IETF Logo Mail Archive

Re: [regext] review of draft-ietf-regext-login-security-03

"Gould, James" <jgould@verisign.com> Tue, 09 April 2019 21:01 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37EB512045C for <regext@ietfa.amsl.com>; Tue, 9 Apr 2019 14:01:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SAMJR-T7CavU for <regext@ietfa.amsl.com>; Tue, 9 Apr 2019 14:01:03 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 777D112043C for <regext@ietf.org>; Tue, 9 Apr 2019 14:01:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=6606; q=dns/txt; s=VRSN; t=1554843665; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=IONtgrV2CzcTUH1wu99P4OtQiax0wP3ArtkpfxOyGuM=; b=pVqxXlBu7yO9PnmOwdjNPdOswc6Tkt9ReXSDRmNDQ6Ir2Me9jm6tmDmX hfvcIb8fmMjuCmLVVQcugsWTnblyqg3pKnmXoQRibKhP1ARUfVAW8fzSF 8OKIHuh+FyEGdO9UplDuFhHj9hOxw2YoA0Oa1ZLTIAyQZTdFcDlTDgpMx HxcBM/BuInLNro/W96iL0cHeqT6Ld9RkjTXBuOJ1pygSbGvka95U6g2mR htC6Kl597aKVeXqesrUWz+VPUUFGfoYcK5n76IPR7HYbc/3i8Z5Q0miXj K6BTXtCv0m/gcK8zfhqkaO9LDvCLZY6yG0090Sl4ycy7UdS22a4o1fBGK w==;
X-IronPort-AV: E=Sophos;i="5.60,330,1549929600"; d="scan'208";a="8063389"
IronPort-PHdr: 9a23:59eoFRB50nKlEf6sbJjjUyQJP3N1i/DPJgcQr6AfoPdwSP37psuwAkXT6L1XgUPTWs2DsrQY0rOQ6v2rADFdqdbZ6TZeKcQKD0dEwewt3CUYSPafDkP6KPO4JwcbJ+9lEGFfwnegLEJOE9z/bVCB6le77DoVBwmtfVEtfre9FYHdldm42P6v8JPPfQpImCC9YbRvJxmqsAndrMYbjZZ/Jqor1xfEonREd/lWyG5oOFmfmwrw6tqq8JNs7ihcp+gt+9JcXan/Yq81UaFWADM6Pm4v+cblrwPDTQyB5nsdVmUZjB9FCBXb4R/5Q5n8rDL0uvJy1yeGM8L2S6s0WSm54KdwVBDokiYHOCUn/2zRl8d9kbhUoBOlpxx43o7UfISYP+dwc6/BYd8XQ3dKU8BMXCJDH4y8dZMCAeofM+hFs4nzqVgArRW8CgaiBePg1jBGiXDt0K0myOshFB3K0BA6Et8MtnnfsdX7NL0VUeCw1KTEwzTNb/RL2Tf59YfEag0qr/WWUrJ1b8XR0kcjHB7Cg1WSpozlOC6V1uAQvGWA8epvS/ivi288qwFwrTivwN0ghZXOhoIQ013J8zhyzogyJd29UkF7YNikHYNOty6ELYt2Q9giQ2BnuCY8y70Gv4K0cDIWx5Qgwh7Tc/2HfJaU4hLtTuqRJi14hH1jdbmihBiy6VCtxvDgWsWuzVpHrCRInsPRun0N2RHf8MeKR/hl8ku8xTqDzR3f5+NYLUwuiKbWJJ0szqQtmpcQqUjDEDH5lUbqgKKTc0gr4Oul5uD8bbjjqJKQKZJ7hwD7P6s1nsGyAOY1Pw0AUmWV++mzybvu9lDjTrpQlP05iKzZvYjfJcQcu6G2HRdY0p0m6xajFzem18kYnWUfIFJFZh2Hi4/pNknTLf7kFfmznlSjni9kyf/HIrHtH4/BLmbfn7fmZ7Z981RQxxAuwtxF+ZJUEKoBIPTpVkDts9zYCwc1Mw2yw+n5FNVwzp4SVX6VDqOEMq7fv0WE6v8vLuSCfoMYtzXwJ+Ag5/H0jH85nVEdfbOu3ZsScH24HPtmI0KEYXron9gMCnkKsRQkTOzrk12CUDFTZ3CoU60g4TE7DZqqDZ3fSYC1nLyBwCC7E4VOZmBDEV2DDHDod5meVPcKdS2dPshhniYYWrimTo8rzQuuuxPiy7p7MurU/TUVtYj929h6+eLSmg0y+Cd1D8uDz2GNQXt4nmQSRz85j+hDphk30lKr3a9kivpUHtsV7PRMGE9uLZv0w+tmAtb+UQWHddCMHhLuCM+rDjwhUvowzsMAJUFnFJ/q2grO0Ce6H5cUmqCFQpsu/fSP8WL2IpM35HHb0KVlx3svR8ZUfyXyhKF46gzfL5DEiUSClqmsM68b2Xiepy+40WOSsRQAA0ZLWqLfUCVHaw==
X-IPAS-Result: A2EUAAAFB61c/zCZrQpiAxwBAQEEAQEHBAEBgVEHAQELAYFmgRKBKgqEBIgcjQglg12UaYE/Fx0IDwEYCwuDeEYCF4VsNAkNAQEDAQEBCAEBAQECAQECgQUMgjoiHDEcLwkBBQEBAQEBAScBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEIAggHNRIBARkBAQEDAQEhETobAgEIGAICEgEBEgICAiULFRACBAESgldLAYIEri6BL4VGhGyBCyUBi12BQT6BEScME4JMPoJhAQGBSxYXCiYBAgWCOzGCJgOKWoI5mHMDBgKIAodjhDeCY5F8i1OFVEMLjVsCBAIEBQIVgU+CD3AVOyoBgkEJhXCFFIU/cg0kjW4CBQgVgQqBIAEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Tue, 9 Apr 2019 17:01:01 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1713.004; Tue, 9 Apr 2019 17:01:01 -0400
From: "Gould, James" <jgould@verisign.com>
To: "pm@dotandco.com" <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] review of draft-ietf-regext-login-security-03
Thread-Index: AQHU7vypJBXqitQ6u0Gkh4VsF0Vlr6Y0ULOA
Date: Tue, 09 Apr 2019 21:01:01 +0000
Message-ID: <23C64725-1802-46B1-A371-9059F642E10A@verisign.com>
References: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch> <7597ff38-29ba-77e3-e093-524c5cb7123a@switch.ch> <cccbc3cd-1f45-4973-9606-544f1f04425b@www.fastmail.com>
In-Reply-To: <cccbc3cd-1f45-4973-9606-544f1f04425b@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.7.190210
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <2D4A63FA61DAAD4AA276E71E9FBABC49@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/tRrOnt628jVSXyjieW_4Kw6IeRs>
Subject: Re: [regext] review of draft-ietf-regext-login-security-03
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2019 21:01:07 -0000

Patrick,

The password expression can be included in the error response using the human readable message per registry policy, which will work for troubleshooting purposes only, since the human readable message should not be parsed by the client.  The login security extension is not well suited for communicating policy information, which is the point of draft-gould-regext-login-security-policy.  The password policy information can be formally communicated via draft-gould-regext-login-security-policy over EPP or using an out-of-band mechanism.        

Supporting other forms of authentication is best handled via a separate extension of EPP (e.g., protocol extension).  The purpose of draft-ietf-regext-login-security is primarily to address the password length limitation in EPP RFC 5730. 
  
—
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 4/9/19, 1:50 PM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:

    On Tue, Mar 26, 2019, at 12:56, Martin Casanova wrote:
    > I know that you have foreseen draft-gould-regext-login-security-policy 
    > to query about password complexity but I think for convenience of the 
    > registrar it would still be nice to somehow include the password 
    > requirement in the response even if it is redundant. Otherwise one has 
    > to implement draft-gould-regext-login-security-policy at the same time 
    > or communicate the requirement out of band.
    > 
    >  maybe like that
    > 
    >    S:        <loginSec:event
    >    S:          type="newPW"
    >    S:          value="expression: 
    > (?=.*\d)(?=.*[a-zA-Z])(?=.*[\x21-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E]) 
    > (?!^\s+) (?!.*\s+$)(?!.*\s{2,})^[\x20-\x7e]{16,128}$"
    >    S:          level="error">
    >    S:          New password does not meet complexity requirements
    >    S:        </loginSec:event>
    > Page 10:
    > 
    >    S:    <result code="2200">
    >    S:      <msg>Authentication error</msg>
    
    It may be nice to try giving back all the requirements... except that you can
    not always express all of them with a regular expression for once, and because
    there are different flavors of regular expressions for another reason,
    two points I already raised on the "policy" extension.
    
    Some registries may have requirements like: at least one letter and at least one
    digit and at least one "special" character.
    While this may still be done by a regex, it will not be nice (as you need to consider at the same time the range of characters allowed and the constraints on length), and yet there may
    be even harder cases, like "no sequence of repeating characters" 
    or like "at least 2 "special" character, but not twice the same one".
    
    Aside, there is RFC 7613 "Preparation, Enforcement, and Comparison of Internationalized Strings
                      Representing Usernames and Passwords" and it may be a good idea to reference it or derive from it. Note specifically sections 3.5 and 4.2.2 (that touches the other point raised about handling spaces, etc.)
    
    
    And I do not even touch things like:
    - checking if the password does not contain a known word for some definition of word in some dictionaries
    - checking if the password does not match any given leaked passwords (why not? some websites are already adding in their signup/login process a check if the password is among the list of leaked ones)
    - not reusing one of the X previously used password, or one of the previous passwords slightly changed like reversed or appended with 1, etc.
    
    Also, related, I would be interested into works that goes into the direction of not having to exchange the password in the clear at all (even if we are inside TLS), because the server does not need to have the client to send it, just to make sure it can prove it has it, and there are various mechanims existing for that (but they may be complicated to port to EPP as they may need further exchanges besides our current greeting/login).
    Like SRP and the example of RFC5054 "Using the Secure Remote Password (SRP) Protocol for TLS Authentication".
    
    Or at least, like I suggested on the policy extension, but that was not meant with a lot of enthusiasm, to implement SASL instead of the current purely login+password, so that at least other methods of authentication could be plugged in.
    
    -- 
      Patrick Mevzek
      pm@dotandco.com
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email