idnits 2.17.1 draft-ietf-regext-login-security-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 30, 2020) is 1547 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 930 == Missing Reference: 'LOGIN-SECURITY' is mentioned on line 266, but not defined -- Looks like a reference, but probably isn't: '2' on line 933 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Gould 3 Internet-Draft M. Pozun 4 Intended status: Standards Track VeriSign, Inc. 5 Expires: August 2, 2020 January 30, 2020 7 Login Security Extension for the Extensible Provisioning Protocol (EPP) 8 draft-ietf-regext-login-security-08 10 Abstract 12 The Extensible Provisioning Protocol (EPP) includes a client 13 authentication scheme that is based on a user identifier and 14 password. The structure of the password field is defined by an XML 15 Schema data type that specifies minimum and maximum password length 16 values, but there are no other provisions for password management 17 other than changing the password. This document describes an EPP 18 extension that allows longer passwords to be created and adds 19 additional security features to the EPP login command and response. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at https://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on August 2, 2020. 38 Copyright Notice 40 Copyright (c) 2020 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (https://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 57 2. Migrating to Newer Versions of This Extension . . . . . . . . 3 58 3. Object Attributes . . . . . . . . . . . . . . . . . . . . . . 4 59 3.1. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 3.2. "[LOGIN-SECURITY]" Password . . . . . . . . . . . . . . . 6 61 3.3. Dates and Times . . . . . . . . . . . . . . . . . . . . . 6 62 4. EPP Command Mapping . . . . . . . . . . . . . . . . . . . . . 7 63 4.1. EPP Command . . . . . . . . . . . . . . . . . . . 7 64 5. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 15 65 5.1. Login Security Extension Schema . . . . . . . . . . . . . 15 66 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 67 6.1. XML Namespace . . . . . . . . . . . . . . . . . . . . . . 17 68 6.2. EPP Extension Registry . . . . . . . . . . . . . . . . . 18 69 7. Implementation Status . . . . . . . . . . . . . . . . . . . . 18 70 7.1. Verisign EPP SDK . . . . . . . . . . . . . . . . . . . . 19 71 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 72 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 73 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 74 10.1. Normative References . . . . . . . . . . . . . . . . . . 20 75 10.2. Informative References . . . . . . . . . . . . . . . . . 21 76 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 21 77 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 21 78 A.1. Change from 00 to 01 . . . . . . . . . . . . . . . . . . 21 79 A.2. Change from 01 to 02 . . . . . . . . . . . . . . . . . . 21 80 A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 22 81 A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 22 82 A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 22 83 A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 22 84 A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 22 85 A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 23 86 A.9. Change from REGEXT 04 to REGEXT 05 . . . . . . . . . . . 23 87 A.10. Change from REGEXT 05 to REGEXT 06 . . . . . . . . . . . 24 88 A.11. Change from REGEXT 06 to REGEXT 07 . . . . . . . . . . . 24 89 A.12. Change from REGEXT 07 to REGEXT 08 . . . . . . . . . . . 24 90 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 92 1. Introduction 94 This document describes an Extensible Provisioning Protocol (EPP) 95 extension for enhancing the security of the EPP login command in EPP 96 [RFC5730]. The enhancements include supporting longer passwords (or 97 passphrases) than the 16-character maximum and providing a list of 98 security events in the login response. The password (current and 99 new) in EPP [RFC5730] can be overridden by the password included in 100 the extension to extend past the 16-character maximum. The security 101 events supported include: password expiry, client certificate expiry, 102 insecure cipher, insecure TLS protocol, new password complexity, 103 login security statistical warning, and a custom event. The 104 attributes supported by the security events include identifying the 105 event type or sub-type, indicating the security level of warning or 106 error, a future or past-due expiration date, the value that resulted 107 in the event, the duration of the statistical event, and a free-form 108 description with an optional language. 