Re: [regext] Minor comment on draft-gould-regext-login-security-02

"Gould, James" <jgould@verisign.com> Tue, 15 January 2019 19:07 UTC

From: "Gould, James" <jgould@verisign.com>
To: "jgould=40verisign.com@dmarc.ietf.org" <jgould=40verisign.com@dmarc.ietf.org>, "pm@dotandco.com" <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Date: Tue, 15 Jan 2019 19:07:06 +0000
Message-ID: <7715E930-6CE1-4D8A-BA66-91FB2CFD1F44@verisign.com>
References: <f5eb0320-e0b4-4d68-88dd-718ae3adf958@www.fastmail.com> <F17F905B-DF10-47A3-8F78-A879EBA47D46@verisign.com>
In-Reply-To: <F17F905B-DF10-47A3-8F78-A879EBA47D46@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/SCN3rbhswpQFQyHeB-hOuvRAvEA>
Subject: Re: [regext] Minor comment on draft-gould-regext-login-security-02

Patrick,

I addressed your feedback in draft-gould-regext-login-security-03, which did require bumping the XML schema version up to urn:ietf:params:xml:ns:epp:loginSec-0.3.  I also made the corresponding change for the newPW case issue to draft-gould-regext-login-security-policy-02.  Please review and let me know if you identify any other items.  

Thanks,
  
—
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 1/11/19, 1:21 PM, "regext on behalf of Gould, James" <regext-bounces@ietf.org on behalf of jgould=40verisign.com@dmarc.ietf.org> wrote:

    Patrick,
    
    Thank you for implementing draft-gould-regext-login-security and the feedback.  I provide responses to your feedback below prefixed with "JG - ".      
      
    —
     
    JG
    
    
    
    James Gould
    Distinguished Engineer
    jgould@Verisign.com
    
    703-948-3271
    12061 Bluemont Way
    Reston, VA 20190
    
    Verisign.com <http://verisigninc.com/> 
    
    On 1/11/19, 2:12 AM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:
    
        Dear James and Matthew,
        
        A minor point while implementing it (finished, will announce it soon).
        
        If a new "long" password is presented, it is exchanged in the <newPW>
        node.
        
        However, for events, among the list of possible values for type you have: newPw
        
        I see no reason for the different casing.
        
        I recommend that the type value is also newPW or, to be more in line with other
        values to just spell it out in full, hence "newPassword".
        
        In fact I have found one instance of
        <loginSec:newPw>
        for the XML node, so maybe a leftover of a previous change.
        You may want to double-check all examples/quotes of the node name to have the proper casing.
     
    JG - Thank you for finding the inconsistency in the case of the <loginSec:newPW> element in the extension.  The goal is to match the case of the <newPW> element in RFC 5730, so I'll be sure to consistently reference "newPW" throughout in the next version of the draft.
       
        Also, since all 3 nodes are optional under loginSec, you may wish to specify that the extension should be sent only if at least one of the nodes is present beneath it.
        Or what the server should reply if it gets only an empty root node.
    
    JG - I agree some text would be helpful here.  I would anticipate that even if there was an empty <loginSec:loginSec> element, the server would only process the elements passed, so the server would do nothing with the empty element.  I'll take a shot with some text in the next version of the draft.
    
        (and on a more philosophical level, I feel userAgent should not be defined in this extension because it has nothing to do with passwords and could be useful just by itself; it is useless however to create an extension just for it, so I can understand why it is put there, but it is still bundling together things that are not related)
    
    JG - The Login Security Extension goes beyond passwords and relates to security in general.  The userAgent helps identify current and future security events that can be included in the login response.  
        
        And maybe provide some advice about downgrade, what about the following chain of events:
        - change of password using loginsec:newPW for a long password
        - but then change back to short password using pure newPW without the loginSec part.
        
        Allowed? Recommended?
     
    JG - Yes, it would be allowed by the extension, but may not be allowed by server policy.  The <loginSec:newPW> element is only required if the new password is longer than the RFC 5730 maximum of 16 characters.  The same holds true for the <loginSec:pw> element.  I recommend that the client increase instead of decrease the strength of the passwords, but there is nothing in the extension that would disallow it.       
    
       
        -- 
          Patrick Mevzek
          pm@dotandco.com
        
        _______________________________________________
        regext mailing list
        regext@ietf.org
        https://www.ietf.org/mailman/listinfo/regext
        
    
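As an added illustration of the last exchange above (the downgrade question and the empty <loginSec:loginSec> element), not code from the draft or from either participant: a hypothetical server-side check in Python. It assumes the loginSec-0.3 namespace named in this thread, a constructed sample <login> message and RFC 5730 result codes 2001/2306; how the RFC 5730 <pw>/<newPW> values are filled when the extension carries the real password is not modelled.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
SEC_NS = "urn:ietf:params:xml:ns:epp:loginSec-0.3"  # schema version named in this thread
RFC5730_MAX_PW = 16  # maxLength of the RFC 5730 pwType

def extract_new_pw(login_xml):
    """Return (new_password, via_loginsec). The RFC 5730 <newPW> is used
    unless <loginSec:newPW> is present; an empty <loginSec:loginSec/>
    carries nothing and is simply ignored."""
    root = ET.fromstring(login_xml)
    ext = root.find(f".//{{{SEC_NS}}}loginSec/{{{SEC_NS}}}newPW")
    if ext is not None and ext.text:
        return ext.text, True
    base = root.find(f".//{{{EPP_NS}}}login/{{{EPP_NS}}}newPW")
    if base is not None and base.text:
        return base.text, False
    return None, False

def check_password_change(current_pw, login_xml, allow_downgrade=False):
    """Hypothetical server policy: returns (EPP result code, reason).
    The extension itself permits going back to a short password; whether a
    server accepts that is policy, modelled here by allow_downgrade."""
    new_pw, via_loginsec = extract_new_pw(login_xml)
    if new_pw is None:
        return 1000, "no password change requested"
    if not via_loginsec and len(new_pw) > RFC5730_MAX_PW:
        # A long password only fits in <loginSec:newPW>; XML schema
        # validation would reject this <newPW> anyway.
        return 2001, "new password exceeds RFC 5730 limit; use <loginSec:newPW>"
    if (len(current_pw) > RFC5730_MAX_PW and len(new_pw) <= RFC5730_MAX_PW
            and not allow_downgrade):
        return 2306, "server policy forbids shortening a long password"
    return 1000, "password change accepted"

def build_login(pw, new_pw=None, via_loginsec=False, empty_ext=False):
    """Constructed sample <login>; not a message taken from the draft."""
    base_new = "" if (new_pw is None or via_loginsec) else f"<newPW>{new_pw}</newPW>"
    ext_body = f"<loginSec:newPW>{new_pw}</loginSec:newPW>" if via_loginsec else ""
    ext = ""
    if via_loginsec or empty_ext:
        ext = (f'<extension><loginSec:loginSec xmlns:loginSec="{SEC_NS}">'
               f"{ext_body}</loginSec:loginSec></extension>")
    return (f'<epp xmlns="{EPP_NS}"><command><login><clID>ClientX</clID>'
            f"<pw>{pw}</pw>{base_new}<options><version>1.0</version>"
            f"<lang>en</lang></options><svcs><objURI>urn:ietf:params:xml:ns:"
            f"domain-1.0</objURI></svcs></login>{ext}</command></epp>")
```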