Patrick,

The EPP RFC 5731 does support the explicit <domain:null> element to remove the authorization information, so there is an explicit mechanism available in the RFC to set the authorization information to NULL (the undefined value). For example, the following can be used to delete the authorization information:

...
C:        <domain:chg>
C:          <domain:authInfo>
C:            <domain:null/>
C:          </domain:authInfo>
C:        </domain:chg>
...

Where there is no explicit element in the EPP RFCs to indicate not setting or unsetting the authorization information, the empty authorization information can be used for this purpose in a defined practice, such as draft-gould-regext-secure-authinfo-transfer. We need to ensure that the empty authorization information never matches the unset authorization information to protect the authorization of actions such as returning the full info response or executing a transfer request.

Having discussion and agreement around the authorization information practice would help with the inconsistencies that you outlined in your follow-on message, and help increase the authorization information security.

--

JG

James Gould
Distinguished Engineer
[email protected]

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/>

On 12/20/19, 4:06 AM, "regext on behalf of Patrick Mevzek" <[email protected] on behalf of [email protected]> wrote:

    On Fri, Dec 20, 2019, at 03:50, Martin Casanova wrote:
    > I agree that hashing an empty String to match a not set authinfo is not
    > the way to go. We are using [null] values in the db for a not set
    > authinfo field. However I think you could argue that semantically an
    > empty XML tag is somewhat similar to a not filled db field being [null]

    I strongly disagree. It is the same thing as the difference in an RDBMS
    when you store "" (the empty string) or NULL (the undefined value).
    Those are two different things, and for good reason.

    <pw/> or <pw></pw> means an empty password, the empty string.
    No XML pw node means an undefined password, as the data is just not there,
    so unknown.

    Like said in other threads, this all shows to me that efforts should be put
    into finding now new ways to operate, without domain passwords as they became
    useless, instead of trying to fix with various warts the current situation.

    --
    Patrick Mevzek
    [email protected]

    _______________________________________________
    regext mailing list
    [email protected]
    https://www.ietf.org/mailman/listinfo/regext
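The distinction argued in this thread, as an added example that is not part of the original messages or of any registry's code: a parser that keeps `<domain:null/>`, an empty `<domain:pw/>` and an absent `<domain:authInfo>` apart, and a comparison in which an empty value never matches an unset one. The helper names, the `UNCHANGED` sentinel, the constructed XML fragments, and the choice to refuse empty values altogether are assumptions of this example.

```python
import hmac
import xml.etree.ElementTree as ET

DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"  # RFC 5731 domain namespace
NS = {"domain": DOMAIN_NS}
UNCHANGED = object()  # hypothetical sentinel: update carried no <domain:authInfo>


def chg(inner):
    """Wrap a constructed fragment in <domain:chg> (sample input helper)."""
    return f'<domain:chg xmlns:domain="{DOMAIN_NS}">{inner}</domain:chg>'


def parse_authinfo_change(chg_xml):
    """Return UNCHANGED, None (unset via <domain:null/>) or the <domain:pw> text."""
    auth = ET.fromstring(chg_xml).find("domain:authInfo", NS)
    if auth is None:
        return UNCHANGED  # no node: the update does not touch authInfo
    if auth.find("domain:null", NS) is not None:
        return None  # explicit removal: store NULL, not ""
    pw = auth.find("domain:pw", NS)
    if pw is None:
        raise ValueError("authInfo needs <domain:pw> or <domain:null>")
    return pw.text or ""  # <pw/> and <pw></pw> are the empty string


def authinfo_matches(stored, supplied):
    """Compare a stored value (str, or None when unset) with a supplied one."""
    # Unset stored authInfo authorizes nothing, whatever the client sends.
    if stored is None or supplied is None:
        return False
    # Assumption of this example: an empty value on either side also
    # authorizes nothing, so "" can never stand in for "not set".
    if stored == "" or supplied == "":
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


if __name__ == "__main__":
    removed = parse_authinfo_change(
        chg("<domain:authInfo><domain:null/></domain:authInfo>"))
    empty = parse_authinfo_change(
        chg("<domain:authInfo><domain:pw/></domain:authInfo>"))
    print(removed is None, repr(empty), authinfo_matches(removed, empty))
```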
