IETF Logo Mail Archive

Re: [regext] review of draft-ietf-regext-login-security-03

"Gould, James" <jgould@verisign.com> Wed, 10 April 2019 17:54 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB7431204AA for <regext@ietfa.amsl.com>; Wed, 10 Apr 2019 10:54:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQzqPiUAWCIh for <regext@ietfa.amsl.com>; Wed, 10 Apr 2019 10:54:12 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5BE120414 for <regext@ietf.org>; Wed, 10 Apr 2019 10:54:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=19247; q=dns/txt; s=VRSN; t=1554918851; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=JUiebxZHoQFSnOtD8Z72azPt9FhN5gfjJ9xd/zx2ELs=; b=qql7wyY6z5Q620i3VZ1H8LGv/b5tL5Dc9clGG5gR7vymyhrLf0t7Rruy 8OzbFzDgHi+plXkyIDZaVEhUfXvxABPi7SK9nr5ga8OYnHEQAwRQyA84G gALnY3wWsj7rW/tx9QjposwCnfo56Hz5+nL6vbaXSoPu5yyVV7Qy6rLuh VaXMYgNJbrn0p1TgRSzNxvWRUsfgjkaMcAU88irMGpJmEgEWlLiOdyeaw lU+h/PPBhWcJfUSNG5WkEVrGysVbyD2crNnk2o8wwroGD1FUd0Sgf5zaq RJNaDKV98awA45XaZIcMnLKNYxoXPY1b646dRWIm2FxA2JeLM1OliqCC0 w==;
X-IronPort-AV: E=Sophos;i="5.60,334,1549947600"; d="scan'208,217";a="7434611"
IronPort-PHdr: 9a23:myRPsBEjaz8XXRPJzkMXcp1GYnF86YWxBRYc798ds5kLTJ76p8m9bnLW6fgltlLVR4KTs6sC17OP9fm/EjVZsd7B6ClELMUUEUddyI0/pE8JOIa9E0r1LfrnPWQRPf9pcxtbxUy9KlVfA83kZlff8TWY5D8WHQjjZ0IufrymUoHdgN6q2O+s5pbdfxtHhCanYbN1MR66sRjdutMZjId/N6o90AbFr3lHd+hL2G9lJk+YkxLg6sut5pJu/Dlct+47+8JcTan2erkzQKBFAjghL207/tDguwPZTQuI6HscU2EWnQRNDgPY8hz0XYr/vzXjuOZl1yaUIcP5TbYvWTS/9KhrUwPniD0GNzEi7m7ajNF7gb9BrxKgoxx/xJPUYJ2QOfFjcK7RYc8WSGxcVctXSidPAJ6zb5EXAuQBI+hWspX9qVUNoxuwBwajCuLvxSNHiXLtx6I2z+EhHBva0AE6Hd8DtmnfotXvNKcVVOC41KfEwzTEb/NL3Tfy9ZDEeQ0lr/6WWLJ/b9HRxUcyHA7CjFWQpovlPy6R1usQqGWb8fRvVfiui248qgFxrT6vyt0whYnOg4IY01bJ/jh3zoYyIN23Uk97Ydi8HZtOqS6aLYp2QtgjQ2FnviY6y7sGtoKhcCcWz5QnwgbTZOaef4mJ+B7sTv+dIDZgiHJ/Zr2/iAi98Ee9xuHgS8W4ykpFri1AktXUt3ACyQDT6sadRvt65Eeh1jCC3B3Q5OFcOU04iLbXJ4Q8zrMymJcfq1nPEy/4lUnsg6KbdV0o9vW05+j9f7nrpIOQO5VphgzxMakigNGzDOcgPggAQWeW+viw2bjm8ELjQ7hHiuY5n6zXvZzEOMsWp6u0DBRR34si6RuyCjmr3doakHYaKl9OZQiJgJLzO17UJfD1FfK/g1Oxnzh13/3GJbjhAonVLnjEjbfhYa5x605Cxwo3ytBS/49ZBK0ZLv7uWkD/rNPWAR4lPwCp2ernFsly1oQEWWKXGKOWKr7dvUWW5uI1OOmMYpUZtyr6K/gg//LujHk5lkEBfaSxwJcbdGq0EulkLkiXe3bgn9cMHGkQsgcxT+HmkFiCXiRSZ3a2UaI8/DY7CIe+AIfBSYCth6GB3COmEZBNeGBJFEqMEXbzd4WFVPcMbjieLdNmkjwBTbShUZMu1QmytA/mzLpqNvLU+igDuJ3+09h1+/fclRcv+jNoCMSRyX2CT2ZxnmkQXT85wLh/oVBhyleEyaV4meJXFdNN6PJGTgc3Lp/cwPJmC9D8QA7Bec2JSFn1CumhVHspS/o9xMMHZUp2HJOpiRWJl36yBpcZkKCCApA/9eTX2H2nY4430XvJ2bk9p1grXsUJMnepzOYr7QXcCp7Vu0SUi6jscr4Tin3j7mCGmCChu1xcXEo4c6zAUGtVLh/UotPk4k/qUbK0CK8mPQ0HwsmHfPgZIub1hElLEa+wcO/VZHi8zj+9
X-IPAS-Result: A2EGAADOLK5c/zCZrQpiAxsBAQEBAwEBAQcDAQEBgVEGAQEBCwGBDoFqgSoKhASIHIppghYlg12UaYE/Fx0IDwEYAQoLg3hGAheFdzQJDQEBAwEBAQgBAQEBAgEBAoEFDII6IhwxHC8JAQUBAQEBAQEnAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBCAIIBQI1EgEBGQEBAQIBAQEhCkEQCwIBCC4BARICAgIlCyUCBAESgyIBgRFcF6xJgS+FRoRmgTABi12BQT6BEScME4JMPoJhAQGBSy0KJgECBYI7MYImA40VhC+HX4xnAwYCiASEH4NFhDeCY5IBi1aFVEMLjVwCBAIEBQIVgU+CD3AVOyoBgkEJgg0Xg0yFFIU/cg0kjXANFYEKgSABAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Wed, 10 Apr 2019 13:54:09 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Wed, 10 Apr 2019 13:54:09 -0400
From: "Gould, James" <jgould@verisign.com>
To: "pm@dotandco.com" <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] review of draft-ietf-regext-login-security-03
Thread-Index: AQHU7vypJBXqitQ6u0Gkh4VsF0Vlr6Y0ULOAgABICAD//8IuAIAASuEAgAC+JICAAFGwgP//+TSA
Date: Wed, 10 Apr 2019 17:54:09 +0000
Message-ID: <62722D2A-6126-4589-BD8C-CF22FA17B68C@verisign.com>
References: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch> <7597ff38-29ba-77e3-e093-524c5cb7123a@switch.ch> <cccbc3cd-1f45-4973-9606-544f1f04425b@www.fastmail.com> <23C64725-1802-46B1-A371-9059F642E10A@verisign.com> <9735244c-3619-46e3-8ce2-f0d6bc8a9bee@www.fastmail.com> <1E28042B-759E-46D5-9D9C-5271255480D6@verisign.com> <99e7fe7e-d98c-4d80-97c8-015ff383b391@www.fastmail.com> <D192A5DB-AB8C-4B0E-90FE-B0B33213D2CD@verisign.com> <8b81134b-28d4-437f-a67f-c7d94eec5e73@www.fastmail.com>
In-Reply-To: <8b81134b-28d4-437f-a67f-c7d94eec5e73@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.7.190210
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="_000_62722D2A61264589BD8CCF22FA17B68Cverisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/jnkj4pCqrz5aFbwYoyFp8puegYM>
Subject: Re: [regext] review of draft-ietf-regext-login-security-03
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2019 17:54:18 -0000

