idnits 2.17.1 draft-ietf-regext-secure-authinfo-transfer-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (21 October 2020) is 1255 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 7451 ** Obsolete normative reference: RFC 8499 (Obsoleted by RFC 9499) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Gould 3 Internet-Draft R. Wilhelm 4 Intended status: Standards Track VeriSign, Inc. 5 Expires: 24 April 2021 21 October 2020 7 Extensible Provisioning Protocol (EPP) Secure Authorization Information 8 for Transfer 9 draft-ietf-regext-secure-authinfo-transfer-04 11 Abstract 13 The Extensible Provisioning Protocol (EPP), in RFC 5730, defines the 14 use of authorization information to authorize a transfer. The 15 authorization information is object-specific and has been defined in 16 the EPP Domain Name Mapping, in RFC 5731, and the EPP Contact 17 Mapping, in RFC 5733, as password-based authorization information. 18 Other authorization mechanisms can be used, but in practice the 19 password-based authorization information has been used at the time of 20 object create, managed with the object update, and used to authorize 21 an object transfer request. What has not been fully considered is 22 the security of the authorization information that includes the 23 complexity of the authorization information, the time-to-live (TTL) 24 of the authorization information, and where and how the authorization 25 information is stored. This document defines an operational 26 practice, using the EPP RFCs, that leverages the use of strong random 27 authorization information values that are short-lived, that are not 28 stored by the client, and that are stored using a cryptographic hash 29 by the server to provide for secure authorization information used 30 for transfers. 32 Status of This Memo 34 This Internet-Draft is submitted in full conformance with the 35 provisions of BCP 78 and BCP 79. 37 Internet-Drafts are working documents of the Internet Engineering 38 Task Force (IETF). Note that other groups may also distribute 39 working documents as Internet-Drafts. The list of current Internet- 40 Drafts is at https://datatracker.ietf.org/drafts/current/. 42 Internet-Drafts are draft documents valid for a maximum of six months 43 and may be updated, replaced, or obsoleted by other documents at any 44 time. It is inappropriate to use Internet-Drafts as reference 45 material or to cite them other than as "work in progress." 47 This Internet-Draft will expire on 24 April 2021. 49 Copyright Notice 51 Copyright (c) 2020 IETF Trust and the persons identified as the 52 document authors. All rights reserved. 54 This document is subject to BCP 78 and the IETF Trust's Legal 55 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 56 license-info) in effect on the date of publication of this document. 57 Please review these documents carefully, as they describe your rights 58 and restrictions with respect to this document. Code Components 59 extracted from this document must include Simplified BSD License text 60 as described in Section 4.e of the Trust Legal Provisions and are 61 provided without warranty as described in the Simplified BSD License. 63 Table of Contents 65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 66 1.1. Conventions Used in This Document . . . . . . . . . . . . 4 67 2. Registrant, Registrar, Registry . . . . . . . . . . . . . . . 5 68 3. Signaling Client and Server Support . . . . . . . . . . . . . 6 69 4. Secure Authorization Information . . . . . . . . . . . . . . 7 70 4.1. Secure Random Authorization Information . . . . . . . . . 7 71 4.2. Authorization Information Time-To-Live (TTL) . . . . . . 8 72 4.3. Authorization Information Storage and Transport . . . . . 9 73 4.4. Authorization Information Matching . . . . . . . . . . . 9 74 5. Create, Transfer, and Secure Authorization Information . . . 10 75 5.1. Create Command . . . . . . . . . . . . . . . . . . . . . 10 76 5.2. Update Command . . . . . . . . . . . . . . . . . . . . . 12 77 5.3. Info Command and Response . . . . . . . . . . . . . . . . 15 78 5.4. Transfer Request Command . . . . . . . . . . . . . . . . 17 79 6. Transition Considerations . . . . . . . . . . . . . . . . . . 18 80 6.1. Transition Phase 1 - Features . . . . . . . . . . . . . . 19 81 6.2. Transition Phase 2 - Storage . . . . . . . . . . . . . . 20 82 6.3. Transition Phase 3 - Enforcement . . . . . . . . . . . . 21 83 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 84 7.1. XML Namespace . . . . . . . . . . . . . . . . . . . . . . 21 85 7.2. EPP Extension Registry . . . . . . . . . . . . . . . . . 21 86 8. Implementation Status . . . . . . . . . . . . . . . . . . . . 22 87 8.1. Verisign EPP SDK . . . . . . . . . . . . . . . . . . . . 22 88 8.2. RegistryEngine EPP Service . . . . . . . . . . . . . . . 23 89 9. Security Considerations . . . . . . . . . . . . . . . . . . . 23 90 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 91 11. Normative References . . . . . . . . . . . . . . . . . . . . 24 92 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 25 93 A.1. Change from 00 to 01 . . . . . . . . . . . . . . . . . . 25 94 A.2. Change from 01 to 02 . . . . . . . . . . . . . . . . . . 25 95 A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 25 96 A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 27 97 A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 27 98 A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 27 99 A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 27 100 A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 27 101 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 103 1. Introduction 105 The Extensible Provisioning Protocol (EPP), in [RFC5730], defines the 106 use of authorization information to authorize a transfer. The 107 authorization information is object-specific and has been defined in 108 the EPP Domain Name Mapping, in [RFC5731], and the EPP Contact 109 Mapping, in [RFC5733], as password-based authorization information. 110 Other authorization mechanisms can be used, but in practice the 111 password-based authorization information has been used at the time of 112 object create, managed with the object update, and used to authorize 113 an object transfer request. What has not been considered is the 114 security of the authorization information that includes the 115 complexity of the authorization information, the time-to-live (TTL) 116 of the authorization information, and where and how the authorization 117 information is stored. This document defines an operational 118 practice, using the EPP RFCs, that leverages the use of strong, 119 random authorization information values that are short-lived, that 120 are not stored by the client, and that are stored by the server using 121 a cryptographic hash to provide, for secure authorization information 122 used for transfers. This operational practice can be used to support 123 transfers of any EPP object, where the domain name object defined in 124 [RFC5731] is used in this document for illustration purposes. 