--- 1/draft-ietf-regext-login-security-03.txt 2019-09-30 15:13:05.641597444 -0700
+++ 2/draft-ietf-regext-login-security-04.txt 2019-09-30 15:13:05.685598557 -0700
@@ -1,18 +1,18 @@
Network Working Group J. Gould
Internet-Draft M. Pozun
Intended status: Standards Track VeriSign, Inc.
-Expires: February 6, 2020 August 5, 2019
+Expires: April 2, 2020 September 30, 2019
Login Security Extension for the Extensible Provisioning Protocol (EPP)
- draft-ietf-regext-login-security-03
+ draft-ietf-regext-login-security-04
Abstract
The Extensible Provisioning Protocol (EPP) includes a client
authentication scheme that is based on a user identifier and
password. The structure of the password field is defined by an XML
Schema data type that specifies minimum and maximum password length
values, but there are no other provisions for password management
other than changing the password. This document describes an EPP
extension that allows longer passwords to be created and adds
@@ -26,21 +26,21 @@
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on February 6, 2020.
+ This Internet-Draft will expire on April 2, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
@@ -75,20 +75,21 @@
10.2. Informative References . . . . . . . . . . . . . . . . . 19
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 20
A.1. Change from 00 to 01 . . . . . . . . . . . . . . . . . . 20
A.2. Change from 01 to 02 . . . . . . . . . . . . . . . . . . 20
A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 20
A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 20
A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 20
A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 21
A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 21
+ A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction
This document describes an Extensible Provisioning Protocol (EPP)
extension for enhancing the security of the EPP login command in EPP
RFC 5730. The enhancements include supporting longer passwords (or
passphrases) than the 16-character maximum and providing a list of
security events in the login response. The password (current and
new) in EPP RFC 5730 can be overridden by the password included in
@@ -173,26 +174,28 @@
"certificate": Identifies a client certificate expiry event,
where the client certificate will expire at the "exDate" date
and time.
"cipher": Identifies the use of an insecure or deprecated TLS
cipher suite.
"tlsProtocol": Identifies the use of an insecure or deprecated
TLS protocol.
"newPW": The new password does not meet the server password
complexity requirements.
"stat": Provides a login security statistical warning that MUST
- set the "name" attribute to the name of the statistic.
+ set the "name" attribute to the name of the statistic sub-
+ type.
"custom": Custom event type that MUST set the "name" attribute
with the custom event type name.
"name": Used to define a sub-type when the "type" attribute is not
"custom" or the full type name when the "type" attribute is
- "custom".
+ "custom". The "name" attribute MUST be set when the "type"
+ attribute is "stat" or "custom".
"level": Defines the level of the event as either "warning" for a
warning event that needs action, or "error" for an error event
that requires immediate action.
"exDate": Contains the date and time that a "warning" level has or
will become an "error" level. At expiry there MAY be an error to
connect or MAY be an error to login. An example is an expired
certificate that will result in an error to connect or an expired
password that may result in a failed login.
"value": Identifies the value that resulted in the login security
@@ -592,40 +591,47 @@
-->
-
-
+
-
+
+ type="token" />
+
+
+
+
+
+
-
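Review bot: the element names in this schema hunk have not survived extraction (only `type="token" />` is readable), so the userAgentType change described in A.8 item 3 cannot be checked line by line from this rendering; when reviewing the source schema, confirm that the "at least one child element" requirement is carried by the minOccurs of the grouping construct itself rather than by each child being individually optional, since the latter would still validate an empty userAgent element, and confirm that the construct still permits any combination of the children as the prose 'MUST contain at least one of the following child elements' implies.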
@@ -920,20 +923,33 @@
to read 'The element MUST contain at
least one of the following child elements:'.
4. Revised the description of the to match the
child elements that can be passed, by changing "client software"
to "client application software" and change "language" to
"technology".
5. Changed the XML namespace from
urn:ietf:params:xml:ns:epp:loginSec-0.4 to
urn:ietf:params:xml:ns:epp:loginSec-1.0.
+A.8. Change from REGEXT 03 to REGEXT 04
+
+ Updates based on the review by Joseph Yee, that include:
+
+ 1. Update the definition of the "stat" security event type to
+ reference sub-type to match the language for the "name"
+ attribute.
+ 2. Added the sentence 'The "name" attribute MUST be set when the
+ "type" attribute is "stat" or "custom".' to the definition of the
+ "name" attribute for clarity.
+ 3. Update the definition of the "userAgentType" in the XML schema to
+ require at least one sub-element using a element.
+
Authors' Addresses
James Gould
VeriSign, Inc.
12061 Bluemont Way
Reston, VA 20190
US
Email: jgould@verisign.com
URI: http://www.verisign.com
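Review bot: A.8 item 3 reads 'using a element' with the element name missing, and items 1 and 3 use 'Update' while item 2 uses 'Added'; align the tense across the three items ('Updated', 'Added', 'Updated') and supply the schema element name from the source, since this rendering has dropped it. Items 1 and 2 of A.8 correspond to the text changes in the -173 hunk, and the new A.8 heading matches the entry added to the table of contents.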