Hello Scott,
> 1.2: "It can also provide the ability to collect additional user
> identification
> information, and that information can be shared with the consent of the
> user."
> ... Not clear who that information could be shared with.
[SAH] "shared with the RDAP server operator with the consent of the user in
order to help the server operator make access control decisions" is the
intent.
[JS] Got it. Perhaps we can further clarify as above.
> 4.1.1: "An OPTIONAL "userClaims" object that contains the set of claims
> associated with the End-User's identity as used/requested by the RDAP server
> to make access control decisions." ... For consistency with other field
> definitions, should we mention that it is an array of strings?
[SAH] It's not necessarily an array of strings (see the example where the set
of claims includes a URL, for example), so I don't think so. I'd prefer to
leave that description as-is, noting that "The set of possible values is
determined by OP policy".
[JS] Aha, you are right!
> 4.7: "RDAP servers MUST reject queries that include identification information
> that is not associated with a supported OP by returning an HTTP 501 (Not
> Implemented) response." ... Should this not be a 401 (Unauthorized) instead?
> ...
> I know Andy suggested a 400 (Bad Request). :)
[SAH] I prefer 401. "Unauthorized" would imply that an attempt was made to
authorize the user, but that can't be done because the OP isn't supported.
[JS] I think you meant to say 400? :) Yes, that rationale makes sense.
> 4.8: "If a client sends any request that includes an unknown HTTP cookie, the
> server MUST return an HTTP 409 (Conflict) error." ... Should this not be a 401
> (Unauthorized) instead?
[SAH] I think that 400 that Andy suggested is the better response for the same
reason noted above.
[JS] OK.
Thanks,
Jasdip
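The two rejection cases discussed under 4.7 and 4.8 above, as an added example that is not part of the thread or of the draft: a minimal request-validation step for an RDAP server doing federated authentication. It returns 400 (Bad Request) both for identification information that names an OP the server does not support and for a cookie the server did not issue, which is the status the thread converges on (the quoted draft text says 501 and 409 respectively). The query parameter name `id`, the email-style identifier whose domain part names the OP, and the sets `SUPPORTED_OPS` and `ISSUED_COOKIES` are assumptions made for this example, not definitions from the draft.

```python
from http import HTTPStatus
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample policy for this example (not from the draft):
# OPs this server is willing to federate with, and cookie names it issues.
SUPPORTED_OPS = {"op.example.com"}
ISSUED_COOKIES = {"rdap_session"}

# Hypothetical name of the query parameter carrying the End-User identifier.
ID_PARAM = "id"


def op_of(identifier: str) -> Optional[str]:
    """Return the OP named by an email-style identifier (the part after '@'),
    or None when the identifier has no domain part."""
    local, sep, domain = identifier.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def validate_request(url: str, cookies: dict) -> Tuple[int, str]:
    """Decide how the server answers a request before any authorization step.

    Returns (status, reason). 400 is used for both rejection cases because the
    request itself is malformed for this server; 401 would wrongly signal that
    an authentication attempt was made and failed.
    """
    # Case 4.8: a cookie this server never issued is a client-side error.
    unknown = sorted(set(cookies) - ISSUED_COOKIES)
    if unknown:
        return HTTPStatus.BAD_REQUEST, f"unknown cookie: {unknown[0]}"

    query = parse_qs(urlsplit(url).query)
    identifiers = query.get(ID_PARAM, [])

    # Case 4.7: identification information must name a supported OP.
    for identifier in identifiers:
        op = op_of(identifier)
        if op is None:
            return HTTPStatus.BAD_REQUEST, "malformed identifier"
        if op not in SUPPORTED_OPS:
            return HTTPStatus.BAD_REQUEST, f"unsupported OP: {op}"

    # No identification information at all: an unauthenticated query, which is
    # still allowed to proceed (access control happens later).
    return HTTPStatus.OK, "ok"


if __name__ == "__main__":
    # Constructed sample requests exercising each branch.
    print(validate_request("https://rdap.example/domain/example.com", {}))
    print(validate_request(
        "https://rdap.example/domain/example.com?id=alice%40op.example.com", {}))
    print(validate_request(
        "https://rdap.example/domain/example.com?id=alice%40other.example", {}))
    print(validate_request(
        "https://rdap.example/domain/example.com", {"tracker": "x"}))
```

One caveat worth keeping in mind when weighing 401: RFC 7235 requires a 401 response to carry a WWW-Authenticate header naming a challenge the client could answer, and in both cases here there is no such challenge to offer, which is another reason 400 fits better.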
_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext