Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
Martin Casanova <martin.casanova@switch.ch> Thu, 08 August 2019 09:17 UTC
Return-Path: <martin.casanova@switch.ch>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4252120089 for <regext@ietfa.amsl.com>; Thu, 8 Aug 2019 02:17:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jrgqHLbcBGVA for <regext@ietfa.amsl.com>; Thu, 8 Aug 2019 02:17:27 -0700 (PDT)
Received: from edge10.ethz.ch (edge10.ethz.ch [82.130.75.186]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3868C120115 for <regext@ietf.org>; Thu, 8 Aug 2019 02:17:25 -0700 (PDT)
Received: from mail260p.d.ethz.ch (172.31.52.69) by edge10.ethz.ch (82.130.75.186) with Microsoft SMTP Server (TLS) id 14.3.468.0; Thu, 8 Aug 2019 11:17:20 +0200
Received: from [130.59.18.153] (130.59.18.153) by mail260p.d.ethz.ch (172.31.52.69) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1779.2; Thu, 8 Aug 2019 11:17:22 +0200
To: regext@ietf.org
References: <2FE774F6-35D1-46B5-B403-2BA1CC8928B3@verisign.com> <9aad0040-20f6-480e-90d6-090ca91c18d3@www.fastmail.com> <4A0925CB-23A7-492C-83C8-36EB23F61A1F@verisign.com> <0119acdb-2ec9-4f14-b37a-d945e0b032b5@www.fastmail.com> <MWHPR02MB3230A50F076B9B554AFE9BACBFC00@MWHPR02MB3230.namprd02.prod.outlook.com> <782934D3-AA21-42F7-A728-DADED00EC446@verisign.com>
From: Martin Casanova <martin.casanova@switch.ch>
Openpgp: preference=signencrypt
Autocrypt: addr=martin.casanova@switch.ch; keydata= mQINBFlbSjkBEAD39YaduVH9oaorO8mSfO71wTy+AZpBp2g+VbM5vuwOXkETrJpK+ZrEThoM IdGwRmmF9Cw4m6mcSheXjcZUzLMKgxDPsHMVoNPNKnEHWNd986nTWXwjcPV1QPxmarHuC6iO dPT7JSqrHFWMjcHEEWleivYC71OUj3eMyyd1r7TYzMjhvsuDfKH8y3yyuAE/xuawG/04CmZL NvNP1HkKhmjuOkP/kWR/3ql2YdwuNsLeXMZjIKpMSlaQ66F/EoAjV753Atyf11hBz1qnunPZ 4oho8BX1y2H+Y/rbpDYV+SwXJuJoO61uV7FjfjRTPC2afb+S2VK/k5SLAABriBnpAULlWPv1 Nxsmstqcwa2jE2m1ff21sQHVXmZuAbMJPAcnnVcadsTLiOZRkYnAM4UIwzFTooqGOsK2AzQB r/9v7GqTBKrrF16dp6fdl0V3kvK1R8YC8D6MpmjaDgnyN19c+7bykRhtwA3jDd70Br+Pl3br d/F0sHuGZmwCB3L4cbEV0JcLIzDupQJf0RSGe5O7yWtunfBkkLiA3jnF7rGFn4HkVrpEyPcv KvPOHf3w2k3FZ7LuLAVfLSHVKOSM9t8aameyrzBWrYvyLy6tt2hDcvnCvISc3zbJhh1Gx5SE mP/nBN6LLbaBDOs/ka/JrxJkfDRLncZwEad6MoV+lB7X9VqzawARAQABtCtNYXJ0aW4gQ2Fz YW5vdmEgPG1hcnRpbi5jYXNhbm92YUBzd2l0Y2guY2g+iQI9BBMBCAAnBQJZW0o5AhsjBQkJ ZgGABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEBPFMLRFaPmYsKUP/36w44IU8zih/5YO FFFKf7R/2xJwKWs6TgQvnVcC6KsNmTMh1781/joVpQUfxLwPDvL+/BLeFQLENsDtQMado7/X SY12Ms/9gN4xqxGVJ+69CrlMzCXx+p6AyZW/6Qnf5fpgnqN0XePJpvW5ebcdJ371JBwYPvPv v8tdtc7j/hxwuTHJb6hYnrjAIrvrjI9zDy2D/D6ssTf7h6fTv64YdLiV302Lk3Lufxob14ES 8EQL12U6ks/8vRdrsmT3Cqk+oLJS5PR0uonK6V1BgYbLkYYdRxd/cGmM1ZFzOsuhIg5hWNj2 D/Ww/sC74olET1FnM3Gk14hOa3xZSVdnv73rHFHsK3mxUOISQknS8iDZSRvhXhxuzhmlUskg lxeW3t7AAEtGi1KlnjUyj4Hg7M9bp/AOGROj8MAZzv05lFfOYHr/r1gn55JUhxJEsS0kYo6A HFHWbmFzhfCWz4JKzdthbOp+BCc9n2W9BA0NCPMfAU0ehHmuokQwuu5BV32masxWGZRo8aey mJl7L4PBT9QHdOLxeS7Wc0rXnDM2izVeUxJghwU50lI8TbuqBKw8gsqSX60XtJ+dYJLrIAht 5+GRydWsyHtuxVl3PBSOiheu9eZF2xUWunI31dC3SETxZ9LF+CxSw43Mzfz/m4LZ0b1YRFsh uwzzXQbXG7DPZC1cT4H+uQINBFlbSjkBEADFvVH7fsJNKqAGyvCr2rmlSKwkg64mx8w8STIL K0iO6hQu7pd06I3Hogub4s2ju67rgw0NS3xeSjP7QdSAbyYoknMXP+K5uRkBp2A+tiBo9ubo JIDLRrU4mrdBuavm6TMrdPNKWIWugQnrsT5yewD2QS7zK7p7gVHUhXGmWRZN0Kl34r3+nyJo tGYnFDwZufJ2+w7IDNoEF9PFXgPQW2J47j9U7D5nV/Ac3lJKWI5JAA1AMQ1/RkoVRevz4fEL fG/fZw84mtxMT8nImeJ/WZ7P2UGmF7dueZkZmLvrPZYEKoBn6hONktzxF0uZ7RpyWMKdtZD8 s5UR2Ohx45/2wYNyCOrAzb02pf0OSf1peQKnEic+vTi3fqcrdOGAQIdJq6CxnVBpq9lAQb3h 