125 Elements of the practice may be used to support the secure use of the 126 authorization information for purposes other than transfer, but any 127 other purposes and the applicable elements are out-of-scope for this 128 document. 130 The overall goal is to have strong, random authorization information 131 values, that are short-lived, and that are either not stored or 132 stored as a cryptographic hash values by the non-responsible parties. 133 In a registrant, registrar, and registry model, the registrant 134 registers the object through the registrar to the registry. The 135 registrant is the responsible party and the registrar and the 136 registry are the non-responsible parties. EPP is a protocol between 137 the registrar and the registry, where the registrar is referred to as 138 the client and the registry is referred to as the server. The 139 following are the elements of the operational practice and how the 140 existing features of the EPP RFCs can be leveraged to satisfy them: 142 "Strong Random Authorization Information": The EPP RFCs define the 143 password-based authorization information value using an XML 144 schema "normalizedString" type, so they don't restrict what can 145 be used in any way. This operational practice defines the 146 recommended mechanism for creating a strong random authorization 147 value, that would be generated by the client. 148 "Short-Lived Authorization Information": The EPP RFCs don't 149 explicitly support short-lived authorization information or a 150 time-to-live (TTL) for authorization information, but there are 151 EPP RFC features that can be leveraged to support short-lived 152 authorization information. If authorization information is set 153 only when there is a transfer in process, the server needs to 154 support empty authorization information on create, support 155 setting and unsetting authorization information, and support 156 automatically unsetting the authorization information upon a 157 successful transfer. All of these features can be supported by 158 the EPP RFCs. 159 "Storing Authorization Information Securely": The EPP RFCs don't 160 specify where and how the authorization information is stored in 161 the client or the server, so there are no restrictions to define 162 an operational practice for storing the authorization information 163 securely. The operational practice will not require the client 164 to store the authorization information and will require the 165 server to store the authorization information using a 166 cryptographic hash, with at least a 256-bit hash function such as 167 SHA-256, and with a random salt. Returning the authorization 168 information set in an EPP info response will not be supported. 170 1.1. Conventions Used in This Document 172 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 173 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 174 document are to be interpreted as described in RFC 2119 [RFC2119]. 176 XML is case sensitive. Unless stated otherwise, XML specifications 177 and examples provided in this document MUST be interpreted in the 178 character case presented in order to develop a conforming 179 implementation. 181 In examples, "C:" represents lines sent by a protocol client and "S:" 182 represents lines returned by a protocol server. Indentation and 183 white space in examples are provided only to illustrate element 184 relationships and are not a required feature of this protocol. 186 The examples reference XML namespace prefixes that are used for the 187 associated XML namespaces. Implementations MUST NOT depend on the 188 example XML namespaces and instead employ a proper namespace-aware 189 XML parser and serializer to interpret and output the XML documents. 190 The example namespace prefixes used and their associated XML 191 namespaces include: 193 "domain": urn:ietf:params:xml:ns:domain-1.0 194 "contact": urn:ietf:params:xml:ns:contact-1.0 196 2. Registrant, Registrar, Registry 198 The EPP RFCs refer to client and server, but when it comes to 199 transfers, there are three types of actors that are involved. This 200 document will refer to the actors as registrant, registrar, and 201 registry. [RFC8499] defines these terms formally for the Domain Name 202 System (DNS). The terms are further described below to cover their 203 roles as actors of using the authorization information in the 204 transfer process of any object in the registry, such as a domain name 205 or a contact: 207 "registrant": [RFC8499] defines the registrant as "an individual or 208 organization on whose behalf a name in a zone is registered by 209 the registry". The registrant can be the owner of any object in 210 the registry, such as a domain name or a contact. The registrant 211 interfaces with the registrar for provisioning the objects. A 212 transfer is coordinated by the registrant to transfer the 213 sponsorship of the object from one registrar to another. The 214 authorization information is meant to authenticate the registrant 215 as the owner of the object to the non-sponsoring registrar and to 216 authorize the transfer. 217 "registrar": [RFC8499] defines the registrar as "a service provider 218 that acts as a go-between for registrants and registries". The 219 registrar interfaces with the registrant for the provisioning of 220 objects, such as domain names and contacts, and with the 221 registries to satisfy the registrant's provisioning requests. A 222 registrar may directly interface with the registrant or may 223 indirectly interface with the registrant, typically through one 224 or more resellers. Implementing a transfer using secure 225 authorization information extends through the registrar's 226 reseller channel up to the direct interface with the registrant. 227 The registrar's interface with the registries uses EPP. The 228 registrar's interface with its reseller channel or the registrant 229 is registrar-specific. In the EPP RFCs, the registrar is 230 referred to as the "client", since EPP is the protocol used 231 between the registrar and the registry. The sponsoring registrar 232 is the authorized registrar to manage objects on behalf of the 233 registrant. A non-sponsoring registrar is not authorized to 234 manage objects on behalf of the registrant. A transfer of an 235 object's sponsorship is from one registrar, referred to as the 236 losing registrar, to another registrar, referred to as the 237 gaining registrar. 