110 1.1. Conventions Used in This Document 112 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 113 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 114 "OPTIONAL" in this document are to be interpreted as described in BCP 115 14 [RFC2119] [RFC8174] when, and only when, they appear in all 116 capitals, as shown here. 118 XML is case sensitive. Unless stated otherwise, XML specifications 119 and examples provided in this document MUST be interpreted in the 120 character case presented in order to develop a conforming 121 implementation. 123 In examples, "C:" represents lines sent by a protocol client and "S:" 124 represents lines returned by a protocol server. Indentation and 125 white space in examples are provided only to illustrate element 126 relationships and are not a required feature of this protocol. 128 "loginSec-1.0" is used as an abbreviation for 129 "urn:ietf:params:xml:ns:epp:loginSec-1.0". The XML namespace prefix 130 "loginSec" is used, but implementations MUST NOT depend on it and 131 instead employ a proper namespace-aware XML parser and serializer to 132 interpret and output the XML documents. 134 "whitespace" is defined by the XML schema whiteSpace datatype in 135 [W3C.REC-xmlschema-2-20041028], which only includes the ASCII 136 whitespace characters #x9 (tab), #xA (linefeed), #xD (carriage 137 return), and #x20 (space). 139 2. Migrating to Newer Versions of This Extension 141 Servers which implement this extension SHOULD provide a way for 142 clients to progressively update their implementations when a new 143 version of the extension is deployed. A newer version of the 144 extension is expected to use an XML namespace with a higher version 145 number than the prior versions. 147 Servers SHOULD (for a temporary migration period up to server policy) 148 provide support for older versions of the extension in parallel to 149 the newest version, and allow clients to select their preferred 150 version via the element of the command. 152 If a client requests multiple versions of the extension at login, 153 then, when preparing responses to commands which do not include 154 extension elements, the server SHOULD only include extension elements 155 in the namespace of the newest version of the extension requested by 156 the client. 158 When preparing responses to commands which do include extension 159 elements, the server SHOULD only include extension elements for the 160 extension versions present in the command. 162 3. Object Attributes 164 This extension adds additional elements to [RFC5730] login command 165 and response. Only those new elements are described here. 167 3.1. Event 169 A security event, using the element, represents 170 either a warning or error identified by the server after the client 171 has connected and submitted the login command. The 172 element is contained in a list of one or more elements in the 173 element, so there MAY be multiple events 174 returned that provide information for the client to address. The 175 MAY include a free-form description. All of the 176 security events use a consistent set of attributes, where the exact 177 set of applicable attributes is based on the event type. The 178 supported set of element attributes include: 180 "type": A REQUIRED attribute that defines the type of security 181 event. The enumerated list of "type" values includes: 183 "password": Identifies a password expiry event, where the 184 password expires in the future or has expired based on the 185 "exDate" date and time. The "exDate" attribute MUST be set 186 with the password expiry date and time. 187 "certificate": Identifies a client certificate expiry event, 188 where the client certificate will expire at the "exDate" date 189 and time. The "exDate" attribute MUST be set with the 190 certificate expiry date and time. 192 "cipher": Identifies the use of an insecure or deprecated TLS 193 cipher suite. The "name" attribute MUST be set with the name 194 of the cipher suite, which is free-form and is not expected 195 to be parsed and automatically addressed by the client. An 196 example of cipher suite names can be found in the TLS Cipher 197 Suites of the Transport Layer Security (TLS) Parameters IANA 198 Registry [1]. 199 "tlsProtocol": Identifies the use of an insecure or deprecated 200 TLS protocol. The "name" attribute MUST be set with the name 201 of the TLS protocol, which is free-form and is not expected 202 to be parsed and automatically addressed by the client. 203 "newPW": The new password does not meet the server password 204 complexity requirements. 205 "stat": Provides a login security statistical warning that MUST 206 set the "name" attribute to the name of the statistic sub- 207 type. 208 "custom": Custom event type that MUST set the "name" attribute 209 with the custom event type name. 210 "name": Used to define a sub-type when the "type" attribute is not 211 "custom" or the full type name when the "type" attribute is 212 "custom". The "name" attribute MUST be set when the "type" 213 attribute is "stat" or "custom". The possible set of "name" 214 values, by event type, can be discovered / negotiated out of band 215 to EPP or using a separate EPP extension designed to provide 216 server policy information to the client. 