idnits 2.17.1 draft-ietf-regext-secure-authinfo-transfer-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (4 January 2021) is 1208 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 8499 (Obsoleted by RFC 9499) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Gould 3 Internet-Draft R. Wilhelm 4 Intended status: Standards Track VeriSign, Inc. 5 Expires: 8 July 2021 4 January 2021 7 Extensible Provisioning Protocol (EPP) Secure Authorization Information 8 for Transfer 9 draft-ietf-regext-secure-authinfo-transfer-05 11 Abstract 13 The Extensible Provisioning Protocol (EPP), in RFC 5730, defines the 14 use of authorization information to authorize a transfer. The 15 authorization information is object-specific and has been defined in 16 the EPP Domain Name Mapping, in RFC 5731, and the EPP Contact 17 Mapping, in RFC 5733, as password-based authorization information. 18 Other authorization mechanisms can be used, but in practice the 19 password-based authorization information has been used at the time of 20 object create, managed with the object update, and used to authorize 21 an object transfer request. What has not been fully considered is 22 the security of the authorization information that includes the 23 complexity of the authorization information, the time-to-live (TTL) 24 of the authorization information, and where and how the authorization 25 information is stored. This document defines an operational 26 practice, using the EPP RFCs, that leverages the use of strong random 27 authorization information values that are short-lived, that are not 28 stored by the client, and that are stored using a cryptographic hash 29 by the server to provide for secure authorization information used 30 for transfers. 32 Status of This Memo 34 This Internet-Draft is submitted in full conformance with the 35 provisions of BCP 78 and BCP 79. 37 Internet-Drafts are working documents of the Internet Engineering 38 Task Force (IETF). Note that other groups may also distribute 39 working documents as Internet-Drafts. The list of current Internet- 40 Drafts is at https://datatracker.ietf.org/drafts/current/. 42 Internet-Drafts are draft documents valid for a maximum of six months 43 and may be updated, replaced, or obsoleted by other documents at any 44 time. It is inappropriate to use Internet-Drafts as reference 45 material or to cite them other than as "work in progress." 47 This Internet-Draft will expire on 8 July 2021. 49 Copyright Notice 51 Copyright (c) 2021 IETF Trust and the persons identified as the 52 document authors. All rights reserved. 54 This document is subject to BCP 78 and the IETF Trust's Legal 55 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 56 license-info) in effect on the date of publication of this document. 57 Please review these documents carefully, as they describe your rights 58 and restrictions with respect to this document. Code Components 59 extracted from this document must include Simplified BSD License text 60 as described in Section 4.e of the Trust Legal Provisions and are 61 provided without warranty as described in the Simplified BSD License. 63 Table of Contents 65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 66 1.1. Conventions Used in This Document . . . . . . . . . . . . 4 67 2. Registrant, Registrar, Registry . . . . . . . . . . . . . . . 5 68 3. Signaling Client and Server Support . . . . . . . . . . . . . 6 69 4. Secure Authorization Information . . . . . . . . . . . . . . 7 70 4.1. Secure Random Authorization Information . . . . . . . . . 7 71 4.2. Authorization Information Time-To-Live (TTL) . . . . . . 8 72 4.3. Authorization Information Storage and Transport . . . . . 9 73 4.4. Authorization Information Matching . . . . . . . . . . . 9 74 5. Create, Transfer, and Secure Authorization Information . . . 10 75 5.1. Create Command . . . . . . . . . . . . . . . . . . . . . 10 76 5.2. Update Command . . . . . . . . . . . . . . . . . . . . . 12 77 5.3. Info Command and Response . . . . . . . . . . . . . . . . 15 78 5.4. Transfer Request Command . . . . . . . . . . . . . . . . 17 79 6. Transition Considerations . . . . . . . . . . . . . . . . . . 18 80 6.1. Transition Phase 1 - Features . . . . . . . . . . . . . . 19 81 6.2. Transition Phase 2 - Storage . . . . . . . . . . . . . . 20 82 6.3. Transition Phase 3 - Enforcement . . . . . . . . . . . . 21 83 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 84 7.1. XML Namespace . . . . . . . . . . . . . . . . . . . . . . 21 85 7.2. EPP Extension Registry . . . . . . . . . . . . . . . . . 21 86 8. Implementation Status . . . . . . . . . . . . . . . . . . . . 22 87 8.1. Verisign EPP SDK . . . . . . . . . . . . . . . . . . . . 22 88 8.2. RegistryEngine EPP Service . . . . . . . . . . . . . . . 23 89 9. Security Considerations . . . . . . . . . . . . . . . . . . . 23 90 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 91 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 92 11.1. Normative References . . . . . . . . . . . . . . . . . . 