draft-ietf-regext-login-security-09.txt | draft-ietf-regext-login-security-10.txt | |||
---|---|---|---|---|
Network Working Group J. Gould | Network Working Group J. Gould | |||
Internet-Draft M. Pozun | Internet-Draft M. Pozun | |||
Intended status: Standards Track VeriSign, Inc. | Intended status: Standards Track VeriSign, Inc. | |||
Expires: August 27, 2020 February 24, 2020 | Expires: August 29, 2020 February 26, 2020 | |||
Login Security Extension for the Extensible Provisioning Protocol (EPP) | Login Security Extension for the Extensible Provisioning Protocol (EPP) | |||
draft-ietf-regext-login-security-09 | draft-ietf-regext-login-security-10 | |||
Abstract | Abstract | |||
The Extensible Provisioning Protocol (EPP) includes a client | The Extensible Provisioning Protocol (EPP) includes a client | |||
authentication scheme that is based on a user identifier and | authentication scheme that is based on a user identifier and | |||
password. The structure of the password field is defined by an XML | password. The structure of the password field is defined by an XML | |||
Schema data type that specifies minimum and maximum password length | Schema data type that specifies minimum and maximum password length | |||
values, but there are no other provisions for password management | values, but there are no other provisions for password management | |||
other than changing the password. This document describes an EPP | other than changing the password. This document describes an EPP | |||
extension that allows longer passwords to be created and adds | extension that allows longer passwords to be created and adds | |||
skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on August 27, 2020. | This Internet-Draft will expire on August 29, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 | |||
2. Migrating to Newer Versions of This Extension . . . . . . . . 4 | 2. Migrating to Newer Versions of This Extension . . . . . . . . 4 | |||
3. Object Attributes . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Object Attributes . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3.1. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3.2. "[LOGIN-SECURITY]" Password . . . . . . . . . . . . . . . 6 | 3.2. "[LOGIN-SECURITY]" Password . . . . . . . . . . . . . . . 6 | |||
3.3. Dates and Times . . . . . . . . . . . . . . . . . . . . . 6 | 3.3. Dates and Times . . . . . . . . . . . . . . . . . . . . . 7 | |||
4. EPP Command Mapping . . . . . . . . . . . . . . . . . . . . . 7 | 4. EPP Command Mapping . . . . . . . . . . . . . . . . . . . . . 7 | |||
4.1. EPP <login> Command . . . . . . . . . . . . . . . . . . . 7 | 4.1. EPP <login> Command . . . . . . . . . . . . . . . . . . . 7 | |||
5. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 15 | 5. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
5.1. Login Security Extension Schema . . . . . . . . . . . . . 15 | 5.1. Login Security Extension Schema . . . . . . . . . . . . . 15 | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | |||
6.1. XML Namespace . . . . . . . . . . . . . . . . . . . . . . 17 | 6.1. XML Namespace . . . . . . . . . . . . . . . . . . . . . . 17 | |||
6.2. EPP Extension Registry . . . . . . . . . . . . . . . . . 18 | 6.2. EPP Extension Registry . . . . . . . . . . . . . . . . . 18 | |||
7. Implementation Status . . . . . . . . . . . . . . . . . . . . 18 | 7. Implementation Status . . . . . . . . . . . . . . . . . . . . 18 | |||
7.1. Verisign EPP SDK . . . . . . . . . . . . . . . . . . . . 19 | 7.1. Verisign EPP SDK . . . . . . . . . . . . . . . . . . . . 19 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
skipping to change at page 2, line 46 ¶ | skipping to change at page 2, line 46 ¶ | |||
A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 22 | A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 22 | |||
A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 22 | A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 22 | |||
A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 22 | A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 22 | |||
A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 22 | A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 22 | |||
A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 23 | A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 23 | |||
A.9. Change from REGEXT 04 to REGEXT 05 . . . . . . . . . . . 23 | A.9. Change from REGEXT 04 to REGEXT 05 . . . . . . . . . . . 23 | |||
A.10. Change from REGEXT 05 to REGEXT 06 . . . . . . . . . . . 24 | A.10. Change from REGEXT 05 to REGEXT 06 . . . . . . . . . . . 24 | |||
A.11. Change from REGEXT 06 to REGEXT 07 . . . . . . . . . . . 24 | A.11. Change from REGEXT 06 to REGEXT 07 . . . . . . . . . . . 24 | |||
A.12. Change from REGEXT 07 to REGEXT 08 . . . . . . . . . . . 24 | A.12. Change from REGEXT 07 to REGEXT 08 . . . . . . . . . . . 24 | |||
A.13. Change from REGEXT 08 to REGEXT 09 . . . . . . . . . . . 26 | A.13. Change from REGEXT 08 to REGEXT 09 . . . . . . . . . . . 26 | |||
| A.14. Change from REGEXT 09 to REGEXT 10 . . . . . . . . . . . 27 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
1. Introduction | 1. Introduction | |||
This document describes an Extensible Provisioning Protocol (EPP) | This document describes an Extensible Provisioning Protocol (EPP) | |||
extension for enhancing the security of the EPP login command in EPP | extension for enhancing the security of the EPP login command in EPP | |||
[RFC5730]. The enhancements include supporting longer passwords (or | [RFC5730]. EPP [RFC5730] includes a maximum password length of 16 | |||
passphrases) than the 16-character maximum and providing a list of | characters that inhibits implementing stronger password security | |||
security events in the login response. The password (current and | policies with higher entropy. The enhancements include supporting | |||
new) in EPP [RFC5730] can be overridden by the password included in | longer passwords (or passphrases) than the 16-character maximum and | |||
the extension to extend past the 16-character maximum. The security | providing a list of security events in the login response. The | |||
events supported include: password expiry, client certificate expiry, | password (current and new) in EPP [RFC5730] can be overridden by the | |||
insecure cipher, insecure TLS protocol, new password complexity, | password included in the extension to extend past the 16-character | |||
login security statistical warning, and a custom event. The | maximum. The security events supported include: password expiry, | |||
attributes supported by the security events include identifying the | client certificate expiry, insecure cipher, insecure TLS protocol, | |||
event type or sub-type, indicating the security level of warning or | new password complexity, login security statistical warning, and a | |||
error, a future or past-due expiration date, the value that resulted | custom event. The attributes supported by the security events | |||
in the event, the duration of the statistical event, and a free-form | include identifying the event type or sub-type, indicating the | |||
description with an optional language. | security level of warning or error, a future or past-due expiration | |||
| date, the value that resulted in the event, the duration of the | |||
| statistical event, and a free-form description with an optional | |||
| language. | |||
1.1. Conventions Used in This Document | 1.1. Conventions Used in This Document | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
XML is case sensitive. Unless stated otherwise, XML specifications | XML is case sensitive. Unless stated otherwise, XML specifications | |||
skipping to change at page 27, line 5 ¶ | skipping to change at page 27, line 5 ¶ | |||
Kaduk's discuss item, changed "It is recommended that the plain | Kaduk's discuss item, changed "It is recommended that the plain | |||
text..." to "It is RECOMMENDED that the plain text..." and "If | text..." to "It is RECOMMENDED that the plain text..." and "If | |||
non-ASCII characters are supported with the plain text password, | non-ASCII characters are supported with the plain text password, | |||
then use a standard for passwords with international characters, | then use a standard for passwords with international characters, | |||
such as the OpaqueString PRECIS profile in [RFC8265]." to "If | such as the OpaqueString PRECIS profile in [RFC8265]." to "If | |||
non-ASCII characters are supported with the plain text password, | non-ASCII characters are supported with the plain text password, | |||
then use a standard for passwords with international characters; | then use a standard for passwords with international characters; | |||
the OpaqueString PRECIS profile in [RFC8265] is recommended in | the OpaqueString PRECIS profile in [RFC8265] is recommended in | |||
the absence of other considerations." | the absence of other considerations." | |||
| A.14. Change from REGEXT 09 to REGEXT 10 | |||
| 1. Based on feedback from Benjamin Kaduk, added the sentence "EPP | |||
| [RFC5730] includes a maximum password length of 16 characters | |||
| that inhibits implementing stronger password security policies | |||
| with higher entropy." to the Introduction. | |||
Authors' Addresses | Authors' Addresses | |||
James Gould | James Gould | |||
VeriSign, Inc. | VeriSign, Inc. | |||
12061 Bluemont Way | 12061 Bluemont Way | |||
Reston, VA 20190 | Reston, VA 20190 | |||
US | US | |||
Email: jgould@verisign.com | Email: jgould@verisign.com | |||
URI: http://www.verisign.com | URI: http://www.verisign.com | |||
End of changes. 7 change blocks. | ||||
17 lines changed or deleted | 28 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |
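The Introduction of the draft (both columns above) describes the two mechanisms of the extension: the base RFC 5730 password, limited to 16 characters by pwType, is overridden by a longer passphrase carried in the extension, with the "[LOGIN-SECURITY]" placeholder of Section 3.2 standing in the base <pw>/<newPW>; and the login response carries a list of security events, each with a type or sub-type, a warning/error level, an expiration date, a triggering value, a duration and a description with a language. The Python below is an added example written for this page; it is not code from the draft nor from the Verisign EPP SDK the draft lists as an implementation. It builds such a login command and triages the events of a constructed response. The element names, the event type values and the namespace URI follow the published form of this extension (RFC 8807) and are assumptions as far as this diff page is concerned; the client ID, transaction IDs, object URI and the sample response are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
# Namespace of the published extension (RFC 8807); an assumption here, the
# diff page above does not reproduce it.
LOGINSEC_NS = "urn:ietf:params:xml:ns:epp:loginSec-1.0"
PLACEHOLDER = "[LOGIN-SECURITY]"  # Section 3.2 of the draft; fits pwType (6..16 chars)

ET.register_namespace("epp", EPP_NS)
ET.register_namespace("loginSec", LOGINSEC_NS)


def _epp(tag: str) -> str:
    return "{%s}%s" % (EPP_NS, tag)


def _ls(tag: str) -> str:
    return "{%s}%s" % (LOGINSEC_NS, tag)


def build_login(cl_id: str, passphrase: str, new_passphrase: Optional[str] = None,
                cl_trid: str = "ABC-12345") -> bytes:
    """Serialize an EPP <login> whose passphrase may exceed RFC 5730's 16 characters.

    The base <pw>/<newPW> carry the placeholder, so the RFC 5730 schema is
    never violated; the real values travel in <loginSec:loginSec>.
    """
    if not passphrase:
        raise ValueError("empty passphrase")
    epp = ET.Element(_epp("epp"))
    command = ET.SubElement(epp, _epp("command"))
    login = ET.SubElement(command, _epp("login"))
    ET.SubElement(login, _epp("clID")).text = cl_id
    ET.SubElement(login, _epp("pw")).text = PLACEHOLDER
    if new_passphrase is not None:
        ET.SubElement(login, _epp("newPW")).text = PLACEHOLDER
    options = ET.SubElement(login, _epp("options"))
    ET.SubElement(options, _epp("version")).text = "1.0"
    ET.SubElement(options, _epp("lang")).text = "en"
    svcs = ET.SubElement(login, _epp("svcs"))
    ET.SubElement(svcs, _epp("objURI")).text = "urn:ietf:params:xml:ns:domain-1.0"
    ext_uris = ET.SubElement(svcs, _epp("svcExtension"))
    ET.SubElement(ext_uris, _epp("extURI")).text = LOGINSEC_NS  # announce the extension
    extension = ET.SubElement(command, _epp("extension"))
    login_sec = ET.SubElement(extension, _ls("loginSec"))
    ET.SubElement(login_sec, _ls("pw")).text = passphrase
    if new_passphrase is not None:
        ET.SubElement(login_sec, _ls("newPW")).text = new_passphrase
    ET.SubElement(command, _epp("clTRID")).text = cl_trid
    return ET.tostring(epp, encoding="utf-8", xml_declaration=True)


@dataclass
class SecurityEvent:
    type: str                # password, certificate, cipher, tlsProtocol, newPW, stat, custom
    level: str               # "warning" or "error"
    name: Optional[str]      # sub-type; used with type="stat" and type="custom"
    ex_date: Optional[str]   # future or past-due expiration (exDate attribute)
    value: Optional[str]     # the value that resulted in the event
    duration: Optional[str]  # xs:duration window of a statistical event
    lang: str
    description: str


def parse_events(response_xml: bytes) -> List[SecurityEvent]:
    """Extract every <loginSec:event> from a login response, in server order."""
    root = ET.fromstring(response_xml)
    return [
        SecurityEvent(
            type=ev.get("type", ""), level=ev.get("level", ""), name=ev.get("name"),
            ex_date=ev.get("exDate"), value=ev.get("value"), duration=ev.get("duration"),
            lang=ev.get("lang", "en"), description=(ev.text or "").strip(),
        )
        for ev in root.iter(_ls("event"))
    ]


def triage(events: List[SecurityEvent]) -> Tuple[List[SecurityEvent], List[SecurityEvent]]:
    """Split events into errors (stop and fix the client or its TLS setup) and
    warnings (act before the expiry or threshold bites, e.g. rotate the password)."""
    errors = [e for e in events if e.level == "error"]
    warnings = [e for e in events if e.level == "warning"]
    return errors, warnings


# Constructed sample response (not captured from any server).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1000"><msg>Command completed successfully</msg></result>
    <extension>
      <loginSec:loginSecData xmlns:loginSec="urn:ietf:params:xml:ns:epp:loginSec-1.0">
        <loginSec:event type="password" level="warning"
          exDate="2020-03-04T22:00:00.0Z" lang="en">Password expires in 7 days</loginSec:event>
        <loginSec:event type="cipher" level="error"
          value="TLS_RSA_WITH_AES_128_CBC_SHA" lang="en">Insecure cipher</loginSec:event>
        <loginSec:event type="stat" name="failedLogins" level="warning"
          value="25" duration="P1D" lang="en">Excessive invalid daily logins</loginSec:event>
      </loginSec:loginSecData>
    </extension>
    <trID><clTRID>ABC-12345</clTRID><svTRID>54321-XYZ</svTRID></trID>
  </response>
</epp>"""

if __name__ == "__main__":
    print(build_login("ClientX", "correct horse battery staple 2020").decode())
    errors, warnings = triage(parse_events(SAMPLE_RESPONSE))
    for e in errors + warnings:
        print(e.level.upper(), e.type, e.name or "", e.value or e.ex_date or "", e.description)
```

A client that silently discards the extension element of the response loses exactly the signals this draft exists to deliver; the triage split is the minimum a registrar client should do (fail the session on any error-level event, alert on warnings), and the password passphrase must never be logged, including the serialized command that `build_login` returns.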
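The A.13 change above (the wording that went into the Security Considerations) points implementers at the OpaqueString PRECIS profile of RFC 8265 when plain-text passwords may contain non-ASCII characters. The failure mode it guards against is concrete: the same passphrase typed on two systems can arrive as different code point sequences (a precomposed versus a decomposed accent, a no-break space instead of U+0020), and a server that hashes the raw bytes will reject a correct login. The Python below is an added example written for this page, not code from the draft; it applies the profile's preparation rules as a hand-written approximation (non-ASCII spaces mapped to U+0020, NFC normalization, no case or width mapping, rejection of empty strings and of control, unassigned, private-use and surrogate code points) and then hashes the prepared string with PBKDF2 on both enrollment and verification. It does not implement the full PRECIS FreeformClass derivation (old Hangul jamo and Default_Ignorable code points, for example, are not rejected), and the PBKDF2 iteration count and salt length are my choices, not values from the draft.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# General categories that PRECIS FreeformClass (RFC 8264) derives as DISALLOWED
# or UNASSIGNED and that unicodedata can identify directly: controls, unassigned,
# private use, surrogates. The remaining FreeformClass rules are not replicated.
_REJECTED_CATEGORIES = {"Cc", "Cn", "Co", "Cs"}

PBKDF2_ITERATIONS = 200_000  # assumption; tune to your hardware and threat model


def prepare_opaque_string(passphrase: str) -> str:
    """Prepare a passphrase per the OpaqueString profile rules (RFC 8265, Section 4.2):
    map every non-ASCII space (general category Zs) to U+0020, apply no case
    mapping and no width mapping, normalize to NFC, then enforce that the result
    is non-empty and free of the disallowed categories above.
    Raises ValueError for strings the profile would reject."""
    mapped = "".join(
        " " if unicodedata.category(ch) == "Zs" else ch for ch in passphrase
    )
    prepared = unicodedata.normalize("NFC", mapped)
    if not prepared:
        raise ValueError("passphrase must not be empty")
    for ch in prepared:
        if unicodedata.category(ch) in _REJECTED_CATEGORIES:
            raise ValueError("disallowed code point U+%04X" % ord(ch))
    return prepared


def is_acceptable(passphrase: str) -> bool:
    """True if the passphrase survives preparation and enforcement."""
    try:
        prepare_opaque_string(passphrase)
    except ValueError:
        return False
    return True


def enroll(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server side at password set/change time: store the salt and the
    PBKDF2-HMAC-SHA256 digest of the PREPARED string, never of the raw input."""
    salt = os.urandom(16) if salt is None else salt
    prepared = prepare_opaque_string(passphrase).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", prepared, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(presented: str, salt: bytes, digest: bytes) -> bool:
    """Server side at login: prepare the presented string the same way, then
    compare digests in constant time. Invalid strings never match."""
    if not is_acceptable(presented):
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", prepare_opaque_string(presented).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed inputs: one passphrase enrolled in NFC, then presented in NFD,
    # with a no-break space, and with a fullwidth letter.
    salt, digest = enroll("caf\u00e9 au lait")
    print(verify("cafe\u0301 au lait", salt, digest))        # True: NFD composed to NFC
    print(verify("caf\u00e9\u00a0au lait", salt, digest))    # True: U+00A0 mapped to U+0020
    print(verify("\uff23af\u00e9 au lait", salt, digest))    # False: no width mapping
```

The important property is that preparation runs at both ends and before hashing: a server that only normalizes at enrollment still fails the NFD login, and one that normalizes nothing is at the mercy of whatever each client's input method emits. Width mapping is deliberately absent, matching OpaqueString, so a fullwidth letter is a different password and should be caught by the client's own preparation if that is not what the user intended.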