IETF Logo Mail Archive

Re: [regext] review of draft-ietf-regext-login-security-03

"Patrick Mevzek" <pm@dotandco.com> Tue, 09 April 2019 21:21 UTC

Return-Path: <pm@dotandco.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D171B120342 for <regext@ietfa.amsl.com>; Tue, 9 Apr 2019 14:21:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dotandco.com header.b=Jm6aDqEb; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=KrbYKEyo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mVIg9pNrmqEc for <regext@ietfa.amsl.com>; Tue, 9 Apr 2019 14:21:21 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFBFF1200D6 for <regext@ietf.org>; Tue, 9 Apr 2019 14:21:20 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 46F1326534 for <regext@ietf.org>; Tue, 9 Apr 2019 17:21:20 -0400 (EDT)
Received: from imap1 ([10.202.2.51]) by compute3.internal (MEProxy); Tue, 09 Apr 2019 17:21:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dotandco.com; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=2YHsHYdXRJkR6w8QqSB6Za16GPfJzCZ GBjibxdRhb0o=; b=Jm6aDqEb3TBdOQRH5JWGTieXhoq+9uGBsgUjm52kNVrc42g PE0bAjqUmKCatZX4seAH2s/ttW9K714czoDQ/c1ZJkFyVPSPTBT6xQVGf7QLa7JS VB8x+FkqpiAjgrlfmtJ09JOyzhfFWNSZQZoYApobuupfoyWpPIuIf6MThivJlKZm IazX6P4P9cQUQHbMsoZD6IVz1KkFsHacCtngsQmftmfrztf6D66tPFY047QUASb/ 74ighWYDr8Nw7QiW3JqXWtJkcH6CGO/6GZEloIgE0rpFbjegA3QaVFFqq37QPVSF bIC5UvV+Lrx5nViFTcAPr0ykkJaFuGyQBzvP/yw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=2YHsHY dXRJkR6w8QqSB6Za16GPfJzCZGBjibxdRhb0o=; b=KrbYKEyous3C4IaHQ1H8Il 3Wpjl5ymrIauxmL3z60fKytZ82g+IfSp026z4syCA4cG9S2/sZmmScHPSkYqMAhC mJCbmjZqVuWZcj6OFYYOCGfGGIhigAxdyYjM6lNbxPnRGDJEFjb6OzR7r3uFHO8L iWT6iW/vCUU1VqdQhmkZ9fIwUeurjTn0aSj/CC6hW/45+BjXmHbIYlN3jz0Gsmx5 NJWcvRv4bbZfHts+ABBjIdgGSlAcUAm+bTlvKQl88sZhsgE2mUIRVOJon2Xq3vIK 3og4TmxHHMKQcZPl9xSCukgAJsqQu3qQ+e7TvA055DOsxEBJ6XTEWWScLt+cd+CQ ==
X-ME-Sender: <xms:zwytXBM88u5ucney51-GdKne_i7rVZBrxYKSD0BDxzhOPWobahvE1mIqem4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrudehgdduieduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfrfgrthhrihgtkhcuofgvvhiivghkfdcuoehpmhesugho thgrnhgutghordgtohhmqeenucfrrghrrghmpehmrghilhhfrhhomhepphhmseguohhtrg hnuggtohdrtghomhenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:zwytXF3-ZGXpU1oYQ0HbCsq5QPeOmy8Hnrf9XGKt1e7X72XwP6NVPQ> <xmx:zwytXFYNov03P8QZcKcoBbogGVtYK8mgkUKWGE4bF9ESIG1dxXxcZw> <xmx:zwytXN5aFL9QTl1Z5wXXMY2X6CTW9s8dZ1eneXUQW99zK_V3gWAbPg> <xmx:0AytXByUTH1zKJ6mfZXoEDQBEbUAObPruBfCk7oOzogWQuOLNMAvsw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B3BA1D48AF; Tue, 9 Apr 2019 17:21:19 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-329-gf4aae99-fmstable-20190329v1
Mime-Version: 1.0
X-Me-Personality: 66173168
Message-Id: <9735244c-3619-46e3-8ce2-f0d6bc8a9bee@www.fastmail.com>
In-Reply-To: <23C64725-1802-46B1-A371-9059F642E10A@verisign.com>
References: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch> <7597ff38-29ba-77e3-e093-524c5cb7123a@switch.ch> <cccbc3cd-1f45-4973-9606-544f1f04425b@www.fastmail.com> <23C64725-1802-46B1-A371-9059F642E10A@verisign.com>
Date: Tue, 09 Apr 2019 17:18:50 -0400
From: Patrick Mevzek <pm@dotandco.com>
To: regext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/77pYyow9lwTn66vwxdgVq3vOMlI>
Subject: Re: [regext] review of draft-ietf-regext-login-security-03
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2019 21:21:23 -0000


On Tue, Apr 9, 2019, at 16:01, Gould, James wrote:
> The password expression can be included in the error response using the 
> human readable message per registry policy, which will work for 
> troubleshooting purposes only, since the human readable message should 
> not be parsed by the client.  The login security extension is not well 
> suited for communicating policy information, which is the point of 
> draft-gould-regext-login-security-policy.  The password policy 
> information can be formally communicated via 
> draft-gould-regext-login-security-policy over EPP or using an 
> out-of-band mechanism.        

That was exactly Martin's point on which I was replying:
<quote>
I know that you have foreseen draft-gould-regext-login-security-policy 
to query about password complexity but I think for convenience of the 
registrar it would still be nice to somehow include the password 
requirement in the response even if it is redundant. Otherwise one has 
to implement draft-gould-regext-login-security-policy at the same time 
or communicate the requirement out of band.
</quote>

And the example given clearly used an attribute to store the regex, which is clearly not 
human redable.

And again there is no "password expression" since like I tried to show but failed apparently, not all password policies can be compressed into one regular expression.

And also putting such kind of things (regex) into a "human" readable message makes no sense.
(it is neither human nor readable)

It would be far more logical to have a human readable message saying:
"Password not in compliance with rule A.III.b.3.i of regulations at https://www.registry.example/a_super_nice_documentation.pdf"

So my point was:
- don't think password policies can be condensed into a regular expression (that may be the case for one registry, but certainly not for all, so I see no need to try enforcing that)
- don't put things like that in "human" readable parts

Finally, like I said, piggybacking everything on another EPP extension risks for now the fact that not a lot of registries will implement it.
Each extension should try to stand-alone as much as possible...
Otherwise in your current setup a registry needs to implement this extension, the core policy one, and then the extension on the policy one. I have low hope this will happen... And the amount of discussions around this 

-- 
  Patrick Mevzek
  pm@dotandco.com

v2.23.0 | Report a Bug | By Email