On Wed, Nov 13, 2019, at 08:37, Hollenbeck, Scott wrote:
> TLS protection is specified to avoid sending passwords in plaintext form.
Yes, but this solves only the security in transit part, not security at rest.
These EPP frames are stored on both sides of the connection, logged, added to
backups, etc.
This is needed for various troubleshooting needs, as well as disputes and so on.
Without any specific code filtering the passwords out of the frame before
storage (which comes with its own edge cases, because then it means you are
troubleshooting things based on data as stored, not really as exchanged, even if
the difference in theory is well contained to specific parts), you then have
the password in the clear in many places.
And not all registrars maintain open persistent connections, and some registries
shut down active connections like each hour no matter what, which means a
registrar may send dozens or hundreds or more login requests per day.
> I agree that we should consider login security improvements over time
> as new options are available to us. It's always best to start a
> conversation by throwing a proposal out there for people to consider.
I am interested in working on this if anyone else is too. I might try to offer
a proposal at some point, not sure.
During discussions of this draft, I pointed to SASL for the extensibility it
provides, but this was apparently not a good fit for this specific extension.
--
Patrick Mevzek
p...@dotandco.com
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
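The filter-before-storage step discussed in the reply above, as an added example that is not from this thread or from any EPP implementation: it masks the credential elements of an EPP `<login>` command (RFC 5730 names them `<pw>` and `<newPW>`) before the frame is written to a log, leaves every other element untouched so the stored frame is still usable for troubleshooting, and withholds a frame it cannot parse rather than storing it raw. The sample frame is constructed.

```python
import xml.etree.ElementTree as ET

# EPP core namespace from RFC 5730; the sample login frame below is constructed
# (XML declaration omitted) and follows the <login> layout of that RFC.
EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
SECRET_FIELDS = ("pw", "newPW")  # credential children of <login>
MASK = "[REDACTED]"
WITHHELD = "[UNPARSEABLE FRAME WITHHELD FROM STORAGE]"

# Keep the default namespace on re-serialization instead of an ns0: prefix.
ET.register_namespace("", EPP_NS)

SAMPLE_LOGIN = (
    f'<epp xmlns="{EPP_NS}"><command><login>'
    "<clID>ClientX</clID><pw>foo-BAR2</pw><newPW>bar-FOO2</newPW>"
    "<options><version>1.0</version><lang>en</lang></options>"
    "<svcs><objURI>urn:ietf:params:xml:ns:obj1</objURI></svcs>"
    "</login><clTRID>ABC-12345</clTRID></command></epp>"
)


def redact_login_frame(frame: str) -> tuple[str, int]:
    """Return (frame_safe_to_store, number_of_credential_fields_masked).

    Only <pw> and <newPW> under <login> are masked; every other element is
    serialized unchanged. A frame that does not parse is replaced wholesale
    (count -1) because it cannot be shown to carry no credential.
    """
    try:
        root = ET.fromstring(frame)
    except ET.ParseError:
        return WITHHELD, -1
    masked = 0
    for login in root.iter(f"{{{EPP_NS}}}login"):
        for name in SECRET_FIELDS:
            for el in login.findall(f"{{{EPP_NS}}}{name}"):
                if el.text is not None:
                    el.text = MASK
                    masked += 1
    return ET.tostring(root, encoding="unicode"), masked


if __name__ == "__main__":
    stored, n = redact_login_frame(SAMPLE_LOGIN)
    print(n, "field(s) masked:", stored)
```

Frames other than `<login>` (hello, greeting, object commands) pass through with a count of 0, so the same function can sit in front of every frame write on both client and server side.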