Network Working Group                                           J. Gould
Internet-Draft                                                  M. Pozun
Intended status: Standards Track                          VeriSign, Inc.
Expires: February 18, 2019                               August 17, 2018


 Login Security Extension for the Extensible Provisioning Protocol (EPP)
                   draft-gould-regext-login-security-02

Abstract

   The Extensible Provisioning Protocol (EPP) includes a client
   authentication scheme that is based on a user identifier and
   password.
   The structure of the password field is defined by an XML Schema data
   type that specifies minimum and maximum password length values, but
   there are no other provisions for password management other than
   changing the password.  This document describes an EPP extension that
   allows longer passwords to be created and adds additional security
   features to the EPP login command and response.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 18, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions Used in This Document
   2.  Migrating to Newer Versions of This Extension
   3.  Object Attributes
     3.1.  Event
     3.2.  "[LOGIN-SECURITY]" Password
     3.3.  Dates and Times
   4.  EPP Command Mapping
     4.1.  EPP <login> Command
   5.  Formal Syntax
     5.1.  Login Security Extension Schema
   6.  IANA Considerations
     6.1.  XML Namespace
     6.2.  EPP Extension Registry
   7.  Implementation Status
   8.  Security Considerations
   9.  Acknowledgements
   10.  References
     10.1.  Normative References
     10.2.  Informative References
     10.3.  URIs
   Appendix A.  Change History
     A.1.  Change from 00 to 01
     A.2.  Change from 01 to 02
   Authors' Addresses

1.  Introduction

   This document describes an Extensible Provisioning Protocol (EPP)
   extension for enhancing the security of the EPP login command in EPP
   RFC 5730.  The enhancements include supporting longer passwords (or
   passphrases) than the 16-character maximum and providing a list of
   security events in the login response.
   The password (current and new) in EPP RFC 5730 can be overridden by
   the password included in the extension to extend past the
   16-character maximum.  The security events supported include:
   password expiry, client certificate expiry, insecure cipher, insecure
   TLS protocol, new password complexity, login security statistical
   warning, and a custom event.  The attributes supported by the
   security events include identifying the event type or sub-type,
   indicating the security level of warning or error, a future or
   past-due expiration date, the value that resulted in the event, the
   duration of the statistical event, and a free-form description with
   an optional language.

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   XML is case sensitive.  Unless stated otherwise, XML specifications
   and examples provided in this document MUST be interpreted in the
   character case presented in order to develop a conforming
   implementation.

   In examples, "C:" represents lines sent by a protocol client and "S:"
   represents lines returned by a protocol server.  Indentation and
   white space in examples are provided only to illustrate element
   relationships and are not a REQUIRED feature of this protocol.

   "loginSec-0.2" is used as an abbreviation for
   "urn:ietf:params:xml:ns:epp:loginSec-0.2".  The XML namespace prefix
   "loginSec" is used, but implementations MUST NOT depend on it and
   instead employ a proper namespace-aware XML parser and serializer to
   interpret and output the XML documents.

2.  Migrating to Newer Versions of This Extension

   (Note to RFC Editor: remove this section before publication as an
   RFC.)
   Servers which implement this extension SHOULD provide a way for
   clients to progressively update their implementations when a new
   version of the extension is deployed.

   Servers SHOULD (for a temporary migration period) provide support for
   older versions of the extension in parallel to the newest version,
   and allow clients to select their preferred version via the
   <svcExtension> element of the <login> command.

   If a client requests multiple versions of the extension at login,
   then, when preparing responses to commands which do not include
   extension elements, the server SHOULD only include extension elements
   in the namespace of the newest version of the extension requested by
   the client.

   When preparing responses to commands which do include extension
   elements, the server SHOULD only include extension elements for the
   extension versions present in the command.

3.  Object Attributes

   This extension adds additional elements to the [RFC5730] login
   command and response.  Only those new elements are described here.

3.1.  Event

   A security event, using the <loginSec:event> element, represents
   either a warning or error identified by the server after the client
   has connected and submitted the login command.  There MAY be multiple
   events returned that provide information for the client to address.
   The <loginSec:event> MAY include a free form description.  All of the
   security events use a consistent set of attributes, where the exact
   set of applicable attributes is based on the event type.  The
   supported set of <loginSec:event> element attributes include:

   "type":  A REQUIRED attribute that defines the type of security
      event.  The enumerated list of "type" values include:

      "password":  Identifies a password expiry event, where the
         password expires in the future or has expired based on the
         "exDate" date and time.
      "certificate":  Identifies a client certificate expiry event,
         where the client certificate will expire at the "exDate" date
         and time.

      "cipher":  Identifies the use of an insecure or deprecated TLS
         cipher suite.

      "tlsProtocol":  Identifies the use of an insecure or deprecated
         TLS protocol.

      "newPw":  The new password does not meet the server password
         complexity requirements.

      "stat":  Provides a login security statistical warning that MUST
         set the "name" of the statistic.

      "custom":  Custom event type that MUST set the "name" attribute
         with the custom event type name.

   "name":  Used to define a sub-type or the type name when the "type"
      attribute is "custom".

   "level":  Defines the level of the event as either "warning" for a
      warning event that needs action, or "error" for an error event
      that requires immediate action.

   "exDate":  Contains the date and time that a "warning" level has or
      will become an "error" level.  At expiry there MAY be an error to
      connect or MAY be an error to login.  An example is an expired
      certificate that will result in an error to connect or an expired
      password that may result in a failed login.

   "value":  Identifies the value that resulted in the login security
      event.  An example is the negotiated insecure cipher suite or the
      negotiated insecure TLS protocol.

   "duration":  Defines the duration that a statistical event is
      associated with.

   "lang":  Identifies the language of the free form description if the
      negotiated language is something other than the default value of
      "en" (English).

   Example login security event for a password expiring in a week:

   <loginSec:event
     xmlns:loginSec="urn:ietf:params:xml:ns:epp:loginSec-0.2"
     type="password"
     level="warning"
     exDate="[date-time not recoverable in this copy]">
     Password expiration soon
   </loginSec:event>

   Example login security event for identifying 100 failed logins over
   the last day, using the "stat" sub-type of "failedLogins":

   <loginSec:event
     xmlns:loginSec="urn:ietf:params:xml:ns:epp:loginSec-0.2"
     type="stat"
     name="failedLogins"
     level="warning"
     value="100"
     duration="P1D">
     Excessive invalid daily logins
   </loginSec:event>

3.2.  "[LOGIN-SECURITY]" Password

   The <loginSec:pw> element MUST override the [RFC5730] <pw> element
   only if the <pw> contains the predefined value of "[LOGIN-SECURITY]",
   which is a constant value for the server to use the <loginSec:pw>
   element for the password.  Similarly, the <loginSec:newPW> element
   MUST override the [RFC5730] <newPW> element only if the <newPW>
   contains the predefined value of "[LOGIN-SECURITY]", which is a
   constant value for the server to use the <loginSec:newPW> element for
   the new password.  The "[LOGIN-SECURITY]" pre-defined string MUST be
   supported by the server for the client to explicitly indicate to the
   server whether to use the <loginSec:pw> element in place of the
   [RFC5730] <pw> element or to use the <loginSec:newPW> element in
   place of the [RFC5730] <newPW> element.

3.3.  Dates and Times

   Date and time attribute values MUST be represented in Universal
   Coordinated Time (UTC) using the Gregorian calendar.  The extended
   date-time form using upper case "T" and "Z" characters defined in
   [W3C.REC-xmlschema-2-20041028] MUST be used to represent date-time
   values, as XML Schema does not support truncated date-time forms or
   lower case "T" and "Z" characters.

4.  EPP Command Mapping

   A detailed description of the EPP syntax and semantics can be found
   in the EPP core protocol specification [RFC5730].

4.1.  EPP <login> Command

   This extension defines additional elements to extend the EPP <login>
   command and response to be used in conjunction with [RFC5730].

   The EPP <login> command is used to establish a session with an EPP
   server.  This extension overrides the password that is passed with
   the [RFC5730] <pw> or the <newPW> element as defined in Section 3.2.
   A <loginSec:loginSec> element is sent along with the [RFC5730]
   <login> command and contains the following child elements:

   <loginSec:userAgent>:  OPTIONAL client user agent that identifies the
      client software and platform used by the server to identify
      functional or security constraints, current security issues, and
      potential future functional or security issues for the client.
   <loginSec:pw>:  OPTIONAL plain text password that is case sensitive,
      has a minimum length of 6 characters, and has a maximum length
      that is up to server policy.  All leading and trailing whitespace
      is removed, and all internal contiguous whitespace that includes
      #x9 (tab), #xA (linefeed), #xD (carriage return), and #x20
      (space) is replaced with a single #x20 (space).  This element
      MUST only be used if the [RFC5730] <pw> element is set to the
      "[LOGIN-SECURITY]" value.

   <loginSec:newPW>:  OPTIONAL plain text new password that is case
      sensitive, has a minimum length of 6 characters, and has a
      maximum length that is up to server policy.  All leading and
      trailing whitespace is removed, and all internal contiguous
      whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage
      return), and #x20 (space) is replaced with a single #x20 (space).
      This element MUST only be used if the [RFC5730] <newPW> element
      is set to the "[LOGIN-SECURITY]" value.

   Example login command that uses the <loginSec:pw> element instead of
   the [RFC5730] <pw> element to establish the session and includes the
   <loginSec:userAgent> element:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
   C:  <command>
   C:    <login>
   C:      <clID>ClientX</clID>
   C:      <pw>[LOGIN-SECURITY]</pw>
   C:      <options>
   C:        <version>1.0</version>
   C:        <lang>en</lang>
   C:      </options>
   C:      <svcs>
   C:        <objURI>urn:ietf:params:xml:ns:obj1</objURI>
   C:        <objURI>urn:ietf:params:xml:ns:obj2</objURI>
   C:        <objURI>urn:ietf:params:xml:ns:obj3</objURI>
   C:        <svcExtension>
   C:          <extURI>urn:ietf:params:xml:ns:epp:loginSec-0.2</extURI>
   C:        </svcExtension>
   C:      </svcs>
   C:    </login>
   C:    <extension>
   C:      <loginSec:loginSec
   C:        xmlns:loginSec=
   C:          "urn:ietf:params:xml:ns:epp:loginSec-0.2">
   C:        <loginSec:userAgent>EPP SDK/1.0.0
   C:          (Java 1.7.0_15; x86_64 Mac OS X 10.11.6)
   C:        </loginSec:userAgent>
   C:        <loginSec:pw>this is a long password</loginSec:pw>
   C:      </loginSec:loginSec>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   Example login command that uses the <loginSec:pw> element instead of
   the [RFC5730] <pw> element to establish the session, and uses the
   <loginSec:newPW> element instead of the [RFC5730] <newPW> element to
   set the new password:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
   C:  <command>
   C:    <login>
   C:      <clID>ClientX</clID>
   C:      <pw>[LOGIN-SECURITY]</pw>
   C:      <newPW>[LOGIN-SECURITY]</newPW>
   C:      <options>
   C:        <version>1.0</version>
   C:        <lang>en</lang>
   C:      </options>
   C:      <svcs>
   C:        <objURI>urn:ietf:params:xml:ns:obj1</objURI>
   C:        <objURI>urn:ietf:params:xml:ns:obj2</objURI>
   C:        <objURI>urn:ietf:params:xml:ns:obj3</objURI>
   C:        <svcExtension>
   C:          <extURI>urn:ietf:params:xml:ns:epp:loginSec-0.2</extURI>
   C:        </svcExtension>
   C:      </svcs>
   C:    </login>
   C:    <extension>
   C:      <loginSec:loginSec
   C:        xmlns:loginSec=
   C:          "urn:ietf:params:xml:ns:epp:loginSec-0.2">
   C:        <loginSec:pw>this is a long password</loginSec:pw>
   C:        <loginSec:newPW>new password that is still long</loginSec:newPW>
   C:      </loginSec:loginSec>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   Example login command that uses the [RFC5730] <pw> element to
   establish the session, and uses the <loginSec:newPW> element instead
   of the [RFC5730] <newPW> element to set the new password:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
   C:  <command>
   C:    <login>
   C:      <clID>ClientX</clID>
   C:      <pw>shortpassword</pw>
   C:      <newPW>[LOGIN-SECURITY]</newPW>
   C:      <options>
   C:        <version>1.0</version>
   C:        <lang>en</lang>
   C:      </options>
   C:      <svcs>
   C:        <objURI>urn:ietf:params:xml:ns:obj1</objURI>
   C:        <objURI>urn:ietf:params:xml:ns:obj2</objURI>
   C:        <objURI>urn:ietf:params:xml:ns:obj3</objURI>
   C:        <svcExtension>
   C:          <extURI>urn:ietf:params:xml:ns:epp:loginSec-0.2</extURI>
   C:        </svcExtension>
   C:      </svcs>
   C:    </login>
   C:    <extension>
   C:      <loginSec:loginSec
   C:        xmlns:loginSec=
   C:          "urn:ietf:params:xml:ns:epp:loginSec-0.2">
   C:        <loginSec:newPW>new password that is still long</loginSec:newPW>
   C:      </loginSec:loginSec>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   Upon a completed login command (successful or failed), the extension
   MUST be included in the response based on the following conditions:

   Client supports extension:  The client supports the extension based
      on the <svcExtension> element of the <login> command.

   At least one login security event:  The server has identified at
      least one login security event to communicate to the client.

   The extension to the EPP response uses the <loginSec:loginSecData>
   element that contains the following child elements:

   <loginSec:event>:  One or more <loginSec:event> elements defined in
      Section 3.1.
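   As an added example (not part of the draft), the following Python
   shows how a server would apply the "[LOGIN-SECURITY]" override rule
   of Section 3.2 together with the whitespace normalization and
   6-character minimum of Section 4.1, using a namespace-aware parser as
   Section 1.1 requires.  The element names <loginSec:loginSec>,
   <loginSec:pw> and <loginSec:newPW>, and the constructed sample
   command, are assumptions.

```python
import re
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
LOGINSEC_NS = "urn:ietf:params:xml:ns:epp:loginSec-0.2"
MARKER = "[LOGIN-SECURITY]"  # predefined override value, Section 3.2
MIN_LEN = 6                  # minimum password length, Section 4.1

# Constructed login command modelled on the draft's second example. The prefix
# is deliberately "ls", not "loginSec": matching is done on the namespace URI.
SAMPLE_LOGIN = f"""<epp xmlns="{EPP_NS}">
  <command>
    <login>
      <clID>ClientX</clID>
      <pw>[LOGIN-SECURITY]</pw>
      <newPW>[LOGIN-SECURITY]</newPW>
      <svcs><svcExtension><extURI>{LOGINSEC_NS}</extURI></svcExtension></svcs>
    </login>
    <extension>
      <ls:loginSec xmlns:ls="{LOGINSEC_NS}">
        <ls:pw>  this is a   long\tpassword </ls:pw>
        <ls:newPW>new password that is still long</ls:newPW>
      </ls:loginSec>
    </extension>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>"""
# A real RFC 5730 <pw> plus an extension <ls:pw> breaks "MUST only be used if".
BAD_LOGIN = SAMPLE_LOGIN.replace("<pw>[LOGIN-SECURITY]</pw>", "<pw>shortpassword</pw>")


class LoginSecError(ValueError):
    """Login command that violates the extension's override rules."""


def normalize(pw: str) -> str:
    # Section 4.1: strip ends, collapse runs of #x9/#xA/#xD/#x20 to one space.
    return re.sub(r"[\t\n\r ]+", " ", pw).strip()


def resolve(core, ext, label: str):
    """Apply the [LOGIN-SECURITY] override rule to one password field."""
    core_val = None if core is None else core.text
    ext_val = None if ext is None else ext.text
    if ext_val is not None and core_val != MARKER:
        raise LoginSecError(f"{label}: extension element used but core value is not {MARKER}")
    if core_val != MARKER:
        return core_val  # plain RFC 5730 password, or absent (newPW is optional)
    if ext_val is None:
        raise LoginSecError(f"{label}: {MARKER} given but no extension element")
    value = normalize(ext_val)
    if len(value) < MIN_LEN:
        raise LoginSecError(f"{label}: normalized password shorter than {MIN_LEN}")
    return value


def effective_passwords(xml_text: str):
    """Return (password, new_password) the server should actually use."""
    root = ET.fromstring(xml_text)
    login = root.find(f"{{{EPP_NS}}}command/{{{EPP_NS}}}login")
    ext = root.find(f"{{{EPP_NS}}}command/{{{EPP_NS}}}extension/{{{LOGINSEC_NS}}}loginSec")
    ext_kids = {} if ext is None else {child.tag: child for child in ext}
    pw = resolve(login.find(f"{{{EPP_NS}}}pw"), ext_kids.get(f"{{{LOGINSEC_NS}}}pw"), "pw")
    new_pw = resolve(login.find(f"{{{EPP_NS}}}newPW"), ext_kids.get(f"{{{LOGINSEC_NS}}}newPW"), "newPW")
    return pw, new_pw


def login_violation(xml_text: str):
    """The rule a login command violates, or None if it conforms."""
    try:
        effective_passwords(xml_text)
    except LoginSecError as exc:
        return str(exc)
    return None
```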
   Example EPP response to a successful login command where the password
   will expire in a week:

   S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
   S:  <response>
   S:    <result code="1000">
   S:      <msg>Command completed successfully</msg>
   S:    </result>
   S:    <extension>
   S:      <loginSec:loginSecData
   S:        xmlns:loginSec="urn:ietf:params:xml:ns:epp:loginSec-0.2">
   S:        <loginSec:event
   S:          type="password"
   S:          level="warning"
   S:          exDate="[date-time not recoverable in this copy]">
   S:          Password expiring in a week
   S:        </loginSec:event>
   S:      </loginSec:loginSecData>
   S:    </extension>
   S:    <trID>
   S:      <clTRID>ABC-12345</clTRID>
   S:      <svTRID>54321-XYZ</svTRID>
   S:    </trID>
   S:  </response>
   S:</epp>

   Example EPP response to a failed login command where the password has
   expired and the new password does not meet the server complexity
   requirements:

   S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
   S:  <response>
   S:    <result code="2200">
   S:      <msg>Authentication error</msg>
   S:    </result>
   S:    <extension>
   S:      <loginSec:loginSecData
   S:        xmlns:loginSec="urn:ietf:params:xml:ns:epp:loginSec-0.2">
   S:        <loginSec:event
   S:          type="password"
   S:          level="error"
   S:          exDate="[date-time not recoverable in this copy]">
   S:          Password has expired
   S:        </loginSec:event>
   S:        <loginSec:event
   S:          type="newPw"
   S:          level="error">
   S:          New password does not meet complexity requirements
   S:        </loginSec:event>
   S:      </loginSec:loginSecData>
   S:    </extension>
   S:    <trID>
   S:      <clTRID>ABC-12345</clTRID>
   S:      <svTRID>54321-XYZ</svTRID>
   S:    </trID>
   S:  </response>
   S:</epp>

   Example EPP response to a successful login command where there is a
   set of login security events:

   S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
   S:  <response>
   S:    <result code="1000">
   S:      <msg>Command completed successfully</msg>
   S:    </result>
   S:    <extension>
   S:      <loginSec:loginSecData
   S:        xmlns:loginSec="urn:ietf:params:xml:ns:epp:loginSec-0.2">
   S:        <loginSec:event
   S:          type="password"
   S:          level="warning"
   S:          exDate="[date-time not recoverable in this copy]">
   S:          Password expiration soon
   S:        </loginSec:event>
   S:        <loginSec:event
   S:          type="cipher"
   S:          level="warning"
   S:          value="[cipher suite not recoverable in this copy]">
   S:          Non-PFS Cipher negotiated
   S:        </loginSec:event>
   S:        <loginSec:event
   S:          type="tlsProtocol"
   S:          level="warning"
   S:          value="[TLS version not recoverable in this copy]">
   S:          Insecure TLS protocol negotiated
   S:        </loginSec:event>
   S:        <loginSec:event
   S:          type="stat"
   S:          name="failedLogins"
   S:          level="warning"
   S:          value="[count not recoverable in this copy]"
   S:          duration="[duration not recoverable in this copy]">
   S:          Excessive invalid daily logins
   S:        </loginSec:event>
   S:        <loginSec:event
   S:          type="custom"
   S:          name="[custom name not recoverable in this copy]"
   S:          level="warning">
   S:          A custom login security event occurred
   S:        </loginSec:event>
   S:      </loginSec:loginSecData>
   S:    </extension>
   S:    <trID>
   S:      <clTRID>ABC-12345</clTRID>
   S:      <svTRID>54321-XYZ</svTRID>
   S:    </trID>
   S:  </response>
   S:</epp>

5.  Formal Syntax

   One schema is presented here that is the EPP Login Security Extension
   schema.

   The formal syntax presented here is a complete schema representation
   of the object mapping suitable for automated validation of EPP XML
   instances.  The BEGIN and END tags are not part of the schema; they
   are used to note the beginning and ending of the schema for URI
   registration purposes.

5.1.  Login Security Extension Schema

   BEGIN
   [Schema body not recoverable in this copy of the draft; only its
   documentation text survives:]

     Extensible Provisioning Protocol v1.0
     Login Security Extension Schema.
   END

6.  IANA Considerations

6.1.  XML Namespace

   This document uses URNs to describe XML namespaces and XML schemas
   conforming to a registry mechanism described in [RFC3688].  The
   following URI assignment is requested of IANA:

   Registration request for the loginSec namespace:

      URI: urn:ietf:params:xml:ns:epp:loginSec-0.2
      Registrant Contact: IESG
      XML: None.  Namespace URIs do not represent an XML specification.

   Registration request for the loginSec XML schema:

      URI: urn:ietf:params:xml:schema:epp:loginSec-0.2
      Registrant Contact: IESG
      XML: See the "Formal Syntax" section of this document.

6.2.  EPP Extension Registry

   The EPP extension described in this document should be registered by
   the IANA in the EPP Extension Registry described in [RFC7451].  The
   details of the registration are as follows:

   Name of Extension: "Login Security Extension for the Extensible
   Provisioning Protocol (EPP)"

   Document status: Standards Track

   Reference: (insert reference to RFC version of this document)

   Registrant Name and Email Address: IESG, <iesg@ietf.org>

   TLDs: Any

   IPR Disclosure: None

   Status: Active

   Notes: None

7.  Implementation Status

   Note to RFC Editor: Please remove this section and the reference to
   RFC 7942 [RFC7942] before publication.

   TBD

8.  Security Considerations

   The extension fixes only a 6-character floor: the minimum length of
   the password (<loginSec:pw> element) and new password
   (<loginSec:newPW> element) beyond 6 characters, and the maximum
   length, are left up to server policy.  The server SHOULD enforce
   minimum and maximum length requirements that are appropriate for
   their operating environment.
   One example of a guideline for password length policies can be found
   in section 5 of NIST Special Publication 800-63B [1].

   The extension provides an extensible list of login security events to
   inform clients of connection and login warnings and errors.

9.  Acknowledgements

   The authors wish to thank the following persons for their feedback
   and suggestions:

   o  Patrick Mevzek

   o  Scott Hollenbeck

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

   [RFC5730]  Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
              STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
              <https://www.rfc-editor.org/info/rfc5730>.

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,
              <https://www.rfc-editor.org/info/rfc7942>.

   [W3C.REC-xmlschema-2-20041028]
              Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
              Second Edition", World Wide Web Consortium Recommendation
              REC-xmlschema-2-20041028, October 2004,
              <http://www.w3.org/TR/2004/REC-xmlschema-2-20041028>.

10.2.  Informative References

   [RFC7451]  Hollenbeck, S., "Extension Registry for the Extensible
              Provisioning Protocol", RFC 7451, DOI 10.17487/RFC7451,
              February 2015, <https://www.rfc-editor.org/info/rfc7451>.

10.3.  URIs

   [1] https://pages.nist.gov/800-63-3/sp800-63b.html

Appendix A.  Change History

A.1.  Change from 00 to 01

   1.  Based on the feedback from Patrick Mevzek and a proposal from
       Scott Hollenbeck, changed the minimum length of the password from
       8 to 6, revised the description of the password, and added text
       in the Security Considerations section for the server password
       length policy.

A.2.  Change from 01 to 02

   1.  Changed the XML namespace from
       urn:ietf:params:xml:ns:loginSec-0.2 to
       urn:ietf:params:xml:ns:epp:loginSec-0.2, and changed the XML
       schema registration from urn:ietf:params:xml:ns:loginSec-0.2 to
       urn:ietf:params:xml:schema:epp:loginSec-0.2 based on a request
       from IANA with draft-ietf-regext-allocation-token.

Authors' Addresses

   James Gould
   VeriSign, Inc.
   12061 Bluemont Way
   Reston, VA 20190
   US

   Email: jgould@verisign.com
   URI:   http://www.verisign.com


   Matthew Pozun
   VeriSign, Inc.
   12061 Bluemont Way
   Reston, VA 20190
   US

   Email: mpozun@verisign.com
   URI:   http://www.verisign.com