Re: [regext] I-D Action: draft-ietf-regext-secure-authinfo-transfer-02.txt

"Gould, James" <jgould@verisign.com> Fri, 12 June 2020 15:56 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B30193A09C7 for <regext@ietfa.amsl.com>; Fri, 12 Jun 2020 08:56:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2QH-nPY6K5h7 for <regext@ietfa.amsl.com>; Fri, 12 Jun 2020 08:56:43 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE41B3A0942 for <regext@ietf.org>; Fri, 12 Jun 2020 08:56:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=7030; q=dns/txt; s=VRSN; t=1591977404; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=7VoSO8a6zJQ5lsXsHTc9Fmy9BwgqJosfpLxcR/D+gUU=; b=kJfslg497LrP7QJskgTb3WgkrOV3FANtKLnZB45pyDY236pv4Wx5dQSM tKq4orbS7/Pi2v6WM4mf71pO8oIgypnNy9obYYotJjTXofLhvNUE1JZla 8TdUl2VYtITFzxl/FifcxQpLFlD3sedGL5C+TgIvsdVXzU2HRku5/Bhnr gBl3F7FyaPPqBAOI8k3LFKi9EuzCVrtCyuAKltoD5taHW8RO4tNnuFLhZ 4XWk8RN8jtyks7JuCFub3wvmosOg4LDmsvWEVxk9xwpcC2TogchlvXUPj CWO/iUoEzzrYoVSvivEq5v+oBmT30Sc1MiT5qaUxVWdr8M8iP/6F4DzNH w==;
IronPort-SDR: +PaZm4yojGA6PBMvXowDVVxymATcamDOYi8XdIdzWZQZwrenneF+R/HEQuF+db6zlzlWj6d+ct Q9QK/ytf/JGjL7aZLZwLfRdBApdVgHPD8y66Qr1gqULKJs4soZRrdL8c558yC5pW488HxMnbiP +YRGbIDbpto1Ecc6pUFknsqDnN93OpBDrVRKgNngtuxxemXjAf0At/0+gbiJtfxHj7Wtx82cSi 7snqXKwHTALsHHBrRHjP2xsPrvb77Gi/4EayCc90lA1Na1yNpNiafFgHdO9etdy+WUhJX8RZZe QtI=
X-IronPort-AV: E=Sophos;i="5.73,503,1583193600"; d="scan'208";a="1910389"
IronPort-PHdr: =?us-ascii?q?9a23=3AJwqRthz3kKUEN/7XCy+O+j09IxM/srCxBDY+r6?= =?us-ascii?q?Qd2u8WIJqq85mqBkHD//Il1AaPAdyGrasa0qGH7+jJYi8p2d65qncMcZhBBV?= =?us-ascii?q?cuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx?= =?us-ascii?q?7xKRR6JvjvGo7Vks+7y/2+94fcbglVhDexe65+IRSroQnessQbjpZpJ7osxB?= =?us-ascii?q?fOvnZGYfldy3lyJVKUkRb858Ow84Bm/i9Npf8v9NNOXLvjcaggQrNWEDopM2?= =?us-ascii?q?Yu5M32rhbDVheA5mEdUmoNjBVFBRXO4QzgUZfwtiv6sfd92DWfMMbrQ704RS?= =?us-ascii?q?iu4qF2QxLulSwJNSM28HvPh8JwkqxVvQ6hqRJ8zYHaYYGaKPVwcazGcNMGXm?= =?us-ascii?q?VBW9pdWzBbD46+aYYEEuoPPfxfr4n4v1YCoxqwBQ6xBOPr1zBEnmL906kg3O?= =?us-ascii?q?QkDw7GxwIsFM8JvXTWo9X1M7oSUeSow6TT0zXMcelW2Tbm6IjJfRAhp+uAUq?= =?us-ascii?q?53ccrU0EQiER7OgVqMp4L/JTyVyvgNvHaB7+pmTe+hhGoqph9/rzWh2sohi4?= =?us-ascii?q?bEi54Ix17K6Sh03YY4KN64RkN5btCpH4VduzyaOYZ4Xs4vTWFltSQ4x7AYtp?= =?us-ascii?q?O2cigExZI6zBDRbPyHdpKH4hPlVOuJPzd3mmhleLOkhxaz/kigzOz8Vs+o31?= =?us-ascii?q?pQsiVFldzMumgR2BzS8ciIVvx98l291jaI0gDf8uBELl4olarVMZIhxaQwlp?= =?us-ascii?q?UVvE/eHSH2gF37gLKKekk+5+Sl6erqbq/7qpKcOYJ4kA7zP6c2lsCiHeg0KB?= =?us-ascii?q?UCUmqH9eimybHu8k70TK9XgvA1lKTSrYrUKt4BpqGjBg9YyoMj6xGiADi4yN?= =?us-ascii?q?kYhnwHLE5deBKAkojpJ0nCIPDmAve7hFShiCpmyezeMLH8AprDNnfNn7b9cb?= =?us-ascii?q?pg8UJc1hY8zddF55JMEL0OOu/8VlXvtNzCFR85NRa4zPrgCNV4zo8eWGSPDb?= =?us-ascii?q?GFMK7KrFOE+vgjL/SOaYIbojrxNvgo6vD0gXI2mlIRZayp0oEWaHC8EPRmOU?= =?us-ascii?q?KZYX/0j9cDHmcKuRc+TOj3h1CZTz5ceWyyX6Mn5jE6B4KmC53PSZyqgLyExC?= =?us-ascii?q?u7BIFZZnhaClCQFnflb5+EVOkDaC2MLc5hjicJVbm/RI892xGirgj6y6BoLr?= =?us-ascii?q?mcxipN/4ju29Vl+8XSmA08sztuAI7Vh3uAQGxkgksJSiM4mqdlrhou5E2E1P?= =?us-ascii?q?0yrPtFEdAXr9FAVwohf9aIzeN9FtT+chzMZNaSSVmgBN6hBGdiHZoK39YSbh?= =?us-ascii?q?MlSJ2ZhRfZ0n/yDg=3D=3D?=
X-IPAS-Result: =?us-ascii?q?A2EjBQCLpONe/zCZrQpjA4EJhGSBMwqEGpR3l0wXJgsBA?= =?us-ascii?q?QEBAQEBAQEHARMMEAQBAQKEQhmCFiU4EwIDAQELAQEBBQEBAQEBBgMBAQECh?= =?us-ascii?q?kQBC4I7Ing8CTkBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA?= =?us-ascii?q?QEFAggHNBkHNRIgBiMROh0BCBoCFBICBDAVEgQKCYMmAbZVgTKFUYUHgQ4qj?= =?us-ascii?q?GWBQj6BESccgk0+gmcCA4FKGAwLCiYIgkUzgi0Ekh+GXZtBAweCWYg8kGIdg?= =?us-ascii?q?nCBFogEkEaCF4xNhEqBYoZUEoFClCMCBAIEBQIVgWpmgRNwFRohKgGCPglHF?= =?us-ascii?q?wINjikYg06FFIVCdA4mAwIGAQcBAQMJjg6BD4ERAQE?=
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Fri, 12 Jun 2020 11:56:41 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%6]) with mapi id 15.01.1913.005; Fri, 12 Jun 2020 11:56:41 -0400
From: "Gould, James" <jgould@verisign.com>
To: "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [regext] I-D Action: draft-ietf-regext-secure-authinfo-transfer-02.txt
Thread-Index: AQHWQNIP1ZDwVVYgn0Cq5PcwPnck5g==
Date: Fri, 12 Jun 2020 15:56:41 +0000
Message-ID: <A711B62F-E35B-48D5-8D5E-AB3B2EEB11FA@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.16.200509
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <712F3245FA5EC642BF8A28BB7E5394E7@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/ctTYYWYuhsh7lw7kTkEXkHXW-R8>
Subject: Re: [regext] I-D Action: draft-ietf-regext-secure-authinfo-transfer-02.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2020 15:56:45 -0000

