Re: [regext] draft-ietf-regext-login-security
"Patrick Mevzek" <pm@dotandco.com> Tue, 02 July 2019 07:10 UTC
Return-Path: <pm@dotandco.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFF971201E7 for <regext@ietfa.amsl.com>; Tue, 2 Jul 2019 00:10:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dotandco.com header.b=C+7oMVp0; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=PkZWDHhr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TILV9yNGKVeE for <regext@ietfa.amsl.com>; Tue, 2 Jul 2019 00:10:37 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 155C91201F8 for <regext@ietf.org>; Tue, 2 Jul 2019 00:10:37 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 296E521FE5 for <regext@ietf.org>; Tue, 2 Jul 2019 03:10:36 -0400 (EDT)
Received: from imap1 ([10.202.2.51]) by compute3.internal (MEProxy); Tue, 02 Jul 2019 03:10:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dotandco.com; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=wfckn2/XBCWnIp543U586eU0rouQio4 XcLbOl5x5WY8=; b=C+7oMVp0yu1UoQVDYpnRCvt3Q0cFh6Afja0idEJvmi6u1SY ai2VtHQ6gJbxoYXDooOU6sszP9RQOkLrchoZOifDvsz5tbvLIA3bQgcAtUC0UH7z tY/V15XwzH4ewVkHKWl4E//RiV1mn2fS/yM45OWUf9GauS+nacMzahH9IKIHjgPK tm5jFYo2vZbSFnSJVpef9R0WN7c80sfLekHOlMkCUzleZKoy+/Zbc2YYIwIQXud6 dsLnRnKp/cOkl/BTPCcE4i54m/Ks5zjfR+SquLLPHHlL76y4lRBJiUez/HkMItoU ES8YhI9v+pUFLcrDabu9vknbx7+tgko/5WO4bxQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=wfckn2 /XBCWnIp543U586eU0rouQio4XcLbOl5x5WY8=; b=PkZWDHhrMcwGldK/WOL3uj Ip/C/Jqzj8q/TR/pWb5MzADaEhncpgDSwApi2B5OQgbxMDf6Fd9YsOTvPXUeg4me C9Z6PUBk4y9a3zwgiA7fsfYi3Yign2PAI0lVZZmVjFxcjDJ3sX+W/07RRF3HFX8P /SGLMCOZhZ6ifbl/rw9WA2PwSFz1rGEFODLDVmBPsDTvs+H3L4ESGAqQ9tsU7Yzf dH49yyWy+ww+STpv40LmxCViaWeZgUq6gcr040OMn4grUfhYX+1G8U3MRDZlhgnU N0kt5tqMH9Ft49o/T5qbZox8dPj+I7eRLYPpqlnyAYdo8swzzlwExjYqW8o0qB0Q ==
X-ME-Sender: <xms:awMbXeN_2Vy2ktFoQiWosS6a9rM3bhJ06JpQMOBHA9kHAllSPUsL0S5ktqE>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduvddrvdejgdduudeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfrfgrthhrihgtkhcuofgvvhiivghkfdcuoehpmhesugho thgrnhgutghordgtohhmqeenucffohhmrghinheptggtfihhohhishdrohhrghenucfrrg hrrghmpehmrghilhhfrhhomhepphhmseguohhtrghnuggtohdrtghomhenucevlhhushht vghrufhiiigvpedt
X-ME-Proxy: <xmx:awMbXc3kp9HJP2xl2QIrBiIA3wu7GEl4fRtA-2Dq6ElWZPh8a6tF7Q> <xmx:awMbXSmg4CXPEXhbQKa5AYhY6gQZe-v81UtcDmsiW4_9nA6hNDiUvw> <xmx:awMbXa6-BQzbiGVdtLQauJ02ganSlrU_nqPEmMosdSoz2cLyc9RmzA> <xmx:bAMbXdMg3EjvYdh1uAakpsJHTAPZwd_op8jwCA93AWiX5hwdUhPOrA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 98A39C200A5; Tue, 2 Jul 2019 03:10:35 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-731-g19d3b16-fmstable-20190627v1
Mime-Version: 1.0
Message-Id: <f03f749c-c8eb-48a3-b9a5-bf9988a013ac@www.fastmail.com>
In-Reply-To: <53272950-1116-4A7B-AC02-E135F8FE813F@antoin.nl>
References: <155991321704.19585.17357914405003536991.idtracker@ietfa.amsl.com> <247A90BF-6E1D-4615-A409-033BE458AC60@antoin.nl> <325F6229-1119-4F4B-AC12-4C3BA37B41D1@verisign.com> <53272950-1116-4A7B-AC02-E135F8FE813F@antoin.nl>
Date: Tue, 02 Jul 2019 02:10:34 -0500
From: Patrick Mevzek <pm@dotandco.com>
To: regext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/Y2nYOQ7JbhUIfPb80tXQL0neTNc>
Subject: Re: [regext] draft-ietf-regext-login-security
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 07:10:39 -0000
