Re: [regext] Opsdir last call review of draft-ietf-regext-login-security-06
"Gould, James" <jgould@verisign.com> Thu, 05 December 2019 13:58 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D18812004A; Thu, 5 Dec 2019 05:58:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id os9gRsvdVccO; Thu, 5 Dec 2019 05:58:13 -0800 (PST)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9DD7120013; Thu, 5 Dec 2019 05:58:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=4824; q=dns/txt; s=VRSN; t=1575554293; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=CBkwPMPo1TzOl2zfjd0TLyACLBaj+TYXFVlLhuUZfiY=; b=eP5FQSTM/WQKdl4m/Hoy0d4jjHUojZO8O6if1JabbzVrQNyLuUrX+xL3 XQ1hleWOBfqWNTthn4vWsOq9RPpgZW4oR5lbLIbIb0N9S+6YpAoM+j5su taUUhbdnbmcv4v5pjiJepRSdYedOrOTECf4N5X4XI4IMKP9lVLr2jmvXd UFlAenSZ2gVMQtgz44r1aMbzU4EWnxKXgMnRzEpVan9WnTMdORjatjRHG rMZR5rAE2I/f5QQRpdM9/tqFNuEJHkFopZ39WIxEpYSCzMl5auD3CIL2Q mk1D/p4K4Qo4i3lAqxuJu8TbYZnouNgDT92q3UKE01H15f0MOVAbWtTEa A==;
IronPort-SDR: 6A7Ql+l5ZWs4OO2TtJVVgcOxkojeckx3ZaMYjqyokYLz51s1ddVqM85SY5PbTDNe7e0bsU0iVM NoIbqcmcCaxegWwZGzecxqDcOG1FRtZ39sRwovD4m9TWdlkVEz4RhXH0l7XJ5/0ss5+Qf+pLa8 VI7/D/I1MlxhBcTMbs8niRDE7/Pp+WEJemuR19AY6M+e1Gy+dVrbZ4YQjs+GnsHTQ8awU/MGeQ 0ZWzVADgQqvqnMKckmeQxmHAnqa40YdFemZf7FbOTpf3dvQFTvYeNw55xIt8ncjckdxb7x9xMt Tgg=
X-IronPort-AV: E=Sophos;i="5.69,281,1571702400"; d="scan'208";a="229865"
IronPort-PHdr: 9a23:jbIoGhO5OiK7gCJfbpkl6mtUPXoX/o7sNwtQ0KIMzox0K/75p8bcNUDSrc9gkEXOFd2Cra4d0KyP4/mrBDxIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfL1/IA+roQjSq8UajotvJ6UswRbVv3VEfPhby3l1LlyJhRb84cmw/J9n8ytOvv8q6tBNX6bncakmVLJUFDspPXw7683trhnDUBCA5mAAXWUMkxpHGBbK4RfnVZrsqCT6t+592C6HPc3qSL0/RDqv47t3RBLulSwKLCAy/n3JhcNsjaJbuBOhqAJ5w47Ie4GeKf5ycrrAcd8GWWZNW8BcXDFDDIyhdYsCF+oPM/hFoYnhqVUArhW+CguiC+Pu1jBGiXD50LYm0+s6FAHKwBAsEsgMvXnSsd77NL0SUeewzKTQwznNbvRW2Sr56IfVahwqvPWCUqh1ccXP0kkjGR7Og1KSqYzqODOVy+ANvHWA4up+S+2vkW8nqxpwojigwMcgkJXGhoUQyl3d8yhy3Yg7Jdq9SEFhYN6kFoNdtz+EOItsQ8MiWGBouCk8yr0Hv560YDIGx4ggxx7abfGMbouG4gr7WeqMPTt0nm9pdbCxihqo7EStyuPxWtO73VtJtiZJj8XAumoQ2xHR9sSLUOZx80ii1DqVygze6flIIU4qmqfYN5Isx7s9mYAQvEnHBSD7nUv7gLGLeUgl/+Wn8ODqb7Tkq5KZOYJ5hAPzPbkol8eiG+o3KBIOUHKe+emk0b3j+lD2T6tSg/0tl6nZrIjaJcMGpq6lGwNV0pgs6xK4Dzq+zdkWgWEJIE9FdxyfgIbmOk3CLO3iAfehn1usly1rx+jcMrL7H5rBNGbDkK36fbZ78UJT1A0zzdVH65JVDLEOPu7zV1fsuNDEFBM1Lg65zuj9BNlg1o4TV3iDD6CaPa/KtF+H/OMvI+2CZI8Pvzb9LuAo5/zhjX8+hF8debSm0IAJaH+mBPRmIl6ZYXvjgtcHC2sFog0+TOnyhF2YTTFTf2qyX7475jwjFI2mFYbDRo+rgLObwCe0BIZbaXxHClCXDXjocJ+IVOsLaCKXOsVhiCALVaC9S4890hGjrAj6y6J8LubN5yIYtIjj2cN05+LNiREy+yZ4D8OH02GCV2t0hH8HRycq3KBjpkxw0lOD3rJjg/xEDNBc++lGUgM+NZPHzux1FczyWgzbcteOUlamTc2sASstQdIp398Of0F9Fs2/gRDZxSWqDaMVm6WKBJMq7qLc0WH9J9xjxHbJyqYggEUmTtJLNW2hia5/9g7TC5fSk0qHi6mqaL4c3C/R9GaD12aBpkVYUAprXKXEQ38fekXWoc7+5kPYQL+kEa4nPRdZyc6eNqtKbcXkjU9YS/fsJtvfbH6xlnyxBRmW2rOMYpDme2IH3CXSWwA4lFU49GyCMhN2PiaupWvCBSZpXQbke0Lj9+BioVuwT1Q/yEeBaEg3k/L//QYOwPCdUdsS064K/iA7pH88SFGlxJfaCsCopgd9cuNbe9xrs3ld0meM/SN6I5isa+hAj1sTaE4/60Hh0AhzBq1enNIrt3Ilykx5LqfOgwAJTC+RwZ2lYu6fEWL15h36LveOglw=
X-IPAS-Result: A2EqAwCYC+ld/zCZrQpiAxwBAQEBAQcBAREBBAQBAYF+gwyBMQqEIZB+hBGXBTwJAQEBAQEBAQEBBwETDBABAQKEPgIXgiA4EwIDAQELAQEBBAEBAQEBBQMBAQEChiAMgjspAWMvCQEyAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBBQIIB00HRwEfBiMRRRACAQgODAISARMCAgIwFRACBAENBYMiAbF1gTKKTYEOKIUchxWBQj6BEScMFIFOfj6EMxYXCiYBAoJGMoIsBJAdjxqOKWoDB4IuhjtkiTMXWoQygkEvRIZ7hD+LOI5KgUWFe4EBkWICBAIEBQIVgWmBe3AVZQGCQQlHERSQWYpTdA0kjnYCDRuBB4EQAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 5 Dec 2019 08:58:31 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Thu, 5 Dec 2019 08:58:31 -0500
From: "Gould, James" <jgould@verisign.com>
