Re: [regext] draft-ietf-regexy-login-security

"Patrick Mevzek" <pm@dotandco.com> Wed, 13 November 2019 20:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/y4VjarZtw2IylWeGxD3bKaleHjw>


On Wed, Nov 13, 2019, at 15:13, Hollenbeck, Scott wrote:
> I don't think that local storage of sensitive information, such as 
> passwords, is a *protocol* issue per se.

"Interestingly", on another proposal (to handle transfers), when I said
it is absolutely not a protocol/interoperability issue how the passwords
are chosen or stored by the registry, I was told that it is definitively a
protocol issue and that the draft should be discussed by the working group!

I do not see how one password (the client one) cannot be a protocol issue,
but another one (the domain ones) can be. They are both exchanged in plain text
and hence are sensitive information, where the protocol should be so defined that
it could work without having to exchange this sensitive information at all.

None are protocol/interoperability issues in a way, and none should be sent in the clear
(no matter what the transport; and do remember that EPP ought to be transport
agnostic, and there were attempts in the past to have it over SMTP for example;
in fact at least one registry has it that way nowadays...)

-- 
  Patrick Mevzek
  pm@dotandco.com
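One defensive consequence of the point made above (both the client login password and the domain authInfo travel as plain text inside the EPP XML) is that command logs must be scrubbed before they are stored. The following is an added example, not code from this thread or from any registry's EPP implementation; it assumes the element layout of RFC 5730 (`<login><pw>`, `<newPW>`) and RFC 5731 (`<domain:authInfo><domain:pw>`), and the sample commands are constructed.

```python
"""Redact EPP credentials before a command is written to a log.

Added example (not from the thread or any registry). Assumes the RFC 5730
<login><pw>/<newPW> and RFC 5731 <domain:authInfo><domain:pw> layout.
"""
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"

# Constructed sample: a <login> carrying the client password in plain text ...
LOGIN_CMD = (
    f'<epp xmlns="{EPP_NS}"><command><login>'
    '<clID>ClientX</clID><pw>foo-BAR2</pw><newPW>bar-FOO2</newPW>'
    '<options><version>1.0</version><lang>en</lang></options>'
    '</login><clTRID>ABC-12345</clTRID></command></epp>'
)

# ... and a <domain:transfer> carrying the domain authInfo the same way.
TRANSFER_CMD = (
    f'<epp xmlns="{EPP_NS}"><command><transfer op="request">'
    f'<domain:transfer xmlns:domain="{DOMAIN_NS}">'
    '<domain:name>example.com</domain:name>'
    '<domain:authInfo><domain:pw>2fooBAR</domain:pw></domain:authInfo>'
    '</domain:transfer></transfer><clTRID>ABC-12346</clTRID></command></epp>'
)

# Local element names whose text content is a secret, whatever the namespace.
SECRET_ELEMENTS = {"pw", "newPW"}


def redact_epp(xml_text: str, mask: str = "[REDACTED]") -> str:
    """Return xml_text with the text of every secret-bearing element masked."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
        if local in SECRET_ELEMENTS and el.text:
            el.text = mask
    return ET.tostring(root, encoding="unicode")


def contains_secret(xml_text: str, secrets) -> bool:
    """True if any of the given secret strings still appears in xml_text."""
    return any(s in xml_text for s in secrets)
```

Run the redactor on every command and response before it reaches a log sink; the namespace-agnostic match also catches a prefixed `<domain:pw>` without special-casing each object mapping.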