Re: [regext] AD review for draft-ietf-regext-login-security-04
"Gould, James" <jgould@verisign.com> Tue, 29 October 2019 19:15 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50A321209FB; Tue, 29 Oct 2019 12:15:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jSUx6deb90dY; Tue, 29 Oct 2019 12:15:40 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D733A1209DD; Tue, 29 Oct 2019 12:15:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=47890; q=dns/txt; s=VRSN; t=1572376540; h=from:to:cc:subject:date:message-id:mime-version; bh=Jg7eiW5V3AJjXVsRgfmDorDeiSImybmmnhqGnetvGCA=; b=VwhUPI/kuERg3x5E0q6wZPZRFcOpprGj+RLWS8SafPXMqr8UgOWiWGWK RtuRDY9E7M7pFZI8Pqa5jZC/Gc6IXyxHTiEb3wN6aZUWPsCoiEHy3Owcs x7z9jVySC28S8my0gQHf3QQV2cRAAJ5owVxi4/97D+MoxT8eCwmCh914n r0KCpF8zXLL/29ke8AXP9k8x7lXHG8Uvar7fwa4pGMZBHdR2BgJNUjtn2 e6Q49yVScirs0m1ibJvmTznk7qRQlG5ivmNuOEQ1T6Il0J9g6QXdP9wr9 Ei4VxPvSKuz/vxEOr3bWMJHRjE4ZlhrJsq9lvOpF+rVXnNGzM2nZBn++D g==;
X-IronPort-AV: E=Sophos;i="5.68,245,1569297600"; d="png'150?scan'150,208,217,150";a="8666077"
IronPort-PHdr: 9a23:uhS+XhYeSZf0FjxDNjGKHk3/LSx+4OfEezUN459isYplN5qZps66Zx7h7PlgxGXEQZ/co6odzbaP6Oa5ATVLuM/R+Fk5M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe7x/IAi4oAnLq8UanZZuJqksxhfUoXZDZvhby35vKV+PhRj3+92+/IRk8yReuvIh89BPXKDndKkmTrJWESorPXkt6MLkqRfMQw2P5mABUmoNiRpHHxLF7BDhUZjvtCbxq/dw1zObPc3ySrA0RCii4qJ2QxLmlCsLKzg0+3zMh8dukKxUvg6upx1nw47Vfo6VMuZ+frjAdt8eXGZNQ9pdWzBEDo66coABDfcOPfxAoof9uVUAsAe+CwevCuzhyz9HmnD50LYg0+g9FAHLxhAsEsgMvXnSsd77NL0SUeewzKTQwznNbvRW2Sr56IfVahwqvPWCUqh1ccXP0kkjGR7Og1KSqYzqODOVy+ANvHWA4up+S+2vkW8nqxpwojigwMcgkJXGhoUQyl3d8yhy3Yg7Jdq9SEFhYN6kFoNdtz+EOItsQ8MiWGBouCk8yr0Hv560YDIGx4ggxx7ac/CHcpaH4g7tVOqLJjd4nn1ldbSijBix6Uit0vDwWtWu3FpXrCdInMPAum0N2hHd8MSKRf9w8l+81TqTzQzf9+NJLVwumabGJJMswaQ8mocQvEjbEC/5hkb7gLOTe0gh4Oel6ODqba7jq5KSKYN7lwDzP6E1lcG7AOk1MA0DUmaV9Om+ybLu+1DyTq9Qgf0siKbZtYjXJcEcpqGkHQBYyp0j6xOjDze+19QYgGUHIEpFeB2Zi4jpPEnDLe3kA/mnnlijkC9lyf/HMbH9HJnBNGbDn6vmfbZn805Q0hA8ws1F65JKELEBO/TzVlXtu9zfCx81Kw20w+D5B9Vhzo4SRH6DDrWEPK7Qv1KE/P8jLumCaYMPtzvwL+Ap5/v0gn84nV8dc7Op3ZwSaH2gHPRmLEKZYWfogtgcCmoKoBQxTPbriF2ZUD5TaHCyU7gg6TE8DYKqFZ3DSZy1gLydwCe7GYVbaXtcBVCWC3fpd4GEVOkNaC2JOMBsiSALVb+kS485yBGuqBH1y6B9IurT4C0Yuorp1MJp6O3LiREy6Tt0AtyA3GGXVW50kH8ISyY33K9hvUx9xE6P0bJmjPxXC9NS6O9JXh4+NZ7bwOx6CtbyVhvaftiXVFmmX8+mATAtTtMx2dMBeUJ9G9G5gxDCwSWqH7EVm6aMBJwu/aLWx2LxKNply3bayKkhiEErQtFROm2pmKF++BTTCpXIk0qHi6aqe74Q3CnX9GeMniKyuxRyWRRqQO3hUHEVbwOCp93j/FLGQr6kAJwsNQ5Z1NKPMO1NcNK/yR0MSO3qNsibYm+tlSKqCBmF1q/JaI3lemNYxyjWFVIFjxFV9HKCHQkzGinnpHjRRnQ6GUjmbV+p8ORipjahQ0A53x3Pa0pu1rzw4RMemOadV+JV17YAkCYstzsyG0yyiYH4Ed2F8kBOe7hYbZd1wl5C2HmT/1h/MZu9K6xKmFMEch92sEWo3BJyXNYT2fM2pW8nmVIhYZmT10lMInbBhcj9
X-IPAS-Result: A2FyAADWjrhd/zGZrQpiAxoBAQEBAQEBAQEDAQEBAREBAQECAgEBAQGBfYEcWIEYgTEKhB6OWoIdJYMMXpVDgSsXJQkBAQEBAQEBAQEDAQMBIwwBAQKEPgIXg2c4EwIMAQEBBAEBAQEBBQMBAQEChiAMgjspAWIvCQEyAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBBQIIBzQZBzUSAQEdAQIBAwUBHQIIATkLBxIBBgIRAwECBgEBAQ4BAQgBBgMCBAUQAQ4MFAkKBAENBAEGCIJJSwGDBpdGmnx1gTKEOQETQYUzEIE2jCmBQT6BEScME4JMPoJiAgMBgUUCLQkBFQgJAQIFgkEygiwEjQU7gjeFPIESgSeMF4JmhwEDB4IkhXkBgRaBTYdYcYQkgjxyhmWPSY0LgTSHL32RHwIEAgQFAhWBaYF7cBU7KgGCQQlHEBSDEheDUIUUhT90CQMBJI1PDRWBDTBeAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Tue, 29 Oct 2019 15:15:39 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Tue, 29 Oct 2019 15:15:39 -0400
From: "Gould, James" <jgould@verisign.com>
To: Barry Leiba <barryleiba@computer.org>, "draft-ietf-regext-login-security.all@ietf.org" <draft-ietf-regext-login-security.all@ietf.org>
CC: "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [regext] AD review for draft-ietf-regext-login-security-04
Thread-Index: AQHVjo0/NonxcYWQe0mJc3tyCLYHVw==
Date: Tue, 29 Oct 2019 19:15:39 +0000
