Re: [Gen-art] Genart last call review of draft-ietf-regext-login-security-05
"Gould, James" <jgould@verisign.com> Tue, 05 November 2019 18:59 UTC
Brian,

Thank you for your review and feedback. My responses are embedded below. I will include updates based on your feedback in draft-ietf-regext-login-security-06 at the conclusion of the last call.

--

JG

James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>

On 11/2/19, 11:49 PM, "Brian Carpenter via Datatracker" <noreply@ietf.org> wrote:

> Reviewer: Brian Carpenter
> Review result: Ready with Issues
>
> Gen-ART Last Call review of draft-ietf-regext-login-security-05
>
> I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more information, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Document: draft-ietf-regext-login-security-05.txt
> Reviewer: Brian Carpenter
> Review Date: 2019-11-03
> IETF LC End Date: 2019-11-12
> IESG Telechat date:
>
> Summary: Ready with minor issues
> --------
>
> Minor issues:
> -------------
>
> I found section 2 "Migrating to Newer Versions of This Extension" a little hard to follow. Firstly, am I correct in assuming that "a new version" means a version number higher than 1.0, e.g. "loginSec-1.1"? That is probably the intended meaning, but I think it needs to be explicit. Maybe state that this document defines "loginSec-1.0" and future documents can define other minor and major versions such as "loginSec-1.1" or "loginSec-2.0".

JG - The "Migration to Newer Versions of This Extension" section was originally meant to address point version updates (e.g., loginSec-0.2, loginSec-0.3) prior to version loginSec-1.0, but Barry Leiba's review feedback recommended leaving it in the draft. This section is applicable to any version change, including migrating from a pre-loginSec-1.0 version to loginSec-1.0 or a future update of loginSec-1.0 to loginSec-1.1. I believe the language needs to remain generic to apply to both cases.

> Then "(for a temporary migration period)" is a bit vague. I think it would be useful to suggest the order of magnitude of the overlap period: days?, months?; hopefully not years.

JG - The migration period is up to server policy. It could be made more explicit by changing it to read "(for a temporary migration period up to server policy)". Do you agree with this change?

> I also think a short discussion of adding & removing versions is needed in the Security Considerations, since the reason for a new version might be the discovery of a vulnerability in the current version. That's when a short migration period is desirable.

JG - I don't see the linkage of adding & removing versions to the Security Considerations, since a version change may be due to multiple reasons (functional issue, functional enhancement, and security). The length of time for the migration is up to server policy based on many factors outside of the protocol.

> FYI, there are some other extension design considerations in https://tools.ietf.org/html/rfc6709#section-4 .

JG - Thank you, I'll be sure to review https://tools.ietf.org/html/rfc6709#section-4.

> Nits:
> -----
>
> "1. Introduction
>
> This document describes an Extensible Provisioning Protocol (EPP) extension for enhancing the security of the EPP login command in EPP RFC 5730. The enhancements include supporting longer passwords (or passphrases) than the 16-character maximum and providing a list of security events in the login response. The password (current and new) in EPP RFC 5730 can be overridden..."
>
> "RFC 5730" should either be in parentheses as "(RFC 5730)" or a reference "[RFC5730]" (twice).

JG - I will change the RFC 5730 references in the Introduction to use links (xrefs).
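The migration discussion above turns on what a client does when a server lists more than one loginSec version in its greeting during the overlap period, and the Introduction nit quotes the draft's reason for the extension: passwords longer than RFC 5730's 16 characters. The following Python is an added example, not code from the draft, its authors, or anyone in this thread. It parses the <svcExtension> list of a constructed EPP greeting, selects the highest loginSec version the client also implements (or none), and builds a login command that carries a long password through the extension, with the RFC 5730 <pw> element set to the "[LOGIN-SECURITY]" placeholder the extension defines for that case. Assumptions, beyond what the thread states: the namespace shape urn:ietf:params:xml:ns:epp:loginSec-<major>.<minor> (loginSec-1.1 and loginSec-2.0 appear only as hypothetical future versions to exercise the selection logic), and the made-up client identifier, password and transaction ID.

```python
# Client-side loginSec version selection and login construction for EPP.
# Added example, not code from the draft or its authors. Assumption: the loginSec
# namespace is LOGINSEC_NS_PREFIX + "<major>.<minor>"; loginSec-1.1 and 2.0 are
# hypothetical future versions that only exercise the migration logic.
import xml.etree.ElementTree as ET
from typing import List, Optional, Sequence, Tuple
from xml.sax.saxutils import escape

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
LOGINSEC_NS_PREFIX = "urn:ietf:params:xml:ns:epp:loginSec-"  # assumption (see header comment)
LOGIN_SECURITY_MARKER = "[LOGIN-SECURITY]"  # RFC 5730 <pw> placeholder when loginSec:pw holds the password
RFC5730_PW_MAX = 16                         # RFC 5730 pwType maxLength

Version = Tuple[int, int]
CLIENT_SUPPORTED: Sequence[Version] = ((1, 0), (1, 1))  # versions this hypothetical client implements

# Constructed greeting (not a capture): a server in its migration period advertises
# loginSec-1.0 alongside a hypothetical loginSec-1.1.
GREETING = f"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="{EPP_NS}">
  <greeting>
    <svID>Example EPP server</svID>
    <svDate>2019-11-05T18:58:54.0Z</svDate>
    <svcMenu>
      <version>1.0</version>
      <lang>en</lang>
      <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
      <svcExtension>
        <extURI>{LOGINSEC_NS_PREFIX}1.0</extURI>
        <extURI>{LOGINSEC_NS_PREFIX}1.1</extURI>
        <extURI>urn:ietf:params:xml:ns:rgp-1.0</extURI>
      </svcExtension>
    </svcMenu>
  </greeting>
</epp>"""


def parse_version(text: str) -> Version:
    """'1.1' -> (1, 1); tuple comparison orders 1.0 < 1.1 < 2.0."""
    major, minor = text.split(".")
    return int(major), int(minor)


def advertised_loginsec_versions(greeting_xml: str) -> List[Version]:
    """Every loginSec version listed in the greeting's <svcExtension>."""
    root = ET.fromstring(greeting_xml)
    versions = []
    for ext in root.iter(f"{{{EPP_NS}}}extURI"):
        uri = (ext.text or "").strip()
        if uri.startswith(LOGINSEC_NS_PREFIX):
            versions.append(parse_version(uri[len(LOGINSEC_NS_PREFIX):]))
    return versions


def select_version(server: Sequence[Version], client: Sequence[Version]) -> Optional[Version]:
    """Highest version both sides implement; None when there is no overlap.
    During a migration period the server lists old and new versions, so a
    not-yet-upgraded client still finds the old one here."""
    common = set(server) & set(client)
    return max(common) if common else None


def build_login(clid: str, password: str, version: Optional[Version],
                client_trid: str = "ABC-12345") -> str:
    """Build an EPP <login>. With a negotiated loginSec version the real password goes
    in <loginSec:pw> and the RFC 5730 <pw> carries the marker; without the extension a
    password over 16 characters is refused here rather than silently truncated."""
    if version is None:
        if len(password) > RFC5730_PW_MAX:
            raise ValueError("password exceeds the RFC 5730 16-character limit and loginSec is unavailable")
        pw_elem, svc_ext, extension = f"<pw>{escape(password)}</pw>", "", ""
    else:
        ns = f"{LOGINSEC_NS_PREFIX}{version[0]}.{version[1]}"
        pw_elem = f"<pw>{LOGIN_SECURITY_MARKER}</pw>"
        svc_ext = f"<svcExtension><extURI>{ns}</extURI></svcExtension>"
        extension = (f'<extension><loginSec:loginSec xmlns:loginSec="{ns}">'
                     f"<loginSec:pw>{escape(password)}</loginSec:pw>"
                     "</loginSec:loginSec></extension>")
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<epp xmlns="{EPP_NS}"><command><login><clID>{escape(clid)}</clID>{pw_elem}'
            "<options><version>1.0</version><lang>en</lang></options>"
            f"<svcs><objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>{svc_ext}</svcs>"
            f"</login>{extension}<clTRID>{escape(client_trid)}</clTRID></command></epp>")


def negotiate_and_login(greeting_xml: str, clid: str, password: str,
                        client_versions: Sequence[Version] = CLIENT_SUPPORTED):
    """Full client step: read the greeting, pick a version, emit the login command."""
    version = select_version(advertised_loginsec_versions(greeting_xml), client_versions)
    return version, build_login(clid, password, version)


def login_pw_fields(login_xml: str):
    """Inspect a built login: (RFC 5730 <pw>, loginSec <pw> or None, loginSec namespace or None)."""
    root = ET.fromstring(login_xml)
    pw = root.find(f".//{{{EPP_NS}}}pw").text
    ext_pw = ns = None
    for el in root.iter():
        if el.tag.startswith("{" + LOGINSEC_NS_PREFIX) and el.tag.endswith("}pw"):
            ns, ext_pw = el.tag[1:el.tag.index("}")], el.text
    return pw, ext_pw, ns


if __name__ == "__main__":
    chosen, login = negotiate_and_login(GREETING, "ClientX", "correct horse battery staple 2019")
    print("negotiated loginSec version:", chosen)
    print(login)
```

Two points the code makes concrete: a client that only implements loginSec-1.0 keeps working against the greeting above because the server still lists 1.0 during the migration period, and a client facing a server that has already dropped every version it implements gets None back and must fall back to an RFC 5730 login, which fails cleanly for a password longer than 16 characters instead of sending a truncated one.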