IETF Logo Mail Archive

Re: [regext] review of draft-ietf-regext-login-security-03

"Gould, James" <jgould@verisign.com> Wed, 10 April 2019 13:26 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 279E21202F0 for <regext@ietfa.amsl.com>; Wed, 10 Apr 2019 06:26:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3uOgqMyskfMj for <regext@ietfa.amsl.com>; Wed, 10 Apr 2019 06:26:10 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1115B1202B5 for <regext@ietf.org>; Wed, 10 Apr 2019 06:26:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=19933; q=dns/txt; s=VRSN; t=1554902770; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=Kil5FRVoncYzEWn9xHKbUSrRv7pFF5EcMUakmLELok4=; b=Xkxs548L71KfoumHqau3fxk0sK3xNUGuGt+as3/EsNJy1E3syi9ndYKQ 6Ws4XbZs8Ryv456WIP4WInaW3/3sDjUGsr9fbuFXNPRUv25uBnTnT32h7 8xcJFCvM+JXiEBuqBHe6muwPuBoMi9oiYxPFgxzvHnHnvQIj937WaxXjg Bk09UdNc8znKENoM+Tm9uRrbSfo2N82WUo8HVNP0m0aEkg+d1mV04usbE PpBdJTXXwe0on8sErsgTeQq5r6l8Y9Cm7kijJ4SsevHq4yRcr5bVU57Ay cNVKH99iaUi1NRksM6D4/yRrDhMNyWknTWiYW6/X+ciewQ2Y89FhfplD9 g==;
X-IronPort-AV: E=Sophos;i="5.60,332,1549947600"; d="scan'208,217";a="7432462"
IronPort-PHdr: 9a23:lJHkWBRICQQkKR5p9cSU5uefHNpsv+yvbD5Q0YIujvd0So/mwa67ZBWFt8tkgFKBZ4jH8fUM07OQ7/m5HzVfqsjb+DBaKdoQDkdD0Z1X1yUbQ+e9QXXhK/DrayFoVO9jb3RCu0+BDE5OBczlbEfTqHDhpRQbGxH4KBYnbr+tQt2agMu4zf299IPOaAtUmjW9falyLBKrpgnNq8Uam4RvJrssxhfTv3dFeetayGJ2KVmOmxrw+tq88IRs/ihNp/4t7dJMXbn/c68lUbFWETMqPnwv6sb2rxfDVwyP5nUdUmUSjBVFBhXO4Q/5UJnsrCb0r/Jx1yaGM8L4S7A0Qimi4LxwSBD0kicHNiU2/3/Rh8dtka9UuhOhpxh4w47JfIGYMed1c63Bcd8GQ2dKQ8BcXDFDDIyhdYsCF+oPM/hFoYnhqVUArhW+CguiC+Pu1jBHiWT70rcm3+QkCwzKwBYtEtAIvX/JrNv1LqASUeWtwaXGzDvDaO5W2TPg54TQbxsvpeuDXbdufsrKx0UkCgTIjlefqYziIjOV0vkCvnOF7+V+T+KvinUnqwB+ojip3Msjlo7JhocMx13C6C53zoE1JdiiR056Z96pCIVQuD+AN4t3WcMiQm5ouCA7yr0ApZG3ZjQFyJMixxLHavyIbZSI4hz5WOaWOzd4i3Roc6+8iRaq6UWs1/HwWtOp3FtIoCdJiMTAu3AD2hDJ5cWKSeNx8lq91TqVygze6P1ILVopmafUKJMt2KM8m5kLvUTNACD7m1n6gaqTe0o++eWl7//ob7Doq5OCKoB5iwTzPb8ql8G+A+k1NwYDUmaZ9Ouh0rDo4Ff3T69QjvIsl6nUqJXaJcMGqaGnGwJVyYMj6wqnDzehzdQYgWELLFJbdxKDiIjkI0zDLuzgA/uig1uiiDhlyPHaMrH8GJnNMGTMkLD7fbZl8UJT0hc8wcpB55JOEbEBJuj/VVP2tNzdFhM5Mgq0zPj7CNhly48SRXiDDrKbPa7cq1OE++IiLueWaIIauzvxM/0l6OTvjX89l18dZ66p3Z4PZXC6EfRmJFiZYX7xjdoaD2cFoBA+TO3xiF2DXj5TYWy+UL475jE+EI6mF5vMRpixgLyd2ye2BoVWZmVdB1+RFnfoa5+LW/ERZy2OJc9tiCALVb+kS4U5zxGhqBf6y6Z7LurT4iAYr4zs1Ndr6OzciRE/7j10ANqB02GDVW10mXkIRzBllJx49AZlz3+P1rRxhfBTEppY4PYDGlMiMLbQyPBzDdz5XUTKedLfDB7sWNipDCEtZtM839FIZFxyUZ32lB3M0jq2K74Yi7LNA4Y7pPHyxX/0coxSzGvC2O1prVAjT9AFfTmkiali8wT7GYPTkl6YmKDsfqMZin2evFyfxHaD6RkLGDV7Vr/ICCgS
X-IPAS-Result: A2EvAACk7a1c/zCZrQpiAxwBAQEEAQEHBAEBgVMFAQELAYEOgWqBKgqEBJMEgjuDXZRpgT8XHQgPARgBDAmDeEYCF4V3NgcNAQEDAQEBCAEBAQECAQECgQUMgjoiHDEcLwkBBQEBAQEBAScBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEIAggHNRIBARkBAQECAQEBIQpBEAsCAQguAQESAgICJQslAgQBEoMiAYERXBcDrFmBL4QxAYEUhGiBMAGLXYFBPoERJx+CTD6CYQEBgUstCiYBAgWCOzGCJgONFYQvh1+MBWIDBgKIBIQfg0WEN4JjkgGLVoVUQwuNXAIEAgQFAhWBVgmBf3AVOyoBgkEJhXCFFIU/cg0kjXANFYEKgSABAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Wed, 10 Apr 2019 09:26:07 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Wed, 10 Apr 2019 09:26:07 -0400
From: "Gould, James" <jgould@verisign.com>
To: "pm@dotandco.com" <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] review of draft-ietf-regext-login-security-03
Thread-Index: AQHU7vypJBXqitQ6u0Gkh4VsF0Vlr6Y0ULOAgABICAD//8IuAIAASuEAgAC+JIA=
Date: Wed, 10 Apr 2019 13:26:07 +0000
Message-ID: <D192A5DB-AB8C-4B0E-90FE-B0B33213D2CD@verisign.com>
References: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch> <7597ff38-29ba-77e3-e093-524c5cb7123a@switch.ch> <cccbc3cd-1f45-4973-9606-544f1f04425b@www.fastmail.com> <23C64725-1802-46B1-A371-9059F642E10A@verisign.com> <9735244c-3619-46e3-8ce2-f0d6bc8a9bee@www.fastmail.com> <1E28042B-759E-46D5-9D9C-5271255480D6@verisign.com> <99e7fe7e-d98c-4d80-97c8-015ff383b391@www.fastmail.com>
In-Reply-To: <99e7fe7e-d98c-4d80-97c8-015ff383b391@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.7.190210
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="_000_D192A5DBAB8C4B0E90FEB0B33213D2CDverisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/8FcBvbJKjA_pQvQAckVbPmBvYSM>
Subject: Re: [regext] review of draft-ietf-regext-login-security-03
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2019 13:26:12 -0000

