On Tue, Nov 12, 2019, at 19:57, Martin Thomson wrote:
> For a protocol of this nature, it seems like alternative methods could
> be developed. And if passwords are unavoidable for usability reasons I
> can't see right now, then the CFRG is developing password-based
> authentication protocols that might be suitable for this. Or there are
> protocols like OAuth that might allow for delegation.
I agree, there is no reason for this protocol to have clear text passwords (both login and domain associated ones, I do not know any registry using contact passwords but it may exist).

For the domain part, there is a separate discussion, as a draft emerged to handle transfers but still using plain text passwords. I put on the table an alternate proposal that works without any domain password whatsoever. So I think "no password" is a reachable goal there, but it is a separate discussion from this draft.

As for the login we are discussing here, I agree we could/should/may do better/differently. That may be a topic of discussion for other/later drafts.

I was not a 100% fan of this proposal exactly because I agree with the goal (improving current state of security) but not with the means (I think we must go further than just allowing longer passwords, just this adds only marginal extra security by itself).

--
Patrick Mevzek
p...@dotandco.com

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext