[regext] review of draft-ietf-regext-login-security-03
Martin Casanova <martin.casanova@switch.ch> Tue, 26 March 2019 17:56 UTC
Return-Path: <martin.casanova@switch.ch>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C37E7120798 for <regext@ietfa.amsl.com>; Tue, 26 Mar 2019 10:56:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utfFauUXzqmd for <regext@ietfa.amsl.com>; Tue, 26 Mar 2019 10:56:35 -0700 (PDT)
Received: from edge20.ethz.ch (edge20.ethz.ch [82.130.99.26]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FD921207B0 for <regext@ietf.org>; Tue, 26 Mar 2019 10:56:23 -0700 (PDT)
Received: from mailm117.d.ethz.ch (129.132.139.9) by edge20.ethz.ch (82.130.99.26) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 26 Mar 2019 18:55:13 +0100
Received: from [130.59.196.2] (130.59.196.2) by mailm117.d.ethz.ch (2001:67c:10ec:5602::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Tue, 26 Mar 2019 18:55:02 +0100
References: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch>
From: Martin Casanova <martin.casanova@switch.ch>
To: regext@ietf.org
X-Forwarded-Message-Id: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch>
Message-ID: <7597ff38-29ba-77e3-e093-524c5cb7123a@switch.ch>
Date: Tue, 26 Mar 2019 18:55:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <afac0d26-e054-54a3-306b-5ec5a49fd489@switch.ch>
Content-Type: multipart/alternative; boundary="------------10710CD172DAD947D9D6F4BC"
Content-Language: en-US
X-Originating-IP: [130.59.196.2]
X-ClientProxiedBy: mailm112.d.ethz.ch (2001:67c:10ec:5602::24) To mailm117.d.ethz.ch (2001:67c:10ec:5602::29)
X-TM-SNTS-SMTP: 6784FB127F464C3D2A5EC11826052DAD67E4EC82B9A1752D4BD5D99B69F58A1B2000:8
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/waY5KdNMTCLivJsP7eJ6WYpEUHs>
Subject: [regext] review of draft-ietf-regext-login-security-03
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 17:56:40 -0000
Jim Since we support that draft I started implementing and read it again more carefully. I have the following comments / feedback 1. (comment) Event type "cipher" or "tlsProtocol" : In case the client uses deprecated protocol or cipher we currently hang up the TLS connection immediately so there is no possibility to send a type "error" security event. At chapter 3.1 near "exDate" is written that "At expiry there MAY be an error to connect or MAY be an error to login." So in case of an error to connect you run in the same situation and will not be able to send back a "error" level event but thats OK. However it is useful to warn the client during a transition period when we know that we are going to disable a certain cipher or TLS protocol on a specific day in the future. 2 . (comment) Event type "newPw": Here we currently use 2306 "Parameter value policy error" and write in the <reason> of <extValue> element that the new password was too weak. I guess we would use the loginSec Event in the future in case the extension was specified at login whether the pw was changed via login-security extension or not. I know that you have foreseen draft-gould-regext-login-security-policy to query about password complexity but I think for convenience of the registrar it would still be nice to somehow include the password requirement in the response even if it is redundant. Otherwise one has to implement draft-gould-regext-login-security-policy at the same time or communicate the requirement out of band. maybe like that S: <loginSec:event S: type="newPW" S: value="expression: (?=.*\d)(?=.*[a-zA-Z])(?=.*[\x21-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E]) (?!^\s+) (?!.*\s+$)(?!.*\s{2,})^[\x20-\x7e]{16,128}$" S: level="error"> S: New password does not meet complexity requirements S: </loginSec:event> Page 10: S: <result code="2200"> S: <msg>Authentication error</msg> Are you sure you want to return a 2200 and not a 2306 Parameter value policy error in this case (page 10). I don't see a reason why this should be another return code with or without extension. 3. (question) Event type "stat" : How often would you send back this event <loginSec:event type="stat" name="failedLogins" level="warning" value="100" duration="P1D"> Excessive invalid daily logins </loginSec:event> Only once with first successful login after the series of failed ones or for a whole day ? I suggest one time with first successful login. 4. (question) In chapter 4.1 EPP <login> Command is written .. internal contiguous whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage return), and #x20 (space) is replaced with a single #x20 (space). .. Since this is "normal" XML parsing behavior should there not be reference to where this is described for general XML processing. (I don't know where that would be though) 5. (suggestion) The element <loginSec:userAgent> could be more structured to make it easier for the registry to parse the different fields and to give a hint to the registrar what information should be provided. Therefore I suggest child elements for example <os> Operating System <client> Client technology (eg. java) <version> Client software version (eg. 1.8.0) etc. Thanks Martin Casanova -- --- SWITCH Martin Casanova, Domain Applications Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 55, direct +41 44 268 16 25 martin.casanova@switch.ch,www.switch.ch Working for a better digital world
- [regext] review of draft-ietf-regext-login-securi… Martin Casanova
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Martin Casanova
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Martin Casanova
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Patrick Mevzek
- Re: [regext] review of draft-ietf-regext-login-se… Patrick Mevzek
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Patrick Mevzek
- Re: [regext] review of draft-ietf-regext-login-se… Patrick Mevzek
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Patrick Mevzek
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Patrick Mevzek
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Patrick Mevzek
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James
- Re: [regext] review of draft-ietf-regext-login-se… Patrick Mevzek
- Re: [regext] review of draft-ietf-regext-login-se… Gould, James