I submitted draft-ietf-regext-secure-authinfo-transfer-02 to address feedback from Ulrich Wisser (use of random salt) and from Patrick Mevzek (NULL dependent on the type of database), and I filled in the Security Considerations section.  Please review and provide any feedback to the draft.

Thanks,

-- 
 
JG



James Gould
Fellow Engineer
jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/>

On 6/12/20, 11:53 AM, "regext on behalf of internet-drafts@ietf.org" <regext-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:

    
    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    This draft is a work item of the Registration Protocols Extensions WG of the IETF.
    
            Title           : Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer
            Authors         : James Gould
                              Richard Wilhelm
    	Filename        : draft-ietf-regext-secure-authinfo-transfer-02.txt
    	Pages           : 27
    	Date            : 2020-06-12
    
    Abstract:
       The Extensible Provisioning Protocol (EPP), in RFC 5730, defines the
       use of authorization information to authorize a transfer.  The
       authorization information is object-specific and has been defined in
       the EPP Domain Name Mapping, in RFC 5731, and the EPP Contact
       Mapping, in RFC 5733, as password-based authorization information.
       Other authorization mechanisms can be used, but in practice the
       password-based authorization information has been used at the time of
       object create, managed with the object update, and used to authorize
       an object transfer request.  What has not been fully considered is
       the security of the authorization information that includes the
       complexity of the authorization information, the time-to-live (TTL)
       of the authorization information, and where and how the authorization
       information is stored.  This document defines an operational
       practice, using the EPP RFCs, that leverages the use of strong random
       authorization information values that are short-lived, that are not
       stored by the client, and that are stored using a cryptographic hash
       by the server to provide for secure authorization information used
       for transfers.
    
