[regext] Alexey Melnikov's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)
Alexey Melnikov via Datatracker <noreply@ietf.org> Thu, 23 January 2020 10:58 UTC
From: Alexey Melnikov via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-regext-login-security@ietf.org, Joseph Yee <jyee@afilias.info>, regext-chairs@ietf.org, jyee@afilias.info, regext@ietf.org
Reply-To: Alexey Melnikov <aamelnikov@fastmail.fm>
Message-ID: <157977713547.22794.12692666659052458667.idtracker@ietfa.amsl.com>
Date: Thu, 23 Jan 2020 02:58:55 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/b5gF5PsxoqPfgBxk9DU1sQceixE>
Subject: [regext] Alexey Melnikov's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)
Alexey Melnikov has entered the following ballot position for
draft-ietf-regext-login-security-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-regext-login-security/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thank you for this document. I have several small comments similar to what was
raised by Roman and Ben:

1) In 4.1:

   <loginSec:userAgent>:  OPTIONAL client user agent that identifies the
      client application software, technology, and operating system
      used by the server to identify functional or security
      constraints, current security issues, and potential future
      functional or security issues for the client.  The
      <loginSec:userAgent> element MUST contain at least one of the
      following child elements:

      <loginSec:app>:  OPTIONAL name of the client application software
         with version if available, such as the name of the client SDK
         "EPP SDK 1.0.0".

      <loginSec:tech>:  OPTIONAL technology used for the client
         software with version if available, such as "Java 11.0.2".

      <loginSec:os>:  OPTIONAL client operating system used with
         version if available, such as "x86_64 Mac OS X 10.11.6".

Is there a registry of allowed values or at least some instructions how to
construct these values? There are probably several existing IETF registries
that can be reused.

If these values are not supposed to be used by servers for anything other than
logging (i.e. if they can't be used to work around bugs), then the document
needs to say that.

2) In the same section:

   <loginSec:pw>:  OPTIONAL plain text password that is case sensitive,
      has a minimum length of 6 characters, and has a maximum length
      that is up to server policy.  All leading and trailing whitespace
      is removed, and all internal contiguous whitespace that includes
      #x9 (tab), #xA (linefeed), #xD (carriage return), and #x20
      (space) is replaced with a single #x20 (space).  This element
      MUST only be used if the [RFC5730] <pw> element is set to the
      "[LOGIN-SECURITY]" value.

What is the definition of "whitespace"? Does this only include characters
listed above or does it also include other Unicode characters (e.g. Unicode
whitespace property)? If the former, then instead of using "whitespace that
includes ..." use something like "whitespace is defined as one of ..."

   <loginSec:newPW>:  OPTIONAL plain text new password that is case
      sensitive, has a minimum length of 6 characters, and has a
      maximum length that is up to server policy.  All leading and
      trailing whitespace is removed, and all internal contiguous
      whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage
      return), and #x20 (space) is replaced with a single #x20 (space).
      This element MUST only be used if the [RFC5730] <newPW> element
      is set to the "[LOGIN-SECURITY]" value.

As above.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

8.  Security Considerations

   The extension leaves the password (<pw> element) and new password
   (<newPW> element) minimum length beyond 6 characters and the maximum
   length up to sever policy.

Typo: sever -> server
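
Added example, not part of the original message or the draft: the two readings of "whitespace" raised in DISCUSS point 2, implemented side by side and run over constructed passwords. The function names are hypothetical, and Python's `\s` and `str.strip()` are assumed as a stand-in for the Unicode whitespace property.

```python
import re

# Reading A: "whitespace" is exactly the four characters the draft lists.
LISTED_WS = "\t\n\r "                      # #x9, #xA, #xD, #x20
_LISTED_RUN = re.compile(r"[\t\n\r ]+")
# Reading B: any Unicode whitespace. Python's \s and str.strip() are used as
# a stand-in (assumption); they also match U+00A0, U+2003 and similar.
_UNICODE_RUN = re.compile(r"\s+")

MIN_LEN = 6  # minimum length from the quoted draft text


def normalize_listed(pw: str) -> str:
    """Trim and collapse only #x9, #xA, #xD and #x20."""
    return _LISTED_RUN.sub(" ", pw.strip(LISTED_WS))


def normalize_unicode(pw: str) -> str:
    """Trim and collapse every character Python treats as whitespace."""
    return _UNICODE_RUN.sub(" ", pw.strip())


def compare(pw: str) -> dict:
    """Normalize one password under both readings and report the outcome."""
    a, b = normalize_listed(pw), normalize_unicode(pw)
    return {
        "listed": a,
        "unicode": b,
        "same_password": a == b,
        "listed_meets_min": len(a) >= MIN_LEN,
        "unicode_meets_min": len(b) >= MIN_LEN,
    }


# Constructed sample passwords, not taken from the draft or the message.
SAMPLES = [
    "  s3cret\t\r\n pass  ",      # only listed characters: readings agree
    "abc\u00a0\u00a0def",         # NO-BREAK SPACE inside: readings disagree
    "\u2003abcde\u2003",          # EM SPACE padding: min-length check flips
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```

A client and a server that implement different readings compare different strings for the same typed password, and the third sample passes the 6-character minimum under one reading and fails it under the other.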