Patrick,

Thanks, I include my comments embedded below.

—
JG

James Gould
Distinguished Engineer
jgo...@verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/>

On 6/6/18, 2:55 AM, "regext on behalf of Patrick Mevzek" <regext-boun...@ietf.org on behalf of p...@dotandco.com> wrote:

    On Tue, Jun 5, 2018, at 17:13, Gould, James wrote:
    > > On Tue, Jun 5, 2018, at 09:26, Pieter Vandepitte wrote:
    > > I follow the concerns of Patrick,
    > >
    > > I'm neither a fan of the [LOGIN-SECURITY]. Isn't it enough to specify
    > > that a server MUST ignore the value of <pw> if the loginSec extension is
    > > used?
    >
    > That could be a solution too, and would work for further versions.
    >
    > JG - I included the basis for the use of the '[LOGIN-SECURITY]' constant
    > value in my original response, which I copied below for quick reference:

    [..]

    > Any ideas with a better constant value or mechanism are greatly appreciated.

    Please see my other email where I discuss this point and I provide other ideas and also alternative mechanisms.

JG - Thanks, I'll take a closer look at the other ideas and alternative mechanisms that you provided in the other email.

    > There is already a VeriSign EPP extension for 2 factors auth, I do
    > not find it online anymore but I implemented it and it was for
    > namespaces:
    > http://www.verisign.com/epp/authExt-1.0
    > 'http://www.verisign.com/epp/authSession-1.0
    > but it was more for domain:update operations.
    >
    > JG - The 2 factor auth extensions (authSession and authExt) were not
    > targeted for registrar login, but meant to be used to protect objects
    > (e.g., domains) using a registrant second factor (OTP).

    Yes, I know. The point was to say there are alternate mechanisms and like Pieter suggested, if we are up to "beefing up" handling of login in EPP we might as well take the opportunity to enlarge the scope and take into account other mechanisms... like 2FA.

JG - EPP already uses a second factor with the use of the client certificate with two-way SSL. Is there the need to consider another second factor for a system-to-system protocol like EPP? Is there a driving reason and benefit in considering additional authentication methods for inclusion in the Login Security Extension?

    > These
    > extensions were never published.

    They were at some point (and they were implemented) and they are still available on various places such as
    http://www.freepatentsonline.com/y2012/0174198.html

JG - I don't remember creating formal extension specifications or publishing them.

    --
      Patrick Mevzek

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext