Re: [regext] Security Lock anyone? (Was: Preliminary agenda for Prague, and call for agenda items)

"Wilhelm, Richard" <rwilhelm@verisign.com> Tue, 26 February 2019 01:40 UTC

From: "Wilhelm, Richard" <rwilhelm@verisign.com>
To: "tongfeng.zhang@cira.ca" <tongfeng.zhang@cira.ca>, "erwin=40lansing.dk@dmarc.ietf.org" <erwin=40lansing.dk@dmarc.ietf.org>, "regext@ietf.org" <regext@ietf.org>
Date: Tue, 26 Feb 2019 01:40:17 +0000
Message-ID: <2878F888-14BD-4D59-ABDE-51B391F2065B@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/CZSALmybXRn_GXs2YimJgZ9tqgw>
Subject: Re: [regext] Security Lock anyone? (Was: Preliminary agenda for Prague, and call for agenda items)

It would be interesting to explore technical approaches to a standardized registry locking model, although I suspect some of the approaches that are technically possible might not prove to be broadly feasible from a business/contractual perspective.

Regarding the possibility of registry lock successfully defending against the attack, there is generally more to the registry lock security protocol between registry and registrar than the EPP bits on the wire. For example, in Verisign’s implementation, a significant amount of communication during the critical unlock process takes place in a structured process using secure channels outside of EPP.

At Verisign, registry lock has been operating successfully for many years and protects important domain names every day. All indications that we have indicate that it would have successfully defended against the attack. Regardless, we look forward to discussions on this topic and, more importantly, encourage registrars and registrants to engage both registrar and registry locking security mechanisms (along with other factors) to improve the stability of their domain names.

Regards,
Rick


On 2/25/19, 12:47 PM, "regext on behalf of Tongfeng Zhang" <regext-bounces@ietf.org on behalf of tongfeng.zhang@cira.ca> wrote:

    At .ca and all the TLDs CIRA operates, we have a similar feature of registry lock.
    We are interested in standardization for sure.
    
    There is a regiOps workshop coming up in May in Bangkok. I see a fit there if regext is not the right place.
    
    Cheers,
    Tongfeng 
    
    
    -----Original Message-----
    From: regext <regext-bounces@ietf.org> On Behalf Of Erwin Lansing
    Sent: Monday, February 25, 2019 11:25 AM
    To: regext@ietf.org
    Subject: Re: [regext] Security Lock anyone? (Was: Preliminary agenda for Prague, and call for agenda items)
    
    Folks,
    
    At .dk we also offer a form of registry lock, called VID, which I’d like to redesign at some point.  Having a standardised, or at least similar “enough” product offering across different registries and TLDs would make it much more attractive for registrants.  Even though I won’t be in Prague, I’m certainly interested in following any standardisation effort.
    
    Best,
    Erwin
    
    
    
    > On 25 Feb 2019, at 17.11, Marc Groeneweg <Marc.Groeneweg@sidn.nl> wrote:
    > 
    > All,
    > 
    > At SIDN (for .nl) we have our own form of registry lock called .nl control (https://www.sidn.nl/en/nl-control?language_id=2). Perhaps this can be used as input for a joined effort in increasing security around registry/registrar operations.
    > 
    > Regards,
    > Marc Groeneweg
    > 
    > On 25/02/2019, 14:57, "regext on behalf of Gavin Brown" <regext-bounces@ietf.org on behalf of gavin.brown@centralnic.com> wrote:
    > 
    >    If a BoF happens in Prague I will certainly attend.
    > 
    >    On 25/02/2019 07:26, Alexander Mayrhofer wrote:
    >> Antoin, all,
    >> 
    >> for now this is more a question / request to the group, rather than a 
    >> specific agenda slot request – but:
    >> 
    >> In the light of the recent attacks on registration interfaces, do we 
    >> want to take a fresh look at standardization of “Registry Lock” / 
    >> “Security Lock”? There’s some previous work on this topic (see 
    >> https://tools.ietf.org/html/draft-wallstrom-epp-registrant-problem-statement-00).
    >> As Patrick pointed out, there’s also some IPR considerations in this 
    >> area (See his blog post at 
    >> http://www.circleid.com/posts/20150603_registry_lock_or_epp_with_two_factor_authentication/).
    >> 
    >> I constantly hear from registrars that “Security Lock” (our product
    >> name) would be much more attractive if there wasn’t a myriad of 
    >> different processes at each registry – so my take is that there’s 
    >> room for standardization (which probably goes beyond the pure EPP extension).
    >> I’m also hearing some fellow ccTLD colleagues are interested in a 
    >> common “profile”.
    >> 
    >> Would regext be the right spot for such a discussion? If yes, would 
    >> it be interesting to hold a 20 minutes slot in Prague? Or even a 
    >> Bar-BoF before we “report back” to the working group?
    >> 
    >> 
    >> 
    >> Best,
    >> 
    >> Alex
    >> 
    >> *From:* regext <regext-bounces@ietf.org> *On Behalf Of *Antoin 
    >> Verschuren
    >> *Sent:* Sunday, 24 February 2019 14:43
    >> *To:* Registration Protocols Extensions <regext@ietf.org>
    >> *Subject:* [regext] Preliminary agenda for Prague, and call for 
    >> agenda items
    >> 
    >> Hi all,
    >> 
    >> Please find the preliminary agenda for Prague attached.
    >> I hope I captured everyone that has requested time to speak. If not, 
    >> let the chairs know.
    >> We still have a little bit of time left on the agenda, so if you have 
    >> urgent agenda items, let us know as well.
    >> If you are on the agenda, start preparing ;-)
    >> 
    >> Regards, Jim and Antoin
    >> 
    >> - --
    >> Antoin Verschuren
    >> 
    >> Tweevoren 6, 5672 SB Nuenen, NL
    >> M: +31 6 37682392
    >> 
    >> _______________________________________________
    >> regext mailing list
    >> regext@ietf.org <mailto:regext@ietf.org> 
    >> https://www.ietf.org/mailman/listinfo/regext
    >> 
    >> 
    >> 
    > 
    >    --
    >    Gavin Brown
    >    Chief Technology Officer
    >    CentralNic Group plc (LSE:CNIC)
    >    Innovative, Reliable and Flexible Registry Services
    >    for ccTLD, gTLD and private domain name registries
    >    https://www.centralnic.com/
    >    +44.7548243029
    > 
    >    CentralNic Group plc is a company registered in England and Wales with
    >    company number 8576358. Registered Offices: 35-39 Moorgate, London,
    >    EC2R 6AR.
    > 
    > 
    