Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-13 Thread Patrick Mevzek
On Mon, Jun 11, 2018, at 21:57, Gould, James wrote:
> Patrick,
> 
> > JG - Thanks, I'll take a closer look at the PRECIS framework in RFC 7564
> > and 8265.
> 
> Please also look at the SASL framework (RFC4422 and RFC4616 for its 
> PLAIN version which is basically what we have currently) : this allows 
> to decouple authentication needs from the underlying application/protocol, 
> which also addresses Pieter's remark about other ways to authenticate.
> 
> 
> 
> JG - I don’t believe there is any desire to switch from using the 
> variant of the PLAIN SASL mechanism [RFC4616] defined in the existing 
> EPP RFC [RFC5730].

I do not know. My main point was more around: if we decide to put more energy 
into "securing" EPP better, providing more options than just plain text 
passwords (as asked by Pieter also I think) would be now a good time to think 
about, and if we go towards some "extensibility"  in authentication frameworks, 
why not just build on existing RFCs?

-- 
  Patrick Mevzek

___
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext


Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-13 Thread Patrick Mevzek


On Mon, Jun 11, 2018, at 19:43, Gould, James wrote:
> In thinking about decreasing the minimum from 8 to 1, I have a concern 
> that we're going to support a minimum that is below the existing RFC 
> 5730 of 6 characters.  I believe it would be best for the Login Security 
> Extension to at least support the existing 6 character minimum with the 
> added language that Scott proposed “Servers SHOULD enforce minimum and 
> maximum password length requirements that are appropriate for their 
> operating environment. One example of a guideline for password length 
> policies can be found in  [reference here]".  Scott's 
> language can be added to the Security Considerations section of the 
> draft.
> 
> Let me know if this will work.  

I do not oppose that if this is the consensus but I still see it as pointless 
to provide *any* specific minimum limit here, and I do not see the problem with 
going lower than RFC5730 since this extension is optional and, hopefully, if it 
is used it means the relevant registry has decided to put more energy and work 
around security measures so you could hope they would deal with this minimum 
issue gracefully (that is enforcing something higher than 6, and not lower, if 
they do define the space of characters allowed too).

-- 
  Patrick Mevzek



Re: [regext] Proposed Revision to our Charter

2018-06-13 Thread Andrew Newton
Thanks for the clarification, Roger.

The file formats seem like appropriate work to me. That said, the
wording of the proposed charter seemed to indicate to me there was a
broader motivation. If there is such, it would be best if it were stated.

-andy

On Wed, Jun 13, 2018 at 11:52 AM, Roger D Carney  wrote:
> Good Morning,
>
>
>
> I was definitely not thinking of two working groups.
>
>
>
> The focus of the WG is EPP and RDAP extensions. The additional suggested
> wording just adds on the ability to take on relevant (as determined by WG
> and AD) work (e.g. Third Party DNS Operator…). My suggestion was not to
> exclude, but to provide more focused wording. Maybe that wording is better,
> change the entire sentence to state: “The working group may also take on
> relevant (as determined by WG and AD) work, beyond the EPP and RDAP
> protocols.”
>
>
>
> Andy, I think your original question that you posted earlier in the week is
> what needs to be answered first, paraphrasing “what is the motivation for
> this change”. Several others I think have basically asked the same question.
>
>
>
> I don’t think I was the one asking for the charter change but here are my
> thoughts on why I see a change being beneficial.
>
>
>
> To me this started with the proposed Third Party DNS Operator document. At
> one point the Charter was updated to add in this specific item (our current
> Charter). Then over the past year some discussions were had on standardizing
> the files that registries and registrars share (Unavailable Names,
> Non-Standard/Premium Domain Fees, Invoicing) which led into the discussion
> of standardizing the storage of these files and other items (reporting comes
> to mind). Today different registries have different web portals and ftp
> sites to get this information from and different registrars request the
> information in different formats. Many registries and registrars have agreed
> that they would like to see a much better experience here. These topics do
> not fit into the EPP/RDAP focus of our current charter but the people with
> the most interest and expertise in these ideas are in this WG.
>
>
>
>
>
> Thanks
>
> Roger
>
>
>
>
>
> -Original Message-
> From: Andrew Newton [mailto:a...@hxr.us]
> Sent: Wednesday, June 13, 2018 9:45 AM
> To: Roger D Carney 
> Cc: Registration Protocols Extensions 
> Subject: Re: [regext] Proposed Revision to our Charter
>
>
>
> On Wed, Jun 13, 2018 at 10:35 AM, Roger D Carney 
> wrote:
>
>> Good Morning,
>>
>> I agree with those saying this new wording seems a bit broad, what if
>> "...related to the operation of Internet identifier registries..." was
>> changed to "...related to the operation of Internet domain name
>> registration systems..."?
>
>
>
> What about RIRs? Or would you suggest we split REGEXT into two working
> groups?
>
>
>
> -andy
>
>