7Ikakx9Mj8Jd3u17gdYdqZezdwq5lXbEU1RkF7ZEgtP1k5aDbE+d3UT3QMnrvIyl0htrqEpd 5CX7yn6XOsFXa3NDu6XuV/aBf+Tb+l0P8eF6e1w4Mx28lBlomkSjj/YzP0176C1ZsztmkIDj RWkpzD5SCzYdNHc64mAP1PT6BBK64idRJlqn/RKolCsKk0DZ3aWfOEiBYFgvDgkFYQFx7rCb Ai1SBP4dW7vsnJ8fJHmfGEj2tR5fDibh/DiJPpzQb3hsT5fdxNAK1x5I2bz+34yfGKfQPQAR AQABiQIlBBgBCAAPBQJZW0o5AhsMBQkJZgGAAAoJEBPFMLRFaPmYAuYP/iTrc+4hpu2f4AHR 7GqlcYKrSWY1p34yzIESlRU4FuSQZR8OS6HvcMoS8iVdgro3+LNzOde9DOaO4ISqlopu8fTC /SbpizxKejTCPmcJeAOyvZpVYsALLyt+CGOkEID36u5v2uVfFGMjfm82bOLlrsV96yovSAnH cffobAAL9jDgClfReXlMbkvshPqBI5KGI3LOpX0zQxkuKvb+t4QQj6HJJqGwJtCzVhx7e3uk HIltbpFCYzXj/MqjlLOQjHK03XWFn7+d6/1bu6ptvYKRIpI51ZgEIQxTrdc7X2gU9dvmTHk6 DMoAJsX8j/rjA6pjIGmkmNf5EaSvzt+U48TqKYCws3gYu2zmSRVgzRD7vWVop1CKt4OBgvKi 5kO5nF3teksvJXw5qERv8mDf4NSxkocJHlkDzR7UZOJRZb4fVMRPx5jRsS2nh3YhH//05/Wd QnFM4hkMKy0Q7M0Bw+TieuTJXEmSBgdLcscXY1ElEnlfO10x3R6CHgzUHI32WbmV9r2CdOG4 qaUd5tC9IFV3dfdyhLA+fl6AurMmhrM0THhQ04T19htKPanuIJenVfsb3Tdwna0txwWQtlAE JYZQ3eYAun42DOXl5VwWEiWeipKYuoK/qvn8UurQoKSu3RrckWJZiKgpHi3R8vfcTvAOkyKc VAZcZu9m6I6DIgR9WXEy
Message-ID: <7f2dc327-be2d-1dde-959f-792bfeab9911@switch.ch>
Date: Thu, 08 Aug 2019 11:17:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <782934D3-AA21-42F7-A728-DADED00EC446@verisign.com>
Content-Type: multipart/alternative; boundary="------------7418D83C1990BCBBA60B75CC"
Content-Language: en-US
X-Originating-IP: [130.59.18.153]
X-ClientProxiedBy: mailm210.d.ethz.ch (129.132.139.34) To mail260p.d.ethz.ch (172.31.52.69)
X-TM-SNTS-SMTP: 5375F459B54ED5058AA8B102B86EC3AF15082E7AED1A13994F73D29B3ABDC0192000:8
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/nb7Goxzfzq5l1xXQc_eVk4FF4Ck>
Subject: Re: [regext] FW: New Version Notification for draft-gould-regext-secure-authinfo-transfer-00.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2019 09:17:31 -0000
I think the draft is a good idea since the handling of AUTHINFO is a sensitive topic. A Best Practice is certainly useful to help avoid blind spots regarding security regarding AUTHINFO implementing the EPP RFC's, or at least to be aware of the "state of the art" / benchmark regarding security dealing with AUTHINFO. So conscious decisions about following or not following it can be made. Martin On 29.07.19 22:59, Gould, James wrote: > > I will respond to Patrick’s full feedback separately, but I’ll address > the one item raised below in response to Jody’s feedback. From a > higher-level, draft-gould-regext-secure-authinfo is intended to > provide the starting point for discussion of how to secure the > authorization information for transfers. > > > > I pulled Patrick's original feedback on the authorization information > storage language of the draft below: > > > > I would also suggest or offer the idea that various points in the > draft (like "the authorization information .... MUST NOT be stored by > the registrar.") do not align (which means: will never happen) with > various registrars policies or architectures. > > That one for example shows itself in later parts: > > 5. Gaining registrar optionally verifies the authorization > > information with the info command to the registry, as > defined in > > Section 4.3. > > 6. Gaining registrar sends the transfer request with the > > authorization information to the registry, as defined in > > Section 4.4. > > > > This feedback is associated with the following sentence of the draft: > > > > To protect the disclosure of the authorization information, the > authorization information