Re: [Captive-portals] Fixing RFC 7710

Subject: Re: [Captive-portals] Fixing RFC 7710

From: Ólafur Guðmundsson <[email protected]>

Date: Fri, 2 Mar 2018 16:58:57 -0500

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/FhTqWlKvhUITqcY7vYQEGoW9puA>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com

Cc: [email protected], Warren Kumari <[email protected]>, Paul Ebersman <[email protected]>, Steve Sheng <[email protected]>

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=D7sXX8fwC3m94BE7e+NUt8Lx8gbXoMFf1Gn/LPbp20w=; b=s98aXvjpS9WTO5pEd46Xl19iFMY0+YivsQj+YBBVe5A2WXIv2P8tRWYqRpYpAT7nut vR8w/nxXOZhhi20GNGUa/6To9TcL3M9CIrPDV4jbVEZ9O06hVQxWKZXG9585c8FTsGsj 7a+Oa2f3Vxa+/dVTyuwdLpcm9I1GQvJnLn4xE=

In-reply-to: <CABkgnnWJMipRtG-p0EoUXmK3u1c2ab-v4xN3WZfm3XL8s08aZA@mail.gmail.com>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <CABkgnnWJMipRtG-p0EoUXmK3u1c2ab-v4xN3WZfm3XL8s08aZA@mail.gmail.com>

On Thu, Mar 1, 2018 at 10:58 PM, Martin Thomson <[email protected]> wrote:

We've had a number of discussions in the captive portals group about
fixing RFC 7710.

Fixing or make RFC7710 more useful ?

Erik and I would like to propose a plan for that work. We would keep
this to addressing the issues that we have identified thus far.
Namely:

1. The purpose of the URI is not well defined. We would reference the
capport architecture and API documents for that. The group would need
to decide between:
a. point to the API
b. point to a login page

Our (or at least my thought) was in the beginning,

just send the device to the location of the portal, as I hate having connections intercepted.

Then the USER could just see that page and decide what to do.

Now you are taking that basic idea forward to allow a handshake between device and portal ; this is good

Happy to help with that anything that allows [semi/fully]-automated sign-on is great.

2. There isn't a clear way to signal that there is no captive portal
in the network. It has been suggested that we use a special URL -
e.g., urn:ietf:params:capport:unrestricted. Alternatively, we could
privilege the empty string, but that doesn't have as clear a signal of
intent.

This seems to be a standard problem in DHCP i.e. there is no way to issue a denial or list available options

3. RFC 7710 states that the URL SHOULD use an address literal. This
works at odds with the idea of using HTTPS.

If there is a better way then this is the reason to do an RFC7710-bis,

the items above only need to CITE RFC7711, and there could be more than one API proposed/documented.

Is there anyone who is willing to take on this work? We aim to start
and complete this work in <1 meeting cycle, starting in London.

This is a great goal, willing to review

For the authors of RFC 7710, let us know if you have any concerns.

not really, thanks for pushing the idea forward.

Olafur