Re: [regext] draft-ietf-regexy-login-security

"Patrick Mevzek" <pm@dotandco.com> Wed, 13 November 2019 19:55 UTC

Message-Id: <94e5e1f6-bd74-43ac-bef7-4d95ab91439e@www.fastmail.com>
In-Reply-To: <78c95628e8f84901b7230f6674ee3120@verisign.com>
References: <406eac6f-f908-4944-8f43-16df858b182f@www.fastmail.com> <78c95628e8f84901b7230f6674ee3120@verisign.com>
Date: Wed, 13 Nov 2019 14:54:37 -0500
From: Patrick Mevzek <pm@dotandco.com>
To: regext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/h7hqJjnGVlFTUSEkNz5gHjOXrfc>
Subject: Re: [regext] draft-ietf-regexy-login-security


On Wed, Nov 13, 2019, at 08:37, Hollenbeck, Scott wrote:
> TLS protection is specified to avoid sending passwords in plaintext form.

Yes, but this solves only the security-in-transit part, not security at rest.

These EPP frames are stored on both sides of the connection, logged, added to backups, etc.
This is needed for various troubleshooting needs, as well as disputes and so on.

Without any specific code filtering the passwords out of the frame before
storage (which comes with its own edge cases, because then it means you are troubleshooting things based on data as stored, not really as exchanged, even if the difference in theory is well contained to specific parts), you then have the password in clear in many places.
And not all registrars
maintain open persistent connections, or some registries shut down active connections
like each hour no matter what, which means a registrar may send dozens or hundreds
or more login requests per day.

> I agree that we should consider login security improvements over time 
> as new options are available to us. It's always best to start a 
> conversation by throwing a proposal out there for people to consider.

I am interested in working on this if anyone else is also. I might try to offer
a proposal at some point, not sure.

During discussions of this draft, I pointed to SASL for the extensibility it provides,
but this was apparently not a good fit for this specific extension.

-- 
  Patrick Mevzek
  pm@dotandco.com
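The at-rest concern above (EPP login frames with a clear-text password landing in logs and backups) is what a storage-side filter addresses. The following is an added example, not code from the thread or from any registry implementation: it masks the credential elements of an EPP <login> frame before the frame is written to a log, and reports how many values were masked so the stored copy is visibly different from what was exchanged. The sample frame is constructed for the example; the element names match the base EPP namespace, and matching on local name is an assumption meant to also cover a login-security extension that reuses the same names.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
# Keep the EPP default namespace unprefixed when the frame is re-serialised.
ET.register_namespace("", EPP_NS)

# Local names of credential-bearing elements in an EPP <login> command.
# Matching on local name (assumption) also catches same-named elements in
# an extension namespace, not only the base EPP <pw> and <newPW>.
SECRET_LOCAL_NAMES = {"pw", "newPW"}
MASK = "[REDACTED]"


def redact_login_frame(frame: bytes) -> tuple[bytes, int]:
    """Return (frame_for_log, masked_count).

    masked_count > 0 means the stored copy differs from the wire copy, so a
    troubleshooter knows the log is not a verbatim capture. A frame that
    does not parse is withheld entirely (count -1) rather than logged raw,
    since a malformed login frame may still contain the password in clear.
    """
    try:
        root = ET.fromstring(frame)
    except ET.ParseError:
        return b"[UNPARSEABLE EPP FRAME WITHHELD FROM LOG]", -1
    masked = 0
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix
        if local_name in SECRET_LOCAL_NAMES and el.text:
            el.text = MASK
            masked += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), masked


# Constructed sample login frame (values are placeholders, not real credentials).
SAMPLE_LOGIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <login>
      <clID>ClientX</clID>
      <pw>example-secret-1</pw>
      <newPW>example-secret-2</newPW>
      <options><version>1.0</version><lang>en</lang></options>
      <svcs><objURI>urn:ietf:params:xml:ns:domain-1.0</objURI></svcs>
    </login>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>"""

if __name__ == "__main__":
    safe, n = redact_login_frame(SAMPLE_LOGIN)
    print(n, safe.decode())
```

Run the filter on both the outbound and the inbound copy of the frame, before any logging or archiving layer sees it; a `masked_count` of 0 on a frame that should contain a login is itself worth alerting on.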