IETF Logo Mail Archive

Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt

"Gould, James" <jgould@verisign.com> Mon, 29 July 2019 21:01 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B67301203C4 for <regext@ietfa.amsl.com>; Mon, 29 Jul 2019 14:01:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XnSgKFXmAVjw for <regext@ietfa.amsl.com>; Mon, 29 Jul 2019 14:01:42 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F11D11203C7 for <regext@ietf.org>; Mon, 29 Jul 2019 14:01:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=11878; q=dns/txt; s=VRSN; t=1564434102; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=IbzE5AYgmzachBbL3Rvo32xQdx8o4S7oPdRRYGX0CEI=; b=R9fp1g4TyMpvAAFY+m64lHW6OVD9ljqIrMyR8yfqPqnQpa6C74e5GQat X5riIyGY250foUHhNMCp4Xuq/DRnQdi/6amg5G8EaZkm4yhH2avUETquL xyHg0zpHwvs3uTk3+JdgG6KtQBdiQo8sYOTSU6QfXmUrnl8yhsQlf/wE7 u+dCKuY4LDcdtK0T/uKGYZc29CvcFB117WXJO2gal9oAM1U2Q8ehnGv9q TRes1oQKDUFK20e5YL32nYwTJALNoSspVT7SvUJlgti0IAmhUFEugHjHH 1VG03QP4BEnebJa9WZe2GcjEzP/U3eLrIIyoFBfPs4lFS64JT9CC82a6o A==;
X-IronPort-AV: E=Sophos;i="5.64,324,1559534400"; d="scan'208";a="8114570"
IronPort-PHdr: 9a23:1cgKoBL2UiwN2zup5dmcpTZWNBhigK39O0sv0rFitYgXKv3yrarrMEGX3/hxlliBBdydt6sezbuP+Pm9BCQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTagf79+NhG7oRjeusULgYZvKrs6xwfUrHdPZ+lY335jK0iJnxb76Mew/Zpj/DpVtvk86cNOUrj0crohQ7BAAzsoL2465MvwtRneVgSP/WcTUn8XkhVTHQfI6gzxU4rrvSv7sup93zSaPdHzQLspVzmu87tnRRn1gyocKTU37H/YhdBxjKJDoRKuuRp/w5LPYIqIMPZyZ77Rcc8GSWZEWMtaSi5PDZ6mb4YXD+QPI/tWr5XzqVUNoxuxBwejBOLzxTFHiXD7xrE63P8kEQ3awAAtBdADvXLJp9v1LqcSVuW1wbHGwTvCaPNWxDP955XQfhs8pf+DR7dwftTKyUUhCgjIiVeQqYPiPzOI0uQCrnOW7/R+WuK1im4nsABxojepxss2lobJgYcVx0nC+C5kzog1Iti4R1R6Yd6iCJZQqT+VN5F3QsM5QmFotyA6yrwAuZGnZiQF1JMnxxvHZ/yGbYeI/hzjWPyWITdii3Jofq+0iRWq8UW41+HwStO43EtIoydLiNXAq3AA2hLJ5sWISfZx5lqt1SqV2wzO6OxIPVo4mbfUJpMi2LI8i5kevVzNHiDom0j6kKqbe0A+9eWr7+noebDrq5GCO4BpiwzzN78hl8i+DOk6NwUDUWaW9Oah27Dl4Eb3Wq9FjucsnancqJ3aIMMbqbOnDAJNyYYj7gq/Dy+h0NQFgXkLNFJFdwyDj4juI1zDPez2A++ij1usiDllyPHJMqH8DpnXMHjMjLDhfaxl60JG0gU80MpT54xOCrEaJvL/QFP+tNvdDhMhMgy0xfjoCMll248DRW6DGLKVPaHcvFOS++4iI+eBaJUatTv+M/Ql4uThjX49mV8TZ6mp2p4XZWi6HvRpJEWZfH7sjcoaHGcUoAU+Vu3qiEaDUT5cYXa+Rb4z5jY+CI6+F4fMWpitgKCd3Ce8BpBWfmVGB0uRHnfva4WLQfEMZz+OLc9miDALSb+hS4o53xG0qAD606ZnLvbT+iAAr5Lsytd16PPclBEu7jF0DtqS032DT21umWMIXTA2j+hDphlFw0uZ0KN7y9lVC85e5LsdSgISOZnAxup2ANe0UQXEKJPBAkyrTdi2HRkwQ84/hdgUbAw1T8+vgR3TwwKrDqMb0buRC8pn3Ljb2i27CMFgz3qCnIsoilQ9CIMbN2Khm6pz3xbeHY/Skkqf0a2tcPJPj2b26G6fwD/W7wljWwlqXPCABChHaw==
X-IPAS-Result: A2EYAABlXj9d/zCZrQpjAx0BAQUBBwUBgVMIAQsBgWcFgReBLgqEFIgciwyDZJUdFIErFyAFCQEBAQEBAQEBAQcBGAsMAQECg3hGAhc1ARiCKzQJDgEDAQEBBAEBAQEFAQEBAoYHDIIfCRIpARRNLwkBMgEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQgCCAc1EgEBGAEBAQECAQEBIRE4AgQFEgIBCA4KAgIRAQEBCwcCAgIlCxUQAgQBCQkbgwcBgXserFyBMoo+gQwoAYRxhlE0gUE+gREnH4FOfj6CYQEBgRweEQIUDAsKHggBAgWCPDKCJgSMIQESFwmCJocsk2RtAwYCghqGW4Rvg22EeIMblHOJcINLhmlOE5AMAgQCBAUCFYFQghFwFTsqAYJBCYJEARcUbwECgkiFFIU/cg0li2ABAQ0VgQ2BIQEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Mon, 29 Jul 2019 17:01:25 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Mon, 29 Jul 2019 17:01:24 -0400
From: "Gould, James" <jgould@verisign.com>
To: Patrick Mevzek <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
Thread-Index: AQHVK1Go+3TXOv5sIUCrjQELDm1Cjqa3IkSAgAoKFQCAGhiugIAHBeUA
Date: Mon, 29 Jul 2019 21:01:24 +0000
Message-ID: <FD64FF55-E615-409F-979D-FBFD92E44A82@verisign.com>
References: <2FE774F6-35D1-46B5-B403-2BA1CC8928B3@verisign.com> <9aad0040-20f6-480e-90d6-090ca91c18d3@www.fastmail.com> <4A0925CB-23A7-492C-83C8-36EB23F61A1F@verisign.com> <0119acdb-2ec9-4f14-b37a-d945e0b032b5@www.fastmail.com>
In-Reply-To: <0119acdb-2ec9-4f14-b37a-d945e0b032b5@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.9.190412
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <CC941E916E5795469DCB93DD01F1C95D@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/nXX-P-r8Cd7DxLUTmKMmNXwF0Lo>
Subject: Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2019 21:01:52 -0000