MUST be stored by the registry using a > strong one-way cryptographic hash and MUST NOT be stored by the registrar. > > > > The intent of the “MUST NOT be stored by the registrar” is for the > losing registrar and not the gaining registrar, since the losing > registrar should simply generate the authorization information and > provide it to the registry and the registrant. There is no reason for > the losing registrar to store the authorization information, since the > losing registrar can unset and set the authorization information at > any time. I can see architecturally where the gaining registrar may > need to store the authorization information as a “transient” value > (e.g., work queue item) to support the completion of the transfer > process. The registry will automatically unset the authorization > information upon a successful transfer, so the gaining registrar > storing the authorization information as a “durable” value (e.g., > beyond the transfer process) is not needed. > > > > How about changing the language in the draft to be more specific to > the intent, as in: > > > > To protect the disclosure of the authorization information, the > authorization information MUST be stored by the registry using a > strong one-way cryptographic hash, MUST NOT be stored by the losing > registrar, and MUST only be stored by the gaining registrar as a > “transient” value in support of the transfer process. > > > > Does this cover the use case presented? > > > > -- > > > > JG > > > > > > > > James Gould > > Distinguished Engineer > > jgould@Verisign.com > <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> > > > > 703-948-3271 > > 12061 Bluemont Way > > Reston, VA 20190 > > > > Verisign.com <http://verisigninc.com/> > > > > On 7/26/19, 11:23 AM, "regext on behalf of Jody Kolker" > <regext-bounces@ietf.org on behalf of jkolker@godaddy.com> wrote: > > > > Regarding the drafts position of "the authorization information > .... MUST NOT be stored by the registrar." > > > > I agree that registrars will need the ability to store the > password for a request to transfer in a domain in some situations > (bulk transfers, network outages, registry maintence etc.). There > simply is no way around not storing the password to handle every > situation. > > > > As far as where this draft should be, I consider it only to be a > best practice draft, not anything that will significantly change EPP. > I would love to have some type of standard for transferring domains or > at least some type of communality between all of the TLDs, but I > believe that will be a pipe dream. Every TLD operator will believe > they have the "best" transfer implementation. > > > > If we could at least start with a discussion, maybe we could get > to similar transfer process for most TLDs. > > > > Would be curious to hear from other registrars and registrys on > this topic. > > > > Thanks, > > Jody Kolker > > > > -----Original Message----- > > From: regext <regext-bounces@ietf.org> On Behalf Of Patrick Mevzek > > Sent: Thursday, July 25, 2019 12:46 AM > > To: regext@ietf.org > > Subject: Re: [regext] FW: New Version Notification for > draft-gould-regext-secure-authinfo-transfer-00.txt > > > > Notice: This email is from an external sender. > > > > > > > > Hello James, > > > > On Mon, Jul 8, 2019, at 14:16, Gould, James wrote: > > > JG - The draft is a Best Current Practice (BCP) per RFC 2026, > and not > > > a standards track