[regext] I-D Action: draft-ietf-regext-tmch-func-spec-04.txt

2018-06-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Registration Protocols Extensions WG of the 
IETF.

Title   : ICANN TMCH functional specifications
Author  : Gustavo Lozano
Filename: draft-ietf-regext-tmch-func-spec-04.txt
Pages   : 62
Date: 2018-06-13

Abstract:
   This document describes the requirements, the architecture and the
   interfaces between the ICANN Trademark Clearinghouse (TMCH) and
   Domain Name Registries as well as between the ICANN TMCH and Domain
   Name Registrars for the provisioning and management of domain names
   during Sunrise and Trademark Claims Periods.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-regext-tmch-func-spec/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-regext-tmch-func-spec-04
https://datatracker.ietf.org/doc/html/draft-ietf-regext-tmch-func-spec-04

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-regext-tmch-func-spec-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



Re: [regext] Proposed Revision to our Charter

2018-06-13 Thread Gould, James
Broadening the charter beyond EPP and RDAP would enable the WG to take on the 
file format drafts that relate to the domain industry and should involve the 
same REGEXT participants, which include:


  1.  Data Escrow
 *   Registry Data Escrow Specifications - 
draft-arias-noguchi-registry-data-escrow
 *   Domain Name Registration Data (DNRD) Objects Mapping - 
draft-arias-noguchi-dnrd-objects-mapping
  2.  Bulk Data
 *   Data Set File Format - draft-gould-regext-dataset

—

JG


James Gould
Distinguished Engineer
jgo...@verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com

From: regext  on behalf of Roger Carney 

Date: Wednesday, June 13, 2018 at 11:53 AM
To: Registration Protocols Extensions 
Subject: [EXTERNAL] Re: [regext] Proposed Revision to our Charter


Good Morning,



I was definitely not thinking of two working groups.



The focus of the WG is EPP and RDAP extensions. The additional suggested 
wording just adds on the ability to take on relevant (as determined by WG and 
AD) work (e.g. Third Party DNS Operator…). My suggestion was not to exclude, 
but to provide more focused wording. Maybe that wording is better, change the 
entire sentence to state: “The working group may also take on relevant (as 
determined by WG and AD) work, beyond the EPP and RDAP protocols.”



Andy, I think your original question that you posted earlier in the week is 
what needs to be answered first, paraphrasing “what is the motivation for this 
change”. Several others I think have basically asked the same question.



I don’t think I was the one asking for the charter change but here are my 
thoughts on why I see a change being beneficial.



To me this started with the proposed Third Party DNS Operator document. At one 
point the Charter was updated to add in this specific item (our current 
Charter). Then over the past year some discussions were had on standardizing 
the files that registries and registrars share (Unavailable Names, 
Non-Standard/Premium Domain Fees, Invoicing) which led into the discussion of 
standardizing the storage of these files and other items (reporting comes to 
mind). Today different registries have different web portals and ftp sites to 
get this information from and different registrars request the information in 
different formats. Many registries and registrars have agreed that they would 
like to see a much better experience here. These topics do not fit into the 
EPP/RDAP focus of our current charter but the people with the most interest and 
expertise in these ideas are in this WG.





