IETF Logo Mail Archive

Re: [regext] draft-ietf-regext-login-security

"Gould, James" <jgould@verisign.com> Fri, 12 July 2019 21:36 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C7B212004A for <regext@ietfa.amsl.com>; Fri, 12 Jul 2019 14:36:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0dKH4e_W06T for <regext@ietfa.amsl.com>; Fri, 12 Jul 2019 14:36:20 -0700 (PDT)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 230EC12000F for <regext@ietf.org>; Fri, 12 Jul 2019 14:36:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=34271; q=dns/txt; s=VRSN; t=1562967380; h=from:to:date:message-id:references:mime-version:subject; bh=wz38mIXhp/3SFtq5T1GwLc8RJcCMcg/oMF3ANZL7fao=; b=fyA6LHZ14gKXw/ilIr+rEvfBfgC2VPC3Yx52hlt6G9lyKiFtMY3gcnfK ek9l5YUFGjcTH8pOonFnhh5Ci4UgoCmCyK8/ElkVYIF/P1Qz5SoXossFJ jVyxHG1FWrqPqUpck8Xn0oqmgxsZ2Q2CMnP4jmX2/q6j+y+snDscq83dK 76XA8UwaTLw0djaBjocFRLDHoj+6GNaqOV031Rlz9h9TCrILeda0tbUyB k4FO/0MmbjcfF6lOEU9jLgRW1iaWoZqGCi77x0JaTs8rp/iVFwgNHENJR W7ML+U9b6eNv67AzAJsb6auzUk2Uq1m6TPO8iNtp9UlTHhb92b7qqulee Q==;
X-IronPort-AV: E=Sophos; i="5.63,483,1557187200"; d="scan'208,217"; a="10642800"
IronPort-PHdr: 9a23:ccisExC6LhKnhHAyscLgUyQJP3N1i/DPJgcQr6AfoPdwSP37p82wAkXT6L1XgUPTWs2DsrQY0rCQ7virADFRqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba5sIBmsrQjdqsYajZZiJ6s11xDEvmZGd+NKyG1yOFmdhQz85sC+/J5i9yRfpfcs/NNeXKv5Yqo1U6VWACwpPG4p6sLrswLDTRaU6XsHTmoWiBtIDBPb4xz8Q5z8rzH1tut52CmdIM32UbU5Uims4qt3VBPljjoMOjgk+2/Vl8NwlrpWrhK/qRJi347aboKbNPRwcaPcYdwVSnFMUdxNWyxEGI6wc5ECAugHMO1Fr4f9vVwOrR6mCAWiBe3vzSJIhnvr0qEizu8vFRvJ3Ak+ENIVvnjfsdL4NKUdUeCy0anIySjMYuhI2Tjj8ojIcwshofCDXbJ2a8be1U4vFwbcg1iWtIfrMTSV1uEXvGia6eptTfyvhHA9qwFwuTivx8gsio/IhoIT1l/I7zl2wIEwJdGgSU50f8KkEJVKuyGdLYt2TdsuTH10tyc0yr0Gvp+7fDMQxJQg3R7fZPqKeJWL7BL7TOudPCt0iGh4dL+9iRu+61Wsx+3yW8Wu31tHqjJJnsTQunwXyhDe6NSLRuFg8kqu2juDzR3f5+JcLUA6i6XWKIItz7s1m5UJsknOGjT5lUD4gaOIa0op++2l5P/jb7jnpJKRMoF5hw/8P6sznMG0HP42PRIUX2eB/OSxzLjj/UrkT7pUlvA2iazZsIzCJcQcu665HxdZ0oY95Ba7CDeryMkVk2UfIl5YeB2Jl4fnNFDSLPzmF/u/nUijkDBxx/DeJLHuGIjCImLdkLf7ZrZ97VRQxxY0zdBa/55UC7cBL+zvWkLpqdDUEgU1PxG2zuvpEtlxy4MTVGyVDqKWNK7eqVqI6fguI+mIao8VojH9K/096v7sgn85nkIdfa200pYMdnC3AO5mI0SCYXrtjdcBF30GsRY5TOzvkFGCSyJcZ26uX6Ig4TE2EJqmDYLYS4+wh7yBwD20HptLaW9aDVCAC2vnd4KBW/0UciKdPtdhkiAYVbimU4Ihzw+htADkxLtoMurZ4SwYuoz/1Nh7/eHTkgsy9TMnR/iahiuVSkl4mX8BQTM92+Z0pkk3ggOb1IB0hOBRE9BY4LVCVQJscdaW1eF1BsDucgPMYtnPT0ypCJ3yGzw+Q8It694Df0g7HM+t2EPtxS2vVvU6kKGPCNh80KvZ0mO7b5J/xHHb0KUJkVQ8Q9BOOmvgjal6oVuAT7XVmlmUwv75PZ8X2zTAoT+O
X-IPAS-Result: A2ElAQAv/Chd/zGZrQpbBwMcAwQJBIFYBA0BgRRTBYEUgSwKhBKDSo5qgholg2OWVhcZDAkBAQEBAQEBAQEHARgBCgwBAQKBAoJ2RhmCYzcGDgEDAQEBBAEBAQEEAQEBAoYlDII6IhxNLwkBMQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEIAggHJBESARoBBAEBASFLEAsCAQguAQEIBAYCAgIlCyUCBAESCRCCPksBgR1eHqtngTKDRDE9AYEUhHiBNAGLdYFBPoERJwwTgkw+gmEBAQGBNRUtCiYBAgWCOzKCJgSMGDmCI4R+gi2GPo0YbQMGAoIZhliBQocXFoRfgiwvPopDiiuNNIZnTRKMGYNuAgQCBAUCFYFmgXtwFTsqAYJBCYJDGINOhRSFP3IBDCWNYg0VgQ2BIQEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Fri, 12 Jul 2019 17:36:16 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Fri, 12 Jul 2019 17:36:16 -0400
From: "Gould, James" <jgould@verisign.com>
To: "pm@dotandco.com" <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] draft-ietf-regext-login-security
Thread-Index: AQHVMKVHjWQbOMjcGkWmWw3Rk66nRQ==
Date: Fri, 12 Jul 2019 21:36:16 +0000
Message-ID: <DADFC5FD-CABC-4745-94D6-D7FF82013CBE@verisign.com>
References: <155991321704.19585.17357914405003536991.idtracker@ietfa.amsl.com> <247A90BF-6E1D-4615-A409-033BE458AC60@antoin.nl> <325F6229-1119-4F4B-AC12-4C3BA37B41D1@verisign.com> <53272950-1116-4A7B-AC02-E135F8FE813F@antoin.nl> <f03f749c-c8eb-48a3-b9a5-bf9988a013ac@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.9.190412
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="_000_DADFC5FDCABC474594D6D7FF82013CBEverisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/CmnlERl_JBccQfP-rMRhvs0Hua8>
Subject: Re: [regext] draft-ietf-regext-login-security
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 21:36:25 -0000