238 "registry": [RFC8499] defines the registry as "the administrative 239 operation of a zone that allows registration of names within the 240 zone". The registry typically interfaces with the registrars 241 over EPP and generally does not interact directly with the 242 registrant. In the EPP RFCs, the registry is referred to as the 243 "server", since EPP is the protocol used between the registrar 244 and the registry. The registry has a record of the sponsoring 245 registrar for each object and provides the mechanism (over EPP) 246 to coordinate a transfer of an object's sponsorship between 247 registrars. 249 3. Signaling Client and Server Support 251 This document does not define new protocol but an operational 252 practice using the existing EPP protocol, where the client and the 253 server can signal support for the BCP using a namespace URI in the 254 login and greeting extension services. The namespace URI 255 "urn:ietf:params:xml:ns:epp:secure-authinfo-transfer-1.0" is used to 256 signal support for the BCP. The client includes the namespace URI in 257 an element of the [RFC5730] Command. 258 The server includes the namespace URI in an 259 element of the [RFC5730] Greeting. 261 A client that receives the namespace URI in the server's Greeting 262 extension services, can expect the following supported behavior by 263 the server: 265 1. Support empty authorization information with a create command. 266 2. Support unsetting authorization information with an update 267 command. 268 3. Support validating authorization information with an info 269 command. 270 4. Support not returning an indication whether the authorization 271 information is set or unset to the non-sponsoring registrar. 272 5. Support returning empty authorization information to sponsoring 273 registrar when the authorization information is set in an info 274 response. 275 6. Support allowing for the passing of a matching non-empty 276 authorization information to authorize a transfer. 277 7. Support automatically unsetting the authorization information 278 upon a successful completion of transfer. 280 A server that receives the namespace URI in the client's 281 Command extension services, can expect the following supported 282 behavior by the client: 284 1. Support generation of authorization information using a secure 285 random value. 286 2. Support only setting the authorization information when there is 287 a transfer in process. 289 4. Secure Authorization Information 291 The authorization information in the EPP RFCs ([RFC5731] and 292 [RFC5733]) that support transfer use password-based authorization 293 information. Other EPP objects that support password-based 294 authorization information for transfer can use the Secure 295 Authorization Information defined in this document. For the 296 authorization information to be secure it must be a strong random 297 value and must have a short time-to-live (TTL). The security of the 298 authorization information is defined in the following sections. 300 4.1. Secure Random Authorization Information 302 For authorization information to be secure, it MUST be generated 303 using a secure random value. The authorization information is 304 treated as a password, where according to [RFC4086] a high-security 305 password must have at least 49 bits of randomness or entropy. The 306 required length L of a password, rounded up to the largest whole 307 number, is based on the set of characters N and the desired entropy 308 H, in the equation L = ROUNDUP(H / log2 N). With a target entropy of 309 49, the required length can be calculated after deciding on the set 310 of characters that will be randomized. The following are a set of 311 possible character sets and the calculation of the required length. 313 Calculation of the required length with 49 bits of entropy and with 314 the set of all printable ASCII characters except space (0x20), which 315 consists of the 94 characters 0x21-0x7E. 317 ROUNDUP(49 / log2 94) =~ ROUNDUP(49 / 6.55) =~ ROUNDUP(7.48) = 8 319 Calculation of the required length with 49 bits of entropy and with 320 the set of case-insensitive alphanumeric characters, which consists 321 of 36 characters (a-z A-Z 0-9). 323 ROUNDUP(49 / log2 36) =~ ROUNDUP(49 / 5.17) =~ ROUNDUP(9.48) = 10 324 Considering the age of [RFC4086], the evolution of security 325 practices, and that the authorization information is a machine- 326 generated value, the recommendation is to use at least 128 bits of 327 entropy. The lengths are recalculated below using 128 bits of 328 entropy. 330 Calculation of the required length with 128 bits of entropy and with 331 the set of all printable ASCII characters except space (0x20), which 332 consists of the 94 characters 0x21-0x7E. 334 ROUNDUP(128 / log2 94) =~ ROUNDUP(128 / 6.55) =~ ROUNDUP(19.54) = 20 336 Calculation of the required length with 128 bits of entropy and with 337 the set of case insensitive alphanumeric characters, which consists 338 of 36 characters (a-z A-Z 0-9). 340 ROUNDUP(128 / log2 36) =~ ROUNDUP(128 / 5.17) =~ ROUNDUP(24.76) = 25 342 The strength of the random authorization information is dependent on 343 the actual entropy of the underlying random number generator. For 344 the random number generator, the practices defined in [RFC4086] and 345 section 4.7.1 of the NIST Federal Information Processing Standards 346 (FIPS) Publication 140-2 347 (https://csrc.nist.gov/publications/detail/fips/140/2/final) SHOULD 348 be followed to produce random values that will be resistant to 349 attack. A random number generator (RNG) is preferable over the use 350 of a pseudorandom number generator (PRNG) to reduce the 351 predictability of the authorization information. The more 352 predictable the random number generator is, the lower the true 353 entropy, and the longer the required length for the authorization 354 information. 356 4.2. Authorization Information Time-To-Live (TTL) 358 The authorization information SHOULD only be set when there is a 359 transfer in process. This implies that the authorization information 360 has a Time-To-Live (TTL) by which the authorization information is 361 cleared when the TTL expires. The EPP RFCs have no definition of 362 TTL, but since the server supports the setting and unsetting of the 363 authorization information by the sponsoring registrar, then the 364 sponsoring registrar can apply a TTL based on client policy. The TTL 365 client policy may be based on proprietary registrar-specific criteria 366 which provides for a transfer-specific TTL tuned for the particular 367 circumstances of the transaction. The sponsoring registrar will be 368 aware of the TTL and the sponsoring registrar MUST inform the 369 registrant of the TTL when the authorization information is provided 370 to the registrant. 