Message-ID: <DAB825B6-F9BA-4B39-9273-1FA4DCE53882@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.e.190909
x-originating-ip: [10.170.148.18]
Content-Type: multipart/related; boundary="_004_DAB825B6F9BA4B3992731FA4DCE53882verisigncom_"; type="multipart/alternative"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/xJHZUIyPfSSUczmYpITa1_dyHbk>
Subject: Re: [regext] AD review for draft-ietf-regext-login-security-04
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 19:15:44 -0000
Barry, Thank you for the review and feedback. I provide my responses to your feedback inline below. I will post draft-ietf-regext-login-security-05 with the changes based on your feedback. -- JG [cid:image001.png@01D255E2.EB933A30] James Gould Distinguished Engineer jgould@Verisign.com<applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com<http://verisigninc.com/> From: regext <regext-bounces@ietf.org> on behalf of Barry Leiba <barryleiba@computer.org> Date: Tuesday, October 29, 2019 at 12:10 AM To: "draft-ietf-regext-login-security.all@ietf.org" <draft-ietf-regext-login-security.all@ietf.org> Cc: "regext@ietf.org" <regext@ietf.org> Subject: [regext] AD review for draft-ietf-regext-login-security-04 I have mostly editorial comments that I hope you’ll consider, but that will not block anything. My comment below for Section 4.1 is, though, something I want to discuss before I start last call. — Section 1.1 — Please use the new BCP 14 boilerplate and references; see RFC 8174 JG – That will be fixed. In examples, "C:" represents lines sent by a protocol client and "S:" represents lines returned by a protocol server. Indentation and white space in examples are provided only to illustrate element relationships and are not a REQUIRED feature of this protocol. This is not a BCP 14 key word, and should be “required” in lower case. JG – That will be changed. — Section 2 — For other similar regext documents, ADs have suggested that the compatibility/migration recommendations be left in the document for publication, rather than asking the RFC Editor to remove them. Unless there’s a good reason not to publish this section, please remove the request to the RFC Editor. JG – I will remove the note to the RFC Editor so that the section remains. — Section 3.1 — There MAY be multiple events returned that provides information for the client to address. “provide” JG – This will be fixed. The <loginSec:event> MAY include a free form description. There should be a hyphen in “free-form” here and elsewhere when it’s used as a modifier. JG – This will be fixed. There are two occurrences of “free form” that will be changed to “free-form” in section 3.1. The enumerated list of "type" values include: “includes” JG – “include:” will be changed to “includes:”. "password": Identifies a password expiry event, where the password expires in the future or has expired based on the "exDate" date and time. "certificate": Identifies a client certificate expiry event, where the client certificate will expire at the "exDate" date and time.. Why are these worded differently? Is there a reason they do not both say, << where the [thing] has expired or will expire at the “exDate” date and time. >> ? JG – The wording is different, since if the certificate expires, the connection will fail prior to getting to the login command. If the password expires, the client can execute the login command and therefore the server can include the security event post the expiry of the password in the login response. Therefore the server can only warn the client of an expired certificate in the login response prior to its expiry, but the server can inform the client of an expired password in the login response prior to or after the expiry of the