Thanks

Roger





-Original Message-
From: Andrew Newton [mailto:a...@hxr.us]
Sent: Wednesday, June 13, 2018 9:45 AM
To: Roger D Carney 
Cc: Registration Protocols Extensions 
Subject: Re: [regext] Proposed Revision to our Charter



On Wed, Jun 13, 2018 at 10:35 AM, Roger D Carney 
mailto:rcar...@godaddy.com>> wrote:

> Good Morning,
>
> I agree with those saying this new wording seems a bit broad, what if
> "...related to the operation of Internet identifier registries..." was
> changed to "...related to the operation of Internet domain name
> registration systems..."?



What about RIRs? Or would you suggest we split REGEXT into two working groups?



-andy


Re: [regext] Proposed Revision to our Charter

2018-06-13 Thread Roger D Carney
Good Morning,



I was definitely not thinking of two working groups.



The focus of the WG is EPP and RDAP extensions. The additional suggested 
wording just adds on the ability to take on relevant (as determined by WG and 
AD) work (e.g. Third Party DNS Operator…). My suggestion was not to exclude, 
but to provide more focused wording. Maybe that wording is better, change the 
entire sentence to state: “The working group may also take on relevant (as 
determined by WG and AD) work, beyond the EPP and RDAP protocols.”



Andy, I think your original question that you posted earlier in the week is 
what needs to be answered first, paraphrasing “what is the motivation for this 
change”. Several others I think have basically asked the same question.



I don’t think I was the one asking for the charter change but here are my 
thoughts on why I see a change being beneficial.



To me this started with the proposed Third Party DNS Operator document. At one 
point the Charter was updated to add in this specific item (our current 
Charter). Then over the past year some discussions were had on standardizing 
the files that registries and registrars share (Unavailable Names, 
Non-Standard/Premium Domain Fees, Invoicing) which led into the discussion of 
standardizing the storage of these files and other items (reporting comes to 
mind). Today different registries have different web portals and ftp sites to 
get this information from and different registrars request the information in 
different formats. Many registries and registrars have agreed that they would 
like to see a much better experience here. These topics do not fit into the 
EPP/RDAP focus of our current charter but the people with the most interest and 
expertise in these ideas are in this WG.





Thanks

Roger





-Original Message-
From: Andrew Newton [mailto:a...@hxr.us]
Sent: Wednesday, June 13, 2018 9:45 AM
To: Roger D Carney 
Cc: Registration Protocols Extensions 
Subject: Re: [regext] Proposed Revision to our Charter



On Wed, Jun 13, 2018 at 10:35 AM, Roger D Carney 
mailto:rcar...@godaddy.com>> wrote:

> Good Morning,
>
> I agree with those saying this new wording seems a bit broad, what if
> "...related to the operation of Internet identifier registries..." was
> changed to "...related to the operation of Internet domain name
> registration systems..."?



What about RIRs? Or would you suggest we split REGEXT into two working groups?



-andy


Re: [regext] Proposed Revision to our Charter

2018-06-13 Thread Andrew Newton
On Wed, Jun 13, 2018 at 10:35 AM, Roger D Carney  wrote:
> Good Morning,
>
>
>
> I agree with those saying this new wording seems a bit broad, what if
> "...related to the operation of Internet identifier registries..." was
> changed to "...related to the operation of Internet domain name registration
> systems..."?

What about RIRs? Or would you suggest we split REGEXT into two working groups?

-andy



Re: [regext] Proposed Revision to our Charter

2018-06-13 Thread Roger D Carney
Good Morning,



I agree with those saying this new wording seems a bit broad, what if 
"...related to the operation of Internet identifier registries..." was changed 
to "...related to the operation of Internet domain name registration 
systems"?





Thanks

Roger







-Original Message-
From: regext [mailto:regext-boun...@ietf.org] On Behalf Of James Galvin
Sent: Friday, June 08, 2018 8:52 AM
To: Registration Protocols Extensions 
Subject: [regext] Proposed Revision to our Charter



As we have discussed in at least the last two IETF meetings, we would like to 
propose broadening the responsibility of this working group to cover the 
standards related generally to Internet Identifier systems.



Attached you will find a proposed revision to our charter that would allow this.



Please review and provide any comments or concerns to the mailing list.



There is a PDF that shows the changes to the charter and a text file of the 
proposed new charter with the changes already incorporated.



Thanks,



Antoin and Jim


Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

2018-06-13 Thread Marc Groeneweg
Jim,

It should work for us too. And indeed, the minimum from the current login is 
already accepted as default, so why not hold on to this...

Regards,
Marc

On 11/06/2018, 20:11, "regext on behalf of Hollenbeck, Scott" 
 wrote:

Works for me, Jim.

Scott

> -Original Message-
> From: regext  On Behalf Of Gould, James
> Sent: Monday, June 11, 2018 1:44 PM
> To: Gavin Brown ; Patrick Mevzek
> ; regext@ietf.org
> Subject: [EXTERNAL] Re: [regext] FW: New Version Notification for draft-
> gould-regext-login-security-00.txt
>
> Hi,
>
> In thinking about decreasing the minimum from 8 to 1, I have a concern
> that we're going to support a minimum that is below the existing RFC 5730
> of 6 characters.  I believe it would be best for the Login Security
> Extension to at least support the existing 6 character minimum with the
> added language that Scott proposed “Servers SHOULD enforce minimum and
> maximum password length requirements that are appropriate for their
> operating environment. One example of a guideline for password length
> policies can be found in  [reference here]".  Scott's language
> can be added to the Security Considerations section of the draft.
>
> Let me know if this will work.
>
> Thanks,
>
> —
>
> JG
>
>
>
> James Gould
> Distinguished Engineer
> jgo...@verisign.com
>
> 703-948-3271
> 12061 Bluemont Way
> Reston, VA 20190
>
> Verisign.com 
>
> On 6/11/18, 10:00 AM, "Gould, James"  wrote:
>
> Scott & Gavin,
>
> Thanks for weighing in.  I can make Scott's proposed text and schema
> change with the appropriate .  Thanks Patrick for bringing up
> the topic.
>
> —
>
> JG
>
>
>
> James Gould
> Distinguished Engineer
> jgo...@verisign.com
>
> 703-948-3271
> 12061 Bluemont Way
> Reston, VA 20190
>
> Verisign.com 
>
> On 6/11/18, 9:55 AM, "regext on behalf of Gavin Brown"  boun...@ietf.org on behalf of gavin.br...@centralnic.com> wrote:
>
> +1.
>
> On 11/06/2018 14:49, Patrick Mevzek wrote:
> > On Mon, Jun 11, 2018, at 15:17, Hollenbeck, Scott wrote:
> >> [SAH] Jim, keep in mind that the security guidelines you mentioned are
> >> just that – *guidelines* published by a particular entity that may or
> >> may not be appropriate for use in different operating environments. I’d
> >> be inclined to loosen the Schema to conform to other possibilities and
> >> include an informational reference with text along the lines of “Servers
> >> SHOULD enforce minimum and maximum password length requirements that are
> >> appropriate for their operating environment. One example of a guideline
> >> for password length policies can be found in [reference
> >> here]”. A minimum length of 1 would ensure that the field can’t be
> >> blank, and the server can check if whatever is provided lines up with
> >> expectations for clients.
> >
> > That sounds perfect to me. Thanks Scott for the text.
> >
>
> --
> Gavin Brown
> Chief Technology Officer
> CentralNic Group plc (LSE:CNIC)
> Innovative, Reliable and Flexible Registry Services
> for ccTLD, gTLD and private domain name registries
> https://www.centralnic.com/
> +44.7548243029
>
> CentralNic Group plc is a company registered in England and Wales with
> company number 8576358. Registered Offices: 35-39 Moorgate, London,
> EC2R 6AR.
>
>
>
>
>