to this was that oh there's requirements that are coming from a policy body. This is we have to do search ergo. We need to standardize something here, but that's not the I'm stating that that I'm not seeing the policy lever. That's driving that technical standardization.

D

So Jim, Galvin and I guess in response to your Rick I, guess the way that I had interpreted what's there. So this becomes a point of discussion. This is not the right group for this continued discussion is I interpret us to say that if you're currently doing search and who is then you now have to do the same thing in our DAP and they simply added a couple of extra requirements there. But you know that's something to a different interpretation, and this is not the right forum for all of that and I.

D

Think that's where Francisco's coming from in this in, in that temporary specification that if you are already doing it, you have to.

H

Continue to do it yeah! That's it's quite a leap from that statement via 1.2 to the prior slides that we saw that we're citing the temporary spec as a lever, because I don't think that's accurate candidly, okay, but.

D

No I know I understand I.

H

Understand Jim what you're saying yeah right some partially so and.

D

I wanted to put myself in the queue after Andy as an individual, but since I'm trying to watch other things up here, I can't stand there in front of you. Roger.

N

Any new Naren, so we have kind of a form of this in our who is art of US service, which kind of predates our debt, but we still have it and has it every time I've ever seen it used when I look at what people are doing there. It's about data mining people are trying to mine. Our data using these facilities, so I would I would caution that that's maybe one of the avenues that this thing will get abused for not trying to dissuade anyone from working on this by all means.

N

If you think this is a good idea, go ahead and go for it, but you may want to consider also looking at some sort of authentication mechanisms. Scott puppy has a draft on it. That goes along with this. The other thing I would like to say is this is very complex, and so, if this working group is going to proceed with something like this I think that we need to think about some sort of structure where we can do rapid iteration on implementations before trying to get an RFC.

N

The IETF is generally not good at that, but a working group can certainly come up with some process to kind of help with that, because what.

M

You're.

N

Gonna do is you're gonna, have people implement multiple things and you're gonna find out pretty quickly that there was a difference between people, read documents differently and they're going to come up with some very interesting ways of interpreting that and they're not going to be compatible. So you want some rapid iteration when it comes to implementations before trying to get final ink on an RFC.

N

The other thing is I actually would like to see what the privacy considerations are that slide that you didn't want to show us all right thanks. So.

C

It's not that I didn't want this Francisco by the way, but actually you just made it on point for for given the way the common you were making and as you can see here, it says that resource should only include data, that you will that you, as a user, will otherwise have access to, and that also applies to the coding parameters if you're a, for example, search in domain names that are owned by certain but have a certain name as they admin contact for a given domain name.

C

Given the recent changes in in the utility space, anonymous user will not be able to do that because they will otherwise don't have will not have access to that data. Well, I should not say no cases in in many cases, and let's leave it at that. The point is you will only get access to the data that you will otherwise get access to and a you can only use a data for quayne that you, you will otherwise have access to in.

N

Other words, the privacy considerations that apply now but apply it to this right. That's what you're saying yes.

D

Okay,.

D

So um Jim Galvin, no hats, you know I I guess when we started talking about searching I, think had all kinds of things that I wanted to say, but maybe I'll just frame it in the following way, which is I, really want to understand what problem we're solving by doing this I think Andy started to touch on this too. You know.

D

One of the reasons why you you have searching is because people are just trying to get access to things for all kinds of bulk access reasons and and other kind of obscure things and and I just generally have the view that there are better solutions to that problem than providing searching. I've, always thought. So, let's see separating technical discussions from policy discussions, I've always thought that, from a policy point of view, the requirements for searching we're not quite right and without getting into details here.

D

The other side of it is getting back to what Scott and others have said here along the way. You know the searching capabilities, the stuff gets really complicated. I mean I, get that there are tools that help some of this. But you know once you throw internationalization into the mix all kinds of interesting things happen to you when it comes to fuzzy matching. You know when you've got multi code point characters and how you match them or don't match them, and I'm really kind of nervous about all that.

D

So I see us having a lot of discussion about what problem we're solving before we decide what we technically want to propose for searching and I just wanted to put that out there for people to think about I'd rather see us shrink and and bit further constrain. What searching is allowed then tried to expand it personally. Thanks.

F

This Roger and I'll just add not just complicated but resource intensive. When you start searching the amount of resources it takes is insane, but along that to answer Rick's question I didn't catch it, but then I kind of pulled it back. In my mind what francisco said on those list of requirements, number one was in the temp spec and the rest of them were in the contract and it does I think going back to what Jim said it's based on. If you have to do searching, then those rules apply.

F

The one part I didn't get out of that was no registrar's. I've ever been required to do that, and the temp spec doesn't change that. So registrar's still don't have to provide any searching, just exact match. So yeah.

D

If I may just just build on that, that's that's actually a really good point, especially as we move in a new direction here, if maybe our depth with registrar's, we're gonna have an inconsistency here, but that's a policy issue, not a technical issue. So we've got to be careful that separate that discussion in this room, so swatch.

