[regext] Alexey Melnikov's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)

Alexey Melnikov via Datatracker <noreply@ietf.org> Thu, 23 January 2020 10:58 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: regext@ietf.org
Delivered-To: regext@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 751E812001E; Thu, 23 Jan 2020 02:58:55 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alexey Melnikov via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-regext-login-security@ietf.org, Joseph Yee <jyee@afilias.info>, regext-chairs@ietf.org, jyee@afilias.info, regext@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.116.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Alexey Melnikov <aamelnikov@fastmail.fm>
Message-ID: <157977713547.22794.12692666659052458667.idtracker@ietfa.amsl.com>
Date: Thu, 23 Jan 2020 02:58:55 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/b5gF5PsxoqPfgBxk9DU1sQceixE>
Subject: [regext] Alexey Melnikov's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 10:58:55 -0000

Alexey Melnikov has entered the following ballot position for
draft-ietf-regext-login-security-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-regext-login-security/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thank you for this document. I have several small comments similar to what was
raised by Roman and Ben:

1) In 4.1:

   <loginSec:userAgent>:  OPTIONAL client user agent that identifies the
       client application software, technology, and operating system
       used by the server to identify functional or security
       constraints, current security issues, and potential future
       functional or security issues for the client.  The
       <loginSec:userAgent> element MUST contain at least one of the
       following child elements:

       <loginSec:app>:  OPTIONAL name of the client application software
           with version if available, such as the name of the client SDK
           "EPP SDK 1.0.0".
       <loginSec:tech>:  OPTIONAL technology used for the client
           software with version if available, such as "Java 11.0.2".
       <loginSec:os>:  OPTIONAL client operating system used with
           version if available, such as "x86_64 Mac OS X 10.11.6".

Is there a registry of allowed values or at least some instructions on how to
construct these values? There are probably several existing IETF registries
that can be reused.

If these values are not supposed to be used by servers for anything other than
logging (i.e. if they can't be used to work around bugs), then the document
needs to say that.

2) In the same section:

   <loginSec:pw>:  OPTIONAL plain text password that is case sensitive,
       has a minimum length of 6 characters, and has a maximum length
       that is up to server policy.  All leading and trailing whitespace
       is removed, and all internal contiguous whitespace that includes
       #x9 (tab), #xA (linefeed), #xD (carriage return), and #x20
       (space) is replaced with a single #x20 (space).  This element
       MUST only be used if the [RFC5730] <pw> element is set to the
       "[LOGIN-SECURITY]" value.

What is the definition of "whitespace"? Does this only include characters
listed above or does it also include other Unicode characters (e.g. Unicode
whitespace property)? If the former, then instead of using "whitespace that
includes ..." use something like "whitespace is defined as one of ..."

   <loginSec:newPW>:  OPTIONAL plain text new password that is case
       sensitive, has a minimum length of 6 characters, and has a
       maximum length that is up to server policy.  All leading and
       trailing whitespace is removed, and all internal contiguous
       whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage
       return), and #x20 (space) is replaced with a single #x20 (space).
       This element MUST only be used if the [RFC5730] <newPW> element
       is set to the "[LOGIN-SECURITY]" value.

As above.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

8.  Security Considerations

   The extension leaves the password (<pw> element) and new password
   (<newPW> element) minimum length beyond 6 characters and the maximum
   length up to sever policy.

Typo: sever -> server
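The DISCUSS point about the <loginSec:pw> / <loginSec:newPW> whitespace rule can be made concrete by implementing the normalization both ways. The following is an added illustration, not part of Alexey Melnikov's ballot and not code from the draft or any EPP implementation: it applies the quoted text's steps (strip leading and trailing whitespace, collapse each internal run of whitespace to a single #x20, then apply the 6-character minimum) under the two possible definitions of "whitespace", namely exactly the four characters #x9, #xA, #xD, #x20 versus any character with the Unicode White_Space property (approximated here by Python's `str.isspace()`). The sample passwords are constructed for the demonstration; the function names are mine.

```python
import re

# Reading 1: "whitespace" means exactly the four characters the draft lists.
XML_WS_CHARS = "\t\n\r "
XML_WS_RUN = re.compile(r"[\t\n\r ]+")

# Minimum length stated in the quoted text; the maximum is server policy.
MIN_PASSWORD_LEN = 6


def normalize_pw_xml_ws(pw: str) -> str:
    """Normalize using only #x9, #xA, #xD and #x20 as whitespace."""
    stripped = pw.strip(XML_WS_CHARS)
    return XML_WS_RUN.sub(" ", stripped)


def normalize_pw_unicode_ws(pw: str) -> str:
    """Normalize treating every str.isspace() character as whitespace.

    str.strip() with no argument already removes all such characters at
    both ends; internal runs are collapsed to a single #x20 by hand.
    """
    stripped = pw.strip()
    out = []
    in_run = False
    for ch in stripped:
        if ch.isspace():
            if not in_run:
                out.append(" ")
            in_run = True
        else:
            out.append(ch)
            in_run = False
    return "".join(out)


def meets_min_length(normalized_pw: str) -> bool:
    """Apply the 6-character minimum to an already-normalized password."""
    return len(normalized_pw) >= MIN_PASSWORD_LEN


def readings_differ(pw: str) -> bool:
    """True when the two definitions of whitespace give different results.

    A client using one reading and a server using the other would derive
    different secrets from the same input, so the login would fail even
    though both sides followed the specification text.
    """
    return normalize_pw_xml_ws(pw) != normalize_pw_unicode_ws(pw)


# Constructed sample inputs (not from the draft or the ballot).
SAMPLES = [
    "  secret\t\n pass  ",           # only XML whitespace: readings agree
    "\u00a0secret\u00a0pass",        # NO-BREAK SPACE: readings disagree
    "pa ss\u3000word",               # IDEOGRAPHIC SPACE: readings disagree
    "  ab  cd  ",                    # collapses to 5 chars: too short
]


if __name__ == "__main__":
    for pw in SAMPLES:
        xml_form = normalize_pw_xml_ws(pw)
        uni_form = normalize_pw_unicode_ws(pw)
        print(f"{pw!r}: xml={xml_form!r} unicode={uni_form!r} "
              f"differ={readings_differ(pw)} "
              f"min_len_ok={meets_min_length(xml_form)}")
```

Running it shows that ordinary tab, newline and space input normalizes identically under both readings, while a password containing a NO-BREAK SPACE or IDEOGRAPHIC SPACE is left intact by the four-character reading and altered by the Unicode reading, which is exactly why the ballot asks the text to say which definition it means.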