Re: [regext] CALL FOR ADOPTION: draft-gould-regext-secure-authinfo-transfer

Antoin Verschuren <ietf@antoin.nl> Fri, 14 February 2020 14:42 UTC

Return-Path: <ietf@antoin.nl>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67762120041 for <regext@ietfa.amsl.com>; Fri, 14 Feb 2020 06:42:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=antoin.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZOBWExgq-75G for <regext@ietfa.amsl.com>; Fri, 14 Feb 2020 06:42:54 -0800 (PST)
Received: from walhalla.antoin.nl (walhalla.antoin.nl [62.251.108.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F33A71200E6 for <regext@ietf.org>; Fri, 14 Feb 2020 06:42:53 -0800 (PST)
Received: by walhalla.antoin.nl (Postfix, from userid 5001) id 030322805C1; Fri, 14 Feb 2020 15:42:51 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=antoin.nl; s=walhalla; t=1581691372; bh=HrchOk8JY9a1H/2gx8nXiDKU4zSrt/Mkv5xQK5U1FGk=; h=From:Subject:Date:References:To:In-Reply-To:From; b=MJvLJszWMKfi8YSy2LahLDmN/jACtOQlebkubdjLHPIOUt3TE5nFuVWsqn+tG/F9h B3v9WlfBI6+CR0iS4FKRPje3uSpJdMZWZ5d58RLVy8gJVu0MGbNQ1gFnoeS06DPETz RxrzBx8iXjUUHqng0nEl9aPGxmLcGzuCIKfAgq54=
Received: from [IPv6:2001:985:b3c0:1:3553:14ba:de4e:655a] (unknown [IPv6:2001:985:b3c0:1:3553:14ba:de4e:655a]) by walhalla.antoin.nl (Postfix) with ESMTPSA id A963F2804B5 for <regext@ietf.org>; Fri, 14 Feb 2020 15:42:48 +0100 (CET)
From: Antoin Verschuren <ietf@antoin.nl>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CC3EBA30-EF97-479C-8255-028D48750A5E"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Date: Fri, 14 Feb 2020 15:42:48 +0100
References: <3498D60D-AED3-448F-AA97-D5390E14938F@antoin.nl> <894ec029-7ef0-4c02-8b37-9872e8f5934b@www.fastmail.com> <3F25F2D6-1ACD-4E3A-BE45-36B5964AB571@elistx.com>
To: regext <regext@ietf.org>
In-Reply-To: <3F25F2D6-1ACD-4E3A-BE45-36B5964AB571@elistx.com>
Message-Id: <C3E9E7DC-9B16-44C9-A26F-AD61C39A5918@antoin.nl>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/wI3vVfbBed869FmEJc1xRPZyZCY>
Subject: Re: [regext] CALL FOR ADOPTION: draft-gould-regext-secure-authinfo-transfer
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2020 14:42:58 -0000

This call for adoption has ended with no objections.
The chairs therefor accepted this document as a Working Group Document.

For the WG: We still need a volunteer for this document to be the document shepherd. This is an excellent opportunity to get to know the IETF processes for new working group members, so please volunteer! No real technical insight about this draft is needed to volunteer, so don’t be shy. The only thing that you will need to do is to verify that all comments during WGLC and IESG review are attended to once the document reaches that state, and fill in a template about that process. This and all other things the chairs will help you with, but we need an independent document shepherd to state that the correct process was followed.

For the authors: Please resubmit the latest version of your draft with the following name:
draft-ietf-regext-secure-authinfo-transfer
We have pre-approved the publication of this draft as a WG document.

Regards,

Jim and Antoin




> Op 7 feb. 2020, om 15:42 heeft James Galvin <galvin@elistx.com> het volgende geschreven:
> 
> Speaking with Chair hat on:
> 
> Your message starts by suggesting that this work does not belong in this working group but then moves towards discussing a solution for work that belongs in this working group.
> 
> As the CALL FOR ADOPTION comes to a close, the chairs are leaning towards interpreting your message as agreement there is work that could be done.  Note that adopting the document does not guarantee that it will be published by this working group; that will be decided as part of the discussion and review.
> 
> Is this okay with you?  If not, please do take some time to clarify your position.
> 
> Thanks,
> 
> Antoin and Jim
> 
> 
> 
> 
> 
> On 28 Jan 2020, at 2:28, Patrick Mevzek wrote:
> 
>> On Fri, Jan 24, 2020, at 09:51, Antoin Verschuren wrote:
>>> This is a formal adoption request for Extensible Provisioning Protocol
>>> (EPP) Secure Authorization Information for Transfer:
>>> https://datatracker.ietf.org/doc/draft-gould-regext-secure-authinfo-transfer/
>>> 
>>> Please review this draft to see if you think it is suitable for
>>> adoption by REGEXT, and comment to the list, clearly stating your view.
>> 
>> While the subject of transfers between registrars might need work,
>> I am not convinced this working group is the appropriate place for that,
>> as in particular this document seems to mostly impose directives on registries
>> and how they should handle and store domain passwords which is for me
>> off topic for EPP as a protocol, and transfer issues cover points that are
>> not completely technical but also business related, including the
>> specific security model in which we want to work.
>> (one might note that multiple procedure specify a transfer "undo" procedure,
>> while this does not exist technically anywhere in EPP land...)
>> 
>> As discussed in other threads, I am more leaning towards a ground up discussion
>> on passwords attached to domains, and if other models can exist here.
>> So I think work should instead go in that direction, which is then
>> really completely EPP related, while discussions on passwords size, complexity,
>> entropy, storage, TTLs, and so on as found in this draft are for me clearly
>> out of scope of both the working group and EPP related specifications.
>> 
>> The authInfo node was defined from the ground up to be extensible,
>> and we should leverage that to put into place better mechanisms than
>> current plain text passwords.
>> 
>> I also fear discussions may forget there are already today other models than
>> the "common" gTLD one that the draft tries to change,
>> and I would like to make sure they are taken
>> into account when drafting a solution.
>> Among others, some registries use a "push" transfer model (so no
>> passwords needed at all any more) and other registries basically do not
>> let registrars set/handle passwords anymore, the first step of a transfer
>> is the loosing registrar to ask the registry to generate a password that
>> is in fact directly sent to the registrant, who in turn will input it
>> at the gaining registrar (with some time window limits).
>> 
>> Also while things should be left separate to be really able to produce
>> new ideas, transfer issues can not be tackled without at least looking
>> a little around RDDS and specifically RDAP, and around laws such
>> as the GDPR from EU land, because this has the direct consequence
>> for example that some registries do not continue to collect contacts,
>> or none besides the registrant.
>> 
>> PS: as an exercise I reviewed how a batch of registries currently reply
>> to domain:info queries in the following case:
>> - registrar is not sponsoring registrar, and not providing authInfo
>> - registrar is not sponsoring registrar, and providing invalid authInfo
>> - registrar is not sponsoring registrar, and providing correct authInfo
>> - domain does not exist and registrar is providing authInfo
>> - domain does not exist and registrar is not providing authInfo
>> 
>> Results vary a lot, even when just looking at the EPP return code.
>> Also the content of <infData> can change, and differ - even outside of the password
>> - between sponsoring and non sponsoring registrars.
>> There is clearly no standardization here and this directly impacts
>> how transfers can be done by registrars
>> (on issues for example of being able to test the password without
>> really starting the transfer, or to know the current nameservers
>> attached to the domain, or its expiration, etc.)
>> 
>> -- 
>>  Patrick Mevzek
>>  pm@dotandco.com
>> 
>> _______________________________________________
>> regext mailing list
>> regext@ietf.org
>> https://www.ietf.org/mailman/listinfo/regext
> 
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext