Re: [regext] draft-ietf-regexy-login-security

"Patrick Mevzek" <pm@dotandco.com> Wed, 13 November 2019 20:44 UTC

Date: Wed, 13 Nov 2019 15:43:59 -0500
From: Patrick Mevzek <pm@dotandco.com>
To: regext@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/KyWtfltkiUQ2s7RRKYFLEJacrn0>

On Tue, Nov 12, 2019, at 19:57, Martin Thomson wrote:
> For a protocol of this nature, it seems like alternative methods could 
> be developed.  And if passwords are unavoidable for usability reasons I 
> can't see right now, then the CFRG is developing password-based 
> authentication protocols that might be suitable for this.  Or there are 
> protocols like OAuth that might allow for delegation.

I agree, there is no reason for this protocol to have clear-text passwords
(both login and domain-associated ones; I do not know any registry using contact
passwords, but they may exist).
For the domain part, there is a separate discussion, as a draft emerged
to handle transfers but still using plain-text passwords. I put on the table
an alternate proposal that works without any domain password whatsoever. So I think
"no password" is a reachable goal there, but it is a separate discussion from this draft.

As for the login we are discussing here,
I agree we could/should/may do better/differently.

That may be a topic of discussion for other/later drafts.
I was not 100% a fan of this proposal exactly because I agree with the goal
(improving the current state of security) but not with the means (I think we
must go further than just allowing longer passwords, which by itself adds only
marginal extra security).

-- 
  Patrick Mevzek
  pm@dotandco.com