372 4.3. Authorization Information Storage and Transport 374 To protect the disclosure of the authorization information, the 375 following requirements apply: 377 1. The authorization information MUST be stored by the registry 378 using a strong one-way cryptographic hash, with at least a 379 256-bit hash function such as SHA-256, and with a random salt. 380 2. An empty authorization information MUST be stored as an undefined 381 value that is referred to as a NULL value. The representation of 382 an NULL (undefined) value is dependent on the type of database 383 used. 384 3. The authorization information MUST NOT be stored by the losing 385 registrar. 386 4. The authorization information MUST only be stored by the gaining 387 registrar as a "transient" value in support of the transfer 388 process. 389 5. The plain text version of the authorization information MUST NOT 390 be written to any logs by the registrar or the registry. 391 6. All communication that includes the authorization information 392 MUST be over an encrypted channel, such as defined in [RFC5734] 393 for EPP. 394 7. The registrar's interface for communicating the authorization 395 information with the registrant MUST be over an authenticated and 396 encrypted channel. 398 4.4. Authorization Information Matching 400 To support the authorization information TTL, as defined in 401 Section 4.2, the authorization information must have either a set or 402 unset state. The unset authorization information is stored with a 403 NULL (undefined) value. Based on the requirement to store the 404 authorization information using a strong one-way cryptographic hash, 405 as defined in Section 4.3, a set authorization information is stored 406 with a non-NULL hashed value. The empty authorization information is 407 used as input in both the create command (Section 5.1) and the update 408 command (Section 5.2) to define the unset state. The matching of the 409 authorization information in the info command (Section 5.3) and the 410 transfer request command (Section 5.4) is based on the following 411 rules: 413 1. Any input authorization information value MUST NOT match an unset 414 authorization information value. 415 2. An empty input authorization information value MUST NOT match any 416 authorization information value. 417 3. A non-empty input authorization information value MUST be hashed 418 and matched against the set authorization information value, 419 which is stored using the same hash algorithm. 421 5. Create, Transfer, and Secure Authorization Information 423 To make the transfer process secure using secure authorization 424 information, as defined in Section 4, the client and server need to 425 implement steps where the authorization information is set only when 426 a transfer is actively in process and ensure that the authorization 427 information is stored securely and transported only over secure 428 channels. The steps in management of the authorization information 429 for transfers include: 431 1. Registrant requests to register the object with the registrar. 432 Registrar sends the create command, with empty authorization 433 information, to the registry, as defined in Section 5.1. 434 2. Registrant requests from the losing registrar the authorization 435 information to provide to the gaining registrar. 436 3. Losing registrar generates a secure random authorization 437 information value, sends it to the registry as defined in 438 Section 5.2, and provides it to the registrant. 439 4. Registrant provides the authorization information value to the 440 gaining registrar. 441 5. Gaining registrar optionally verifies the authorization 442 information with the info command to the registry, as defined in 443 Section 5.3. 444 6. Gaining registrar sends the transfer request with the 445 authorization information to the registry, as defined in 446 Section 5.4. 447 7. If the transfer successfully completes, the registry 448 automatically unsets the authorization information; otherwise the 449 losing registrar unsets the authorization information when the 450 TTL expires, as defined in Section 5.2. 452 The following sections outline the practices of the EPP commands and 453 responses between the registrar and the registry that supports secure 454 authorization information for transfer. 456 5.1. Create Command 458 For a create command, the registry MUST allow for the passing of an 459 empty authorization information and MAY disallow for the passing of a 460 non-empty authorization information. By having an empty 461 authorization information on create, the object is initially not in 462 the transfer process. Any EPP object extension that supports setting 463 the authorization information with a "eppcom:pwAuthInfoType" element, 464 can have an empty authorization information passed, such as [RFC5731] 465 and [RFC5733]. 467 Example of passing empty authorization information in an [RFC5731] 468 domain name create command. 470 C: 471 C: 472 C: 473 C: 474 C: 476 C: example.com 477 C: 478 C: 479 C: 480 C: 481 C: 482 C: ABC-12345 483 C: 484 C: 486 Example of passing empty authorization information in an [RFC5733] 487 contact create command. 489 C: 490 C: 491 C: 492 C: 493 C: 495 C: sh8013 496 C: 497 C: John Doe 498 C: 499 C: Dulles 500 C: US 501 C: 502 C: 503 C: jdoe@example.com 504 C: 505 C: 506 C: 507 C: 508 C: 509 C: ABC-12345 510 C: 511 C: 513 5.2. Update Command 515 For an update command, the registry MUST allow for the setting and 516 unsetting of the authorization information. The registrar sets the 517 authorization information by first generating a strong, random 518 authorization information value, based on Section 4.1, and setting it 519 in the registry in the update command. The registry SHOULD validate 520 the randomness of the authorization information based on the length 521 and character set required by the registry. For example, a registry 522 that requires 20 random printable ASCII characters except space 523 (0x20), should validate that the authorization information contains 524 at least one upper case alpha character, one lower case alpha 525 character, and one non-alpha numeric character. If the authorization 526 information fails the randomness validation, the registry MUST return 527 an EPP error result code of 2202. 529 Often the registrar has the "clientTransferProhibited" status set, so 530 to start the transfer process, the "clientTransferProhibited" status 531 needs to be removed, and the strong, random authorization information 532 value needs to be set. The registrar MUST define a time-to-live 533 (TTL), as defined in Section 4.2, where if the TTL expires the 534 registrar will unset the authorization information. 536 Example of removing the "clientTransferProhibited" status and setting 537 the authorization information in an [RFC5731] domain name update 538 command. 540 C: 541 C: 542 C: 543 C: 544 C: 546 C: example.com 547 C: 548 C: 549 C: 550 C: 551 C: 552 C: LuQ7Bu@w9?