Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
"Gould, James" <jgould@verisign.com> Mon, 29 July 2019 20:59 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CA68120090 for <regext@ietfa.amsl.com>; Mon, 29 Jul 2019 13:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nmim8sBQasbA for <regext@ietfa.amsl.com>; Mon, 29 Jul 2019 13:59:48 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1B101200B6 for <regext@ietf.org>; Mon, 29 Jul 2019 13:59:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=44863; q=dns/txt; s=VRSN; t=1564433981; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=gOZU0NcpNw94XCEVetYJOakFJ/iz/DvlNjY66CO0ehw=; b=ZT8Qy3UmD31MnvZAF3v8sBpyXnrmTOj/NKKCBfe0EU5/3mfpzFu3lpMf 9AxSEw4nLuwCUEgrPOLEWcXRGSzzE8tKij6n6KWbmeG7zpDKk384XjzhO l98gVOI9VS1tKNaPrqP7/3h9YqfSkVpye/BNVjr1GoeJY8NDuqaNNbBqo u3SbsIb1ODhP+G6U1CaARO8cWaGWkcBMnuX81t6aHZseOdaf/oDvc0baj O72ZUug2FhVlT3eRw0a2McqAg+P0f99WVxyv2bLoQeeYf6JZ/V4xOFMAL q6BjFzTqg0ZvD3uzuIG/qzMX9IGrTghPZJw312A/r2WRdJvSs0Yt3wtDC A==;
X-IronPort-AV: E=Sophos;i="5.64,324,1559534400"; d="scan'208,217";a="8062177"
IronPort-PHdr: 9a23:xLfisBWbjADnHDV7y6ob0hxjxG7V8LGtZVwlr6E/grcLSJyIuqrYZRSPtadThVPEFb/W9+hDw7KP9fy5AypRuN3Y7S1KWacPfidNsd8RkQ0kDZzNImzAB9muURYHGt9fXkRu5XCxPBsdMs//Y1rPvi/6tmZKSV3wOgVvO+v6BJPZgdip2OCu4Z3TZBhDiCagbb9oIxi6sBvdutMSjId/Jao91xvEr3tVcOlK2G1kIk6ekQzh7cmq5p5j9CpQu/Ml98FeVKjxYro1Q79FAjk4Km45/MLkuwXNQguJ/XscT34ZkgFUDAjf7RH1RYn+vy3nvedgwiaaPMn2TbcpWTS+6qpgVRHlhDsbOzM/7WrakdJ7gr5Frx29phx/24/Ub5+TNPpiZaPWYNcWSXNcUspNSyBNB4WxZJYNAeUcJ+ZVt4nzqUUToxuiCweiB+3vxT1GiX/3waI13P8sHhva0AwlBd8CrG7ZodfzOawPUe611q7IzTDbYv9Y2Dn975XIchQ8rv2UQLl+ddDeyUwxGAPegFmbtIvoPzGa1uQKrmib6/dvWPmxi2E5sQFxoyOvxsYjionPnI4a1lfE9SBgzYszONa2Rkl7Ydu+H5tRsSGXL5V2Td04Q2FpoyY6y7IGuZi6fCgM1Jsr3QLQa/uCc4WO/xntV/6RLC9liH55Yr6zmhS//Ea6xuHhVsS53kxGoyVGn9XUq3wBywbf5tWFR/dh5EutxDmC2gPJ5u1ZIk04jaTbJIAiz7Isk5cetF7MEyzylUrtiaKbeFso9fWp5uniebrrop6ROo1xhwzwPKkjmNGwDOIlOQYURWeb4/6z1Lj78E38R7VFk+M5n7HCsJDfOcQbvqm5AxJJ0oo76xawETOm0NMAkHQaMFxLYA+LgIjxNV/BIf/0Eeqzj06ykDh3wPDGJKXhDo/XIXfeirvhY6x961VayAYp0d9f4JdUBqkAIPL1REDxqMTVAgIlPwCu3urqCttw2pkDVW+PDKKVKqzfvFyQ6uIqOeaMZYsVuDjnK/gi4v7jlX05mVAafam02ZsYdWu1Hup4LEWDYHrsmdYBEWgMvgYkUOPqj1iCXSZJZ3muR6I8+i07CIW+AIfBRYCth7iB3CSlEZ1MfW1GBVeMHmryeIqZRvgNaDieLdNmkjwBTbKhUZMu1QmytA/mzLpqNvLU+igDuJ3+09h1+/fclRcv+jNoCMSRyX2CT2ZxnmkQXT85wLh/oVBhyleEyaV4meJXFdNN6PJGTgc3Lp/cwPJmC9D8QA7Bec2JSFn1CumhVBM2QsN54NgKYEtnU4GgjRfH3CewK7ASm7WHCI1y+aXZiTy5H89h0XfN1+EEgkc0T8gHYXWjrqJ46wHVC4XO1U6ekvDuPe4G0SHA5HurzGeSsgdfSgE6GfHfUH8Sdlf+rNnl6AXFVbD4Wpo9NQ4Ug+GFN69GLpXLhFBLX72rbNbRZH+1l0+uCAyJ3bKDaszhfGBLj3aVM1QNjw1GpSXODgM5HCr05juGVDE=
X-IPAS-Result: A2EQAACfXT9d/zCZrQpjAxwBAQEEAQEHBAEBgVMHAQELAYEUUwWBF4EuCoQUiByITYI/g2SVHRSBKxchBAkBAQEBAQEBAQEHARgBCgwBAQKDeEYCF4J5NAkOAQMBAQEEAQEBAQUBAQEChgcMgjopARRNLwkBMgEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQgCCAc1EgEBGAEBAQECAQEBIUkCBAUHBwQCAQgOAwQBARYBAQEIAQIHAgICJQsdCAIEAQkJG4MHAYEdXh6sW4Eyij6BNAGEcYZRNIFBPoERJx+BTn4+gmEBAYEcEgESAQkCIAsDBx4IAQIFgjwygiYEjCEBKQmCJoR/gi2GQY0jbQMGAoIahluEb4NtFoRigl0+lHOJcINLhmlOE5AMAgQCBAUCFYFQgSBxcBU7KgGCQQmCRAEXFG8BAoJIhRSFP3INJYthAQ0VgQ2BIQEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Mon, 29 Jul 2019 16:59:39 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Mon, 29 Jul 2019 16:59:39 -0400
From: "Gould, James" <jgould@verisign.com>
To: Jody Kolker <jkolker@godaddy.com>, Patrick Mevzek <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
Thread-Index: AQHVK1Go+3TXOv5sIUCrjQELDm1Cjqa3IkSAgAoKFQCAGhiugIACM3YAgATR8AA=
Date: Mon, 29 Jul 2019 20:59:38 +0000
Message-ID: <782934D3-AA21-42F7-A728-DADED00EC446@verisign.com>
References: <2FE774F6-35D1-46B5-B403-2BA1CC8928B3@verisign.com> <9aad0040-20f6-480e-90d6-090ca91c18d3@www.fastmail.com> <4A0925CB-23A7-492C-83C8-36EB23F61A1F@verisign.com> <0119acdb-2ec9-4f14-b37a-d945e0b032b5@www.fastmail.com> <MWHPR02MB3230A50F076B9B554AFE9BACBFC00@MWHPR02MB3230.namprd02.prod.outlook.com>
In-Reply-To: <MWHPR02MB3230A50F076B9B554AFE9BACBFC00@MWHPR02MB3230.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.9.190412
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="_000_782934D3AA2142F7A728DADED00EC446verisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/OO3cJQkWhn1PLNvKiFJG9hpJbKQ>
Subject: Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2019 20:59:57 -0000
I will respond to Patrick’s full feedback separately, but I’ll address the one item raised below in response to Jody’s feedback. From a higher-level, draft-gould-regext-secure-authinfo is intended to provide the starting point for discussion of how to secure the authorization information for transfers.
I pulled Patrick's original feedback on the authorization information storage language of the draft below:
I would also suggest or offer the idea that various points in the draft (like "the authorization information .... MUST NOT be stored by the registrar.") do not align (which means: will never happen) with various registrars policies or architectures.
That one for example shows itself in later parts:
5. Gaining registrar optionally verifies the authorization
information with the info command to the registry, as defined in
Section 4.3.
6. Gaining registrar sends the transfer request with the
authorization information to the registry, as defined in
Section 4.4.
This feedback is associated with the following sentence of the draft:
To protect the disclosure of the authorization information, the authorization information MUST be stored by the registry using a strong one-way cryptographic hash and MUST NOT be stored by the registrar.
The intent of the “MUST NOT be stored by the registrar” is for the losing registrar and not the gaining registrar, since the losing registrar should simply generate the authorization information and provide it to the registry and the registrant. There is no reason for the losing registrar to store the authorization information, since the losing registrar can unset and set the authorization information at any time. I can see architecturally where the gaining registrar may need to store the authorization information as a “transient” value (e.g., work queue item) to support the completion of the transfer process. The registry will automatically unset the authorization information upon a successful transfer, so the gaining registrar storing the authorization information as a “durable” value (e.g., beyond the transfer process) is not needed.
How about changing the language in the draft to be more specific to the intent, as in:
To protect the disclosure of the authorization information, the authorization information MUST be stored by the registry using a strong one-way cryptographic hash, MUST NOT be stored by the losing registrar, and MUST only be stored by the gaining registrar as a “transient” value in support of the transfer process.
Does this cover the use case presented?
--
JG
James Gould
Distinguished Engineer
jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>
703-948-3271
12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>
On 7/26/19, 11:23 AM, "regext on behalf of Jody Kolker" <regext-bounces@ietf.org on behalf of jkolker@godaddy.com> wrote:
Regarding the drafts position of "the authorization information .... MUST NOT be stored by the registrar."
I agree that registrars will need the ability to store the password for a request to transfer in a domain in some situations (bulk transfers, network outages, registry maintence etc.). There simply is no way around not storing the password to handle every situation.
As far as where this draft should be, I consider it only to be a best practice draft, not anything that will significantly change EPP. I would love to have some type of standard for transferring domains or at least some type of communality between all of the TLDs, but I believe that will be a pipe dream. Every TLD operator will believe they have the "best" transfer implementation.
If we could at least start with a discussion, maybe we could get to similar transfer process for most TLDs.
Would be curious to hear from other registrars and registrys on this topic.
Thanks,
Jody Kolker
-----Original Message-----
From: regext <regext-bounces@ietf.org> On Behalf Of Patrick Mevzek
Sent: Thursday, July 25, 2019 12:46 AM
To: regext@ietf.org
Subject: Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
Notice: This email is from an external sender.
Hello James,
On Mon, Jul 8, 2019, at 14:16, Gould, James wrote:
> JG - The draft is a Best Current Practice (BCP) per RFC 2026, and not
> a standards track draft. The draft describes how to leverage the
> existing EPP RFCs for addressing the security of the authorization
> information value for transfers. EPP can have protocol extensions
> defined as informational and standards track drafts, as well as
> operational practices defined as BCP drafts. There are many examples
> of IETF BCPs. This topic is very applicable to the IETF and the
> REGEXT working group in particular.
I will remain in disagreement here (mandating how registries should store passwords or choose them regarding length and complexity is certainly a bigger issue than just EPP and has nothing to do regarding how EPP works as an exchange protocol between 2 entities), so I will only reply briefly as my contributions will not help whatsoever building this draft and try to refrain from participating in any future LC regarding this draft.
I would also suggest or offer the idea that various points in the draft (like "the authorization information .... MUST NOT be stored by the registrar.") do not align (which means: will never happen) with various registrars policies or architectures.
