draft-ietf-regext-login-security-08.txt		draft-ietf-regext-login-security-09.txt
	Network Working Group J. Gould		Network Working Group J. Gould
	Internet-Draft M. Pozun		Internet-Draft M. Pozun
	Intended status: Standards Track VeriSign, Inc.		Intended status: Standards Track VeriSign, Inc.
	Expires: August 2, 2020 January 30, 2020		Expires: August 27, 2020 February 24, 2020
	Login Security Extension for the Extensible Provisioning Protocol (EPP)		Login Security Extension for the Extensible Provisioning Protocol (EPP)
	draft-ietf-regext-login-security-08		draft-ietf-regext-login-security-09
	Abstract		Abstract
	The Extensible Provisioning Protocol (EPP) includes a client		The Extensible Provisioning Protocol (EPP) includes a client
	authentication scheme that is based on a user identifier and		authentication scheme that is based on a user identifier and
	password. The structure of the password field is defined by an XML		password. The structure of the password field is defined by an XML
	Schema data type that specifies minimum and maximum password length		Schema data type that specifies minimum and maximum password length
	values, but there are no other provisions for password management		values, but there are no other provisions for password management
	other than changing the password. This document describes an EPP		other than changing the password. This document describes an EPP
	extension that allows longer passwords to be created and adds		extension that allows longer passwords to be created and adds
	skipping to change at page 1, line 37 ¶		skipping to change at page 1, line 37 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on August 2, 2020.		This Internet-Draft will expire on August 27, 2020.
	Copyright Notice		Copyright Notice
	Copyright (c) 2020 IETF Trust and the persons identified as the		Copyright (c) 2020 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	carefully, as they describe your rights and restrictions with respect		carefully, as they describe your rights and restrictions with respect
	to this document. Code Components extracted from this document must		to this document. Code Components extracted from this document must
	include Simplified BSD License text as described in Section 4.e of		include Simplified BSD License text as described in Section 4.e of
	the Trust Legal Provisions and are provided without warranty as		the Trust Legal Provisions and are provided without warranty as
	described in the Simplified BSD License.		described in the Simplified BSD License.
	Table of Contents		Table of Contents
	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2		1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
	1.1. Conventions Used in This Document . . . . . . . . . . . . 3		1.1. Conventions Used in This Document . . . . . . . . . . . . 3
	2. Migrating to Newer Versions of This Extension . . . . . . . . 3		2. Migrating to Newer Versions of This Extension . . . . . . . . 4
	3. Object Attributes . . . . . . . . . . . . . . . . . . . . . . 4		3. Object Attributes . . . . . . . . . . . . . . . . . . . . . . 4
	3.1. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 4		3.1. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 4
	3.2. "[LOGIN-SECURITY]" Password . . . . . . . . . . . . . . . 6		3.2. "[LOGIN-SECURITY]" Password . . . . . . . . . . . . . . . 6
	3.3. Dates and Times . . . . . . . . . . . . . . . . . . . . . 6		3.3. Dates and Times . . . . . . . . . . . . . . . . . . . . . 6
	4. EPP Command Mapping . . . . . . . . . . . . . . . . . . . . . 7		4. EPP Command Mapping . . . . . . . . . . . . . . . . . . . . . 7
	4.1. EPP <login> Command . . . . . . . . . . . . . . . . . . . 7		4.1. EPP <login> Command . . . . . . . . . . . . . . . . . . . 7
	5. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 15		5. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 15
	5.1. Login Security Extension Schema . . . . . . . . . . . . . 15		5.1. Login Security Extension Schema . . . . . . . . . . . . . 15
	6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17		6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
	6.1. XML Namespace . . . . . . . . . . . . . . . . . . . . . . 17		6.1. XML Namespace . . . . . . . . . . . . . . . . . . . . . . 17
	skipping to change at page 2, line 45 ¶		skipping to change at page 2, line 45 ¶
	A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 22		A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 22
	A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 22		A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 22
	A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 22		A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 22
	A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 22		A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 22
	A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 22		A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 22
	A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 23		A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 23
	A.9. Change from REGEXT 04 to REGEXT 05 . . . . . . . . . . . 23		A.9. Change from REGEXT 04 to REGEXT 05 . . . . . . . . . . . 23
	A.10. Change from REGEXT 05 to REGEXT 06 . . . . . . . . . . . 24		A.10. Change from REGEXT 05 to REGEXT 06 . . . . . . . . . . . 24
	A.11. Change from REGEXT 06 to REGEXT 07 . . . . . . . . . . . 24		A.11. Change from REGEXT 06 to REGEXT 07 . . . . . . . . . . . 24
	A.12. Change from REGEXT 07 to REGEXT 08 . . . . . . . . . . . 24		A.12. Change from REGEXT 07 to REGEXT 08 . . . . . . . . . . . 24
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26		A.13. Change from REGEXT 08 to REGEXT 09 . . . . . . . . . . . 26
			Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
	1. Introduction		1. Introduction
	This document describes an Extensible Provisioning Protocol (EPP)		This document describes an Extensible Provisioning Protocol (EPP)
	extension for enhancing the security of the EPP login command in EPP		extension for enhancing the security of the EPP login command in EPP
	[RFC5730]. The enhancements include supporting longer passwords (or		[RFC5730]. The enhancements include supporting longer passwords (or
	passphrases) than the 16-character maximum and providing a list of		passphrases) than the 16-character maximum and providing a list of
	security events in the login response. The password (current and		security events in the login response. The password (current and
	new) in EPP [RFC5730] can be overridden by the password included in		new) in EPP [RFC5730] can be overridden by the password included in
	the extension to extend past the 16-character maximum. The security		the extension to extend past the 16-character maximum. The security
	skipping to change at page 8, line 37 ¶		skipping to change at page 8, line 40 ¶
	"[LOGIN-SECURITY]" value.		"[LOGIN-SECURITY]" value.
	<loginSec:newPW>: OPTIONAL plain text new password that is case		<loginSec:newPW>: OPTIONAL plain text new password that is case
	sensitive, has a minimum length of 6 characters, and has a		sensitive, has a minimum length of 6 characters, and has a
	maximum length that is up to server policy. All leading and		maximum length that is up to server policy. All leading and
	trailing whitespace is removed, and all internal contiguous		trailing whitespace is removed, and all internal contiguous
	whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage		whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage
	return), and #x20 (space) is replaced with a single #x20 (space).		return), and #x20 (space) is replaced with a single #x20 (space).
	This element MUST only be set if the [RFC5730] <newPW> element is		This element MUST only be set if the [RFC5730] <newPW> element is
	set to the "[LOGIN-SECURITY]" value.		set to the "[LOGIN-SECURITY]" value.
	It is recommended that the plain text password in the <loginSec:pw>		It is RECOMMENDED that the plain text password in the <loginSec:pw>
	and <loginSec:newPw> elements use printable ASCII characters #x20		and <loginSec:newPw> elements use printable ASCII characters #x20
	(space) - #x7E (~), with high entropy, such as 128 bits. If non-		(space) - #x7E (~), with high entropy, such as 128 bits. If non-
	ASCII characters are supported with the plain text password, then use		ASCII characters are supported with the plain text password, then use
	a standard for passwords with international characters, such as the		a standard for passwords with international characters; the
	OpaqueString PRECIS profile in [RFC8265].		OpaqueString PRECIS profile in [RFC8265] is recommended in the
			absence of other considerations.
	Example login command that uses the <loginSec:pw> element instead of		Example login command that uses the <loginSec:pw> element instead of
	the [RFC5730] <pw> element to establish the session and includes the		the [RFC5730] <pw> element to establish the session and includes the
	<loginSec:userAgent> element:		<loginSec:userAgent> element:
	C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>		C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
	C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">		C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
	C: <command>		C: <command>
	C: <login>		C: <login>
	C: <clID>ClientX</clID>		C: <clID>ClientX</clID>
	skipping to change at page 26, line 36 ¶		skipping to change at page 26, line 36 ¶
	security events to unauthenticated users needs to take into		security events to unauthenticated users needs to take into
	account the security/privacy issues of returning information		account the security/privacy issues of returning information
	to potential attackers." to the end of the last paragraph.		to potential attackers." to the end of the last paragraph.
	14. In section 8, change "minimum length beyond 6 characters" to		14. In section 8, change "minimum length beyond 6 characters" to
	"minimum length greater than 6 characters".		"minimum length greater than 6 characters".
	15. In section 8, add the sentence "The user agent information		15. In section 8, add the sentence "The user agent information
	represents the client system of a system-to-system		represents the client system of a system-to-system
	interface, so the user agent information MUST NOT provide		interface, so the user agent information MUST NOT provide
	any ability to track individual users or classes of users."		any ability to track individual users or classes of users."
			A.13. Change from REGEXT 08 to REGEXT 09
			1. Based on feedback from Barry Leiba in responding to Benjamin
			Kaduk's discuss item, changed "It is recommended that the plain
			text..." to "It is RECOMMENDED that the plain text..." and "If
			non-ASCII characters are supported with the plain text password,
			then use a standard for passwords with international characters,
			such as the OpaqueString PRECIS profile in [RFC8265]." to "If
			non-ASCII characters are supported with the plain text password,
			then use a standard for passwords with international characters;
			the OpaqueString PRECIS profile in [RFC8265] is recommended in
			the absence of other considerations."
	Authors' Addresses		Authors' Addresses
	James Gould		James Gould
	VeriSign, Inc.		VeriSign, Inc.
	12061 Bluemont Way		12061 Bluemont Way
	Reston, VA 20190		Reston, VA 20190
	US		US
	Email: jgould@verisign.com		Email: jgould@verisign.com
	URI: http://www.verisign.com		URI: http://www.verisign.com
End of changes. 9 change blocks.
	9 lines changed or deleted		24 lines changed or added
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/