%+_HK3cayg$55$LSft3MPP 553 C: 554 C: 555 C: 556 C: 557 C: 558 C: ABC-12345-XYZ 559 C: 560 C: 561 When the registrar-defined TTL expires, the sponsoring registrar 562 cancels the transfer process by unsetting the authorization 563 information value and may add back statuses like the 564 "clientTransferProbited" status. Any EPP object extension that 565 supports setting the authorization information with a 566 "eppcom:pwAuthInfoType" element, can have an empty authorization 567 information passed, such as [RFC5731] and [RFC5733]. Setting an 568 empty authorization information unsets the value. [RFC5731] supports 569 an explicit mechanism of unsetting the authorization information, by 570 passing the authorization information value. The 571 registry MUST support unsetting the authorization information by 572 accepting an empty authorization information value and accepting an 573 explicit unset element if it is supported by the object extension. 575 Example of adding the "clientTransferProhibited" status and unsetting 576 the authorization information explicitly in an [RFC5731] domain name 577 update command. 579 C: 580 C: 581 C: 582 C: 583 C: 585 C: example.com 586 C: 587 C: 588 C: 589 C: 590 C: 591 C: 592 C: 593 C: 594 C: 595 C: 596 C: ABC-12345-XYZ 597 C: 598 C: 600 Example of unsetting the authorization information with an empty 601 authorization information in an [RFC5731] domain name update command. 603 C: 604 C: 605 C: 606 C: 607 C: 609 C: example.com 610 C: 611 C: 612 C: 613 C: 614 C: 615 C: 616 C: 617 C: 618 C: 619 C: 620 C: ABC-12345-XYZ 621 C: 622 C: 624 Example of unsetting the authorization information with an empty 625 authorization information in an [RFC5733] contact update command. 627 C: 628 C: 629 C: 630 C: 631 C: 633 C: sh8013 634 C: 635 C: 636 C: 637 C: 638 C: 639 C: 640 C: 641 C: ABC-12345-XYZ 642 C: 643 C: 645 5.3. Info Command and Response 647 For an info command, the registry MUST allow for the passing of a 648 non-empty authorization information for verification. The gaining 649 registrar can pre-verify the authorization information provided by 650 the registrant prior to submitting the transfer request with the use 651 of the info command. The registry compares the hash of the passed 652 authorization information with the hashed authorization information 653 value stored for the object. When the authorization information is 654 not set or the passed authorization information does not match the 655 previously set value, the registry MUST return an EPP error result 656 code of 2202 [RFC5730]. 658 Example of passing a non-empty authorization information in an 659 [RFC5731] domain name info command to verify the authorization 660 information value. 662 C: 663 C: 664 C: 665 C: 666 C: 668 C: example.com 669 C: 670 C: LuQ7Bu@w9?%+_HK3cayg$55$LSft3MPP 671 C: 672 C: 673 C: 674 C: 675 C: ABC-12345 676 C: 677 C: 678 The info response in object extensions, such as [RFC5731] and 679 [RFC5733], MUST NOT include the optional authorization information 680 element with a non-empty authorization value. The authorization 681 information is stored as a hash in the registry, so returning the 682 plain text authorization information is not possible, unless a valid 683 plain text authorization information is passed in the info command. 684 The registry MUST NOT return any indication of whether the 685 authorization information is set or unset to the non-sponsoring 686 registrar by not returning the authorization information element in 687 the response. The registry MAY return an indication to the 688 sponsoring registrar that the authorization information is set by 689 using an empty authorization information value. The registry MAY 690 return an indication to the sponsoring registrar that the 691 authorization information is unset by not returning the authorization 692 information element. 694 Example of returning an empty authorization information in an 695 [RFC5731] domain name info response to indicate to the sponsoring 696 registrar that the authorization information is set. 698 S: 699 S: 700 S: 701 S: 702 S: Command completed successfully 703 S: 704 S: 705 S: 707 S: example.com 708 S: EXAMPLE1-REP 709 S: 710 S: ClientX 711 S: 712 S: 713 S: 714 S: 715 S: 716 S: 717 S: ABC-12345 718 S: 54322-XYZ 719 S: 720 S: 721 S: 723 5.4. Transfer Request Command 725 For a Transfer Request Command, the registry MUST allow for the 726 passing of a non-empty authorization information to authorize a 727 transfer. The registry compares the hash of the passed authorization 728 information with the hashed authorization information value stored 729 for the object. When the authorization information is not set or the 730 passed authorization information does not match the previously set 731 value, the registry MUST return an EPP error result code of 2202 732 [RFC5730]. Whether the transfer occurs immediately or is pending is 733 up to server policy. When the transfer occurs immediately, the 734 registry MUST return the EPP success result code of 1000 and when the 735 transfer is pending, the registry MUST return the EPP success result 736 code of 1001. The losing registrar MUST be informed of a successful 737 transfer request using an EPP poll message. 739 Example of passing a non-empty authorization information in an 740 [RFC5731] domain name transfer request command to authorize the 741 transfer. 743 C: 744 C: 745 C: 746 C: 747 C: 749 C: example1.com 750 C: 751 C: LuQ7Bu@w9?%+_HK3cayg$55$LSft3MPP 752 C: 753 C: 754 C: 755 C: 756 C: ABC-12345 757 C: 758 C: 760 Upon successful completion of the transfer, the registry MUST 761 automatically unset the authorization information. If the transfer 762 request is not submitted within the time-to-live (TTL) (Section 4.2) 763 or the transfer is cancelled or rejected, the registrar MUST unset 764 the authorization information as defined in Section 5.2. 766 6. Transition Considerations 768 The goal of the transition considerations to the practice defined in 769 this document, referred to as the Secure Authorization Information 770 Model, is to minimize the impact to the registrars by supporting 771 incremental steps of adoption. The transtion steps are dependent on 772 the starting point of the registry. Registries may have different 773 starting points, since some of the elements of the Secure 774 Authorization Information Model may have already been implemented. 775 The considerations assume a starting point, referred to as the 776 Classic Authorization Information Model, that have the following 777 steps in the management of the authorization information for 778 transfers: 780 1. Registrant requests to register the object with the registrar. 781 Registrar sends the create command, with a non-empty 782 authorization information, to the registry. The registry stores 783 the authorization information as an encrypted value and requires 784 a non-empty authorization information for the life of the object. 