[regext] AD review for draft-ietf-regext-login-security-04
Barry Leiba <barryleiba@computer.org> Tue, 29 October 2019 04:10 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C022312008C; Mon, 28 Oct 2019 21:10:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FcJnDqn6ux96; Mon, 28 Oct 2019 21:10:42 -0700 (PDT)
Received: from mail-il1-f182.google.com (mail-il1-f182.google.com [209.85.166.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8502120046; Mon, 28 Oct 2019 21:10:38 -0700 (PDT)
Received: by mail-il1-f182.google.com with SMTP id a13so10174073ilp.1; Mon, 28 Oct 2019 21:10:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zq8qLR1ZbWxvwSfytIP2b0C/qpat2kB5Gq9gGEi5cAk=; b=kkOm3XHkzpq7PPHIs70fXJwbRH8IiwQp5gejOSZfp1+TEON8J1olkjY99Mtq04j0Ry 5t+osfzN/KYLt5R4e1BAGjp+dxb9pP1Y+o3CJsH3njK3H5kX3N9SRNd51alvzI09/S3e dmaSas+YW6eTzhXS8bErUtwYkjnl90rWdj1iiHuLO+XQIoNEwIe3Uod5YC3aE0y4F1Xq dU6/PclPxe020uf+wJRKoGgquRUEH1+AcCULfBepYVGJrfNmQZZfQUzb/G6DHGa+dRVL oE5UEKHsGLFU7mrZV7gpsyexZq3RWXDsc9/zB1axYEx/UOIZB1kisCdkNnMIbRQnOIH8 9jJw==
X-Gm-Message-State: APjAAAWu30T1R/PKQVTKNQy6/iiJgLJoM2atqIH2m50l+utdtDeDniNW 46WL0ESqiU7LDcqpdqlIVIk6Wxo2T/mKrR2g6UPHnA==
X-Google-Smtp-Source: APXvYqyQ5aEpNP7/LvL3USq3OEEobjNqiGjPGaXTKS1CmxPqE6qT1DiIDQrJrNLrVDue3gXlvaa81t+GShYpeeLgtjA=
X-Received: by 2002:a92:d686:: with SMTP id p6mr6054380iln.17.1572322237621; Mon, 28 Oct 2019 21:10:37 -0700 (PDT)
MIME-Version: 1.0
References: <157201109832.4265.12129957434145983111.idtracker@ietfa.amsl.com>
In-Reply-To: <157201109832.4265.12129957434145983111.idtracker@ietfa.amsl.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Tue, 29 Oct 2019 00:10:26 -0400
Message-ID: <CALaySJLP6VUcuEkUrmKau=JE8v1=F4WsfGGR8n8TivoY1Wg5eg@mail.gmail.com>
To: "draft-ietf-regext-login-security.all@ietf.org" <draft-ietf-regext-login-security.all@ietf.org>
Cc: regext@ietf.org
Content-Type: multipart/alternative; boundary="000000000000722bc0059604ccc4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/295wXHlDK5ouas7XTEw5hT6p6-U>
Subject: [regext] AD review for draft-ietf-regext-login-security-04
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 04:10:44 -0000
I have mostly editorial comments that I hope you’ll consider, but that will
not block anything. My comment below for Section 4.1 is, though, something
I want to discuss before I start last call.
— Section 1.1 —
Please use the new BCP 14 boilerplate and references; see RFC 8174
In examples, "C:" represents lines sent by a protocol client and "S:"
represents lines returned by a protocol server. Indentation and
white space in examples are provided only to illustrate element
relationships and are not a REQUIRED feature of this protocol.
This is not a BCP 14 key word, and should be “required” in lower case.
— Section 2 —
For other similar regext documents, ADs have suggested that the
compatibility/migration recommendations be left in the document for
publication, rather than asking the RFC Editor to remove them. Unless
there’s a good reason not to publish this section, please remove the
request to the RFC Editor.
— Section 3.1 —
There MAY be multiple
events returned that provides information for the client to address.
“provide”
The <loginSec:event> MAY include a free form description.
There should be a hyphen in “free-form” here and elsewhere when it’s used
as a modifier.
The enumerated list of "type" values include:
“includes”
"password": Identifies a password expiry event, where the
password expires in the future or has expired based on the
"exDate" date and time.
"certificate": Identifies a client certificate expiry event,
where the client certificate will expire at the "exDate" date
and time.
Why are these worded differently? Is there a reason they do not both say,
<< where the [thing] has expired or will expire at the “exDate” date and
time. >> ?
"lang": Identifies the language of the free form description if the
negotiated language is something other than the default value of
"en" (English).
This seems to imply that it should never be set to “en”. If that isn’t
what’s meant, it might be better said as, << Identifies the language of the
free-form description. The default is “en” (English). >>.
Example login security event for a password expiring in a week:
There’s no context for “in a week.” How about this?: << Example login
security event for password expiration, where the current date is
2018-03-26: >>
(And similarly for the related example in Section 4.1.)
— Section 4.1 —
<loginSec:pw>: OPTIONAL plain text password that is case sensitive,
has a minimum length of 6 characters, and has a maximum length
that is up to server policy. All leading and trailing whitespace
is removed, and all internal contiguous whitespace that includes
#x9 (tab), #xA (linefeed), #xD (carriage return), and #x20
(space) is replaced with a single #x20 (space). This element
MUST only be used if the [RFC5730] <pw> element is set to the
"[LOGIN-SECURITY]" value.
Two things here:
1. Are there any limitations on valid characters other than the four
mentioned? Is there any server policy involved?
2. What is the reason for collapsing those, four characters, and not
allowing a password to actually contain, say, a tab, or three consecutive
spaces? What about all the other Unicode characters that represent spaces
in various forms, or zero-length characters?
—
Barry
On Fri, Oct 25, 2019 at 9:44 AM James Galvin via Datatracker <
noreply@ietf.org> wrote:
> James Galvin has requested publication of
> draft-ietf-regext-login-security-04 as Proposed Standard on behalf of the
> REGEXT working group.
>
> Please verify the document's state at
> https://datatracker.ietf.org/doc/draft-ietf-regext-login-security/
>
>
- [regext] Publication has been requested for draft… James Galvin via Datatracker
- [regext] AD review for draft-ietf-regext-login-se… Barry Leiba
- Re: [regext] AD review for draft-ietf-regext-logi… Gould, James
- Re: [regext] AD review for draft-ietf-regext-logi… Barry Leiba
- Re: [regext] AD review for draft-ietf-regext-logi… Patrick Mevzek
- Re: [regext] AD review for draft-ietf-regext-logi… Gould, James
- Re: [regext] AD review for draft-ietf-regext-logi… Patrick Mevzek