IETF Logo Mail Archive

Re: [regext] review of draft-ietf-regext-login-security-03

"Gould, James" <jgould@verisign.com> Tue, 09 April 2019 21:37 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D77A120454 for <regext@ietfa.amsl.com>; Tue, 9 Apr 2019 14:37:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SEpP3db7vUyo for <regext@ietfa.amsl.com>; Tue, 9 Apr 2019 14:37:36 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4816912043A for <regext@ietf.org>; Tue, 9 Apr 2019 14:37:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=20047; q=dns/txt; s=VRSN; t=1554845856; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=GDsq74Eg7Zuz4ZPDsi1r/cCL3U4XZqhgBcWLovrJXE0=; b=bLI3e/IIu/p4siijPBCPvepn3f1TMJNSPoto0xx3Ywzp9a6qAlKtpllL g0wFIG0hy3CWHykdyVz6Xj+cOPML7gT+5ZAt+VJ0pDKw9sS4PgYCB++tW TfDxIICrkMvjAJJO+kLUBQ+7wwnEr31eO6lo/rcSBxS36c4mltMLdV8KA GPot3ILVoYycioF8yrGRu21NfdiYXJbGG8PGlY47MbMKlgsVgbZPoXY4J XX0w8oKHQC4g40YZKijW01iATFd2dCewdWB+zCzKzhbs0qsPndfeIjpXv vIlmIsi6M32m6qQbPba+Vx6dj3mQAW7YhcehuXYlTxdPgi8zYwj3EHx7/ Q==;
X-IronPort-AV: E=Sophos;i="5.60,330,1549947600"; d="scan'208,217";a="7427482"
IronPort-PHdr: 9a23:f+H8eRBe/ninPTaQOky3UyQJP3N1i/DPJgcQr6AfoPdwSP37psmwAkXT6L1XgUPTWs2DsrQY0rOQ6v2rADJaqdbZ6TZeKcQKD0dEwewt3CUYSPafDkP6KPO4JwcbJ+9lEGFfwnegLEJOE9z/bVCB6le77DoVBwmtfVEtfre9FYHdldm42P6v8JPPfQpImCC9YbRvJxmqsAndrMYbjZZ/Jqor1xfEonREd/lXyG92OFmfmwrw6tqq8JNs7ihcp+gt+9JcXan/Yq81UaFWADM6Pm4v+cblrwPDTQyB5nsdVmUZjB9FCBXb4R/5Q5n8rDL0uvJy1yeGM8L2S6s0WSm54KdwVBDokiYHOCUn/2zRl8d9kbhUoBOlpxx43o7UfISYP+dwc6/BYd8XQ3dKU8BMXCJDH4y8dZMCAeofM+hFs4nzqVgArRW8CgaiBePg1jBHi2Ts0qEm1uQsCx3K0RYiEt8IrX/arM/1NKAXUe2twqXGzDLDb+5S2Tjg8ITDbxQvruuJXb1uasrdx1QkGgTHjlWfrozlIjeV2fkWvmiF8eVgT+Ovi3UmqwF+pDij3Nsjio7Mho8MzF3P6Ct3wIEwJdKiSU57Z8apEIVOuCGANot2WcIiQ25uuCY7zL0JpYS3czQNyJQi3xLfauKIc5SG4h75U+aROzh4iXR4c7y8nxa/6VWsxvHmWsWp0ltHoDBJnsTMu30DzRDe5cuKRuNg8ku9wzqDygLe5v1eLUwpmqfWKIQtzqMzm5YLv0TMACz7lFnzgaKTbEop+eyl5P/ib7jouJOTKo55hwTlPakqm8GyA+E1PwYAUmWZ5Oux0qDo81fjT7VQlPI2l7HUsJXdJcsGuKG0GxRV0oM/6xanCDemzcgYkWEHLF1bfBKHiJDkNkzSLv7gEPuwg0yinjhqyPzaI7HtGIvNIWTEkLf7ZbZx8VRTxxcpwdBB/ZJUEbcBLOjvVU/2sdzUFh45MwqqzOb7ENhxy58SVXiSDqKbPq7eq0KE6+IhLuWWa4IYuy7xK/0/6P7viX85l0Udfa6s3ZYPanC4EfNmI1idYXXxmdoBD3kFvhA/TOzxiV2CXjhTa2yuUKI74zE3EJimApvbRoCxnLyB2z+2HoVTZm1dF1+MFmvoeJ+CW/gRdC2SJdVtnSADVbikU4Uhzw2htBfmy7p7KerZ4jcYuozs1Ndr6OzTiQo/9T1qAMSB3WGBVWZ0nnkHR2x+4Kcq61R44luEzaF+j/dfU9dU4rkBBh8/HZLb0+V8B9v1HAnGe4HNABy8T9qrES0ZT98tzZkJeUk3U4G4gx/OzzaCArIJmfqMHpNioYzG2H2kbel61nLKkOEDhlwrWYEHYW+pgbN7+yDNCpTIiESWkeChcqFKj32Fz3uK0Wfb5BIQawV3S6iQBX0=
X-IPAS-Result: A2EUAAB6D61c/zCZrQpiAxwBAQEEAQEHBAEBgVEHAQELAYEOgWqBKgqEBIgcinKCO4NdlGmBPxcdCA8BGAEKC4N4RgIXhWw0CQ0BAQMBAQEIAQEBAQIBAQKBBQyCOiIcMRwvCQEFAQEBAQEBJwEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQgCCAc1EgEBGQEBAQIBAQEhCkEQCwIBCC4BARICAgIlCyUCBAESgyIBgRFcF64ogS+FRoRtgTABi12BQT6BOB+CTD6CYQEBgUstCiYBAgWCOzGCJgOKUweCOYQuggmFVoxmAwYCiAKHY4Q3gmORfItThVRDC41bAgQCBAUCFYFPgg9wFTsqAYJBCYINF4NMhRSFP3INJI1wDRWBCoEgAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Tue, 9 Apr 2019 17:37:34 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Tue, 9 Apr 2019 17:37:34 -0400
From: "Gould, James" <jgould@verisign.com>
To: "pm@dotandco.com" <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] review of draft-ietf-regext-login-security-03
Thread-Index: AQHU7vypJBXqitQ6u0Gkh4VsF0Vlr6Y0ULOAgABICAD//8IuAA==
Date: Tue, 09 Apr 2019 21:37:34 +0000
Message-ID: <1E28042B-759E-46D5-9D9C-5271255480D6@verisign.com>
References: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch> <7597ff38-29ba-77e3-e093-524c5cb7123a@switch.ch> <cccbc3cd-1f45-4973-9606-544f1f04425b@www.fastmail.com> <23C64725-1802-46B1-A371-9059F642E10A@verisign.com> <9735244c-3619-46e3-8ce2-f0d6bc8a9bee@www.fastmail.com>
In-Reply-To: <9735244c-3619-46e3-8ce2-f0d6bc8a9bee@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.7.190210
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="_000_1E28042B759E46D59D9C5271255480D6verisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/ZW2b5Wn9ryeQHYQNF7dQ8I76ewo>
Subject: Re: [regext] review of draft-ietf-regext-login-security-03
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2019 21:37:40 -0000

