Roman Danyliw has entered the following ballot position for draft-ietf-regext-secure-authinfo-transfer-06: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-regext-secure-authinfo-transfer/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** Per Section 4.3:

-- Fully understanding that registrars and registries will set their own policies, are there any bounds that can be placed on the TTLs? Specifically, would there be a case that a registrar would have a policy where the TTL is measured in weeks or months? I ask because a best practice around storing passwords (credentials) at rest would be to use PBKDF2 (or other computationally expensive hashes) rather than straight SHA-256 to prevent offline attacks after compromise.

-- Section 4.1 was explicit in making suggestions about the bits of entropy in the authorization information. Is there additional guidance to provide on the size of the recommended salt?

** Section 5.2. Editorial. First paragraph (“For an update command, …”) is duplicated twice.
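The storage point raised under Section 4.3, as an added illustration (not code from the draft or from the reviewer): a registry-side store that hashes the authorization information with salted PBKDF2-HMAC-SHA256 and refuses verification once the TTL has elapsed, shown beside the unsalted SHA-256 storage the comment argues against. The iteration count, salt length and field names are assumptions chosen for the example; the draft specifies none of them.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Assumed parameters for this example; the draft does not fix these values.
PBKDF2_ITERATIONS = 600_000  # work factor, to be tuned to the registry's hardware
SALT_BYTES = 16              # random salt per stored authorization value


@dataclass
class StoredAuthInfo:
    """What the registry keeps at rest: never the authorization info itself."""
    salt: bytes
    digest: bytes
    expires_at: float  # absolute time (seconds) at which the TTL runs out


def unsalted_sha256(authinfo: str) -> bytes:
    """The weak form discussed in the comment: one fast, unsalted hash.
    Identical inputs give identical digests, and each guess costs one SHA-256."""
    return hashlib.sha256(authinfo.encode("utf-8")).digest()


def store_authinfo(authinfo: str, ttl_seconds: int,
                   now: Optional[float] = None) -> StoredAuthInfo:
    """Hash the authorization info for storage with a fresh salt and a
    deliberately slow derivation, and record when the TTL expires."""
    now = time.time() if now is None else now
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", authinfo.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return StoredAuthInfo(salt=salt, digest=digest,
                          expires_at=now + ttl_seconds)


def verify_authinfo(stored: StoredAuthInfo, candidate: str,
                    now: Optional[float] = None) -> bool:
    """True only if the TTL has not elapsed and the candidate matches.
    The comparison is constant-time so a mismatch leaks no prefix information."""
    now = time.time() if now is None else now
    if now >= stored.expires_at:
        return False  # expired: the registry must treat the value as unset
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 stored.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored.digest)
```

Two stores of the same authorization info produce different digests under `store_authinfo` but the same digest under `unsalted_sha256`, which is exactly the difference between a per-record offline search and a precomputed one.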