785 The registrar may store the long-lived authorization information. 786 2. At the time of transfer, Registrant requests from the losing 787 registrar the authorization information to provide to the gaining 788 registrar. 789 3. Losing registrar retrieves the stored authorization information 790 locally or queries the registry for authorization information 791 using the info command, and provides it to the registrant. If 792 the registry is queried, the authorization information is 793 decrypted and the plain text authorization information is 794 returned in the info response to the registrar. 795 4. Registrant provides the authorization information value to the 796 gaining registrar. 797 5. Gaining registrar optionally verifies the authorization 798 information with the info command to the registry, by passing the 799 authorization information in the info command to the registry. 800 6. Gaining registrar sends the transfer request with the 801 authorization information to the registry. The registry will 802 decrypt the stored authorization information to compare to the 803 passed authorization information. 804 7. If the transfer successfully completes, the authorization 805 information is not touched by the registry and may be updated by 806 the gaining registrar using the update command. If the transfer 807 is cancelled or rejected, the losing registrar may reset the 808 authorization information using the update command. 810 The gaps between the Classic Authorization Information Model and the 811 Secure Authorization Information Model include: 813 1. Registry requirement for a non-empty authorization information on 814 create and for the life of the object versus the authorization 815 information not being set on create and only being set when a 816 transfer is in process. 817 2. Registry not allowing the authorization information to be unset 818 versus supporting the authorization to be unset in the update 819 command. 820 3. Registry storing the authorization information as an encrypted 821 value versus as a hashed value. 822 4. Registry support for returning the authorization information 823 versus not returning the authorization information in the info 824 response. 825 5. Registry not touching the authorization information versus the 826 registry automatically unsetting the authorization information 827 upon a successful transfer. 828 6. Registry may validate a shorter authorization information value 829 using password complexity rules versus validating the randomness 830 of a longer authorization information value that meets the 831 required bits of entropy. 833 The transition can be handled in the three phases defined in the sub- 834 sections Section 6.1, Section 6.2, Section 6.3. 836 6.1. Transition Phase 1 - Features 838 The goal of the "Transition Phase 1 - Features" is to implement the 839 needed features in EPP so that the registrar can optionally implement 840 the Secure Authorization Information Model. The features to 841 implement are broken out by the command and responses below: 843 Create Command: Change the create command to make the authorization 844 information optional, by allowing both a non-empty value and an 845 empty value. This enables a registrar to optionally create 846 objects without an authorization information value, as defined in 847 Section 5.1. 848 Update Command: Change the update command to allow unsetting the 849 authorization information, as defined in Section 5.2. This 850 enables the registrar to optionally unset the authorization 851 information when the TTL expires or when the transfer is cancelled 852 or rejected. 853 Transfer Approve Command and Transfer Auto-Approve: Change the 854 transfer approve command and the transfer auto-approve to 855 automatically unset the authorization information. This sets the 856 default state of the object to not have the authorization 857 information set. The registrar implementing the Secure 858 Authorization Information Model will not set the authorization 859 information for an inbound transfer and the registrar implementing 860 the Classic Authorization Information Model will set the new 861 authorization information upon the successful transfer. 862 Info Response: Change the info command to not return the 863 authorization information in the info response, as defined in 864 Section 5.3. This sets up the implementation of "Transition Phase 865 2 - Storage", since the dependency in returning the authorization 866 information in the info response will be removed. This feature is 867 the only one that is not an optional change to the registrar. 868 Info Command and Transfer Request: Change the info command and the 869 transfer request to ensure that a registrar cannot get an 870 indication that the authorization information is set or not set by 871 returning the EPP error result code of 2202 when comparing a 872 passed authorization to a non-matching set authorization 873 information value or an unset value. 875 6.2. Transition Phase 2 - Storage 877 The goal of the "Transition Phase 2 - Storage" is to transition the 878 registry to use hashed authorization information instead of encrypted 879 authorization information. There is no direct impact to the 880 registrars, since the only visible indication that the authorization 881 information has been hashed is by not returning the set authorization 882 information in the info response, which is addressed in Transition 883 Phase 1 - Features (Section 6.1). There are three steps to 884 transition the authorization information storage, which includes: 886 Hash New Authorization Information Values: Change the create command 887 and the update command to hash instead of encyrpting the 888 authorization information. 889 Supporting Comparing Against Encrypted and Hashed Authorization 890 Information: Change the info command and the transfer request 891 command to be able to compare a passed authorization information 892 value with either a hashed or encyrpted authorization information 893 value. 894 Hash Existing Encrypted Authorization Information Values: Convert 895 the encrypted authorization information values stored in the 896 registry database to hashed values. The update is not a visible 897 change to the registrar. The conversion can be done over a period 898 of time depending on registry policy. 900 6.3. Transition Phase 3 - Enforcement 902 The goal of the "Transition Phase 3 - Enforcement" is to complete the 903 implementation of the "Secure Authorization Information Model", by 904 enforcing the following: 906 Disallow Authorization Information on Create Command: Change the 907 create command to not allow for the passing of a non-empty 908 authorization information value. 909 Validate the Strong Random Authorization Information: Change the 910 validation of the authorization information in the update command 911 to ensure at least 128 bits of entropy. 