| draft-ietf-regext-login-security-05.txt | draft-ietf-regext-login-security-06.txt | |||
|---|---|---|---|---|
| Network Working Group J. Gould | Network Working Group J. Gould | |||
| Internet-Draft M. Pozun | Internet-Draft M. Pozun | |||
| Intended status: Standards Track VeriSign, Inc. | Intended status: Standards Track VeriSign, Inc. | |||
| Expires: May 1, 2020 October 29, 2019 | Expires: May 22, 2020 November 19, 2019 | |||
| Login Security Extension for the Extensible Provisioning Protocol (EPP) | Login Security Extension for the Extensible Provisioning Protocol (EPP) | |||
| draft-ietf-regext-login-security-05 | draft-ietf-regext-login-security-06 | |||
| Abstract | Abstract | |||
| The Extensible Provisioning Protocol (EPP) includes a client | The Extensible Provisioning Protocol (EPP) includes a client | |||
| authentication scheme that is based on a user identifier and | authentication scheme that is based on a user identifier and | |||
| password. The structure of the password field is defined by an XML | password. The structure of the password field is defined by an XML | |||
| Schema data type that specifies minimum and maximum password length | Schema data type that specifies minimum and maximum password length | |||
| values, but there are no other provisions for password management | values, but there are no other provisions for password management | |||
| other than changing the password. This document describes an EPP | other than changing the password. This document describes an EPP | |||
| extension that allows longer passwords to be created and adds | extension that allows longer passwords to be created and adds | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 1, 2020. | This Internet-Draft will expire on May 22, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 42 ¶ | skipping to change at page 2, line 42 ¶ | |||
| Appendix A. Change History . . . . . . . . . . . . . . . . . . . 20 | Appendix A. Change History . . . . . . . . . . . . . . . . . . . 20 | |||
| A.1. Change from 00 to 01 . . . . . . . . . . . . . . . . . . 20 | A.1. Change from 00 to 01 . . . . . . . . . . . . . . . . . . 20 | |||
| A.2. Change from 01 to 02 . . . . . . . . . . . . . . . . . . 20 | A.2. Change from 01 to 02 . . . . . . . . . . . . . . . . . . 20 | |||
| A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 20 | A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 20 | |||
| A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 20 | A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 20 | |||
| A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 20 | A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 20 | |||
| A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 21 | A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 21 | |||
| A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 21 | A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 21 | |||
| A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 22 | A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 22 | |||
| A.9. Change from REGEXT 04 to REGEXT 05 . . . . . . . . . . . 22 | A.9. Change from REGEXT 04 to REGEXT 05 . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | A.10. Change from REGEXT 05 to REGEXT 06 . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | ||||
| 1. Introduction | 1. Introduction | |||
| This document describes an Extensible Provisioning Protocol (EPP) | This document describes an Extensible Provisioning Protocol (EPP) | |||
| extension for enhancing the security of the EPP login command in EPP | extension for enhancing the security of the EPP login command in EPP | |||
| RFC 5730. The enhancements include supporting longer passwords (or | [RFC5730]. The enhancements include supporting longer passwords (or | |||
| passphrases) than the 16-character maximum and providing a list of | passphrases) than the 16-character maximum and providing a list of | |||
| security events in the login response. The password (current and | security events in the login response. The password (current and | |||
| new) in EPP RFC 5730 can be overridden by the password included in | new) in EPP [RFC5730] can be overridden by the password included in | |||
| the extension to extend past the 16-character maximum. The security | the extension to extend past the 16-character maximum. The security | |||
| events supported include: password expiry, client certificate expiry, | events supported include: password expiry, client certificate expiry, | |||
| insecure cipher, insecure TLS protocol, new pasword complexity, login | insecure cipher, insecure TLS protocol, new pasword complexity, login | |||
| security statistical warning, and a custom event. The attributes | security statistical warning, and a custom event. The attributes | |||
| supported by the security events include identifying the event type | supported by the security events include identifying the event type | |||
| or sub-type, indicating the security level of warning or error, a | or sub-type, indicating the security level of warning or error, a | |||
| future or past-due expiration date, the value that resulted in the | future or past-due expiration date, the value that resulted in the | |||
| event, the duration of the statistical event, and a free-form | event, the duration of the statistical event, and a free-form | |||
| description with an optional language. | description with an optional language. | |||
| skipping to change at page 3, line 44 ¶ | skipping to change at page 3, line 45 ¶ | |||
| "loginSec" is used, but implementations MUST NOT depend on it and | "loginSec" is used, but implementations MUST NOT depend on it and | |||
| instead employ a proper namespace-aware XML parser and serializer to | instead employ a proper namespace-aware XML parser and serializer to | |||
| interpret and output the XML documents. | interpret and output the XML documents. | |||
| 2. Migrating to Newer Versions of This Extension | 2. Migrating to Newer Versions of This Extension | |||
| Servers which implement this extension SHOULD provide a way for | Servers which implement this extension SHOULD provide a way for | |||
| clients to progressively update their implementations when a new | clients to progressively update their implementations when a new | |||
| version of the extension is deployed. | version of the extension is deployed. | |||
| Servers SHOULD (for a temporary migration period) provide support for | Servers SHOULD (for a temporary migration period up to server policy) | |||
| older versions of the extension in parallel to the newest version, | provide support for older versions of the extension in parallel to | |||
| and allow clients to select their preferred version via the | the newest version, and allow clients to select their preferred | |||
| <svcExtension> element of the <login> command. | version via the <svcExtension> element of the <login> command. | |||
| If a client requests multiple versions of the extension at login, | If a client requests multiple versions of the extension at login, | |||
| then, when preparing responses to commands which do not include | then, when preparing responses to commands which do not include | |||
| extension elements, the server SHOULD only include extension elements | extension elements, the server SHOULD only include extension elements | |||
| in the namespace of the newest version of the extension requested by | in the namespace of the newest version of the extension requested by | |||
| the client. | the client. | |||
| When preparing responses to commands which do include extension | When preparing responses to commands which do include extension | |||
| elements, the server SHOULD only include extension elements for the | elements, the server SHOULD only include extension elements for the | |||
| extension versions present in the command. | extension versions present in the command. | |||
| skipping to change at page 22, line 47 ¶ | skipping to change at page 22, line 47 ¶ | |||
| "en" (English). | "en" (English). | |||
| 8. In section 3.1, change example description from "Example login | 8. In section 3.1, change example description from "Example login | |||
| security event for a password expiring in a week:" to "Example | security event for a password expiring in a week:" to "Example | |||
| login security event for password expiration, where the current | login security event for password expiration, where the current | |||
| date is 2018-03-25:". | date is 2018-03-25:". | |||
| 9. In section 4.1, change "Example EPP response to a successful | 9. In section 4.1, change "Example EPP response to a successful | |||
| login command where the password will expire in a week:" to | login command where the password will expire in a week:" to | |||
| "Example EPP response to a successful login command on | "Example EPP response to a successful login command on | |||
| 2018-03-25, where the password will expire in a week:". | 2018-03-25, where the password will expire in a week:". | |||
| A.10. Change from REGEXT 05 to REGEXT 06 | ||||
| Updates based on the review by Brian Carpenter, that include: | ||||
| 1. In section 1, change the references to RFC 5730 to use links. | ||||
| 2. In section 2, change "(for a temporary migration period)" to | ||||
| "(for a temporary migration period up to server policy)". | ||||
| Authors' Addresses | Authors' Addresses | |||
| James Gould | James Gould | |||
| VeriSign, Inc. | VeriSign, Inc. | |||
| 12061 Bluemont Way | 12061 Bluemont Way | |||
| Reston, VA 20190 | Reston, VA 20190 | |||
| US | US | |||
| Email: jgould@verisign.com | Email: jgould@verisign.com | |||
| URI: http://www.verisign.com | URI: http://www.verisign.com | |||
| Matthew Pozun | Matthew Pozun | |||
| End of changes. 9 change blocks. | ||||
| 10 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||