Re: [secdir] Secdir last call review of draft-ietf-regext-epp-registry-maintenance-16

Jody Kolker <jkolker@godaddy.com> Wed, 11 August 2021 14:22 UTC

From: Jody Kolker <jkolker@godaddy.com>
To: Melinda Shore <melinda.shore@nomountain.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-regext-epp-registry-maintenance.all@ietf.org" <draft-ietf-regext-epp-registry-maintenance.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "regext@ietf.org" <regext@ietf.org>
Date: Wed, 11 Aug 2021 14:21:52 +0000
Message-ID: <CH2PR02MB6357CA6B2A51511B5EA6E6FCBFF89@CH2PR02MB6357.namprd02.prod.outlook.com>
References: <162847975484.5697.10348648212211041099@ietfa.amsl.com>
In-Reply-To: <162847975484.5697.10348648212211041099@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0fVmBsrgQQoDb-D-8QuoyGVAiMo>
Subject: Re: [secdir] Secdir last call review of draft-ietf-regext-epp-registry-maintenance-16

Hi Melinda,

Thanks for the detailed review of the document.  We have made the suggested updates below and incorporated the changes into the document at https://github.com/seitsu/registry-epp-maintenance/blob/master/draft-ietf-regext-epp-registry-maintenance.txt with an added reference to RFC 5730 regarding security considerations.  

We will publish the document with additional changes after our AD requests publication.

Please let us know if anything else is needed.

Thanks,
Jody Kolker.

-----Original Message-----
From: Melinda Shore via Datatracker <noreply@ietf.org> 
Sent: Sunday, August 8, 2021 10:29 PM
To: secdir@ietf.org
Cc: draft-ietf-regext-epp-registry-maintenance.all@ietf.org; last-call@ietf.org; regext@ietf.org
Subject: Secdir last call review of draft-ietf-regext-epp-registry-maintenance-16

Reviewer: Melinda Shore
Review result: Has Issues

The security considerations section is scanty - transport security is not described at all, nor is the question of defense against a malicious actor spoofing a server.  It may be the case that there are, in fact, mitigations in common use but they are not spelled out in this draft nor in RFC 5730 (and I’ll be the first to admit that I may have missed something).  Because of this I do have reservations about progressing the document towards publication.

Section 3.3: Is it the case that if an element is not explicitly identified as optional, it’s mandatory?  If that’s the case you may want to mention that in the first paragraph of this section.

Nits:

There’s occasionally some unidiomatic English (for example, “The command mappings described here are specifically for the use to notify [ … ]” rather than, for example, “The command mappings described here are specifically used to notify [ … ]”, “The information on a [ … ]” rather than “The information about a [ … ]”, etc.).

Section 1, first paragraph:  It’s actually not very clear about what registries are informing registrars.  It may be clearer to start with something along the lines of “Registries usually inform registrars of maintenance activities in different ways.”