On Thu, Mar 31, 2022, at 10:36, Mario Loffredo wrote: > Starting an HTTP session when receiving an EPP command other than the > Login command is in .it experience (but I can speak on behalf of .pl > too) very inefficient because you can't immediately lock the HTTP > session to the Registrar.
I disagree. If the transport is HTTPS (and not just HTTP), the server can request the client to send a certificate, exactly as for EPP over TLS. In such case, for *any* HTTP request coming to the server, the server theoretically already knows to which client this pertains as it can consult the certificate given. It can be considered a weak or partial authentication, until the EPP login is successfully executed. -- Patrick Mevzek [email protected] _______________________________________________ regext mailing list [email protected] https://www.ietf.org/mailman/listinfo/regext