913 7. IANA Considerations 915 7.1. XML Namespace 917 This document uses URNs to describe XML namespaces conforming to a 918 registry mechanism described in [RFC3688]. The following URI 919 assignment is requested of IANA: 921 Registration request for the secure authorization information for 922 transfer namespace: 924 URI: urn:ietf:params:xml:ns:epp:secure-authinfo-transfer-1.0 925 Registrant Contact: IESG 926 XML: None. Namespace URIs do not represent an XML specification. 928 7.2. EPP Extension Registry 930 The EPP operational practice described in this document should be 931 registered by the IANA in the EPP Extension Registry described in 932 [RFC7451]. The details of the registration are as follows: 934 Name of Extension: "Extensible Provisioning Protocol (EPP) Secure 935 Authorization Information for Transfer" 937 Document status: Standards Track 939 Reference: (insert reference to RFC version of this document) 941 Registrant Name and Email Address: IESG, 943 TLDs: Any 945 IPR Disclosure: None 947 Status: Active 948 Notes: None 950 8. Implementation Status 952 Note to RFC Editor: Please remove this section and the reference to 953 RFC 7942 [RFC7942] before publication. 955 This section records the status of known implementations of the 956 protocol defined by this specification at the time of posting of this 957 Internet-Draft, and is based on a proposal described in RFC 7942 958 [RFC7942]. The description of implementations in this section is 959 intended to assist the IETF in its decision processes in progressing 960 drafts to RFCs. Please note that the listing of any individual 961 implementation here does not imply endorsement by the IETF. 962 Furthermore, no effort has been spent to verify the information 963 presented here that was supplied by IETF contributors. This is not 964 intended as, and must not be construed to be, a catalog of available 965 implementations or their features. Readers are advised to note that 966 other implementations may exist. 968 According to RFC 7942 [RFC7942], "this will allow reviewers and 969 working groups to assign due consideration to documents that have the 970 benefit of running code, which may serve as evidence of valuable 971 experimentation and feedback that have made the implemented protocols 972 more mature. It is up to the individual working groups to use this 973 information as they see fit". 975 8.1. Verisign EPP SDK 977 Organization: Verisign Inc. 979 Name: Verisign EPP SDK 981 Description: The Verisign EPP SDK includes both a full client 982 implementation and a full server stub implementation of draft-ietf- 983 regext-secure-authinfo-transfer. 985 Level of maturity: Development 987 Coverage: All aspects of the protocol are implemented. 989 Licensing: GNU Lesser General Public License 991 Contact: jgould@verisign.com 993 URL: https://www.verisign.com/en_US/channel-resources/domain- 994 registry-products/epp-sdks 996 8.2. RegistryEngine EPP Service 998 Organization: CentralNic 1000 Name: RegistryEngine EPP Service 1002 Description: Generic high-volume EPP service for gTLDs, ccTLDs and 1003 SLDs 1005 Level of maturity: Deployed in CentralNic's production environment as 1006 well as two other gTLD registry systems, and two ccTLD registry 1007 systems. 1009 Coverage: Authorization Information is "write only" in that the 1010 registrars can set the Authorization Information, but not get the 1011 Authorization Information in the Info Response. 1013 Licensing: Proprietary In-House software 1015 Contact: epp@centralnic.com 1017 URL: https://www.centralnic.com 1019 9. Security Considerations 1021 Section 4.1 defines the use a secure random value for the generation 1022 of the authorization information. The server SHOULD define policy 1023 related to the length and set of characters that are included in the 1024 randomization to target the desired entropy level, with the 1025 recommendation of at least 49 bits for entropy. The authorization 1026 information server policy is communicated to the client using an out- 1027 of-band process. The client SHOULD choose a length and set of 1028 characters that results in entropy that meets or exceeds the server 1029 policy. A random number generator (RNG) is preferable over the use 1030 of a pseudorandom number generator (PRNG) when creating the 1031 authorization information value. 1033 Section 4.2 defines the use of an authorization information Time-To- 1034 Live (TTL). The registrar SHOULD only set the authorization 1035 information during the transfer process by the server support for 1036 setting and unsetting the authorization information. The TTL value 1037 is up to registrar policy and the sponsoring registrar MUST inform 1038 the registrant of the TTL when providing the authorization 1039 information to the registrant. 1041 Section 4.3 defines the storage and transport of authorization 1042 information. The losing registrar MUST NOT store the authorization 1043 information and the gaining registrar MUST only store the 1044 authorization information as a "transient" value during the transfer 1045 process, where the authorization information MUST NOT be stored after 1046 the end of the transfer process. The registry MUST store the 1047 authorization information using a one-way cryptographic hash of at 1048 least 256 bits and with a random salt. All communication that 1049 includes the authorization information MUST be over an encrypted 1050 channel. The plain text authorization information MUST NOT be 1051 written to any logs by the registrar or the registry. 1053 Section 4.4 defines the matching of the authorization information 1054 values. The registry stores an unset authorization information as a 1055 NULL (undefined) value to ensure that an empty input authorization 1056 information never matches it. The method used to define a NULL 1057 (undefined) value is database specific. 1059 10. Acknowledgements 1061 The authors wish to thank the following persons for their feedback 1062 and suggestions: Michael Bauland, Martin Casanova, Scott Hollenbeck, 1063 Jody Kolker, Patrick Mevzek, Matthew Pozun, Srikanth Veeramachaneni, 1064 and Ulrich Wisser. 1066 11. Normative References 1068 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1069 Requirement Levels", BCP 14, RFC 2119, 1070 DOI 10.17487/RFC2119, March 1997, 1071 . 1073 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1074 DOI 10.17487/RFC3688, January 2004, 1075 . 1077 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 1078 "Randomness Requirements for Security", BCP 106, RFC 4086, 1079 DOI 10.17487/RFC4086, June 2005, 1080 . 1082 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 1083 STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, 1084 . 