That one for example shows itself in later parts:
5. Gaining registrar optionally verifies the authorization
information with the info command to the registry, as defined in
Section 4.3.
6. Gaining registrar sends the transfer request with the
authorization information to the registry, as defined in
Section 4.4.
Since both actions have no guarantee to happen back to back and immediately (nor to be done by the same subsystems, from the same EPP client, throught the same EPP connection), the registrar MUST store the authorization somewhere.
Think about connection issues or delayed payment (wish to check authorization information even before taking the payment and starting the transfer), etc.
As is, this document will create interoperability problems in part because it does not even define an extension visible at greeting.
Without that, how could an EPP client know if the server follows point 4.1 for example, which is even more troublesome because of its MAY?
Without a clear indication, a client can continue sending a password, and see its domain:create command be rejected, without even knowing why (error reporting is not something sufficiently standardized and stable across all registries for a client to base itself on).
> Things like that:
>
> > The operational practice will not require the client
> > to store the authorization information and will require the
> > server to store the authorization information using a
> > cryptographic hash.
>
> How the password is stored and handled at the registry is completely
> out of EPP scope. It could as well be symmetrically encrypted, and I fail
> to see even how this can be enforceable (how will you verify remotely
> how the registry stores the password?), as it is not protocol related.
>
> JG - Why would the storage and handling of the authorization
> information be out of EPP scope?
Imagine a registry storing passwords as plain text and another storing it encrypted through some clever mechanism deriving the key from other registrars data (like its EPP password, that one never being needed to echo back, so could be stored as an hash).
What does that change for EPP?
Absolutely nothing.
> Do you agree that a cryptographic
> hash is more secure than using an encrypted value?
Irrelevant to EPP. The EPP schema clearly mandates for the passwords (both login and authInfo) to be exchanged in clear text (encapsulated in TLS of course).
One can see now that things should be done differently, and I could agree there.
But this has no relationship with how the registry stores it.
> JG - It's not meant to take into account all cases that exist today,
That will then remain a big problem for me, as an implementer.
> So in my views the current password based model per domain has died,
> and other solutions have to be searched for. Maybe there is space to pursue
> in solutions around OTP frameworks.
>
> JG - You may want to take a stab at defining an alternative mechanism.
> I believe that EPP does not need to be extended to make the
> authorization information secure for transfers.
Aside, remember that the current EPP schema already allows for authorization to happen, not only by providing the domain authInfo but instead the authInfo of a related contact (and its ROID to be able to pinpoint it).
And I seem to remember at least one registry to allow that. So definitively rare but not 0 either.
> Any ideas that you have to improve it would be greatly appreciated.
Maybe, but for me this work is not a good fit inside this working group or even the IETF. It may be a better fit for some ICANN groups, in order to deliver some "consensus policies" document (but remembering also at the same time that there is a world outside of gTLDs....). In my view the whole process around transfers (and not just talking here about the EPP transfer command) should be reviewed and reworked.
--
Patrick Mevzek
pm@dotandco.com
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
- [regext] FW: New Version Notification for draft-g… Gould, James
- Re: [regext] New Version Notification for draft-g… Gavin Brown
- Re: [regext] New Version Notification for draft-g… Gould, James
- Re: [regext] FW: New Version Notification for dra… Patrick Mevzek
- Re: [regext] FW: New Version Notification for dra… Gavin Brown
- Re: [regext] FW: New Version Notification for dra… Patrick Mevzek
- Re: [regext] FW: New Version Notification for dra… Gould, James
- Re: [regext] FW: New Version Notification for dra… Patrick Mevzek
- Re: [regext] FW: New Version Notification for dra… Jody Kolker
- Re: [regext] FW: New Version Notification for dra… Gould, James
- Re: [regext] FW: New Version Notification for dra… Gould, James
- Re: [regext] FW: New Version Notification for dra… Martin Casanova
- Re: [regext] FW: New Version Notification for dra… Patrick Mevzek