Alexey, Thank you for your review and feedback. My responses are embedded below.
-- JG James Gould Distinguished Engineer [email protected] <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/[email protected]> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 1/23/20, 5:59 AM, "Alexey Melnikov via Datatracker" <[email protected]> wrote: Alexey Melnikov has entered the following ballot position for draft-ietf-regext-login-security-07: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-regext-login-security/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thank you for this document. I have several small comments similar to what was raised by Roman and Ben: 1) In 4.1: <loginSec:userAgent>: OPTIONAL client user agent that identifies the client application software, technology, and operating system used by the server to identify functional or security constraints, current security issues, and potential future functional or security issues for the client. The <loginSec:userAgent> element MUST contain at least one of the following child elements: <loginSec:app>: OPTIONAL name of the client application software with version if available, such as the name of the client SDK "EPP SDK 1.0.0". <loginSec:tech>: OPTIONAL technology used for the client software with version if available, such as "Java 11.0.2". <loginSec:os>: OPTIONAL client operating system used with version if available, such as "x86_64 Mac OS X 10.11.6". Is there a registry of allowed values or at least some instructions how to construct these values? There are probably several existing IETF registries that can be reused. JG - I'm not aware of any registries that exist that describes how to construct these values. I believe to address Roman's, Ben's and your feedback, I will provide an example of how to construct these values. If these values are not supposed to be used by servers for anything other than logging (i.e. if they can't be used to work around bugs), then the document needs to say that. JG - The servers can leverage this information for more than logging; although logging is the most common use case. The most useful element for identification is the <loginSec:app>, where if there is a known client application such as an EPP SDK, the server can key off of the EPP SDK version to proactively identify potential security issues to report back to the client. The server may already know the client application patterns or can identify the client application patterns using the logs to create rules for specific clients applications. The additional <loginSec:tech> and <loginSec:os> elements are useful to identify future security policy issues, such as deprecating or removing TLS cipher suites or TLS protocols. The short answer to your question is that the server can utilize the elements for logging and for driving security event rules, but this is beyond the scope of the extension specification. 2) In the same section: <loginSec:pw>: OPTIONAL plain text password that is case sensitive, has a minimum length of 6 characters, and has a maximum length that is up to server policy. All leading and trailing whitespace is removed, and all internal contiguous whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage return), and #x20 (space) is replaced with a single #x20 (space). This element MUST only be used if the [RFC5730] <pw> element is set to the "[LOGIN-SECURITY]" value. What is the definition of "whitespace"? Does this only include characters listed above or does it also include other Unicode characters (e.g. Unicode whitespace property)? If the former, then instead of using "whitespace that includes ..." use something like "whitespace is defined as one of ..." JG - The definition of "whitespace" is based on the definition for XML schema whiteSpace (https://www.w3.org/TR/xmlschema11-2/#rf-whiteSpace), which does not include non-ASCII whitespace. Validating XML parsers will apply the XML schema whitespace rules defined for the XML Schema "token" type (https://www.w3.org/TR/xmlschema11-2/#token), which is explicitly included in the description of the <loginSec:pw> element based on feedback from the working group. I don't recommend use of non-ASCII characters for passwords, but I don't believe the extension should disallow it. <loginSec:newPW>: OPTIONAL plain text new password that is case sensitive, has a minimum length of 6 characters, and has a maximum length that is up to server policy. All leading and trailing whitespace is removed, and all internal contiguous whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage return), and #x20 (space) is replaced with a single #x20 (space). This element MUST only be used if the [RFC5730] <newPW> element is set to the "[LOGIN-SECURITY]" value. As above. JG - Same answer as for the <loginSec:pw> element above. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- 8. Security Considerations The extension leaves the password (<pw> element) and new password (<newPW> element) minimum length beyond 6 characters and the maximum length up to sever policy. Typo: sever -> server JG - I found this as well upon further review, so it will be addressed. _______________________________________________ regext mailing list [email protected] https://www.ietf.org/mailman/listinfo/regext
