The Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer (draft-gould-regext-secure-authinfo-transfer) was posted to define a BCP for securing the authorization information using the existing EPP RFCs. The overall goal is to have strong, random authorization information values, that are short-lived, and that are either not stored or stored as cryptographic hash values. Review and feedback is appreciated.
Antoin and Jim, I would like to have 10 minutes to introduce and discuss this draft at the REGEXT meeting at IETF-105. Thanks, — JG James Gould Distinguished Engineer jgo...@verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 6/25/19, 8:23 AM, "internet-dra...@ietf.org" <internet-dra...@ietf.org> wrote: A new version of I-D, draft-gould-regext-secure-authinfo-transfer-00.txt has been successfully submitted by James Gould and posted to the IETF repository. Name: draft-gould-regext-secure-authinfo-transfer Revision: 00 Title: Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer Document date: 2019-06-25 Group: Individual Submission Pages: 17 URL: https://www.ietf.org/internet-drafts/draft-gould-regext-secure-authinfo-transfer-00.txt Status: https://datatracker.ietf.org/doc/draft-gould-regext-secure-authinfo-transfer/ Htmlized: https://tools.ietf.org/html/draft-gould-regext-secure-authinfo-transfer-00 Htmlized: https://datatracker.ietf.org/doc/html/draft-gould-regext-secure-authinfo-transfer Abstract: The Extensible Provisioning Protocol (EPP), in RFC 5730, defines the use of authorization information to authorize a transfer. The authorization information is object-specific and has been defined in the EPP Domain Name Mapping, in RFC 5731, and the EPP Contact Mapping, in RFC 5733, as password-based authorization information. Other authorization mechanisms can be used, but in practice the password-based authorization information has been used by the authorization information being set at the time of object create, managed with the object update, and used to authorize an object transfer request. What has not been fully considered is the security of the authorization information that includes the complexity of the authorization information, the time-to-live (TTL) of the authorization information, and where and how the authorization information is stored. This document defines an operational practice, using the EPP RFCs, that leverages the use of strong random authorization information values that are short-lived, that are not stored by the client, and that are stored using a cryptographic hash by the server to provide for secure authorization information used for transfers. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat _______________________________________________ regext mailing list regext@ietf.org https://www.ietf.org/mailman/listinfo/regext