draft. The draft describes how to leverage the > > > existing EPP RFCs for addressing the security of the authorization > > > information value for transfers. EPP can have protocol extensions > > > defined as informational and standards track drafts, as well as > > > operational practices defined as BCP drafts. There are many > examples > > > of IETF BCPs. This topic is very applicable to the IETF and the > > > REGEXT working group in particular. > > > > I will remain in disagreement here (mandating how registries > should store passwords or choose them regarding length and complexity > is certainly a bigger issue than just EPP and has nothing to do > regarding how EPP works as an exchange protocol between 2 entities), > so I will only reply briefly as my contributions will not help > whatsoever building this draft and try to refrain from participating > in any future LC regarding this draft. > > > > I would also suggest or offer the idea that various points in the > draft (like "the authorization information .... MUST NOT be stored by > the registrar.") do not align (which means: will never happen) with > various registrars policies or architectures. > > That one for example shows itself in later parts: > > 5. Gaining registrar optionally verifies the authorization > > information with the info command to the registry, as > defined in > > Section 4.3. > > 6. Gaining registrar sends the transfer request with the > > authorization information to the registry, as defined in > > Section 4.4. > > > > Since both actions have no guarantee to happen back to back and > immediately (nor to be done by the same subsystems, from the same EPP > client, throught the same EPP connection), the registrar MUST store > the authorization somewhere. > > Think about connection issues or delayed payment (wish to check > authorization information even before taking the payment and starting > the transfer), etc. > > > > As is, this document will create interoperability problems in part > because it does not even define an extension visible at greeting. > > Without that, how could an EPP client know if the server follows > point 4.1 for example, which is even more troublesome because of its MAY? > > Without a clear indication, a client can continue sending a > password, and see its domain:create command be rejected, without even > knowing why (error reporting is not something sufficiently > standardized and stable across all registries for a client to base > itself on). > > > > > Things like that: > > > > > > > The operational practice will not require the client > > > > to store the authorization information and will > require the > > > > server to store the authorization information using a > > > > cryptographic hash. > > > > > > How the password is stored and handled at the registry is > completely > > > out of EPP scope. It could as well be symmetrically > encrypted, and I fail > > > to see even how this can be enforceable (how will you verify > remotely > > > how the registry stores the password?), as it is not > protocol related. > > > > > > JG - Why would the storage and handling of the authorization > > > information be out of EPP scope? > > > > Imagine a registry storing passwords as plain text and another > storing it encrypted through some clever mechanism deriving the key > from other registrars data (like its EPP password, that one never > being needed to echo back, so could be stored as an hash). > > > > What