IETF Logo Mail Archive

Re: [regext] review of draft-ietf-regext-login-security-03

"Gould, James" <jgould@verisign.com> Thu, 25 July 2019 11:41 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC786120020 for <regext@ietfa.amsl.com>; Thu, 25 Jul 2019 04:41:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id drLsrkru_3ll for <regext@ietfa.amsl.com>; Thu, 25 Jul 2019 04:41:52 -0700 (PDT)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66653120019 for <regext@ietf.org>; Thu, 25 Jul 2019 04:41:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=4628; q=dns/txt; s=VRSN; t=1564054912; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=V1uMt0jIhaoaRKaViIWquiop7Mz5SvW7H52kwjyoKfA=; b=NrmxjUc8VzNkCsGPcJtBSFU0gSImDJgVtIjY3Bj6Gy2IHcpdMLT5wvQq Eup0mv3VrdTwSM12Np+2YaHgZ9Hf7SyfZ3H+yJMZ5yXND3XjpjIG2L4Pp Fqr0uUc5g66G0RsnPzuz5UK5IfHexDiLb8b4XSFP66pD9yoxeeraomt9e rJuEoVPqPcfU0ToiNl976osle2fBeR48OPZGdKUg84qppAovK0va3vh8z oq/9+JqUHY7lFJqTddh1I14JRNRrVlb6fqodka2e0PLXJpgt+qcJbBBSL JDisCq0JleH6V2Vw1wBDm3tX3WzpRXmLuPX3PODco+UyXWSij3/SO0XBr Q==;
X-IronPort-AV: E=Sophos;i="5.64,306,1559520000"; d="scan'208";a="10725339"
IronPort-PHdr: 9a23:w9lodR9al9rYdP9uRHKM819IXTAuvvDOBiVQ1KB+0+sQIJqq85mqBkHD//Il1AaPAdyBraIewLaO+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZLebxhWiDanYr5+Mhq6oArNusILnYZsN6E9xwfTrHBVYepW32RoJVySnxb4+Mi9+YNo/jpTtfw86cNOSL32cKskQ7NWCjQmKH0169bwtRbfVwuP52ATXXsQnxFVHgXK9hD6XpP2sivnqupw3TSRMMPqQbwoXzmp8rxmQwH0higZKzE58XnXis1ug6JdvBKhvAF0z4rNbI2IKPZyYqbRcNUHTmRDQ8lRTTRMDIOiYYUSE+oPM+VWr4f/qFQArBuxGQaiC+z0xz9UnXD22LE23/g7HAzE2gErAtIAsG7TrNXwLKoeX+G7zK7VzTXHcvxawSr25ozSfRAkv/6MRrx8etfWxEktGAPFiUiQqYj4MD6OyOQCrXKb7+t7VeKuhG4nrRt9rSSoxscpk4TEgJ8exF7D9SV82ok1JNu4RVZlYdG6CptQtjqaN4p5QsMkQmFovjo1xqcatp68eSgG0JUnyADDa/yJaYSI5QjjVOmXLDxlh3xlYKqyiwuu/US61+HxVMe53ExXoidFnNTArH8A2h/L5sSaVvdx5Fqt1DST2wzJ9+1JLkM5mbDGJ5Mi2rIwmIQcvEffEiLznUj5lqybe0E/9eWt5enrfKjpq56ZOoBvjgzzM6Yjl8mxDOk2MAUBQm6W8vmm2rL55032WrBKg+UzkqnerZ/VO9wWprW8Aw9JyoYj7Au/Dyu+3NQYg3YHKFVFdQqagob1I1/CPfD3A++wjVutjDtn2urKPqP9DZXKNHjDiK3tcqxg5EJG1goz18tf55ROBr4dJ/LzX1f9tN3eDhAnLwy52/vrBMln2o8DW2+CDLWVPL7SvFKG/O4iLOqBaJcQuDnnKvgl4/DujWU+mV8YZaSp35QXaHelHvRiPkqUemTsjckbEWcLpQo+TePqiFuYXTFPYHayWrow5isnB4K+EYfDWoetjaSZ3Ce+BZBZe2dGCkyWHnfuaoqLR/AMZDiOLc9mlzwOTaKhRJM51RGyqA/6zKJqLvDK9S0Xq53i28R16vbSlR4s6Tx0Ad6R02aXT2F7zSs0QGoO1bxloEd+gnKOz7p1gLQMDdl76/RVWwE2PpmaxOt/XZS6EBjMcdqZVH6nT8moRzYrQZh5l8UDbEttB/2jgwzNmS2wDOlGuaaMAcl+3aXB23S1b+R0znvdnuF1jVYhX89DHXOrnK9k9gfVQYXOlhPKxO6Raa0A0XuVpy+4xm2UsRQdCVYoXA==
X-IPAS-Result: A2ERAAAklDld/zCZrQpjAxwBAQEEAQEHBAEBgVMHAQELAYFsgReBLgqEE4gciweDZJUcgT8XHQgJAQEBAQEBAQEBBwEYCwwBAQKDeEYCF4JpNAkOAQMBAQEEAQEBAQUBAQEChgcMgjopARRNLwkBMgEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQgCCAc1EgEBGQEBAQMBASEROhsCAQgOCgICEgEBEgICAiULFRACBAESgldLAYIZrVGBMopBgQwoAYt2gUE+gREnH4JMPoJhAQGBeAomAQIFgjwygiYEjCCCWZt4AwYCghqGWYhahHiCLW2KRIoujTqGaU4TkAsCBAIEBQIVgVCCEXAVOyoBgkEJhiqFFIU/cg0li1kNFYENgSEBAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Thu, 25 Jul 2019 07:41:50 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Thu, 25 Jul 2019 07:41:50 -0400
From: "Gould, James" <jgould@verisign.com>
To: Patrick Mevzek <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] review of draft-ietf-regext-login-security-03
Thread-Index: AQHU7vypJBXqitQ6u0Gkh4VsF0Vlr6Y0ULOAgABICAD//8IuAIAASuEAgAC+JICAAFGwgP//+TSAgIHWuYCAChpnAIAaEAUAgAAt9AA=
Date: Thu, 25 Jul 2019 11:41:50 +0000
Message-ID: <C5D35B27-4D17-40EB-90EE-5C8BD2A3796F@verisign.com>
References: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch> <7597ff38-29ba-77e3-e093-524c5cb7123a@switch.ch> <cccbc3cd-1f45-4973-9606-544f1f04425b@www.fastmail.com> <23C64725-1802-46B1-A371-9059F642E10A@verisign.com> <9735244c-3619-46e3-8ce2-f0d6bc8a9bee@www.fastmail.com> <1E28042B-759E-46D5-9D9C-5271255480D6@verisign.com> <99e7fe7e-d98c-4d80-97c8-015ff383b391@www.fastmail.com> <D192A5DB-AB8C-4B0E-90FE-B0B33213D2CD@verisign.com> <8b81134b-28d4-437f-a67f-c7d94eec5e73@www.fastmail.com> <62722D2A-6126-4589-BD8C-CF22FA17B68C@verisign.com> <bd61b4f8-dd8e-44e0-b14b-05c2045ea853@www.fastmail.com> <16205BE9-227E-4847-B131-69F3DF861AEC@verisign.com> <3478d413-c256-4d43-bc38-bf09d990ccc1@www.fastmail.com>
In-Reply-To: <3478d413-c256-4d43-bc38-bf09d990ccc1@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.9.190412
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <5695AC63E9EC2C42B61000EA7ACC1145@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/1syaWnO9gPWOOO9CBf54taBTF5k>
Subject: Re: [regext] review of draft-ietf-regext-login-security-03
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 11:41:55 -0000

Patrick,

The use of the PCRE in draft-gould-regext-login-security-policy  was solely meant to define the format policy.  The other password policies can be able to be defined in a consumable manner.  For "Passwords should be changed every 12 months and should be different than the previous 6 passwords.", the changing of the password every 12 months would be covered with the policy definition of the "password" security event, as in:

     <loginSecPolicy:event type="password">
       <loginSecPolicy:level>warning</loginSecPolicy:level>
       <loginSecPolicy:level>error</loginSecPolicy:level>
       <loginSecPolicy:exDate>true</loginSecPolicy:exDate>
       <loginSecPolicy:exPeriod>P1Y</loginSecPolicy:exPeriod>
       <loginSecPolicy:warningPeriod>P15D</loginSecPolicy:warningPeriod>
       <loginSecPolicy:errorAction>login</loginSecPolicy:errorAction>
     </loginSecPolicy:event>

Covering the policy associated with the use of the previous 6 passwords is currently not covered by draft-gould-regext-login-security-policy, but I can add support for it.  

Thanks,

-- 
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/>

On 7/25/19, 12:58 AM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:

    
    
    On Mon, Jul 8, 2019, at 13:57, Gould, James wrote:
    > Use of the PCRE to define the password format policy is meant for 
    > machine consumption, so "easy to read" is not a factor.  The 
    > description is meant to be human readable and "easy to read".  
    > 
    > Do you have a specific example of an EPP password format that cannot be 
    > defined using a PCRE?  
    
    I think you are switching between format and policy while I am clearly stating
    that even if a regex could encode (most, but I would not guarantee all) formats,
    it certainly can not deal with policy in all generic cases.
    
    Here is an example of a policy from a registry I am sure you know very well:
    "Passwords should be changed every 12 months and should be different than the previous 6 passwords."
    
    This can not be reflected in a regular expression.
    You can put that as free text anywhere: then you do not achieve more than current documentation for human consumption
    Or you decide to try to model things like that with a specific XML schema,
    and while you technically could, I highly doubt you can make that flexible enough to handle
    all registries different policies.
    
    So in the end, the goal to define the policy around passwords is not met for me
    (just because it can't be met, so it is maybe just a matter of aligning the goal),
    , while the goal to define the syntax of passwords can be met.
    
    I think we just disagree on the question if that second goal is good enough
    or not.
    But I would at least suggest that the draft is clearer on what it defines,
    policy or format.
    
    -- 
      Patrick Mevzek
      pm@dotandco.com
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email