On Tue, Jun 5, 2018, at 17:13, Gould, James wrote:

>     
>     On Tue, Jun 5, 2018, at 09:26, Pieter Vandepitte wrote:
>     > I follow the concerns of Patrick,
>     > 
>     > I'm neither a fan of the [LOGIN-SECURITY]. Isn't it enough to specify 
>     > that a server MUST ignore the value of <pw> if the loginSec extension 
>     > is used?
>     
>     That could be a solution too, and would work for further versions. 
> 
> JG - I included the basis for the use of the '[LOGIN-SECURITY]' constant 
> value in my original response, which I copied below for quick reference:

[..]

> Any ideas with a better constant value or mechanism is greatly appreciated.  

Please see my other email where I discuss this point and I provide other ideas
and also alternative mechanisms.

>     There is already a VeriSign EPP extension for 2 factors auth, I do 
>     not find it online anymore but I implemented it and it was for 
>     namespaces:
>     http://www.verisign.com/epp/authExt-1.0
>     http://www.verisign.com/epp/authSession-1.0
>     but it was more for domain:update operations.
>  
> JG - The 2 factor auth extensions (authSession and authExt) were not 
> targeted for registrar login, but meant to be used to protect objects 
> (e.g., domains) using a registrant second factor (OTP).

Yes, I know.
The point was to say there are alternate mechanisms and like Pieter suggested, 
if we are up to "beefing up" handling of login in EPP we might as well take the 
opportunity to enlarge the scope and take into account other mechanisms... like 
2FA.

> These 
> extensions were never published.  

They were at some point (and they were implemented) and they are still 
available in various places such as
http://www.freepatentsonline.com/y2012/0174198.html

-- 
  Patrick Mevzek

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