1086 [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 1087 Domain Name Mapping", STD 69, RFC 5731, 1088 DOI 10.17487/RFC5731, August 2009, 1089 . 1091 [RFC5733] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 1092 Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733, 1093 August 2009, . 1095 [RFC5734] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 1096 Transport over TCP", STD 69, RFC 5734, 1097 DOI 10.17487/RFC5734, August 2009, 1098 . 1100 [RFC7451] Hollenbeck, S., "Extension Registry for the Extensible 1101 Provisioning Protocol", RFC 7451, DOI 10.17487/RFC7451, 1102 February 2015, . 1104 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 1105 Code: The Implementation Status Section", BCP 205, 1106 RFC 7942, DOI 10.17487/RFC7942, July 2016, 1107 . 1109 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 1110 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 1111 January 2019, . 1113 Appendix A. Change History 1115 A.1. Change from 00 to 01 1117 1. Filled in the "Implementation Status" section with the inclusion 1118 of the "Verisign EPP SDK" and "RegistryEngine EPP Service" 1119 implementations. 1120 2. Made small wording corrections based on private feedback. 1121 3. Added content to the "Acknowledgements" section. 1123 A.2. Change from 01 to 02 1125 1. Revised the language used for the storage of the authorization 1126 information based on the feedback from Patrick Mevzek and Jody 1127 Kolker. 1129 A.3. Change from 02 to 03 1131 1. Updates based on the feedback from the interim REGEXT meeting 1132 held at ICANN-66: 1133 1. Section 3.3, include a reference to the hash algorithm to 1134 use. Broke the requirements into a list and included a the 1135 reference the text ', with at least a 256-bit hash function, 1136 such as SHA-256'. 1138 2. Add a Transition Considerations section to cover the 1139 transition from the classic authorization information 1140 security model in the EPP RFCs to the model defined in the 1141 document. 1142 3. Add a statement to the Introduction that elements of the 1143 practice can be used for purposes other than transfer, but 1144 with a caveat. 1145 2. Updates based on the review by Michael Bauland, that include: 1146 1. In section 2, change 'there are three actors' to 'there are 1147 three types of actors' to cover the case with transfers that 1148 has two registrar actors (losing and gaining). 1149 2. In section 3.1, change the equations equals to be 1150 approximately equal by using '=~' instead of '=', where 1151 applicable. 1152 3. In section 3.3, change 'MUST be over an encrypted channel, 1153 such as [RFC5734]'' to 'MUST be over an encrypted channel, 1154 such as defined in [RFC5734]''. 1155 4. In section 4.1, remove the optional RFC 5733 elements from 1156 the contact create, which includes the , 1157 , , , 1158 , , and elements. 1159 5. In section 4.2, changed 'Example of unsetting the 1160 authorization information explicitly in an [RFC5731] domain 1161 name update command.' to 'Example of adding the 1162 "clientTransferProhibited" status and unsetting the 1163 authorization information explicitly in an [RFC5731] domain 1164 name update command.' 1165 6. In section 4.3, cover a corner case of the ability to return 1166 the authorization information when it's passed in the info 1167 command. 1168 7. In section 4.4, change 'If the transfer does not complete 1169 within the time-to-live (TTL)' to 'If the transfer is not 1170 initiated within the time-to-live (TTL)', since the TTL is 1171 the time between setting the authorization information and 1172 when it's successfully used in a transfer request. Added the 1173 case of unsetting the authorization information when the 1174 transfer is cancelled or rejected. 1175 3. Updates based on the authorization information messages by Martin 1176 Casanova on the REGEXT mailing list, that include: 1177 1. Added section 3.4 'Authorization Information Matching' to 1178 clarify how the authorization information is matched, when 1179 there is set and unset authorization information in the 1180 database and empty and non-empty authorization information 1181 passed in the info and transfer commands. 1182 2. Added support for signaling that the authorization 1183 information is set or unset to the sponsoring registrar with 1184 the inclusion of an empty authorization information element 1185 in the response to indicate that the authorization 1186 information is set and the exclusion of the authorization 1187 information element in the response to indicate that the 1188 authorization information is unset. 1189 4. Made the capitalization of command and response references 1190 consistent by uppercasing section and item titles and lowercasing 1191 references elsewhere. 1193 A.4. Change from 03 to REGEXT 00 1195 1. Changed to regext working group draft by changing draft-gould- 1196 regext-secure-authinfo-transfer to draft-ietf-regext-secure- 1197 authinfo-transfer. 1199 A.5. Change from REGEXT 00 to REGEXT 01 1201 1. Added the "Signaling Client and Server Support" section to 1202 describe the mechanism to signal support for the BCP by the 1203 client and the server. 1204 2. Added the "IANA Considerations" section with the registration of 1205 the secure authorization for transfer XML namespace and the 1206 registration of the EPP Best Current Practice (BCP) in the EPP 1207 Extension Registry. 1209 A.6. Change from REGEXT 01 to REGEXT 02 1211 1. Added inclusion of random salt for the hashed authorization 1212 information, based on feedback from Ulrich Wisser. 1213 2. Added clarification that the representation of a NULL (undefined) 1214 value is dependent on the type of database, based on feedback 1215 from Patrick Mevzek. 1216 3. Filled in the Security Considerations section. 1218 A.7. Change from REGEXT 02 to REGEXT 03 1220 1. Updated the XML namespace to urn:ietf:params:xml:ns:epp:secure- 1221 authinfo-transfer-1.0, which removed bcp from the namespace and 1222 bumped the version from 0.1 and 1.0. Inclusion of bcp in the XML 1223 namespace was discussed at the REGEXT interim meeting. 1224 2. Replaced Auhtorization with Authorization based on a review by 1225 Jody Kolker. 1227 A.8. Change from REGEXT 03 to REGEXT 04 1229 1. Converted from xml2rfc v2 to v3. 1230 2. Updated Acknowledgements to match the approach taken by the RFC 1231 Editor with draft-ietf-regext-login-security. 1232 3. Changed from Best Current Practice (BCP) to Standards Track based 1233 on mailing list discussion. 1235 Authors' Addresses 1237 James Gould 1238 VeriSign, Inc. 1239 12061 Bluemont Way 1240 Reston, VA 20190 1241 United States of America 1243 Email: jgould@verisign.com 1244 URI: http://www.verisign.com 1246 Richard Wilhelm 1247 VeriSign, Inc. 1248 12061 Bluemont Way 1249 Reston, VA 20190 1250 United States of America 1252 Email: rwilhelm@verisign.com 1253 URI: http://www.verisign.com