We’d be _very interested_ in seeing a standardized, end-to-end registry-locking model. Specifically, one in which the registrant signs change requests, and the registry validates the signatures, and nobody in the registrar path is involved in any way.
Lack of end-to-end protection was one of the key weaknesses attacked in this campaign. We had “registrar lock” enabled prior to the attack (but it was inapplicable); we went through the “registry lock” process after the attack had already begun, and we were very, very unimpressed. As currently implemented, it would not have successfully defended against the attack, since it involves both shared secrets and registrar-registry trust, which were both compromised. Neither is necessary; both weaken the security of the process.

-Bill

> On Feb 24, 2019, at 23:26, Alexander Mayrhofer <alexander.mayrho...@nic.at> wrote:
>
> Antoin, all,
>
> for now this is more a question / request to the group, rather than a specific agenda slot request – but:
>
> In the light of the recent attacks on registration interfaces, do we want to take a fresh look at standardization of “Registry Lock” / “Security Lock”? There’s some previous work on this topic (see https://tools.ietf.org/html/draft-wallstrom-epp-registrant-problem-statement-00). As Patrick pointed out, there’s also some IPR considerations in this area (See his blog post at http://www.circleid.com/posts/20150603_registry_lock_or_epp_with_two_factor_authentication/).
>
> I constantly hear from registrars that “Security Lock” (our product name) would be much more attractive if there wasn’t a myriad of different processes at each registry – so my take is that there’s room for standardization (which probably goes beyond the pure EPP extension). I’m also hearing some fellow ccTLD colleagues are interested in a common “profile”.
> Would regext be the right spot for such a discussion? If yes, would it be interesting to hold a 20-minute slot in Prague? Or even a Bar-BoF before we “report back” to the working group?
>
> Best,
> Alex
>
> From: regext <regext-boun...@ietf.org> On Behalf Of Antoin Verschuren
> Sent: Sunday, 24 February 2019 14:43
> To: Registration Protocols Extensions <regext@ietf.org>
> Subject: [regext] Preliminary agenda for Prague, and call for agenda items
>
> Hi all,
>
> Please find the preliminary agenda for Prague attached.
> I hope I captured everyone that has requested time to speak. If not, let the chairs know.
> We still have a little bit of time left on the agenda, so if you have urgent agenda items, let us know as well.
> If you are on the agenda, start preparing ;-)
>
> Regards, Jim and Antoin
>
> - --
> Antoin Verschuren
>
> Tweevoren 6, 5672 SB Nuenen, NL
> M: +31 6 37682392
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext
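The end-to-end model asked for at the top of this thread (the registrant signs change requests, the registry validates the signatures, the registrar path is not trusted), sketched as an added example that is not part of the original messages or of any EPP draft. Ed25519, the JSON serialization, the `seq` replay counter and every function and field name are assumptions made for the illustration.

```javascript
// Added illustration. Ed25519, the JSON encoding, the `seq` counter and all
// names here are assumptions, not taken from the thread or from any EPP draft.
const crypto = require('crypto');

// Fixed field order so registrant and registry serialize the request identically.
function canonical(req) {
  return Buffer.from(JSON.stringify([req.domain, req.action, req.nameservers, req.seq]));
}

// Registrant side: the private key never leaves the registrant.
function signRequest(privateKey, req) {
  return { req, sig: crypto.sign(null, canonical(req), privateKey).toString('base64') };
}

// Registry side: holds only the enrolled public key, so there is no shared
// secret to steal and no decision delegated to the registrar.
class Registry {
  constructor() { this.locks = new Map(); }
  enroll(domain, publicKey) { this.locks.set(domain, { publicKey, lastSeq: 0 }); }
  apply({ req, sig }) {
    const lock = this.locks.get(req.domain);
    if (!lock) return 'rejected: no key enrolled';
    const ok = crypto.verify(null, canonical(req), lock.publicKey, Buffer.from(sig, 'base64'));
    if (!ok) return 'rejected: bad signature';
    if (!Number.isInteger(req.seq) || req.seq <= lock.lastSeq) return 'rejected: replay';
    lock.lastSeq = req.seq;
    return 'accepted';
  }
}

// Constructed scenario: the registrar path is treated as an untrusted relay.
function demo() {
  const registrant = crypto.generateKeyPairSync('ed25519');
  const registry = new Registry();
  registry.enroll('example.com', registrant.publicKey);
  const req = { domain: 'example.com', action: 'update-ns', nameservers: ['ns1.example.net'], seq: 1 };
  const signed = signRequest(registrant.privateKey, req);
  // Relay alters the request but cannot produce a matching signature.
  const altered = { req: { ...req, nameservers: ['ns1.changed.invalid'] }, sig: signed.sig };
  // Relay signs with a key the registry never enrolled.
  const foreign = signRequest(crypto.generateKeyPairSync('ed25519').privateKey, req);
  return {
    altered: registry.apply(altered),
    foreign: registry.apply(foreign),
    genuine: registry.apply(signed),
    replayed: registry.apply(signed),
  };
}

console.log(demo());
```

The registry's decision depends only on the enrolled public key and the signed bytes, so compromising registrar credentials or the registrar-registry channel does not yield an accepted change.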