Patrick,

I provide responses to your feedback below.

-- 
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/>

On 7/25/19, 1:46 AM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:

    Hello James,
    
    On Mon, Jul 8, 2019, at 14:16, Gould, James wrote:
    > JG - The draft is a Best Current Practice (BCP) per RFC 2026, and not a 
    > standards track draft.  The draft describes how to leverage the 
    > existing EPP RFCs for addressing the security of the authorization 
    > information value for transfers.  EPP can have protocol extensions 
    > defined as informational and standards track drafts, as well as 
    > operational practices defined as BCP drafts.  There are many examples 
    > of IETF BCPs.  This topic is very applicable to the IETF and the REGEXT 
    > working group in particular.
    
    I will remain in disagreement here (mandating how registries should store passwords
    or choose them regarding length and complexity
    is certainly a bigger issue than just EPP and has nothing to do regarding how EPP
    works as an exchange protocol between 2 entities), so I will only reply briefly as my
    contributions will not help whatsoever building this draft and try
    to refrain from participating in any future LC regarding this draft.

JG - The authorization information is an important element of the EPP RFCs to securely transfer domain names (and contacts), so defining the operational practice for securing the authorization information using the existing EPP RFCs is very relevant.  Your feedback is welcome and encouraged.     
    
    I would also suggest or offer the idea that various points in the draft
    (like "the authorization information .... MUST NOT be stored by the registrar.")
    do not align (which means: will never happen) with various registrars policies
    or architectures.
    That one for example shows itself in later parts:
       5.  Gaining registrar optionally verifies the authorization
           information with the info command to the registry, as defined in
           Section 4.3.
       6.  Gaining registrar sends the transfer request with the
           authorization information to the registry, as defined in
           Section 4.4.
    
    Since both actions have no guarantee to happen back to back and immediately (nor to be done by the same subsystems, from the same EPP client, throught the same EPP connection),
    the registrar MUST store the authorization somewhere.
    Think about connection issues or delayed payment (wish to check authorization
    information even before taking the payment and starting the transfer), etc.

JG - I address this feedback in my response to Jody Kolker's message, so let me know whether the explanation and revised text does not handle the use case.
    
    As is, this document will create interoperability problems in part because
    it does not even define an extension visible at greeting.
    Without that, how could an EPP client know if the server follows point 4.1
    for example, which is even more troublesome because of its MAY?
    Without a clear indication, a client can continue sending a password, and
    see its domain:create command be rejected, without even knowing why
    (error reporting is not something  sufficiently standardized and stable across
    all registries for a client to base itself on).

JG - The draft does not change what is currently supported by the EPP RFCs, but simply defines a best practice that servers can implement to secure the authorization information.  I believe the policies of the server can best be described in the Registry Mapping (draft-gould-carney-regext-registry ) or a policy extension to the Registry Mapping.  I will consider how draft-gould-regext-secure-authinfo-transfer can be described via the Registry Mapping.      
     
    >     Things like that:
    >     
    >     > The operational practice will not require the client
    >     >       to store the authorization information and will require the
    >     >       server to store the authorization information using a
    >     >       cryptographic hash.  
    >     
    >     How the password is stored and handled at the registry is completely
    >     out of EPP scope. It could as well be symmetrically encrypted, and I fail
    >     to see even how this can be enforceable (how will you verify remotely
    >     how the registry stores the password?), as it is not protocol related.
    >     
    > JG - Why would the storage and handling of the authorization 
    > information be out of EPP scope? 
    
    Imagine a registry storing passwords as plain text
    and another storing it encrypted through some clever mechanism deriving the key
    from other registrars data (like its EPP password, that one never being needed
    to echo back, so could be stored as an hash).
    
    What does that change for EPP?
    Absolutely nothing.

JG - The draft defines an operational practice.
    
    > Do you agree that a cryptographic 
    > hash is more secure than using an encrypted value?
    
    Irrelevant to EPP. The EPP schema clearly mandates for the passwords (both login and authInfo) to be exchanged in clear text (encapsulated in TLS of course).
    One can see now that things should be done differently, and I could agree there.
    But this has no relationship with how the registry stores it.

JG - Correct, EPP does define the passing of the authorization information in clear text over an encrypted channel.  The storage of the authorization information is an important factor for its security.  
    
    > JG - It's not meant to take into account all cases that exist today, 
    
    That will then remain a big problem for me, as an implementer.

JG - It is meant to start the discussion of how to secure the authorization information, so if there are other cases or approaches to consider, they can be incorporated into the draft.  
    
    >     So in my views the current password based model per domain has died,
    >     and other solutions have to be searched for. Maybe there is space to pursue
    >     in solutions around OTP frameworks.
    > 
    > JG - You may want to take a stab at defining an alternative mechanism.  
    > I believe that EPP does not need to be extended to make the 
    > authorization information secure for transfers.  
    
    Aside, remember that the current EPP schema already allows for authorization
    to happen, not only by providing the domain authInfo but instead the authInfo
    of a related contact (and its ROID to be able to pinpoint it).
    
    And I seem to remember at least one registry to allow that. So definitively
    rare but not 0 either.

JG - I have implemented support for the authorization information roid attribute to authorize as domain transfer using the registrant contact authorization information.  The approach defined in draft-gould-carney-regext-registry is also applied to the authorization information of contacts, so there is no problem passing the plain text contact authorization information that would be hashed by the registry for comparison to the contact's hashed authorization information on a domain transfer.      
    
    > Any ideas that you have to improve it would 
    > be greatly appreciated.
    
    Maybe, but for me this work is not a good fit inside this working group
    or even the IETF. It may be a better fit for some ICANN groups, in order
    to deliver some "consensus policies" document (but remembering also at the same time that there is a world outside of gTLDs....). In my view the whole process around
    transfers (and not just talking here about the EPP transfer command) should be reviewed
    and reworked.

JG - The approach defined in draft-gould-carney-regext-registry can be applied to any TLD to secure the authorization information for a secure transfer.  The entire transfer process (e.g., form of authorization, immediate transfer) is out of scope for draft-gould-carney-regext-registry, since its limited to the authorization information.
    
    -- 
      Patrick Mevzek
      pm@dotandco.com
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email