Patrick,



So my point was:

- don't think password policies can be condensed into a regular expression (that may be the case for one registry, but certainly not for all, so I see no need to try enforcing that)



I’m not claiming that all password policies can be condensed into a regular expression, but at a minimum the syntactical policy can.  Other factors associated with the password policy can be handled in discussions around draft-gould-regext-login-security-policy.



- don't put things like that in "human" readable parts



I’m not proposing that password expression should be placed in the human readable message, but I’m pointing out that it can if a server desires to do so.  The server can also place the example message that you provided.  The draft does not need to define what is provided in the human readable message.



—

JG







James Gould

Distinguished Engineer

jgould@Verisign.com



703-948-3271

12061 Bluemont Way

Reston, VA 20190



Verisign.com <http://verisigninc.com/>



On 4/9/19, 5:21 PM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:







    On Tue, Apr 9, 2019, at 16:01, Gould, James wrote:

    > The password expression can be included in the error response using the

    > human readable message per registry policy, which will work for

    > troubleshooting purposes only, since the human readable message should

    > not be parsed by the client.  The login security extension is not well

    > suited for communicating policy information, which is the point of

    > draft-gould-regext-login-security-policy.  The password policy

    > information can be formally communicated via

    > draft-gould-regext-login-security-policy over EPP or using an

    > out-of-band mechanism.



    That was exactly Martin's point on which I was replying:

    <quote>

    I know that you have foreseen draft-gould-regext-login-security-policy

    to query about password complexity but I think for convenience of the

    registrar it would still be nice to somehow include the password

    requirement in the response even if it is redundant. Otherwise one has

    to implement draft-gould-regext-login-security-policy at the same time

    or communicate the requirement out of band.

    </quote>



    And the example given clearly used an attribute to store the regex, which is clearly not

    human redable.



    And again there is no "password expression" since like I tried to show but failed apparently, not all password policies can be compressed into one regular expression.



    And also putting such kind of things (regex) into a "human" readable message makes no sense.

    (it is neither human nor readable)



    It would be far more logical to have a human readable message saying:

    "Password not in compliance with rule A.III.b.3.i of regulations at https://www.registry.example/a_super_nice_documentation.pdf"



    So my point was:

    - don't think password policies can be condensed into a regular expression (that may be the case for one registry, but certainly not for all, so I see no need to try enforcing that)

    - don't put things like that in "human" readable parts



    Finally, like I said, piggybacking everything on another EPP extension risks for now the fact that not a lot of registries will implement it.

    Each extension should try to stand-alone as much as possible...

    Otherwise in your current setup a registry needs to implement this extension, the core policy one, and then the extension on the policy one. I have low hope this will happen... And the amount of discussions around this



    --

      Patrick Mevzek

      pm@dotandco.com



    _______________________________________________

    regext mailing list

    regext@ietf.org

    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email