    
    The IETF datatracker status page for this draft is:
    https://secure-web.cisco.com/1nWxSgquNYjgRAC-j7g-VX-huOMuGaRF_Adgd4ljR80nKZJgFwGQhL7V03Wm05eaxtZ2Y6H9oIEINUeA27eu-ikVIf1PaeOlnGLEW6NnNipF0lmBTQ6XMA71GtS5im3ZqmIoqZ13Sc7Z-aqQp5xKO2HJhwuanB8lVXY8ZjR1UgHMs6De8S2eVU0MfgHZFVFigyOp2GYMWkeUEakfrTcF2JaDiVhtPwQaPg-QXyVUZbJ1t-KTwIkTbrdPzugE7vADHnxb1TPm3yUrsHebay_nvbQ/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-regext-secure-authinfo-transfer%2F
    
    There are also htmlized versions available at:
    https://secure-web.cisco.com/13almBZ8FDCQavB05zHjFUPljVtW-d0NxcKrCOkIq6A6pddCx-MpAskvn7IHnOyYkxMf16cEusKn5F85ynZbf29tXz2U_dsdqbFT7uwI-e5Y5sIT7Q3Nn-bNiZ5PSzfGQaVEfaFchkdtm_V6bHQprAKr8UWqT6R_WwgtKfCmKqxkfpHd1w2B8xKGdvpMDJkNsM0vLrgZv-K8oEqhDvWGJMt79fsw0v6mVDOP5wsn2gXsM6loz3GqdM_0m5-u8aKd-ApP3b8HIsspX7SkOXpgGzbnKqTKymwgpnoFERJRTffA/https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-regext-secure-authinfo-transfer-02
    https://secure-web.cisco.com/1FsT0ACHPYyK5SRgcXu_v3-lLChJrUK5sOV6vfMKr_Zsplu4vEUXdy9zv7DoXXyXPdTHWJae7kjWq2pUMEAqq6enMORE3G0XZnlJE1bMMoxODEQrCJq7zhhO1HK7hG9x3pLc45jzju8iLwQaunjxsJCaL7a2NFWBff7DQvih_IkkUr1AiZaief3OuALXZXygYBn1WQVWM-mq_aL_sZ7473fWW8214ph_gDo91oajhkLCnRGZlGsm4zFFZD5kDxI1qY_I0Ehn-iNPTcCURKwgkEw/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-regext-secure-authinfo-transfer-02
    
    A diff from the previous version is available at:
    https://secure-web.cisco.com/1lvI5BcWA72D95A13V0ng_AP5HHS4vJl-Yz71-H46OoUpa9OjZ3baZEIDUKCYNJn3BV3K4H5WsW-DbFCtbdlsOrmtlY9FIJq1TQ1UhYGmIJSm36KsZ6qathoGVmWp7j6sNDENeGVebtacUs5UsVNZnO6R65lTqEBKBTHCKxVvy-BlNtJrmwCL6-oTcW1m7mv8t-CAtfkI9qyMeNjueQpPmJQ1xgJkH4tHqhRvKoLfwWcT71LAYBhZ_agsp09Wbdihy3LlyhHy39kEMujxTN8DOw/https%3A%2F%2Fwww.ietf.org%2Frfcdiff%3Furl2%3Ddraft-ietf-regext-secure-authinfo-transfer-02
    
    
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.
    
    Internet-Drafts are also available by anonymous FTP at:
    ftp://ftp.ietf.org/internet-drafts/
    
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://secure-web.cisco.com/1bwhJBiwIPO5mhJD-cbteJ1zChdI1AP5SedMd81C2ikzT5tG6Pw7SF67qrqDhvSi2t54tVTrlVOx5wyVgBRppEiVr9NKDH-mUArP-JgsZUIR6BvTT8GETOjI9EnoeFgVtUAx1OkL4qq0G-Sqz0EraZyyTDuW7vcXRnXc2YNNeyc7ztaIXia9dZaMwUAZqeUsEvpF82iKDn0uYTOnyYnAzGYXuji6TwIX-eFgSDsFoQsqpYDD8GFuaf8S5Y_-Y5vwWo9q0dadMNDUtYG5ePFh3lw/https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fregext