Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-07-15 Thread Patrick Mevzek
On Thu, Jun 14, 2018, at 15:12, Gould, James wrote: > We can consider alternative authentication options if there is a > concrete proposal and the proposal does provide a security enhancement. It has already been proposed to be able to use non-plain passwords authentication > I > reviewed

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-14 Thread Gould, James
> JG - I don’t believe there is any desire to switch from using the > variant of the PLAIN SASL mechanism [RFC4616] defined in the existing > EPP RFC [RFC5730]. I do not know. My main point was more around: if we decide to put more energy into "securing" EPP better, providing

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-14 Thread Gould, James
Patrick, Based on the feedback provided thus far, it looks like setting the minimum to the RFC 5730 of 6 with Scott's added language as the way forward. Thanks, — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-14 Thread Pieter Vandepitte
I have nothing to add. Just letting know I share the same opinion. -- Pieter Vandepitte Product Expert +32 16 28 49 70 www.dnsbelgium.be On 14/06/18 00:45, "regext on behalf of Patrick Mevzek" wrote: On Mon, Jun 11, 2018, at 19:43, Gould,

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-13 Thread Patrick Mevzek
On Mon, Jun 11, 2018, at 21:57, Gould, James wrote: > Patrick, > > > > > JG - Thanks, I'll take a closer look at the PRECIS framework in RFC 7564 > > > and 8265. > > > > Please also look at the SASL framework (RFC4422 and RFC4616 for its > PLAIN version which is basically what

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-13 Thread Patrick Mevzek
On Mon, Jun 11, 2018, at 19:43, Gould, James wrote: > In thinking about decreasing the minimum from 8 to 1, I have a concern > that we're going to support a minimum that is below the existing RFC > 5730 of 6 characters. I believe it would be best for the Login Security > Extension to at

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-13 Thread Marc Groeneweg
-Original Message- > From: regext On Behalf Of Gould, James > Sent: Monday, June 11, 2018 1:44 PM > To: Gavin Brown ; Patrick Mevzek > ; regext@ietf.org > Subject: [EXTERNAL] Re: [regext] FW: New Version Notification for draft- > gould-regext-login

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-11 Thread Gould, James
Patrick, > JG - Thanks, I'll take a closer look at the PRECIS framework in RFC 7564 > and 8265. Please also look at the SASL framework (RFC4422 and RFC4616 for its PLAIN version which is basically what we have currently) : this allows to decouple authentication needs to the

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-11 Thread Hollenbeck, Scott
Works for me, Jim. Scott > -Original Message- > From: regext On Behalf Of Gould, James > Sent: Monday, June 11, 2018 1:44 PM > To: Gavin Brown ; Patrick Mevzek > ; regext@ietf.org > Subject: [EXTERNAL] Re: [regext] FW: New Version Notification for draft- > gould-reg

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-11 Thread Gould, James
Hi, In thinking about decreasing the minimum from 8 to 1, I have a concern that we're going to support a minimum that is below the existing RFC 5730 of 6 characters. I believe it would be best for the Login Security Extension to at least support the existing 6 character minimum with the added

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-11 Thread Gould, James
Scott & Gavin, Thanks for weighing in. I can make Scott's proposed text and schema change with the appropriate . Thanks Patrick for bringing up the topic. — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-11 Thread Gavin Brown
+1. On 11/06/2018 14:49, Patrick Mevzek wrote: > On Mon, Jun 11, 2018, at 15:17, Hollenbeck, Scott wrote: >> [SAH] Jim, keep in mind that the security guidelines you mentioned are >> just that – *guidelines* published by a particular entity that may or >> may not be appropriate for use in

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-11 Thread Patrick Mevzek
On Mon, Jun 11, 2018, at 15:17, Hollenbeck, Scott wrote: > [SAH] Jim, keep in mind that the security guidelines you mentioned are > just that – *guidelines* published by a particular entity that may or > may not be appropriate for use in different operating environments. I’d > be inclined to

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-11 Thread Hollenbeck, Scott
From: regext On Behalf Of Gould, James Sent: Monday, June 11, 2018 9:01 AM To: Patrick Mevzek ; regext@ietf.org Subject: [EXTERNAL] Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt It was 6 before and apparently we "need" to upgrade to 8 now.

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-11 Thread Gould, James
It was 6 before and apparently we "need" to upgrade to 8 now. I am quite sure that in 5 years we would want to increase 8 to 10 and so on, this is purely Moore's law. So to ease future maintenance I am just saying: remove this arbitrary limit in the protocol, since it is a policy decision

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-09 Thread Patrick Mevzek
On Wed, Jun 6, 2018, at 15:02, Gould, James wrote: > JG - I don't view the 8 minimum as a "sacred cow" that would require the > next iteration of the extension to increase it. It was 6 before and apparently we "need" to upgrade to 8 now. I am quite sure that in 5 years we would want to increase

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-06 Thread Gould, James
Patrick, My comments are embedded below. — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com On 6/6/18, 3:07 AM, "regext on behalf of Patrick Mevzek" wrote: On Tue, Jun 5, 2018, at

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-06 Thread Gould, James
Patrick, Thanks, I include my comments embedded below. — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com On 6/6/18, 2:55 AM, "regext on behalf of Patrick Mevzek" wrote:

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-06 Thread Patrick Mevzek
On Tue, Jun 5, 2018, at 17:11, Gould, James wrote: > JG - The reason for a '[LOGIN-SECURITY]' constant value in RFC 5730 [..] Yes, but my comment was both to propose other values than this string and even alternate mechanisms. Please have a look and let me know. > There may be a better

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-05 Thread Gould, James
Patrick and Pieter, Thanks for your review of the extension and your feedback. I include comments to the feedback below. — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com On 6/5/18,

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-05 Thread Gould, James
Patrick, Thanks for your review of the extension and your feedback. I include comments to the feedback below. — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com On 6/5/18, 1:32 AM,

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-05 Thread Patrick Mevzek
On Tue, Jun 5, 2018, at 09:26, Pieter Vandepitte wrote: > I follow the concerns of Patrick, > > I'm neither a fan of the [LOGIN-SECURITY]. Isn't it enough to specify > that a server MUST ignore the value of if the loginSec extension is > used? That could be a solution too, and would work

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-05 Thread Pieter Vandepitte
I follow the concerns of Patrick, I'm neither a fan of the [LOGIN-SECURITY]. Isn't it enough to specify that a server MUST ignore the value of if the loginSec extension is used? I don't know if I overlooked it, but it seems that there's only support for password based login and provisioning.