IETF Logo Mail Archive

Re: [ire] New version (4) of the spec and new draft on DNRD (1)

Francisco Obispo <fobispo@isc.org> Thu, 13 December 2012 17:25 UTC

Return-Path: <fobispo@isc.org>
X-Original-To: ire@ietfa.amsl.com
Delivered-To: ire@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CCCB21F8B1B for <ire@ietfa.amsl.com>; Thu, 13 Dec 2012 09:25:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qsantmz+T0mm for <ire@ietfa.amsl.com>; Thu, 13 Dec 2012 09:25:57 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 8A18721F8653 for <ire@ietf.org>; Thu, 13 Dec 2012 09:25:54 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id 83A055F9C47; Thu, 13 Dec 2012 17:25:43 +0000 (UTC) (envelope-from fobispo@isc.org)
Received: from [IPv6:2001:470:1f05:1326:7926:8872:cb7b:f8fe] (unknown [IPv6:2001:470:1f05:1326:7926:8872:cb7b:f8fe]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id CD09C216C3D; Thu, 13 Dec 2012 17:25:41 +0000 (UTC) (envelope-from fobispo@isc.org)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Francisco Obispo <fobispo@isc.org>
In-Reply-To: <C41D7AF7FCECBE44940E9477E8E70D7A0D740B8D@BRN1WNEXMBX02.vcorp.ad.vrsn.com>
Date: Thu, 13 Dec 2012 09:25:41 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <44162919-EE64-4C86-916D-C43F5404E5CA@isc.org>
References: <C41D7AF7FCECBE44940E9477E8E70D7A0D740B8D@BRN1WNEXMBX02.vcorp.ad.vrsn.com>
To: "Gould, James" <JGould@verisign.com>
X-Mailer: Apple Mail (2.1499)
Cc: Luis Muñoz <lem@isc.org>, ire@ietf.org
Subject: Re: [ire] New version (4) of the spec and new draft on DNRD (1)
X-BeenThere: ire@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Internet Registration Escrow discussion list." <ire.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ire>, <mailto:ire-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ire>
List-Post: <mailto:ire@ietf.org>
List-Help: <mailto:ire-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ire>, <mailto:ire-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2012 17:25:58 -0000

Hi James,

On Dec 13, 2012, at 8:16 AM, "Gould, James" <JGould@verisign.com> wrote:

> Gustavo,
> 
> I noticed the following additional items with draft-arias-noguchi-dnrd-objects-mapping-01:
> 
> 	• The description of the <crID> and <upID> should match what is in the EPP RFC's.  Specifically, change "identifier of the registrar" to "identifier of the client".  In our registries we have account users (verisign as well as registrar) that are reflected in the <crID> and <upID> fields via the user's user name (e.g. jgould).  This is important to track exactly who took the action, since actions can be taken outside of the EPP channel (Registrar Tool, CSR Tool, batch) that should properly be reflected in the <crID> and <upID> elements.  Now the next logical question is whether there needs to be a deposit for users to link the "client identifiers" to.  I would imagine that an EBERO provider would import the <crID> and <upID> fields as strings and replace them (most likely using different fields) with real user identifiers based on future updates to the objects.

I don't know about that, from the EPP perspective a *ID is a registrar not a system user, so interchanging the two doesn't seem like a good idea to me.

You could use a separate field to track those changes, without affecting the EPP semantics.


> 	• The question is whether the authInfo should be escrowed at all since these reflect secret passwords.  Our system stores them encrypted and I don't believe it is a good security practice to escrow them in a decrypted form or even provide a tool that can decrypt them.  I believe that the EBERO provider recovering a registry from the data escrow deposit can generate new random authorization info values and make them available in bulk to the registrars or on-demand by the registrars submitting an EPP info command for the objects.  What are your thoughts with this?  
> -- 

I agree with this, specially since the passwords are not the only component used to authenticate users, for example, we use IP addresses and TLS certificates as well, (we match the information in the certificate with the information associated with the clID)

In any case recovering a registry will require some time to setup these relationships, so I don't think there's a need to automate every single step.

> 

Francisco Obispo 
Director of Applications and Services - ISC
email: fobispo@isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE

v2.23.0 | Report a Bug | By Email