Patrick,



We are discussing how to express the password format policy in draft-gould-regext-login-security-policy, which uses a Perl-compatible Regular Expression (PCRE).  The use of a PCRE was discussed at the REGEXT Interim Meeting 2018OCT16  (https://mailarchive.ietf.org/arch/msg/regext/3VWY7MlELXmEu5GdQbGnm70Im30).  I believe that a PCRE can effectively express the password format policy for EPP; although there may be exceptions to the rule.  Below I include an example EPP password format policy from draft-gould-regext-login-security-policy that uses a PCRE with a matching description.  A client can generate and pre-verify a new EPP password by leveraging the PCRE.



     <loginSecPolicy:pw>

       <loginSecPolicy:expression>

         (?=.*\d)

         (?=.*[a-zA-Z])

         (?=.*[\x21-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E])

         (?!^\s+)

         (?!.*\s+$)

         (?!.*\s{2,})

         ^[\x20-\x7e]{16,128}$

       </loginSecPolicy:expression>

       <loginSecPolicy:description>

         16 to 128 printable characters (alphanumeric, space, and

         special characters) with at least one number, letter, and

         special character, with no leading or trailing whitespace,

         and with no consecutive spaces.

       </loginSecPolicy:description>

     </loginSecPolicy:pw>



I believe your password format policy can be expressed via a PCRE, but I’ll leave that exercise to you.



Currently draft-gould-regext-login-security-policy has the <loginSecPolicy:pw><loginSecPolicy:expression> element defined as required.  The question is whether there are existing or planned EPP password format policies that cannot be expressed via a PCRE.  If so, we can adjust draft-gould-regext-login-security-policy to support providing an external URL reference or make the <loginSecPolicy:pw><loginSecPolicy:expression> element optional, so that the server only provides the description.  Other possible password policy elements are not defined in draft-gould-regext-login-security-policy, like use of prior passwords or use of insecure words.  Should such non-format policies be defined in draft-gould-regext-login-security-policy and if so what policies should be defined?



Thanks,

—

JG







James Gould

Distinguished Engineer

jgould@Verisign.com



703-948-3271

12061 Bluemont Way

Reston, VA 20190



Verisign.com <http://verisigninc.com/>



On 4/9/19, 6:06 PM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:







    On Tue, Apr 9, 2019, at 16:37, Gould, James wrote:

    > I’m not claiming that all password policies can be condensed into a

    > regular expression, but at a minimum the syntactical policy can.



    Ok.

    I am still curious to know the valid regex encoding this policy for example:



    - any character from the Unicode Latin script

    - at least one uppercase, one lowercase, one digit, and one punctuation character (in no specific order)

    - no repeated sequence of two or more characters

    - no given character repeated in sequence

    - between 17 and 33 characters long in total



    --

      Patrick Mevzek

      pm@dotandco.com



    _______________________________________________

    regext mailing list

    regext@ietf.org

    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email