Patrick,



Thanks for confirming the lack of an open item for draft-ietf-regext-login-security.  I respond to your feedback embedded below.



—

JG





James Gould

Distinguished Engineer

jgould@Verisign.com



703-948-3271

12061 Bluemont Way

Reston, VA 20190



Verisign.com <http://verisigninc.com/>



On 7/2/19, 3:10 AM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:







    On Fri, Jun 21, 2019, at 08:22, Antoin Verschuren wrote:

    > We believe the draft draft-ietf-regext-login-security still has an open

    > issue from Patrick Meczek where James response should be confirmed, but



    I have reviewed past exchanges and I do not think that there is anything open left:

    I remain in disagreement on various points[1] hence I will not formally

    approve it, but I won't either block its advancement.



    So, "all fine" for me.



    Minor in 4.1: "MUST be included in the response based on the following conditions"

    you should probably emphasize that there is an "AND" between the two points, not an OR.

    Probably obvious but since there are other discussions abount unannounced extensions

    it is probably better to be more specific.



JG - Agreed that this is an AND and not an OR.  Maybe this can be addressed by modifying the sentence to read "Upon a completed login command (success or failed), the extension MUST be included in the response based on both of the following conditions:"



    [1] Among other things

    (they already have been discussed or not worth discussing, so  I just mention them here for archives, not to open the debate):



JG – Thank you for listing your items.  I include my responses for consideration by the working group.



    - I dislike the use of a specific hardcoded string such as LOGIN-SECURITY

    (IETF even has a specific RFC about choosing "random" names, which was followed

    by various cases, like for the xn-- in IDNs. See RFC 3797/2777 or its use for IDNs at http://www.ccwhois.org/mailarchive/cctld-discuss/vol05/0096.html)



JG - EPP RFC 5730 requires a minimum of 6 characters and a maximum of 16 characters for the pw and newPW elements, so something needs to be set in the pw element at a minimum.  The use of the "LOGIN-SECURITY" placeholder value is meant to be explicit about overriding the value with the corresponding value in the extension.   A random value would make it less clear.  RFC 3797/2777 describes a method of random selection, which I don't believe is applicable here.



