> -----Original Message-----
> From: regext <regext-boun...@ietf.org> On Behalf Of Patrick Mevzek
> Sent: Wednesday, November 13, 2019 3:33 PM
> To: regext@ietf.org
> Subject: [EXTERNAL] Re: [regext] draft-ietf-regexy-login-security
>
> On Wed, Nov 13, 2019, at 15:13, Hollenbeck, Scott wrote:
>
> > I don't think that local storage of sensitive information, such as
> > passwords, is a *protocol* issue per se. It does make sense to note
> > that it's a bad idea to do that in the Security Considerations
> > sections of RFCs where passwords are exchanged as part of a protocol
> > interaction, but it's not an interoperability issue. An even better
> > idea is to recommend "better" practices in those Security
> > Considerations sections.
>
> It is not a protocol issue per se, but if the protocol is so designed that they
> are definitively not exchanged as plain text (even over a transport protecting
> them), then it becomes not an issue anymore at all, as there is no more
> sensitive information to deal with.
> One stone, two birds.
>
> Remember that the first step to secure information is just making sure you
> handle as little sensitive information as needed, and then secure the rest.
>
> Having clear text passwords at the protocol level is definitively not a MUST
> for the protocol to work correctly, the protocol could work with other ways
> to authenticate, eliminating the sensitive part of the information exchanged.
Agreed! As I said earlier: "I agree that we should consider login security improvements over time as new options are available to us." Remember, EPP is now 20 years old. There are almost certainly better ways of addressing this topic than we had at our disposal in 1999. All it takes is an Internet-Draft, or a note to the mailing list, to start exploring alternatives.

Scott

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext