IETF Logo Mail Archive

Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt

"Patrick Mevzek" <pm@dotandco.com> Mon, 21 October 2019 05:44 UTC

Return-Path: <pm@dotandco.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6E5C1200B8 for <regext@ietfa.amsl.com>; Sun, 20 Oct 2019 22:44:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dotandco.com header.b=iKdNRg25; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=t33glX4x
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CeA6OcDfyINW for <regext@ietfa.amsl.com>; Sun, 20 Oct 2019 22:44:40 -0700 (PDT)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9953C12002E for <regext@ietf.org>; Sun, 20 Oct 2019 22:44:40 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id CF7303A0 for <regext@ietf.org>; Mon, 21 Oct 2019 01:44:39 -0400 (EDT)
Received: from imap1 ([10.202.2.51]) by compute3.internal (MEProxy); Mon, 21 Oct 2019 01:44:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dotandco.com; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=3L4aW8wTdkXudk8quawrDbcdgYu6VYI bkjg7sRKWVHM=; b=iKdNRg25NzJI7mqMNt/B/kmnWQkIJaeVzHtSqlwK8MAQ+xl wbRsD3OtRPmQNy0/+yPyX6zMjd57zHkZ7HyvXtuYERcnlcuxPdt8hdTOPaYzvNS1 2+FJGYK/XMujJ9FYRtTrwuVfVlmEn6oXX7LOMK75yR2xXh75KVdfmTXkBUlNliy8 7q4GX2V8W8iXUBuADlX6GgVm0mrIM64djwlB8dzyR3foVuYFe4RLqoRua3lYxWbk apmu5oGXX54StRWY5m4ePEl6nyoRJSrTGlCLdn14OInx0BvDNIhGpngdzb1968Pl dl/G/i2D+jb11poWPsCC6CVTTLX/AqKyVg3eWoA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=3L4aW8 wTdkXudk8quawrDbcdgYu6VYIbkjg7sRKWVHM=; b=t33glX4xfg/VvL/hR6bI8U jbwUr3xtgBIurQngb6LAtXdKvmYSkPI2OHP4+9loDSC1F4EvnuVnDSlAA45R7Sf+ SH9Z0/O6iEG2MohoPuVWgM+z6ZS9SpkQSsoyJelaxNS9AK7ULkQR7cE3/FCf8uwO v0cH0HyG8SrlMjPnxIuvZ7/eNHNiAOQ4/RmD6Q9ZhZP+DbrwR778Tux5miALyWEb 1uR5WgaW9fZKQXQX2NYWehU2dKHWnMuBfPLSFRyNCcWCj/8gwpcBd3XbBQYIJW50 4VqfsByRFx0YkmYMTNEY/clWUHw4O1yGmR9FfNemIjCay90/NjwiT5e7jwqQuSDg ==
X-ME-Sender: <xms:x0WtXStkK8RpIcQKlrSDTPN3b1YuiGi4BZIdeZA2-6l-D3TQ8683HunREFs>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrkeeggdeljecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreerjeenucfhrhhomhepfdfrrghtrhhitghkucfovghviigvkhdfuceophhmseguohht rghnuggtohdrtghomheqnecurfgrrhgrmhepmhgrihhlfhhrohhmpehpmhesughothgrnh gutghordgtohhmnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:x0WtXQQ83JMaU95LapSdjtv70Qf_NhTGN8_uyEpRCm5MbiZ9Abp_Qg> <xmx:x0WtXcJ_0ouvp0CWqXDmzI4cjKYgVe3mDNOBMrqs8tluBqyKo-mcvg> <xmx:x0WtXc4Nki5JJ8e1h4GoagiItCvpPbaROyWLR3Z4jaHQ0TW6MZn5Wg> <xmx:x0WtXZXxuwXi2LkPH0TSG8Q_wxIPnJJHnZahc5_7gVjj4VmxbltZdw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 1FD9FC200A4; Mon, 21 Oct 2019 01:44:39 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-469-gd84f3d2-fmstable-20191021v3
Mime-Version: 1.0
Message-Id: <94ef1659-28d1-44d4-87d4-36b1c4c0782a@www.fastmail.com>
In-Reply-To: <2FE774F6-35D1-46B5-B403-2BA1CC8928B3@verisign.com>
References: <2FE774F6-35D1-46B5-B403-2BA1CC8928B3@verisign.com>
Date: Mon, 21 Oct 2019 00:43:52 -0500
From: Patrick Mevzek <pm@dotandco.com>
To: regext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/k42HEvU3E0whLGqmke49FyEiWuI>
Subject: Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 05:44:43 -0000

On Tue, Jun 25, 2019, at 07:29, Gould, James wrote:
> The Extensible Provisioning Protocol (EPP) Secure Authorization 
> Information for Transfer (draft-gould-regext-secure-authinfo-transfer) 
> was posted to define a BCP for securing the authorization information 
> using the existing EPP RFCs.  The overall goal is to have strong, 
> random authorization information values, that are short-lived, and that 
> are either not stored or stored as cryptographic hash values.  Review 
> and feedback is appreciated.  

I had another thought on the subject, another model.
I am posting it here in case there are future discussions, I do not push for discussing
now but I think it needs to be on the table as I believe it to offer an alternative
that I do not judge as being better or worse than what is in section 4 of the draft
but I think it has basically the same threat model attached to it and at least the
nice property of not requiring the registry to be mandated to handle authInfo tokens
in specific way, which is for me outside EPP merit (but it keeps some other defects,
like a state per domain at registry side)

So here is the background, and the assumptions:
- the authInfo is only used to authorize transfers, outside that it is useless
- the registrant just passes this code from current to prospective registrar when it is starting a transfer process
- when the registrant goes to old registrar to get the authInfo, I think it already knows who the new registrar would be

If any of the above is not true, then the below will not work.
But if the assumptions hold, here is the alternative way:

- domains do not need authInfo codes anymore, at all
- when a registrant want to stage a new transfer, it goes to the current registrar and in some appropriate section makes the registrar sending a command to "open" a transfer period, after having selected the future registrar concerned; in reply to this command the registry gives a one time token (even time limited) permitted to do the transfer between the specific 2 registrars
- the registrant goes to the new registrar and starts the transfer with the specific token given; in fact in that case the transfer could even be immediate, as the previous registrar in fact already gave its consent by "opening" the transfer window.

Registrars almost do not have to store it, and even if they do the token is tied
to a specific operation (a transfer), in a specific time frame, and ideally between 2 registrars. A far lighter authorization token than the full authInfo attached to a domain.

The EPP allocationToken extension could even be probably used for that.

I think it could easily fit in the current model by having transfer op=prepare
for example as a new case (yes I know that the XML schemas does not allow extending
those values)

In a way it is similar to some registries implementing a "push" transfer that is indeed reversed from the current EPP flows as operations are under control of the current registrar.

Ok, the big problem would be for all registrars to maintain the list of current registrars
for the registrant to choose from. Complicated but not impossible. And not mandatory
strictly for the above to work in fact.

Also, if one wants to bring other ideas on the table I think that some thinking could
be done around how CA handle authorization to deliver certificates: by a specific
change in the DNS, or the website (or in some previous iteration of the guidelines,
and somethings that comes fully back in the domain name business, by a specific
change in the content of Whois output, like in addresses, or nowadays similarly in RDAP).

Again, with a similar threat model, a specific change in the DNS output or the RDDS output
(I would be less inclined to include web changes here first because not all domains
may have a working website and second because this goes quite outside the domain
name industry purely and adds more threat surface)
could be enough to authorize the transfer.

This could go like this:
- registrant goes to new registrar, and requests transfer; no authorization token is required
- registry replies saying to registrar something that needs to be given back to registrant: "to authorize this transfer, add a resource record TXT in your zone file at name XXXXXX with content YYYYY; or add a street element in whois being XXXX"
- if the registrant, through supposedly the current registrar for second option, or even himself directly for first option if he manages its nameservers, does the requested change, then the transfer is automatically acknowledged by the registry.

The registry would have to poll from time to time to check if the changes requested
appear, and limit things to a specific time window.

The biggest drawback is that in this scheme the current registrar may not have any
explicit guaranteed way to oppose any outgoing transfer (because some changes outside of
it could be enough to authorize the transfer)... except that is what
the status clientTransferProhibited was made for.

-- 
  Patrick Mevzek
  pm@dotandco.com

v2.23.0 | Report a Bug | By Email