To: Carlos Pignataro <cpignata@cisco.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-regext-login-security.all@ietf.org" <draft-ietf-regext-login-security.all@ietf.org>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Opsdir last call review of draft-ietf-regext-login-security-06
Thread-Index: AQHVqxqh9CKITPvljUihV9uiDZjhtqerkdqA
Date: Thu, 05 Dec 2019 13:58:31 +0000
Message-ID: <7FB1D326-52B9-4757-81E5-44D224B78194@verisign.com>
References: <157551587247.11231.6261397066987751886@ietfa.amsl.com>
In-Reply-To: <157551587247.11231.6261397066987751886@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.f.191014
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <74A635EA47F7ED40825E3DE4A9539E0A@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/lJ0u57H_RBdgIKqnNPUHfX6BYQQ>
Subject: Re: [regext] Opsdir last call review of draft-ietf-regext-login-security-06
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 13:58:15 -0000
Carlos, Thank you for your review and feedback. I reply to your feedback embedded below. -- JG James Gould Distinguished Engineer jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 12/4/19, 10:18 PM, "Carlos Pignataro via Datatracker" <noreply@ietf.org> wrote: Reviewer: Carlos Pignataro Review result: Has Issues Hello, I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes an Extensible Provisioning Protocol (EPP) login security extension that allows longer passwords to be created and adds additional security features to the EPP login command and response. I found the document well structured and easier to read and follow, but I have one concern in regards to backwards compatibility and version management. The document says: 2. Migrating to Newer Versions of This Extension Servers which implement this extension SHOULD provide a way for clients to progressively update their implementations when a new version of the extension is deployed. Servers SHOULD (for a temporary migration period up to server policy) provide support for older versions of the extension in parallel to the newest version, and allow clients to select their preferred version via the <svcExtension> element of the <login> command. However, in which cases the first SHOULD can be ignored? That would break deployability. Further, now in the second paragraph, what is a "temporary migration period"? 27 msec, 2 minutes, 56 years? What is "older versions"? n-2? the previous how many? The client-driven selection and negotiation is useful, however, what are the guardrails and constraints for the server? JG - Ignoring the SHOULD is when the server implements a hard cutover of the old version to the new version based on other mitigating steps, such as providing adequate notice and providing a test environment for clients to test against prior to the cutover. The cutover and the mitigating steps is up to server policy, but the recommendation in the draft is to progressively update the server implementation. Performing a hard cutover would not break deployability if the server only supports the latest version and the clients are created to be forward compatible. It's much better to not force the clients to be forward compatible and to support the old and new versions in parallel for a period of time. The overlap period is a server policy decision and not something that the protocol should define and come to consensus on. Nit: Can the document incorporate instructions for the RFC Editor whether to remove the "Appendix A. Change History" section? JG - Thanks, "[[RFC Editor: Please remove this section.]]" can be added to section. Best, Carlos Pignataro.
- [regext] Opsdir last call review of draft-ietf-re… Carlos Pignataro via Datatracker
- Re: [regext] Opsdir last call review of draft-iet… Gould, James