On Thu, Mar 1, 2018 at 10:58 PM, Martin Thomson <martin.thom...@gmail.com> wrote: > We've had a number of discussions in the captive portals group about > fixing RFC 7710. >
As one of the original authors of RFC 7710, I fully support this! > Erik and I would like to propose a plan for that work. We would keep > this to addressing the issues that we have identified thus far. > Namely: > > 1. The purpose of the URI is not well defined. We would reference the > capport architecture and API documents for that. The group would need > to decide between: > a. point to the API > b. point to a login page > > 2. There isn't a clear way to signal that there is no captive portal > in the network. It has been suggested that we use a special URL - > e.g., urn:ietf:params:capport:unrestricted. Alternatively, we could > privilege the empty string, but that doesn't have as clear a signal of > intent. Oooh, I like the special URL idea -- initially the thought was a combination of: 1: Until this is ubiquitously deployed (ha!), devices will need to do CP heuristics, and so will discover the lack of CP through that. 2: If there is no CP, no-one is likely to include the option. 3: Since the vast majority of networks don't use CPs, is this an undue burden on them? > > 3. RFC 7710 states that the URL SHOULD use an address literal. This > works at odds with the idea of using HTTPS. Yeah, there was a significant amount of discussion on this at the time of the original document -- I can probably dredge it up if needed, but IIRC, it focused around the fact that 1: many clients behind a CP would not have enough working connectivity to be able to do the DNS stuff required to be able to validate the cert, and 2: a lack of clarity on what exactly would be authenticated. I'm at Washington Dulles airport, connect to the IAD_Free_WiFi SSID and get a URL of https://www.your-preferred-internet-provider.com 1: The cert is likely to filled with such guff as: URI:http://cdp.rapidssl.com/RapidSSLRSACA2018.crl CPS: https://www.digicert.com/CPS OCSP - URI:http://status.rapidssl.com CA Issuers - URI:http://cacerts.rapidssl.com/RapidSSLRSACA2018.crt Many clients have static / corporate DNS servers configured -- does the CP operator simply allow any port 53 traffic so that the user can resolve these? If so (fairly obviously), people who want to bypass the CP will simply DNS tunnel all traffic. Also, does the CP operator know which IPs cdp.rapidssl.com and status.rapidssl.com will live behind on e.g Thursday? Or do they need to constantly resolve URLs in the cert and dynamically allow access to OSCP / CRL servers? Or does the CP also need to OSCP stale? 2: How does the client know that your-preferred-internet-provider.com is the identity which *should* be providing Internets? Having the client accept that /might/ give the impression that there is some *reason* to believe this, and was viewed as a usability concern -- training users / developers to make a leap of trust that "you should trust this identity is the right one" was viewed as a dangerous pattern. Somehow this turned into "Just ship http://192.168.1.1/foo and then that, um, someone else's problem" -- before everyone jumps down my throat, I'm not arguing for or against the positions, rather trying to provide some background on how we ended up here. :-P > > Is there anyone who is willing to take on this work? We aim to start > and complete this work in <1 meeting cycle, starting in London. I don't have the time to be the only / primary author, but I'd be more than happy to help co-author (if that would be useful), contribute, review, fold, spindle or mutilate -- whatever would be helpful. > > For the authors of RFC 7710, let us know if you have any concerns. Speaking for myself: Good -- I'd like it if this became more useful - my only concern would be the work *not* being done (I'm obviously perfect in every way, including having the modesty to know my work could be improved upon :-P ) W -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ Captive-portals mailing list Captive-portals@ietf.org https://www.ietf.org/mailman/listinfo/captive-portals