Hi Maarten,
Stateful interactions over HTTP are not only possible but well defined.
HTTP explicitly supports maintaining application state through
standardized mechanisms such as cookies (RFC6265). The ongoing work on
RFC6265bis does not suggest that this model is going away anytime soon.
In addition, the EoH work has already incorporated feedback from the
authors of RFC6265bis.
More importantly, EPP over HTTP has already been deployed in production
for nearly two decades by some registries. In practice, this approach
has proven to be clean, maintainable, and far from the brittle solution
suggested in the previous message.
Could you provide concrete operational scenarios that support the claim
that layering EPP over HTTP would inevitably lead to fragile
implementations?
On the other hand, there are practical scenarios — for example
high-throughput situations such as drop time — where authenticating
every request using HTTP Basic authentication may be less efficient than
leveraging a previously negotiated shared secret such as a session
identifier.
Finally, from a deployment perspective, EPP over HTTP appears
significantly less disruptive for existing registries and registrars
than introducing an entirely new protocol stack such as RPP. If
authentication were to move toward OAuth2/JWT token management rather
than HTTP Basic authentication, the operational and implementation gap
would likely become even larger.
Best,
Mario
On 09/03/2026 15:06, Maarten Wullink wrote:
Hi,
I agree with much of the feedback provided by the OP (Mark); standardizing EPP
over HTTP will force implementers to effectively hack a stateful protocol onto
a stateless transport. EPP relies on persistent sessions for login, command
ordering, and session lifecycle. HTTP provides none of these guarantees.
Attempting to layer state on top of it will inevitably lead to (brittle)
solutions that require additional mechanisms, session management, cookies,
routing, etc., in order to emulate what the current EPP TCP transport already
provides.
In practice, this is unlikely to result in a clean, maintainable solution. It
will almost certainly spawn further WG documents to try to standardize session
management, login flows, and command ordering and more potential issues,
increasing the complexity and scope of EPP and the workload for this WG.
For these reasons, I think the WG should carefully consider whether EPP over
HTTP is a good path forward.
-
Maarten
_______________________________________________
regext mailing list -- [email protected]
To unsubscribe send an email to [email protected]
--
Dott. Mario Loffredo
Senior Technologist
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
Address: Via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web: http://www.iit.cnr.it/mario.loffredo