password. "lang": Identifies the language of the free form description if the negotiated language is something other than the default value of "en" (English). This seems to imply that it should never be set to “en”. If that isn’t what’s meant, it might be better said as, << Identifies the language of the free-form description. The default is “en” (English). >>. JG – This language was borrowed from the various EPP RFCs include RFC 5731. There is no intent to disallow inclusion of the “lang” attribute if the value is “en”. I’ll change it based on your proposed language to make it clearer, but with “negotiated language” instead of “language”, since the greeting and the login command negotiate the language to use. Example login security event for a password expiring in a week: There’s no context for “in a week.” How about this?: << Example login security event for password expiration, where the current date is 2018-03-26: >> (And similarly for the related example in Section 4.1.) JG – Yes, that will cover future dates, I’ll make the change. I believe the correct current date is 2018-03-25 for an expiry on 2018-04-01 in a week. I’ll make a similar change for the example in section 4.1. — Section 4.1 — <loginSec:pw>: OPTIONAL plain text password that is case sensitive, has a minimum length of 6 characters, and has a maximum length that is up to server policy. All leading and trailing whitespace is removed, and all internal contiguous whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage return), and #x20 (space) is replaced with a single #x20 (space). This element MUST only be used if the [RFC5730] <pw> element is set to the "[LOGIN-SECURITY]" value. Two things here: 1. Are there any limitations on valid characters other than the four mentioned? Is there any server policy involved? JG – There are no additional constraints for valid characters in the draft or in RFC 5730. The constraints defined in the draft are based on the selection of the XML schema “token” type, which matches the type in RFC 5730. The XML schema “token” type constraints are explicitly defined in the draft based on feedback from the Working Group. Server policy will define the specific password constraints (e.g., characters, minimum length, maximum length, restricted words) for the server. An example is the use of draft-gould-regext-login-security-policy to define the password rules in EPP. 2. What is the reason for collapsing those, four characters, and not allowing a password to actually contain, say, a tab, or three consecutive spaces? What about all the other Unicode characters that represent spaces in various forms, or zero-length characters? JG – One goal of the draft is remove the 16 character maximum constraint in RFC 5730 while supporting the same XML schema type of “token”. The trimming and collapsing of whitespace is a feature of the XML schema “token” type that exists today based on what’s defined in RFC 5730. — Barry On Fri, Oct 25, 2019 at 9:44 AM James Galvin via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote: James Galvin has requested publication of draft-ietf-regext-login-security-04 as Proposed Standard on behalf of the REGEXT working group. Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-regext-login-security/
- [regext] Publication has been requested for draft… James Galvin via Datatracker
- [regext] AD review for draft-ietf-regext-login-se… Barry Leiba
- Re: [regext] AD review for draft-ietf-regext-logi… Gould, James
- Re: [regext] AD review for draft-ietf-regext-logi… Barry Leiba
- Re: [regext] AD review for draft-ietf-regext-logi… Patrick Mevzek
- Re: [regext] AD review for draft-ietf-regext-logi… Gould, James
- Re: [regext] AD review for draft-ietf-regext-logi… Patrick Mevzek