Dear REGEXT Working Group,

We just uploaded the 02 version of the draft. You can find it here: https://datatracker.ietf.org/doc/draft-zzn-authcodesec/

We appreciate your feedback from the past, and here are our answers to the questions you raised.

1. Question: "Registrars still need to have control over the transfer process"
   Answer: We address it by letting the registrar be the first supported signer.

2. Question: "Complexity arises from managing signing keys and performing signature generation"
   Answer: We address it by making ECDSA Curve P-256 with SHA-256 the first supported algorithm, which is widely adopted in DNSSEC, SSL/TLS, JWT, and FIDO. We believe that while managing signing keys and performing signature generation is complex, it also brings benefits that reduce complexity, such as that of legacy security measures due to shared secrets.

3. Question: "ICANN is already introducing a more secure transfer process, such as making the authcode shorter-lived"
   Answer: This is a good direction, but we believe that this is a separate issue from the one we are addressing, which is allowing asymmetric cryptographic signatures to be used for transfer authorization. Short-lived authcodes are still plaintext shared secrets and remain vulnerable to interception, misuse, and lack of auditability.

4. Question: "What is the key exchange mechanism?"
   Answer: One way to do it is via DNSSEC's or HTTPS's existing key exchange mechanisms. Another way is to use a pre-shared key, like using EPP to publish them to the registry and other verifying parties. We look forward to your feedback on this.

5. Question: "If the losing registrar doesn't know which gaining registrar this domain is transferring to, how does it sign?"
   Answer: Similar to how checks can be signed without a pay-to, the losing registrar can sign and approve a transfer authorization to an "arbitrary" gaining registrar, such as by leaving the gaining registrar field empty, if we want to support it.

The draft continues our work to enhance transfer security while respecting existing operational practices. This version is still an early draft, for early feedback.

Best regards,
Zainan Victor Zhou
Namefi
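The following is an added, stand-alone illustration of the signed-authorization idea discussed in answers 2 and 5 above (ECDSA P-256 with SHA-256, and an authorization whose gaining-registrar field is left empty). It is example code written for this page, not the draft's wire format and not Namefi's implementation: the `TransferAuthorization` fields, the canonical encoding, the version label and the registrar identifiers are all assumptions. It shows what a verifying party such as a registry would check besides the raw signature: domain binding, expiry, and whether the authorization names a specific gaining registrar or is open to any.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TransferAuthorization is a hypothetical payload a losing registrar signs.
// The field set is an assumption for this example, not the draft's format.
type TransferAuthorization struct {
	Domain           string
	LosingRegistrar  string
	GainingRegistrar string // empty means "any gaining registrar" (answer 5 above)
	NotAfter         time.Time
}

// canonical builds a fixed-order byte string so signer and verifier hash
// exactly the same bytes. The version label is a constructed placeholder.
func canonical(t TransferAuthorization) []byte {
	return []byte(strings.Join([]string{
		"authcodesec-example-v0",
		strings.ToLower(t.Domain),
		t.LosingRegistrar,
		t.GainingRegistrar,
		t.NotAfter.UTC().Format(time.RFC3339),
	}, "\n"))
}

// Sign produces a DER-encoded ECDSA P-256 signature over SHA-256(canonical).
func Sign(priv *ecdsa.PrivateKey, t TransferAuthorization) ([]byte, error) {
	// Newlines are the field delimiter, so they must not appear inside fields.
	if strings.ContainsAny(t.Domain+t.LosingRegistrar+t.GainingRegistrar, "\n") {
		return nil, errors.New("field contains delimiter")
	}
	h := sha256.Sum256(canonical(t))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify is what a registry (or other verifying party) runs when a gaining
// registrar presents a signed authorization for `domain`. It checks the
// signature, the domain binding, the expiry, and that the authorization is
// either open or bound to the presenting gaining registrar.
func Verify(pub *ecdsa.PublicKey, t TransferAuthorization, sig []byte,
	domain, gaining string, now time.Time) error {
	h := sha256.Sum256(canonical(t))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature invalid")
	}
	if !strings.EqualFold(t.Domain, domain) {
		return errors.New("authorization is for a different domain")
	}
	if now.After(t.NotAfter) {
		return errors.New("authorization expired")
	}
	if t.GainingRegistrar != "" && t.GainingRegistrar != gaining {
		return errors.New("authorization bound to a different gaining registrar")
	}
	return nil
}

func main() {
	// Constructed sample: the losing registrar's key pair and a fixed clock.
	losingKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := &losingKey.PublicKey
	issued := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	now := issued.Add(time.Hour)

	targeted := TransferAuthorization{Domain: "Example.TEST", LosingRegistrar: "losing-rr",
		GainingRegistrar: "gaining-rr", NotAfter: issued.Add(24 * time.Hour)}
	sig, _ := Sign(losingKey, targeted)
	fmt.Println("named gaining registrar presents it:", Verify(pub, targeted, sig, "example.test", "gaining-rr", now))
	fmt.Println("some other registrar presents it:   ", Verify(pub, targeted, sig, "example.test", "other-rr", now))

	// Reusing the signature for a different domain fails the signature check.
	tampered := targeted
	tampered.Domain = "victim.test"
	fmt.Println("signature replayed on other domain: ", Verify(pub, tampered, sig, "victim.test", "gaining-rr", now))

	// Open authorization (gaining registrar left empty) is accepted by anyone.
	open := targeted
	open.GainingRegistrar = ""
	openSig, _ := Sign(losingKey, open)
	fmt.Println("open authorization, any registrar:  ", Verify(pub, open, openSig, "example.test", "any-rr", now))
	fmt.Println("open authorization after expiry:    ", Verify(pub, open, openSig, "example.test", "any-rr", issued.Add(48*time.Hour)))
}
```

The point of the example is that an asymmetric signature gives the verifier something a shared authcode cannot: it can tell which registrar approved the transfer, for which domain, until when, and (optionally) for whom, and any party holding only the public key can check that without being able to forge a new one.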
_______________________________________________ regext mailing list -- [email protected] To unsubscribe send an email to [email protected]
