Re: [regext] draft-ietf-regexy-login-security

"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 13 November 2019 20:43 UTC

From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "pm@dotandco.com" <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Date: Wed, 13 Nov 2019 20:43:16 +0000
Message-ID: <d14cf332c0ff4aa194ae548204ead373@verisign.com>
References: <406eac6f-f908-4944-8f43-16df858b182f@www.fastmail.com> <78c95628e8f84901b7230f6674ee3120@verisign.com> <94e5e1f6-bd74-43ac-bef7-4d95ab91439e@www.fastmail.com> <28ca30c867da482088214cb27268e50e@verisign.com> <185ec4cf-177c-4269-8670-e68e5a72e82f@www.fastmail.com>
In-Reply-To: <185ec4cf-177c-4269-8670-e68e5a72e82f@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/4V-3-oPekwAbCWob1XHmS6_sui0>

> -----Original Message-----
> From: regext <regext-bounces@ietf.org> On Behalf Of Patrick Mevzek
> Sent: Wednesday, November 13, 2019 3:33 PM
> To: regext@ietf.org
> Subject: [EXTERNAL] Re: [regext] draft-ietf-regexy-login-security
> 
> On Wed, Nov 13, 2019, at 15:13, Hollenbeck, Scott wrote:
> 
> > I don't think that local storage of sensitive information, such as
> > passwords, is a *protocol* issue per se. It does make sense to note
> > that it's a bad idea to do that in the Security Considerations
> > sections of RFCs where passwords are exchanged as part of a protocol
> > interaction, but it's not an interoperability issue.  An even better
> > idea is to recommend "better" practices in those Security
> > Considerations sections.
> 
> It is not a protocol issue per se, but if the protocol is designed so that they
> are definitely not exchanged as plain text (even over a transport protecting
> them), then it is no longer an issue at all, as there is no more
> sensitive information to deal with.
> One stone, two birds.
> 
> Remember that the first step to secure information is just making sure you
> handle as little sensitive information as needed, and then secure the rest.
> 
> Having clear text passwords at the protocol level is definitely not a MUST
> for the protocol to work correctly; the protocol could work with other ways
> to authenticate, eliminating the sensitive part of the information exchanged.

Agreed! As I said earlier:

"I agree that we should consider login security improvements over time as new options are available to us."

Remember, EPP is now 20 years old. There are almost certainly better ways of addressing this topic than we had at our disposal in 1999. All it takes is an Internet-Draft, or a note to the mailing list, to start exploring alternatives.

Scott