draft-ietf-regext-login-security-03.txt   draft-ietf-regext-login-security-04.txt 
Network Working Group J. Gould Network Working Group J. Gould
Internet-Draft M. Pozun Internet-Draft M. Pozun
Intended status: Standards Track VeriSign, Inc. Intended status: Standards Track VeriSign, Inc.
Expires: February 6, 2020 August 5, 2019 Expires: April 2, 2020 September 30, 2019
Login Security Extension for the Extensible Provisioning Protocol (EPP) Login Security Extension for the Extensible Provisioning Protocol (EPP)
draft-ietf-regext-login-security-03 draft-ietf-regext-login-security-04
Abstract Abstract
The Extensible Provisioning Protocol (EPP) includes a client The Extensible Provisioning Protocol (EPP) includes a client
authentication scheme that is based on a user identifier and authentication scheme that is based on a user identifier and
password. The structure of the password field is defined by an XML password. The structure of the password field is defined by an XML
Schema data type that specifies minimum and maximum password length Schema data type that specifies minimum and maximum password length
values, but there are no other provisions for password management values, but there are no other provisions for password management
other than changing the password. This document describes an EPP other than changing the password. This document describes an EPP
extension that allows longer passwords to be created and adds extension that allows longer passwords to be created and adds
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 6, 2020. This Internet-Draft will expire on April 2, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 40 skipping to change at page 2, line 40
10.2. Informative References . . . . . . . . . . . . . . . . . 19 10.2. Informative References . . . . . . . . . . . . . . . . . 19
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 20 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 20 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 20
A.1. Change from 00 to 01 . . . . . . . . . . . . . . . . . . 20 A.1. Change from 00 to 01 . . . . . . . . . . . . . . . . . . 20
A.2. Change from 01 to 02 . . . . . . . . . . . . . . . . . . 20 A.2. Change from 01 to 02 . . . . . . . . . . . . . . . . . . 20
A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 20 A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 20
A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 20 A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 20
A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 20 A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 20
A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 21 A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 21
A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 21 A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 21
A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
This document describes an Extensible Provisioning Protocol (EPP) This document describes an Extensible Provisioning Protocol (EPP)
extension for enhancing the security of the EPP login command in EPP extension for enhancing the security of the EPP login command in EPP
RFC 5730. The enhancements include supporting longer passwords (or RFC 5730. The enhancements include supporting longer passwords (or
passphrases) than the 16-character maximum and providing a list of passphrases) than the 16-character maximum and providing a list of
security events in the login response. The password (current and security events in the login response. The password (current and
new) in EPP RFC 5730 can be overridden by the password included in new) in EPP RFC 5730 can be overridden by the password included in
skipping to change at page 4, line 43 skipping to change at page 4, line 43
"certificate": Identifies a client certificate expiry event, "certificate": Identifies a client certificate expiry event,
where the client certificate will expire at the "exDate" date where the client certificate will expire at the "exDate" date
and time. and time.
"cipher": Identifies the use of an insecure or deprecated TLS "cipher": Identifies the use of an insecure or deprecated TLS
cipher suite. cipher suite.
"tlsProtocol": Identifies the use of an insecure or deprecated "tlsProtocol": Identifies the use of an insecure or deprecated
TLS protocol. TLS protocol.
"newPW": The new password does not meet the server password "newPW": The new password does not meet the server password
complexity requirements. complexity requirements.
"stat": Provides a login security statistical warning that MUST "stat": Provides a login security statistical warning that MUST
set the "name" attribute to the name of the statistic. set the "name" attribute to the name of the statistic sub-
type.
"custom": Custom event type that MUST set the "name" attribute "custom": Custom event type that MUST set the "name" attribute
with the custom event type name. with the custom event type name.
"name": Used to define a sub-type when the "type" attribute is not "name": Used to define a sub-type when the "type" attribute is not
"custom" or the full type name when the "type" attribute is "custom" or the full type name when the "type" attribute is
"custom". "custom". The "name" attribute MUST be set when the "type"
attribute is "stat" or "custom".
"level": Defines the level of the event as either "warning" for a "level": Defines the level of the event as either "warning" for a
warning event that needs action, or "error" for an error event warning event that needs action, or "error" for an error event
that requires immediate action. that requires immediate action.
"exDate": Contains the date and time that a "warning" level has or "exDate": Contains the date and time that a "warning" level has or
will become an "error" level. At expiry there MAY be an error to will become an "error" level. At expiry there MAY be an error to
connect or MAY be an error to login. An example is an expired connect or MAY be an error to login. An example is an expired
certificate that will result in an error to connect or an expired certificate that will result in an error to connect or an expired
password that may result in a failed login. password that may result in a failed login.
"value": Identifies the value that resulted in the login security "value": Identifies the value that resulted in the login security
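Review bot: the sentence added to the "name" attribute ('The "name" attribute MUST be set when the "type" attribute is "stat" or "custom".') restates a requirement that the "stat" and "custom" entries a few lines above already carry with their own MUST, so the same normative rule now lives in three places and can drift on later edits; consider keeping the MUST in one place and having the other two refer to it. Worth one more sentence for implementers: a mandatory attribute that depends on the value of another attribute cannot be expressed in an XML Schema 1.0 content model, so this rule is enforced by prose only, and a client consuming <loginSec:loginSecData> should check in code that "stat" and "custom" events carry a "name" rather than rely on schema validation to catch its absence.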
skipping to change at page 15, line 4 skipping to change at page 14, line 49
--> -->
<complexType name="loginSecType"> <complexType name="loginSecType">
<sequence> <sequence>
<element name="userAgent" <element name="userAgent"
type="loginSec:userAgentType" minOccurs="0" /> type="loginSec:userAgentType" minOccurs="0" />
<element name="pw" <element name="pw"
type="loginSec:pwType" minOccurs="0" /> type="loginSec:pwType" minOccurs="0" />
<element name="newPW" <element name="newPW"
type="loginSec:pwType" minOccurs="0" /> type="loginSec:pwType" minOccurs="0" />
</sequence> </sequence>
</complexType> </complexType>
<simpleType name="pwType"> <simpleType name="pwType">
<restriction base="token"> <restriction base="token">
<minLength value="6" /> <minLength value="6" />
</restriction> </restriction>
</simpleType> </simpleType>
<complexType name="userAgentType"> <complexType name="userAgentType">
<sequence> <choice>
<element name="app" <sequence>
type="token" minOccurs="0" /> <element name="app"
<element name="tech" type="token" />
type="token" minOccurs="0" /> <element name="tech"
type="token" minOccurs="0" />
<element name="os"
type="token" minOccurs="0" />
</sequence>
<sequence>
<element name="tech"
type="token" />
<element name="os"
type="token" minOccurs="0" />
</sequence>
<element name="os" <element name="os"
type="token" minOccurs="0" /> type="token" />
</sequence> </choice>
</complexType> </complexType>
<!-- Login response extension elements --> <!-- Login response extension elements -->
<element name="loginSecData" <element name="loginSecData"
type="loginSec:loginSecDataType" /> type="loginSec:loginSecDataType" />
<complexType name="loginSecDataType"> <complexType name="loginSecDataType">
<sequence> <sequence>
<element name="event" <element name="event"
type="loginSec:eventType" type="loginSec:eventType"
minOccurs="1" maxOccurs="unbounded" /> minOccurs="1" maxOccurs="unbounded" />
</sequence> </sequence>
</complexType> </complexType>
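Review bot: the rewritten userAgentType, a <choice> of three <sequence> alternatives that start with "app", "tech" and "os" respectively, is a correct XSD 1.0 encoding of "at least one of app, tech, os, in that order" and satisfies Unique Particle Attribution because each alternative begins with a different element; a schema comment stating that intent would help, since the repeated "tech" and "os" declarations otherwise read like a copy error. One behavioural consequence should be called out in the text: an empty <loginSec:userAgent/> was valid under the -03 all-optional <sequence> and is now a schema violation, yet the change history records no namespace change alongside this tightening, so a client that validated against the -03 schema for urn:ietf:params:xml:ns:epp:loginSec-1.0 may start receiving syntax errors from a -04 server. Either bump the namespace or state explicitly that servers reject the empty element.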
skipping to change at page 16, line 23 skipping to change at page 16, line 24
<restriction base="token"> <restriction base="token">
<enumeration value="password" /> <enumeration value="password" />
<enumeration value="certificate" /> <enumeration value="certificate" />
<enumeration value="cipher" /> <enumeration value="cipher" />
<enumeration value="tlsProtocol" /> <enumeration value="tlsProtocol" />
<enumeration value="newPW" /> <enumeration value="newPW" />
<enumeration value="stat" /> <enumeration value="stat" />
<enumeration value="custom" /> <enumeration value="custom" />
</restriction> </restriction>
</simpleType> </simpleType>
<!-- <!--
Enumerated list of levels. Enumerated list of levels.
--> -->
<simpleType name="levelEnum"> <simpleType name="levelEnum">
<restriction base="token"> <restriction base="token">
<enumeration value="warning" /> <enumeration value="warning" />
<enumeration value="error" /> <enumeration value="error" />
</restriction> </restriction>
</simpleType> </simpleType>
<!-- <!--
End of schema. End of schema.
--> -->
</schema> </schema>
END END
6. IANA Considerations 6. IANA Considerations
6.1. XML Namespace 6.1. XML Namespace
This document uses URNs to describe XML namespaces and XML schemas This document uses URNs to describe XML namespaces and XML schemas
skipping to change at page 22, line 5 skipping to change at page 22, line 5
to read 'The <loginSec:userAgent> element MUST contain at to read 'The <loginSec:userAgent> element MUST contain at
least one of the following child elements:'. least one of the following child elements:'.
4. Revised the description of the <loginSec:userAgent> to match the 4. Revised the description of the <loginSec:userAgent> to match the
child elements that can be passed, by changing "client software" child elements that can be passed, by changing "client software"
to "client application software" and change "language" to to "client application software" and change "language" to
"technology". "technology".
5. Changed the XML namespace from 5. Changed the XML namespace from
urn:ietf:params:xml:ns:epp:loginSec-0.4 to urn:ietf:params:xml:ns:epp:loginSec-0.4 to
urn:ietf:params:xml:ns:epp:loginSec-1.0. urn:ietf:params:xml:ns:epp:loginSec-1.0.
A.8. Change from REGEXT 03 to REGEXT 04
Updates based on the review by Joseph Yee, that include:
1. Update the definition of the "stat" security event type to
reference sub-type to match the language for the "name"
attribute.
2. Added the sentence 'The "name" attribute MUST be set when the
"type" attribute is "stat" or "custom".' to the definition of the
"name" attribute for clarity.
3. Update the definition of the "userAgentType" in the XML schema to
require at least one sub-element using a <choice> element.
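Review bot: the three items in A.8 mix tenses ("Update the definition ...", "Added the sentence ...", "Update the definition ...") while the earlier change-history sections use the past tense throughout ("Revised", "Changed"), so items 1 and 3 should read "Updated". The lead-in 'Updates based on the review by Joseph Yee, that include:' also has a misplaced comma; 'Updates based on the review by Joseph Yee, which include:' or simply 'Updates based on the review by Joseph Yee:' reads better.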
Authors' Addresses Authors' Addresses
James Gould James Gould
VeriSign, Inc. VeriSign, Inc.
12061 Bluemont Way 12061 Bluemont Way
Reston, VA 20190 Reston, VA 20190
US US
Email: jgould@verisign.com Email: jgould@verisign.com
URI: http://www.verisign.com URI: http://www.verisign.com
End of changes. 16 change blocks.
18 lines changed or deleted, 40 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/