Greetings from Seoul! At one of the last Centr meetings we came up with a clarifying question about the domain:info response.
Today many implementations use the domain:authInfo as a token for domain transfer. That makes domain:authInfo really sensitive. Basically it puts it in the same class as passwords. As we have all learned in the past, passwords should be saved as salted hashes. But this makes it impossible to return the domain:authInfo to the client.

RFC 5731 makes the auth:pw part in the domain:info report optional in the XML schema. But the text in section 3.1.2 says:

"An OPTIONAL <domain:authInfo> element that contains authorization information associated with the domain object. This element MUST only be returned if the querying client is the current sponsoring client or if the client supplied valid authorization information with the command."

Does this mean that it is ok to never return domain:authInfo?

/Ulrich

--
Ulrich Wisser
ulr...@wisser.se
_______________________________________________ regext mailing list regext@ietf.org https://www.ietf.org/mailman/listinfo/regext
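The registry-side model the post describes, as an added example that is not from the post or from any EPP implementation: the authInfo is stored only as a salted PBKDF2 hash, so it can be verified when a transfer request presents it, but a domain:info response has nothing to echo back and omits the optional <domain:authInfo> element. Record fields, function names and the iteration count are illustrative assumptions; the result codes 1000, 1001 and 2201 are the RFC 5730 values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor, an assumption for the example


@dataclass
class DomainRecord:
    name: str
    sponsoring_client: str
    auth_salt: bytes
    auth_hash: bytes  # only the derived hash is kept, never the plaintext authInfo


def _derive(authinfo: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", authinfo.encode("utf-8"), salt, ITERATIONS)


def create_domain(name: str, sponsor: str, authinfo: str) -> DomainRecord:
    salt = os.urandom(16)
    return DomainRecord(name, sponsor, salt, _derive(authinfo, salt))


def verify_authinfo(rec: DomainRecord, supplied: str) -> bool:
    # Constant-time comparison of the re-derived hash against the stored one.
    return hmac.compare_digest(rec.auth_hash, _derive(supplied, rec.auth_salt))


def authinfo_disclosure_permitted(rec: DomainRecord, client: str, supplied: Optional[str]) -> bool:
    # The RFC 5731 section 3.1.2 condition: sponsoring client, or valid authInfo supplied.
    return client == rec.sponsoring_client or (supplied is not None and verify_authinfo(rec, supplied))


def domain_info_response(rec: DomainRecord, client: str, supplied: Optional[str] = None) -> dict:
    # Even when disclosure would be permitted, the salted hash cannot be reversed,
    # so the optional <domain:authInfo> element is simply never included.
    resp = {"result_code": 1000, "name": rec.name, "clID": rec.sponsoring_client}
    resp["authinfo_disclosure_permitted"] = authinfo_disclosure_permitted(rec, client, supplied)
    return resp


def transfer_request(rec: DomainRecord, supplied: str) -> dict:
    # The gaining client proves authorization by presenting the authInfo (constructed flow).
    if verify_authinfo(rec, supplied):
        return {"result_code": 1001, "trStatus": "pending"}  # completed, action pending
    return {"result_code": 2201}  # authorization error
```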