does that change for EPP? > > Absolutely nothing. > > > > > Do you agree that a cryptographic > > > hash is more secure than using an encrypted value? > > > > Irrelevant to EPP. The EPP schema clearly mandates for the > passwords (both login and authInfo) to be exchanged in clear text > (encapsulated in TLS of course). > > One can see now that things should be done differently, and I > could agree there. > > But this has no relationship with how the registry stores it. > > > > > JG - It's not meant to take into account all cases that exist today, > > > > That will then remain a big problem for me, as an implementer. > > > > > So in my views the current password based model per domain > has died, > > > and other solutions have to be searched for. Maybe there is > space to pursue > > > in solutions around OTP frameworks. > > > > > > JG - You may want to take a stab at defining an alternative > mechanism. > > > I believe that EPP does not need to be extended to make the > > > authorization information secure for transfers. > > > > Aside, remember that the current EPP schema already allows for > authorization to happen, not only by providing the domain authInfo but > instead the authInfo of a related contact (and its ROID to be able to > pinpoint it). > > > > And I seem to remember at least one registry to allow that. So > definitively rare but not 0 either. > > > > > Any ideas that you have to improve it would be greatly appreciated. > > > > Maybe, but for me this work is not a good fit inside this working > group or even the IETF. It may be a better fit for some ICANN groups, > in order to deliver some "consensus policies" document (but > remembering also at the same time that there is a world outside of > gTLDs....). In my view the whole process around transfers (and not > just talking here about the EPP transfer command) should be reviewed > and reworked. > > > > -- > > Patrick Mevzek > > pm@dotandco.com > > > > _______________________________________________ > > regext mailing list > > regext@ietf.org > > https://www.ietf.org/mailman/listinfo/regext > > > > _______________________________________________ > > regext mailing list > > regext@ietf.org > > https://www.ietf.org/mailman/listinfo/regext > > > > > _______________________________________________ > regext mailing list > regext@ietf.org > https://www.ietf.org/mailman/listinfo/regext -- --- SWITCH Martin Casanova, Domain Applications Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 55, direct +41 44 268 16 25 martin.casanova@switch.ch, www.switch.ch Working for a better digital world
- [regext] FW: New Version Notification for draft-g… Gould, James
- Re: [regext] New Version Notification for draft-g… Gavin Brown
- Re: [regext] New Version Notification for draft-g… Gould, James
- Re: [regext] FW: New Version Notification for dra… Patrick Mevzek
- Re: [regext] FW: New Version Notification for dra… Gavin Brown
- Re: [regext] FW: New Version Notification for dra… Patrick Mevzek
- Re: [regext] FW: New Version Notification for dra… Gould, James
- Re: [regext] FW: New Version Notification for dra… Patrick Mevzek
- Re: [regext] FW: New Version Notification for dra… Jody Kolker
- Re: [regext] FW: New Version Notification for dra… Gould, James
- Re: [regext] FW: New Version Notification for dra… Gould, James
- Re: [regext] FW: New Version Notification for dra… Martin Casanova
- Re: [regext] FW: New Version Notification for dra… Patrick Mevzek