I

Sense implement fillets on Edition under piracy, I think my view. If you have piracy issue you only not only you have to have access right for the data that you can access and you can only to do accept what you're looking for. So my opponent will providing any searching while sort of whatever matching is is violating the piracy, because if you know what you're looking for you should just look for exact match and having any search, meaning that you are just taking into other people piracy.

I

So.

C

This is Francisco Reyes on that River for those interested in in Italy policy. There is four that is, and you probably know already what's on the EPD P that is going to work on reviewing this. This temporary suspect it's probably a good place to trace these issues so that, if you have some concerns about this type of service, I think that's the the right place to where you can feed those. So they can take it into account to limit what can be done in in searches.

D

So and Jim wanting to channel Jody from the jabber room here he said Jody Coker, he says I have concerns with how many domains will be returned if a search is for the street address that is used for privacy, millions of domains would be returned. That will be. That will add to the complication of this implementation and and I think you know now reverting to myself and speaking personally and building on this. This really is the question that I have.

D

What problem are we solving before we get into talking about what kind of searching we think ought to be supported and ought to be? There I really want to step back and ask ourselves what problem are we solving, and what are we trying to achieve here? Because there are just so many issues and with the new privacy requirements it just I'm challenged by trying to imagine how searching is valuable, because if you're really looking for bulk access, there's better ways to do that, we should be talking about something different, not not searching anyway, thanks Scott.

G

Hollenbeck now ignoring the meta question, you just raised Jim, okay, that that's a long topic, but the question of how to control what gets returned. Mari hola, Fredo, Mauricio and I have authored a draft that just that gives clients some capability for requesting that the server you know, sort and page responses.

G

Yeah I mean it's still, not something I'd necessarily want to implement in terms of returning 10 million results back to a client, but the technology certainly exists, and if we are inclined to apply that to solve a particular problem, you know getting back to your. What problem are we solving question? We do have some options to consider.

N

And engineering, so so I just want to clarify the the I can't actually imagine there are legitimate uses to the for this I I can think of a lot of I. Just think that it's also ripe for abuse and that's why I made that comment like I said: if people want to do this, I think they should be allowed to do this, but I think the question. It is a very good, very good thing to ask the question: what exactly are we trying to do here, because there may be better ways?

N

It may actually be that the searching that we're being asked to do isn't the appropriate thing for the problem trying to be solved so I do think it's an important question: I'm not trying to I. Don't I, don't think it's meant as a stalling tactic, but it's like maybe there's a better mechanism so.

D

No their comments or questions. Let me look again in the jabber room here: Dimitri.

L

Just a quick comment: you know when you're first temporary specification, I'm sure everybody knows that the ugly four letters, but you know the the things may roll over time. So we must be ready for you know. What's coming next, because the post temporary the post, gdpr I, can approach to the data and I don't want to bring this up just what just to know that mentally. We should be pretty for that down the road thinking, yeah.

D

No thank you for that. um A comment on that more complete. Let me just see if your you're done. Okay, so maybe we'll come back and close the session here in the large yeah.

D

Even the mention of temporary specification down here and in some of this stuff is, is really a gTLD thing, not a ccTLD thing, and so you know it's interesting that although we try to focus here on technical work, you know policy does come to bear on us and- and we always have to keep that in mind and mention that to ourselves and as Dimitri was just saying, the the data model and things about it, even in the ICANN world that GT of the world is, is subject to some change at this point, as we move through the temporary specification and it's it's moving into a new PDP process, and I can for those that know what it is that'll, you know convert it to a consensus policy.

D

So there's there's a lot of moving parts going on right now, I think what we do need to think about and I guess. Maybe the question is to you Francisco on this particular point here is: are you interested in bringing to this group a desire to to make this a work item talking about searching the work item? And you don't have to answer that right now, because we're gonna have a working group meeting tomorrow and so well.

D

You'll have an opportunity to get the the two minute update on what happened here and and then we can make that and ask of the working group as to whether or not it should be on our list and see what we want to do.

D

Alright, there's no other question about anything. The other guy, James or Roger I mean you had your two presentations, any closing comments from you on on your work or documents Burke right now and anybody else have anything they want to add. Then we'll just declare this particular working session adjourned. I very much appreciate the three guys who came quite prepared and we had a really good discussion. I think that's excellent! Tomorrow we have just a one-hour meeting, but it is a full. You know. Relatively formal working group meeting will walk through status of documents.

D

Talk about next steps where we are are things the Charter and stuff like that, and you know, do our plans for what's to come here in the near term in the long term. So with that have a good night. Everybody see you tomorrow, Oh blue sheets. Where are they I see the one up front, where's the one in the back, just hold it up, please, and if you haven't signed it, please find one: oh I see them now. Okay, thanks very much thanks for the remote attendees.

O

You had.

E

No idea.