217 "level": Defines the level of the event as either "warning" for a 218 warning event that needs action, or "error" for an error event 219 that requires immediate action. 220 "exDate": Contains the date and time that a "warning" level has or 221 will become an "error" level. At expiry there MAY be a 222 connection failure or MAY be a login failure. An example is an 223 expired certification that will result in a connection failure or 224 an expired password that may result in a login failure. 225 "value": Identifies the value that resulted in the login security 226 event. An example is the negotiated insecure cipher suite or the 227 negotiated insecure TLS protocol. 228 "duration": Defines the duration that a statistical event is 229 associated with, ending when the login command was received. The 230 format of the duration is defined by the duration primitive 231 datatype in section 3.2.6 of [W3C.REC-xmlschema-2-20041028]. 232 "lang": Identifies the negotiated language of the free-form 233 description. The format of the language is defined by the 234 language primitive datatype in section 3.3.3 of 235 [W3C.REC-xmlschema-2-20041028]. The default is "en" (English). 237 Example login security event for password expiration, where the 238 current date is 2020-03-25: 240 245 Password expiration soon 246 248 Example login security event for identifying 100 failed logins over 249 the last day, using the "stat" sub-type of "failedLogins": 251 257 Excessive invalid daily logins 258 260 3.2. "[LOGIN-SECURITY]" Password 262 When the [RFC5730] element contains the predefined value of 263 "[LOGIN-SECURITY]", the element overrides the 264 element, which is a constant value for the server to use the 265 element for the password. Similarly, when the 266 [RFC5730] element contains the predefined value of "[LOGIN- 267 SECURITY]", the element overrides the 268 element, which is a constant value for the server to use the 269 element for the new password. The "[LOGIN- 270 SECURITY]" pre-defined string MUST be supported by the server for the 271 client to explicitly indicate to the server whether to use 272 element in place of the [RFC5730] element or to 273 use the in place of the [RFC5730] element. 274 The server MUST NOT allow the client to set the password to the value 275 "[LOGIN-SECURITY]". 277 3.3. Dates and Times 279 Date and time attribute values MUST be represented in Universal 280 Coordinated Time (UTC) using the Gregorian calendar. The extended 281 date-time form using upper case "T" and "Z" characters defined in 282 [W3C.REC-xmlschema-2-20041028] MUST be used to represent date-time 283 values, as XML Schema does not support truncated date-time forms or 284 lower case "T" and "Z" characters. 286 4. EPP Command Mapping 288 A detailed description of the EPP syntax and semantics can be found 289 in the EPP core protocol specification [RFC5730]. 291 4.1. EPP Command 293 This extension defines additional elements to extend the EPP 294 command and response to be used in conjunction with [RFC5730]. 296 The EPP command is used to establish a session with an EPP 297 server. This extension overrides the password that is passed with 298 the [RFC5730] or the element as defined in Section 3.2. 299 A element is sent along with the [RFC5730] 300 command and MUST contain at least one of the following child 301 elements: 303 : OPTIONAL client user agent information that 304 identifies the client application software, technology, and 305 operating system used by the server to identify functional or 306 security constraints, current security issues, and potential 307 future functional or security issues for the client. The server 308 may use the information for real-time identification and client 309 notification of security issues, such as keying off of the client 310 application software for executing security rule checks. The 311 server may capture the information to identify future security 312 policy issues, such as deprecating or removing TLS cipher suites 313 or TLS protocols. The element MUST contain 314 at least one of the following child elements: 316 : OPTIONAL name of the client application software 317 with version if available, such as the name of the client SDK 318 "EPP SDK 1.0.0". The element value can be 319 created by appending the version number to the name of the 320 application software, such as the Augmented Backus-Naur Form 321 (ABNF) grammar [RFC5234] format: 323 app = name SP version 324 name = 1*VCHAR 325 version = 1*VCHAR 326 : OPTIONAL technology used for the client 327 software with version if available, such as "Vendor Java 328 11.0.6". The element value can be created by 329 including the technology vendor, technology name, and 330 technology version, such as the Augmented Backus-Naur Form 331 (ABNF) grammar [RFC5234] format: 333 tech = vendor SP name SP version 334 vendor = 1*VCHAR 335 name = 1*VCHAR 336 version = 1*VCHAR 337 : OPTIONAL client operating system used with 338 version if available, such as "x86_64 Mac OS X 10.15.2". The 339 element value can be created by including the 340 operating system architecture, operating system name, and 341 operating system version, such as the Augmented Backus-Naur 342 Form (ABNF) grammar [RFC5234] format: 344 os = arch SP name SP version 345 arch = 1*VCHAR 346 name = 1*VCHAR 347 version = 1*VCHAR 348 : OPTIONAL plain text password that is case sensitive, 349 has a minimum length of 6 characters, and has a maximum length 350 that is up to server policy. All leading and trailing whitespace 351 is removed, and all internal contiguous whitespace that includes 352 #x9 (tab), #xA (linefeed), #xD (carriage return), and #x20 353 (space) is replaced with a single #x20 (space). This element 354 MUST only be set if the [RFC5730] element is set to the 355 "[LOGIN-SECURITY]" value. 356 : OPTIONAL plain text new password that is case 357 sensitive, has a minimum length of 6 characters, and has a 358 maximum length that is up to server policy. All leading and 359 trailing whitespace is removed, and all internal contiguous 360 whitespace that includes #x9 (tab), #xA (linefeed), #xD (carriage 361 return), and #x20 (space) is replaced with a single #x20 (space). 362 This element MUST only be set if the [RFC5730] element is 363 set to the "[LOGIN-SECURITY]" value. 365 It is recommended that the plain text password in the 366 and elements use printable ASCII characters #x20 367 (space) - #x7E (~), with high entropy, such as 128 bits. If non- 368 ASCII characters are supported with the plain text password, then use 369 a standard for passwords with international characters, such as the 370 OpaqueString PRECIS profile in [RFC8265]. 372 Example login command that uses the element instead of 373 the [RFC5730] element to establish the session and includes the 374 element: 376 C: 377 C: 378 C: 379 C: 380 C: ClientX 381 C: [LOGIN-SECURITY] 382 C: 383 C: 1.0 384 C: en 385 C: 386 C: 387 C: urn:ietf:params:xml:ns:obj1 388 C: urn:ietf:params:xml:ns:obj2 389 C: urn:ietf:params:xml:ns:obj3 390 C: 391 C: urn:ietf:params:xml:ns:epp:loginSec-1.0 392 C: 393 C: 394 C: 395 C: 396 C: 399 C: 400 C: EPP SDK 1.0.0 401 C: Vendor Java 11.0.6 402 C: x86_64 Mac OS X 10.15.2 403 C: 404 C: this is a long password 405 C: 406 C: 407 C: ABC-12345 408 C: 409 C: 410 Example login command that uses the element instead of 411 the [RFC5730] element to establish the session, and uses the 412 element instead of the [RFC5730] element to 413 set the new password: 415 C: 416 C: 417 C: 418 C: 419 C: ClientX 420 C: [LOGIN-SECURITY] 421 C: [LOGIN-SECURITY] 422 C: 423 C: 1.0 424 C: en 425 C: 426 C: 427 C: urn:ietf:params:xml:ns:obj1 428 C: urn:ietf:params:xml:ns:obj2 429 C: urn:ietf:params:xml:ns:obj3 430 C: 431 C: urn:ietf:params:xml:ns:epp:loginSec-1.0 432 C: 433 C: 434 C: 435 C: 436 C: 439 C: this is a long password 440 C: 441 C: new password that is still long 442 C: 443 C: 444 C: 445 C: ABC-12345 446 C: 447 C: 448 Example login command that uses the [RFC5730] element to 449 establish the session, and uses the element instead 450 of the [RFC5730] element to set the new password: 452 C: 453 C: 454 C: 455 C: 456 C: ClientX 457 C: shortpassword 458 C: [LOGIN-SECURITY] 459 C: 460 C: 1.0 461 C: en 462 C: 463 C: 464 C: urn:ietf:params:xml:ns:obj1 465 C: urn:ietf:params:xml:ns:obj2 466 C: urn:ietf:params:xml:ns:obj3 467 C: 468 C: urn:ietf:params:xml:ns:epp:loginSec-1.0 469 C: 470 C: 471 C: 472 C: 473 C: 476 C: new password that is still long 477 C: 478 C: 479 C: 480 C: ABC-12345 481 C: 482 C: 484 Upon a completed login command (success or failed), the extension 485 MUST be included in the response when both of the following 486 conditions hold: 488 Client supports extension: The client supports the extension based 489 on the element of the command. 490 At least one login security event: The server has identified at 491 least one login security event to communicate to the client. 493 The extension to the EPP response uses the 494 element that contains the following child elements: 496 : One or more elements defined in 497 Section 3.1. 499 Example EPP response to a successful login command on 2020-03-25, 500 where the password will expire in a week: 502 S: 503 S: 504 S: 505 S: 506 S: Command completed successfully 507 S: 508 S: 509 S: 512 S: 517 S: Password expiring in a week 518 S: 519 S: 520 S: 521 S: 522 S: ABC-12345 523 S: 54321-XYZ 524 S: 525 S: 526 S: 527 Example EPP response to a failed login command where the password has 528 expired and the new password does not meet the server complexity 529 requirements: 531 S: 532 S: 533 S: 534 S: 535 S: Authentication error 536 S: 537 S: 538 S: 541 S: 545 S: Password has expired 546 S: 547 S: 550 S: New password does not meet complexity requirements 551 S: 552 S: 553 S: 554 S: 555 S: ABC-12345 556 S: 54321-XYZ 557 S: 558 S: 559 S: 561 Example EPP response to a successful login command where there is a 562 set of login security events: 564 S: 565 S: 566 S: 567 S: 568 S: Command completed successfully 569 S: 570 S: 571 S: 574 S: 579 S: Password expiration soon 580 S: 581 S: 585 S: 589 S: Non-PFS Cipher negotiated 590 S: 591 S: 595 S: Insecure TLS protocol negotiated 596 S: 597 S: 603 S: Excessive invalid daily logins 604 S: 605 S: 609 S: A custom login security event occured 610 S: 611 S: 612 S: 613 S: 614 S: ABC-12345 615 S: 54321-XYZ 616 S: 617 S: 618 S: 620 5. Formal Syntax 622 The EPP Login Security Extension schema is presented here. 624 The formal syntax presented here is a complete XML schema 625 representation of the object mapping suitable for automated 626 validation of EPP XML instances. The BEGIN and END tags are not part 627 of the XML schema; they are used to note the beginning and ending of 628 the XML schema for URI registration purposes. 630 5.1. Login Security Extension Schema 632 BEGIN 633 634 640 643 644 645 646 Extensible Provisioning Protocol v1.0 647 Login Security Extension Schema. 648 649 650 651 654 655 656 658 660 662 663 664 665 666 667 669 670 671 672 673 675 677 679 680 681 683 685 686 688 689 690 691 693 694 695 698 699 700 701 702 703 704 706 708 710 712 714 716 718 719 720 721 724 725 726 727 728 729 730 731 732 733 734 735 738 739 740 741 742 743 744 747 748 END 750 6. IANA Considerations 752 6.1. XML Namespace 754 This document uses URNs to describe XML namespaces and XML schemas 755 conforming to a registry mechanism described in [RFC3688]. The 756 following URI assignment is requested of IANA: 758 Registration request for the loginSec namespace: 760 URI: urn:ietf:params:xml:ns:epp:loginSec-1.0 761 Registrant Contact: IESG 762 XML: None. Namespace URIs do not represent an XML specification. 764 Registration request for the loginSec XML schema: 766 URI: urn:ietf:params:xml:schema:epp:loginSec-1.0 767 Registrant Contact: IESG 768 XML: See the "Formal Syntax" section of this document. 770 6.2. EPP Extension Registry 772 The EPP extension described in this document should be registered by 773 the IANA in the EPP Extension Registry described in [RFC7451]. The 774 details of the registration are as follows: 776 Name of Extension: "Login Security Extension for the Extensible 777 Provisioning Protocol (EPP)" 779 Document status: Standards Track 781 Reference: (insert reference to RFC version of this document) 783 Registrant Name and Email Address: IESG, 785 TLDs: Any 787 IPR Disclosure: None 789 Status: Active 791 Notes: None 793 7. Implementation Status 795 Note to RFC Editor: Please remove this section and the reference to 796 RFC 7942 [RFC7942] before publication. 798 This section records the status of known implementations of the 799 protocol defined by this specification at the time of posting of this 800 Internet-Draft, and is based on a proposal described in RFC 7942 801 [RFC7942]. The description of implementations in this section is 802 intended to assist the IETF in its decision processes in progressing 803 drafts to RFCs. Please note that the listing of any individual 804 implementation here does not imply endorsement by the IETF. 805 Furthermore, no effort has been spent to verify the information 806 presented here that was supplied by IETF contributors. This is not 807 intended as, and must not be construed to be, a catalog of available 808 implementations or their features. Readers are advised to note that 809 other implementations may exist. 811 According to RFC 7942 [RFC7942], "this will allow reviewers and 812 working groups to assign due consideration to documents that have the 813 benefit of running code, which may serve as evidence of valuable 814 experimentation and feedback that have made the implemented protocols 815 more mature. It is up to the individual working groups to use this 816 information as they see fit". 818 7.1. Verisign EPP SDK 820 Organization: Verisign Inc. 822 Name: Verisign EPP SDK 824 Description: The Verisign EPP SDK includes both a full client 825 implementation and a full server stub implementation of draft-ietf- 826 regext-login-security. 828 Level of maturity: Development 830 Coverage: All aspects of the protocol are implemented. 832 Licensing: GNU Lesser General Public License 834 Contact: jgould@verisign.com 836 URL: https://www.verisign.com/en_US/channel-resources/domain- 837 registry-products/epp-sdks 839 8. Security Considerations 841 The Security Considerations of [RFC5730] apply in this document, and 842 this document enhances these considerations. 844 The extension leaves the password ( element) and new password 845 ( element) minimum length greater than 6 characters and the 846 maximum length up to server policy. The server SHOULD enforce 847 minimum and maximum length requirements that are appropriate for 848 their operating environment. One example of a guideline for password 849 length policies can be found in section 5 of NIST Special Publication 850 800-63B [2]. 852 The client SHOULD NOT decrease the security of a new password by 853 decreasing the length of the current password. For example, a client 854 with a 20 character password set using the extension, should not use 855 the login command in [RFC5730] without using the extension, to set a 856 new password that is less than or equal to 16 characters. 858 The extension provides an extensible list of login security events to 859 inform clients of connection and login warnings and errors. The 860 server returning of security events to unauthenticated users needs to 861 take into account the security/privacy issues of returning 862 information to potential attackers. 864 The user agent information represents the client system of a system- 865 to-system interface, so the user agent information MUST NOT provide 866 any ability to track individual users or classes of users. 868 9. Acknowledgements 870 The authors wish to thank the following persons for their feedback 871 and suggestions: 873 o Martin Casanova 874 o Scott Hollenbeck 875 o Barry Leiba 876 o Patrick Mevzek 877 o Joseph Yee 879 10. References 881 10.1. Normative References 883 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 884 Requirement Levels", BCP 14, RFC 2119, 885 DOI 10.17487/RFC2119, March 1997, 886 . 888 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 889 DOI 10.17487/RFC3688, January 2004, 890 . 892 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 893 STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, 894 . 896 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 897 Code: The Implementation Status Section", BCP 205, 898 RFC 7942, DOI 10.17487/RFC7942, July 2016, 899 . 901 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 902 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 903 May 2017, . 905 [W3C.REC-xmlschema-2-20041028] 906 Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes 907 Second Edition", World Wide Web Consortium Recommendation 908 REC-xmlschema-2-20041028, October 2004, 909 . 911 10.2. Informative References 913 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 914 Specifications: ABNF", STD 68, RFC 5234, 915 DOI 10.17487/RFC5234, January 2008, 916 . 918 [RFC7451] Hollenbeck, S., "Extension Registry for the Extensible 919 Provisioning Protocol", RFC 7451, DOI 10.17487/RFC7451, 920 February 2015, . 922 [RFC8265] Saint-Andre, P. and A. Melnikov, "Preparation, 923 Enforcement, and Comparison of Internationalized Strings 924 Representing Usernames and Passwords", RFC 8265, 925 DOI 10.17487/RFC8265, October 2017, 926 . 928 10.3. URIs 930 [1] https://www.iana.org/assignments/tls-parameters/tls- 931 parameters.xhtml#tls-parameters-4 933 [2] https://pages.nist.gov/800-63-3/sp800-63b.html 935 Appendix A. Change History 937 [[RFC Editor: Please remove this section.]] 939 A.1. Change from 00 to 01 941 1. Based on the feedback from Patrick Mevzek and a proposal from 942 Scott Hollenbeck, changed the minimum length of the password from 943 8 to 6, revised the description of the password, and added text 944 in the Security Considerations section for the server password 945 length policy. 947 A.2. Change from 01 to 02 949 1. Changed the XML namespace from urn:ietf:params:xml:ns:loginSec- 950 0.3 to urn:ietf:params:xml:ns:epp:loginSec-0.3, and changed the 951 XML schema registration from urn:ietf:params:xml:ns:loginSec-0.3 952 to urn:ietf:params:xml:schema:epp:loginSec-0.3 based on a request 953 from IANA with draft-ietf-regext-allocation-token. 955 A.3. Change from 02 to 03 957 1. Updates based on the review by Patrick Mevzek, that include: 959 1. Fix the inconsistent case for newPW, that required a global 960 change in the draft text and an update to the XML schema to 961 "urn:ietf:params:xml:ns:loginSec-0.3". 962 2. Changed "contains the following child elements" to "MUST 963 contain at least one of the following child elements", 964 section "EPP Command" to ensure that an empty 965 element is not passed. 966 3. Add "The client SHOULD NOT decrease the security of a new 967 password by decreasing the length of the current password." 968 along with an example to the "Security Considerations" 969 section. 971 A.4. Change from 03 to REGEXT 00 973 1. Changed to regext working group draft by changing draft-gould- 974 regext-login-security to draft-ietf-regext-login-security. 976 A.5. Change from REGEXT 00 to REGEXT 01 978 1. Changed the element to be structured with 979 the , , and sub- 980 elements. This was based on the feedback from Martin Casanova. 