Hi Rubens, Jim (btw is it now Jim or James?), and Quoc,

thanks for your responses.

On 19.04.2019 15:55, Gould, James wrote:
> I mirror Rubens' response, that there exists system-to-system multi-factor
> authentication for EPP with user name/password, client certificate, and
> client IP. Is the definition of another second factor, such as TOTP in RFC
> 6238, applicable to EPP? Michael, are you proposing the use of TOTP for EPP
> and do you have a concrete use case that you can share?

I was not proposing any technique. I think the RFC should leave that to
the implementing registry. Nevertheless, yes I thought about TOTP when
writing my e-mail. I'm also aware that this does not fit EPP
out-of-the-box. As you say, it was designed having humans not machines
in mind. So there would have to be some adjustments to make that work.
However, you are all right, of course, that with IP whitelisting there
is already a good second factor which I hadn't thought of.
Certificates on the other hand are not a secure factor as almost anybody
can obtain a valid certificate.
So, I concur that we already have a second factor and probably don't
need a third one in the new extension.
Best regards,
Michael
--
Dr. Michael Bauland, Dipl.-Informatiker
Software Development
Knipp Medien und Kommunikation GmbH
Technologiepark
Martin-Schmeisser-Weg 9
44227 Dortmund
Germany
Fon: +49 231 9703-0
Fax: +49 231 9703-200
SIP: [email protected]
E-mail: [email protected]
Register Court: Amtsgericht Dortmund, HRB 13728
Chief Executive Officers: Dietmar Knipp, Elmar Knipp