    - the extension mixes different things (new password scheme, letting the client

    identify itself better like user-agent in HTTP, letting the server give

    back more structured information about both passwords and TLS... this shouldi

    be in 3 extensions, not one)



JG - All of these elements are associated with security and are extensions to the EPP login command or response, so it is cleanest to include them in a single EPP extension.



    - discussing about TLS versions being insecure or not would probably need

    a reference to RFC8446 and draft-ietf-tls-oldversions-deprecate



JG - The TLS versions supported is a decision for server policy and is not outlined in the EPP extension.  The EPP extension enables the server to inform the client of the deprecation of a negotiated TLS version and the EPP extension does not define or recommend any specific deprecation policy.  I don't see making a reference to RFC 8446 or draft-ietf-tls-oldversions-deprecate as needed to support what is defined in draft-ietf-regext-login-security.



    - as for reporting problems at the TLS stack was there a discussion on why/when this

    should happen at the EPP level instead of directly at the TLS level?

    Specifically because there can be setups where the TLS terminations is in front

    of the EPP application servers so a server wanting to forbid some connections,

    for problems at the TLS level may be technically unable to do it at the EPP level.

    - a lot of things are not defined. For example for ciphers, what is the value field?

    Is that TLS ciphers from IANA repository? something else?

    Not defining things like this is easier to bootstrap the extension usage, but at the

    end of the day will make it less interoperable and complicate registrars life.

    For insecure TLS versions, what will be the format?

    TLS 1.0

    TLS_1.0

    TLS_1_0

    TLSv1.0 like the example given

    0x0301

    etc.



JG - The tlsProtocol security event is meant to communicate the deprecation of a TLS protocol that was negotiated when connecting to the EPP server.  You need to first be capable of connecting to the server to send the login command, so the tlsProtocol security event will enable the server to proactively let the client know that the TLS version negotiated is deprecated with an optional date when the TLS version will not be supported.  If the TLS version is not supported, the TLS handshake will fail, and draft-ietf-regext-login-security will not be of use.  The termination of the EPP TLS connection is typically done with an EPP-aware gateway / server, but if a proxy is used that is incapable of passing the TLS connection information to the EPP application server, the EPP server will not be capable of supporting the certificate, cipher, or tlsProtocol security events.  An EPP server does not need to support all of the draft-ietf-regext-login-security security event types.  The draft-gould-regext-login-security-policy is meant to inform the client what security events are supported along with the security event policies.  There is no standard related to the format of the TLS versions and the ciphers that I'm aware of, so the value returned for a tlsProtocol and cipher security event is up to the TLS stack chosen by the server.



    - the level could have from the get go accepted typical logging levels, so like info/debug/trace/notice in addition to current warning/error



JG - The point of the security event is meant to identify an issue and is not meant for other levels that are typically used for logging, such as info/debug/trace/notice.



    - there is no discussion if the server SHOULD/MAY/MUST refuse the login (return code > 2000)

    if there is any event at level="error".



JG – The security event can be associated with multiple security use cases (connection, login, and statistics) that is up to server policy to define what an "error" level results in.  The SHOULD/MAY/MUST and the refusal of the login is server policy and not applicable to draft-gould-regext-login-security.  The draft that does define the server policy is draft-gould-regext-login-security-policy.



    - "The client SHOULD NOT decrease the security of a new password by

       decreasing the length of the current password." that does not explain how the

    server should react then? Allow it always? Deny it? Let it decide per local policies?



JG - I don't believe the server will even know, assuming that they're storing the password as a hash.  I believe the server should define the format requirements of the new password (e.g., max, min, characters) and not attempt to enforce this security consideration.



    - a mention/discussion of RFC7613 would seem appropriate



JG - I reviewed RFC 7613 and I really don't see it's applicability to draft-ietf-regext-login-security, since the format of the passwords is up to server policy.  Use of a specific password format that supports International characters and the PRECIS framework can be defined in a BCP, where section 8.1 of RFC 7613 states that the ability to include a wide range of characters for creating a strong password with high entropy ought to be weighed against the possible need to reproduce them on various devices using various input methods.  Weighing the options is a server policy decision and not in scope for draft-ietf-regext-login-security.



    - more generally working today on authentication should be based on SASL and

    we should open things better and with more extensibility. This extension is just

    piggybacking on the current scheme which creates its own range of interoperatbility

    problems.



JG - EPP RFC 5730 does define the use of PLAIN SASL, which is what draft-ietf-regext-login-security is extending to support longer passwords.  Piggybacking on the current scheme enhances the interoperability.  If you have a proposed alternative scheme for EPP authentication, I recommend that you define it in an Internet Draft for consideration.



    --

      Patrick Mevzek

      pm@dotandco.com



    _______________________________________________

    regext mailing list

    regext@ietf.org

    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email