On Fri, Jun 21, 2019, at 08:22, Antoin Verschuren wrote: > We believe the draft draft-ietf-regext-login-security still has an open > issue from Patrick Meczek where James response should be confirmed, but I have reviewed past exchanges and I do not think that there is anything open left: I remain in disagreement on various points[1] hence I will not formally approve it, but I won't either block its advancement. So, "all fine" for me. Minor in 4.1: "MUST be included in the response based on the following conditions" you should probably emphasize that there is an "AND" between the two points, not an OR. Probably obvious but since there are other discussions abount unannounced extensions it is probably better to be more specific. [1] Among other things (they already have been discussed or not worth discussing, so I just mention them here for archives, not to open the debate): - I dislike the use of a specific hardcoded string such as LOGIN-SECURITY (IETF even has a specific RFC about choosing "random" names, which was followed by various cases, like for the xn-- in IDNs. See RFC 3797/2777 or its use for IDNs at http://www.ccwhois.org/mailarchive/cctld-discuss/vol05/0096.html) - the extension mixes different things (new password scheme, letting the client identify itself better like user-agent in HTTP, letting the server give back more structured information about both passwords and TLS... this should be in 3 extensions, not one) - discussing about TLS versions being insecure or not would probably need a reference to RFC8446 and draft-ietf-tls-oldversions-deprecate - as for reporting problems at the TLS stack was there a discussion on why/when this should happen at the EPP level instead of directly at the TLS level? Specifically because there can be setups where the TLS terminations is in front of the EPP application servers so a server wanting to forbid some connections, for problems at the TLS level may be technically unable to do it at the EPP level. - a lot of things are not defined. For example for ciphers, what is the value field? Is that TLS ciphers from IANA repository? something else? Not defining things like this is easier to bootstrap the extension usage, but at the end of the day will make it less interoperable and complicate registrars life. For insecure TLS versions, what will be the format? TLS 1.0 TLS_1.0 TLS_1_0 TLSv1.0 like the example given 0x0301 etc. - the level could have from the get go accepted typical logging levels, so like info/debug/trace/notice in addition to current warning/error - there is no discussion if the server SHOULD/MAY/MUST refuse the login (return code > 2000) if there is any event at level="error". - "The client SHOULD NOT decrease the security of a new password by decreasing the length of the current password." that does not explain how the server should react then? Allow it always? Deny it? Let it decide per local policies? - a mention/discussion of RFC7613 would seem appropriate - more generally working today on authentication should be based on SASL and we should open things better and with more extensibility. This extension is just piggybacking on the current scheme which creates its own range of interoperatbility problems. -- Patrick Mevzek pm@dotandco.com
- [regext] regext - New Meeting Session Request for… IETF Meeting Session Request Tool
- [regext] Call for agenda items for IETF 105 Antoin Verschuren
- Re: [regext] Call for agenda items for IETF 105 Gould, James
- Re: [regext] Call for agenda items for IETF 105 Mario Loffredo
- [regext] draft-ietf-regext-login-security Antoin Verschuren
- Re: [regext] draft-ietf-regext-login-security Gould, James
- Re: [regext] [Ext] Call for agenda items for IETF… Gustavo Lozano
- Re: [regext] Call for agenda items for IETF 105 George Michaelson
- Re: [regext] draft-ietf-regext-login-security Hollenbeck, Scott
- Re: [regext] draft-ietf-regext-login-security Gould, James
- Re: [regext] draft-ietf-regext-login-security Martin Casanova
- Re: [regext] draft-ietf-regext-login-security Gould, James
- Re: [regext] draft-ietf-regext-login-security Martin Casanova
- Re: [regext] draft-ietf-regext-login-security Gould, James
- Re: [regext] draft-ietf-regext-login-security Patrick Mevzek
- Re: [regext] Call for agenda items for IETF 105 Joseph Yee
- Re: [regext] draft-ietf-regext-login-security Gould, James