981 This resulted in the need to change the XML namespace from 982 urn:ietf:params:xml:ns:epp:loginSec-0.3 to 983 urn:ietf:params:xml:ns:epp:loginSec-0.4. 985 A.6. Change from REGEXT 01 to REGEXT 02 987 1. Updated the Implementation Status section from "TBD" to include 988 the Verisign EPP SDK implementation. 990 A.7. Change from REGEXT 02 to REGEXT 03 992 1. Revised the description of the "duration" attribute to clarify 993 that it ends when the login command was received and to clarify 994 the format, based on the feedback from Martin Casanova. 995 2. Revised the sentence 'Upon a completed login command (success or 996 failed), the extension MUST be included in the response based on 997 the following conditions:' to 'Upon a completed login command 998 (success or failed), the extension MUST be included in the 999 response based on both of the following conditions:' based on the 1000 feedback from Patrick Mevzek. 1001 3. Updates based on the review by Joseph Yee, that include: 1003 1. Revised the description of the "name" 1004 attribute read 'Used to define a sub-type when the "type" 1005 attribute is not "custom" or the full type name when the 1006 "type" attribute is "custom"'. The definition of the "stat" 1007 type was updated to 'Provides a login security statistical 1008 warning that MUST set the "name" attribute to the name of the 1009 statistic.' 1010 2. Added the following sentence 'The server MUST NOT allow the 1011 client to set the password to the value "[LOGIN-SECURITY]".' 1012 to address the corner case where the constant is used as the 1013 password. 1014 3. Revised the description of the element 1015 to read 'The element MUST contain at 1016 least one of the following child elements:'. 1017 4. Revised the description of the to match the 1018 child elements that can be passed, by changing "client software" 1019 to "client application software" and change "language" to 1020 "technology". 1021 5. Changed the XML namespace from 1022 urn:ietf:params:xml:ns:epp:loginSec-0.4 to 1023 urn:ietf:params:xml:ns:epp:loginSec-1.0. 1025 A.8. Change from REGEXT 03 to REGEXT 04 1027 Updates based on the review by Joseph Yee, that include: 1029 1. Update the definition of the "stat" security event type to 1030 reference sub-type to match the language for the "name" 1031 attribute. 1032 2. Added the sentence 'The "name" attribute MUST be set when the 1033 "type" attribute is "stat" or "custom".' to the definition of the 1034 "name" attribute for clarity. 1035 3. Update the definition of the "userAgentType" in the XML schema to 1036 require at least one sub-element using a element. 1038 A.9. Change from REGEXT 04 to REGEXT 05 1040 Updates based on the review by Barry Leiba, that include: 1042 1. In section 1.1, updated to use BCP 14 boilerplate and references 1043 as defined in RFC 8174. 1044 2. In section 1.1, change "REQUIRED" to "required". 1045 3. Keep the "Migration to Newer Versions of This Extension" section 1046 by removing the note for removal to the RFC Editor. 1048 4. In section 3.1, change "MAY be multiple events returned that 1049 provides information" to "MAY be multiple events returned that 1050 provide information". 1051 5. In section 3.1, change "free form" to "free-form". 1052 6. In section 3.1, change "The enumerated list of "type" values 1053 include:" to "The enumerated list of "type" values includes:". 1054 7. In section 3.1, change "Identifies the language of the free-form 1055 description if the negotiated language is something other than 1056 the default value of "en" (English)." to "Identifies the 1057 negotiated language of the free-form description. The default is 1058 "en" (English). 1059 8. In section 3.1, change example description from "Example login 1060 security event for a password expiring in a week:" to "Example 1061 login security event for password expiration, where the current 1062 date is 2018-03-25:". 1063 9. In section 4.1, change "Example EPP response to a successful 1064 login command where the password will expire in a week:" to 1065 "Example EPP response to a successful login command on 1066 2018-03-25, where the password will expire in a week:". 1068 A.10. Change from REGEXT 05 to REGEXT 06 1070 Updates based on the review by Brian Carpenter, that include: 1072 1. In section 1, change the references to RFC 5730 to use links. 1073 2. In section 2, change "(for a temporary migration period)" to 1074 "(for a temporary migration period up to server policy)". 1076 A.11. Change from REGEXT 06 to REGEXT 07 1078 1. Updates based on feedback from Barry Leiba, added recommendations 1079 on the characters used for the plain text password. Recommended 1080 the use of printable ASCII passwords and if non-ASCII characters 1081 are supported, to use a standard for passwords with international 1082 characters, such as the OpaqueString PRECIS profile in [RFC8265]. 1083 2. Based on the feedback from Carlos Pignataro, added "[[RFC Editor: 1084 Please remove this section.]]" to the "Change History" section. 1086 A.12. Change from REGEXT 07 to REGEXT 08 1088 1. Based on feedback from Eric Vyncke during the IESG review, 1089 changed [RFC8174] from the informative references into the 1090 normative references. 1091 2. Based on feedback from Alissa Cooper during the IESG review, 1092 changed the sentence "One schema is presented here that is the 1093 EPP Login Security Extension schema." in section 5 to "The EPP 1094 Login Security Extension schema is presented here.". 1095 3. Changed "sever policy" to "server policy" in section 8. 1097 4. Updates based on feedback from Roman Danyliw during the IESG 1098 review: 1100 1. Changed "pasword" to "password" in section 1. 1101 2. In section 3.1, added a reference to section 3.3.3 of 1102 [W3C.REC-xmlschema-2-20041028] for the format of the "lang" 1103 attribute. Added the corresponding section (3.2.6) for the 1104 "duration" attribute. 1105 3. Added the "XML" prefix for each reference to "schema" in the 1106 introduction of section 5. 1107 4. Added the leading sentence "The Security Considerations of 1108 [RFC5730] apply in this document, and this document enhances 1109 these considerations." to section 8. 1110 5. Added the sentence 'The possible set of "name" values, by 1111 event type, can be discovered / negotiated out of band to EPP 1112 or using a separate EPP extension designed to provide server 1113 policy information to the client.' to the description of the 1114 "name" attribute. 1115 6. Added a description of how to create the , 1116 , and values using ABNF. 1117 5. Updates based on feedback from Alexey Melnikov during the IESG 1118 review: 1120 1. Added a description of "whitespace" to section 1.1. 1121 2. Added a description of the usage of the user agent 1122 information in section 4.1. 1123 6. Updates based on feedback from Benjamin Kaduk during the IESG 1124 review: 1126 1. Added "A newer version of the extension is expected to use 1127 an XML namespace with a higher version number than the prior 1128 versions." to the first paragraph of section 2. 1129 2. In section 3.1, replace the sentence "There MAY be multiple 1130 events returned that provide information for the client to 1131 address." with "The element is contained in 1132 a list of one or more elements in the 1133 element, so there MAY be multiple 1134 events returned that provide information for the client to 1135 address." 1136 3. In section 3.1, for the "exDate" attribute, replace the 1137 sentence "At expiry there MAY be an error to connect or MAY 1138 be an error to login." with "At expiry there MAY be a 1139 connection failure or MAY be a login failure." and a similar 1140 change to the following sentence. 1141 4. In section 3.1, replace the description of the "cipher" type 1142 and the "tlsProtocol" type. 1144 5. In section 3.1, add a sentence that the "exDate" attribute 1145 MUST be set for the "password" type and the "certificate" 1146 type. 1147 6. Updates the dates by replacing 2018 with 2020. 1148 7. In section 3.2, update the MUST override sentences for the 1149 and the elements. 1150 8. In section 4.1, update "OPTIONAL client user agent" with 1151 "OPTIONAL client user agent information" for the description 1152 of the element. 1153 9. In section 4.1, replace "MUST only be used" to "MUST only be 1154 set" for the and elements. 1155 10. Updated references of "x86_64 Mac OS X 10.11.6" to "x86_64 1156 Mac OS X 10.15.2". 1157 11. In section 4.1, replace "MUST be included in the response 1158 based on both of the following conditions" with "MUST be 1159 included in the response when both of the following 1160 conditions hold". 1161 12. In section 4.1, update the "exDate" for the "password" 1162 security event error to be "2020-03-24T22:00:00.0Z" so that 1163 it's prior to the date 2020-03-25 reference previously. 1164 13. In section 8, add the sentence "The server returning of 1165 security events to unauthenticated users needs to take into 1166 account the security/privacy issues of returning information 1167 to potential attackers." to the end of the last paragraph. 1168 14. In section 8, change "minimum length beyond 6 characters" to 1169 "minimum length greater than 6 characters". 1170 15. In section 8, add the sentence "The user agent information 1171 represents the client system of a system-to-system 1172 interface, so the user agent information MUST NOT provide 1173 any ability to track individual users or classes of users." 1175 Authors' Addresses 1177 James Gould 1178 VeriSign, Inc. 1179 12061 Bluemont Way 1180 Reston, VA 20190 1181 US 1183 Email: jgould@verisign.com 1184 URI: http://www.verisign.com 1185 Matthew Pozun 1186 VeriSign, Inc. 1187 12061 Bluemont Way 1188 Reston, VA 20190 1189 US 1191 Email: mpozun@verisign.com 1192 URI: http://www.verisign.com