Roman, Thank you for your review and feedback. My responses are embedded below.
--

JG

James Gould
Fellow Engineer
jgo...@verisign.com
703-948-3271

12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>

On 4/20/21, 9:01 PM, "Roman Danyliw via Datatracker" <nore...@ietf.org> wrote:

Roman Danyliw has entered the following ballot position for
draft-ietf-regext-secure-authinfo-transfer-06: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-regext-secure-authinfo-transfer/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** Per Section 4.3:

-- Fully understanding that registrars and registries will set their own policies, are there any bounds that can be placed on the TTLs? Specifically, would there be a case that a registrar would have a policy where the TTL is measured in weeks or months? I ask because a best practice around storing passwords (credentials) at rest would be to use PBKDF2 (or other computationally expensive hashes) rather than straight SHA-256 to prevent offline attack after compromise.

JG - I don't foresee the need for a TTL to be measured in weeks or months. The goal is to make the authorization information as short as possible to support the losing gaining registrar providing it to the registrant and the registrant providing it to the gaining registrar to submit the transfer request to the registry. I would see it being measured in hours or days.

-- Section 4.1 was explicit in making suggestions about the bits of entropy in the authorization information. Is there additional guidance to provide on the size of the recommended salt?

JG - There is no guidance in the draft related to the size of the salt. Do you see the need for guidance and do you have a recommendation for the guidance?

** Section 5.2. Editorial. First paragraph ("For an update command, ...") is duplicated twice.

JG - That will be taken care of based on the feedback from Francesca Palombini.
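The storage model the review comments are circling (authorization information kept at rest as a salted, computationally expensive hash rather than a plain SHA-256 digest, and discarded once its TTL elapses), as an added illustration that is not part of the draft or of either message in this thread. The iteration count, the 16-byte salt length and the 20-character authorization-information length are assumptions chosen for the example.

```python
# Added example (not from the draft or this thread): keep EPP authorization
# information at rest as a salted PBKDF2 hash with an expiry, so a leaked
# registry database cannot be brute-forced offline as cheaply as a plain
# SHA-256 digest, and so the value stops working once its TTL has passed.
import hashlib
import hmac
import os
import secrets
import string
import time

PBKDF2_ITERATIONS = 600_000   # assumed; tune to the registry's hardware budget
SALT_BYTES = 16               # assumed; a fresh 128-bit random salt per value


def generate_authinfo(length=20):
    """Random authorization information from a 62-character alphabet.

    At the assumed length of 20 this is about 119 bits of entropy.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_authinfo(authinfo, ttl_seconds, now=None):
    """Return the record the registry keeps: salt, PBKDF2 hash and expiry.

    The plaintext authorization information itself is never stored.
    """
    now = time.time() if now is None else now
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", authinfo.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "expires": now + ttl_seconds}


def verify_authinfo(record, candidate, now=None):
    """True only if a record exists, its TTL has not elapsed, and the
    candidate hashes to the stored value (compared in constant time)."""
    now = time.time() if now is None else now
    if record is None or now >= record["expires"]:
        return False            # expired: behave as if it were never set
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    secret = generate_authinfo()
    rec = store_authinfo(secret, ttl_seconds=3600)   # one-hour TTL
    print("valid now:", verify_authinfo(rec, secret))
    print("valid after TTL:", verify_authinfo(rec, secret, now=rec["expires"]))
```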