Patrick,



I did the exercise of defining the PCRE the matches your password format policy, which can be verified using https://regex101.com.  The PCRE is defined below:



(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[.,:;!?-])(?!.*(.{2,}).*\1)(?!.*(.)\2)^[\x00-\x7F]{17,33}$



I breakdown the PCRE to meet each of your password format policy requirements below:



- any character from the Unicode Latin script

^[\x00-\x7F]{17,33}



- at least one uppercase, one lowercase, one digit, and one punctuation character (in no specific order)

(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[.,:;!?-])



- no repeated sequence of two or more characters

(?!.*(.{2,}).*\1)



- no given character repeated in sequence

(?!.*(.)\2)



- between 17 and 33 characters long in total

^[\x00-\x7F]{17,33}



Do you have any thoughts related to what additional password policies should be captured in draft-gould-regext-login-security-policy?



My thoughts include optionally defining the number of past passwords that cannot be used and defining a flag of whether the use of insecure words will be checked.



Should the <loginSecPolicy:pw><loginSecPolicy:expression> element be made optional to address a password format policy that a PCRE cannot be created for?



If a server cannot define their password format policy using a PCRE, I believe the policy may be too complex and should be re-evaluated.  My recommendation is to leave the <loginSecPolicy:pw><loginSecPolicy:expression> element as required.



Should the <loginSecPolicy:pw> element support a method to reference an external resource (e.g., url) that defines the password policy information?



An external resource would require manual intervention by the client, so I don’t recommend supporting an external resource.



Thanks,



—

JG







James Gould

Distinguished Engineer

jgould@Verisign.com



703-948-3271

12061 Bluemont Way

Reston, VA 20190



Verisign.com <http://verisigninc.com/>



On 4/10/19, 10:18 AM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:



    On Wed, Apr 10, 2019, at 08:26, Gould, James wrote:

    > I believe that a PCRE can effectively express the password format policy for EPP; although there may be exceptions to the rule.



    [..]



    > I believe your password format policy can be expressed via a PCRE, but

    > I’ll leave that exercise to you.



    Ok, so there is no proof, just beliefs.



    Hence, I will still object to having PCRE used in that way, because they are just not fit for the job.



    > The question is whether there are existing or planned EPP

    > password format policies that cannot be expressed via a PCRE.



    I gave one example I think.

    Of course you are free to dismiss it and say "but the model works for 90% of cases", and then have an extension that works for 90% of cases which means on the field that multiple registries will instead just write their own (or not implement that one because they can not use it in their case). This is exactly why the world of EPP extensions is so fragmented. But I will rest my case here.



    --

      Patrick Mevzek

      pm@dotandco.com



    _______________________________________________

    regext mailing list

    regext@ietf.org

    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email