24 93 11.2. Informative References . . . . . . . . . . . . . . . . . 25 94 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 25 95 A.1. Change from 00 to 01 . . . . . . . . . . . . . . . . . . 25 96 A.2. Change from 01 to 02 . . . . . . . . . . . . . . . . . . 25 97 A.3. Change from 02 to 03 . . . . . . . . . . . . . . . . . . 25 98 A.4. Change from 03 to REGEXT 00 . . . . . . . . . . . . . . . 27 99 A.5. Change from REGEXT 00 to REGEXT 01 . . . . . . . . . . . 27 100 A.6. Change from REGEXT 01 to REGEXT 02 . . . . . . . . . . . 27 101 A.7. Change from REGEXT 02 to REGEXT 03 . . . . . . . . . . . 27 102 A.8. Change from REGEXT 03 to REGEXT 04 . . . . . . . . . . . 27 103 A.9. Change from REGEXT 04 to REGEXT 05 . . . . . . . . . . . 28 104 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 106 1. Introduction 108 The Extensible Provisioning Protocol (EPP), in [RFC5730], defines the 109 use of authorization information to authorize a transfer. The 110 authorization information is object-specific and has been defined in 111 the EPP Domain Name Mapping, in [RFC5731], and the EPP Contact 112 Mapping, in [RFC5733], as password-based authorization information. 113 Other authorization mechanisms can be used, but in practice the 114 password-based authorization information has been used at the time of 115 object create, managed with the object update, and used to authorize 116 an object transfer request. What has not been considered is the 117 security of the authorization information that includes the 118 complexity of the authorization information, the time-to-live (TTL) 119 of the authorization information, and where and how the authorization 120 information is stored. This document defines an operational 121 practice, using the EPP RFCs, that leverages the use of strong, 122 random authorization information values that are short-lived, that 123 are not stored by the client, and that are stored by the server using 124 a cryptographic hash to provide, for secure authorization information 125 used for transfers. This operational practice can be used to support 126 transfers of any EPP object, where the domain name object defined in 127 [RFC5731] is used in this document for illustration purposes. 128 Elements of the practice may be used to support the secure use of the 129 authorization information for purposes other than transfer, but any 130 other purposes and the applicable elements are out-of-scope for this 131 document. 133 The overall goal is to have strong, random authorization information 134 values, that are short-lived, and that are either not stored or 135 stored as a cryptographic hash values by the non-responsible parties. 136 In a registrant, registrar, and registry model, the registrant 137 registers the object through the registrar to the registry. The 138 registrant is the responsible party and the registrar and the 139 registry are the non-responsible parties. EPP is a protocol between 140 the registrar and the registry, where the registrar is referred to as 141 the client and the registry is referred to as the server. The 142 following are the elements of the operational practice and how the 143 existing features of the EPP RFCs can be leveraged to satisfy them: 145 "Strong Random Authorization Information": The EPP RFCs define the 146 password-based authorization information value using an XML 147 schema "normalizedString" type, so they don't restrict what can 148 be used in any way. This operational practice defines the 149 recommended mechanism for creating a strong random authorization 150 value, that would be generated by the client. 151 "Short-Lived Authorization Information": The EPP RFCs don't 152 explicitly support short-lived authorization information or a 153 time-to-live (TTL) for authorization information, but there are 154 EPP RFC features that can be leveraged to support short-lived 155 authorization information. If authorization information is set 156 only when there is a transfer in process, the server needs to 157 support empty authorization information on create, support 158 setting and unsetting authorization information, and support 159 automatically unsetting the authorization information upon a 160 successful transfer. All of these features can be supported by 161 the EPP RFCs. 162 "Storing Authorization Information Securely": The EPP RFCs don't 163 specify where and how the authorization information is stored in 164 the client or the server, so there are no restrictions to define 165 an operational practice for storing the authorization information 166 securely. The operational practice will not require the client 167 to store the authorization information and will require the 168 server to store the authorization information using a 169 cryptographic hash, with at least a 256-bit hash function such as 170 SHA-256, and with a random salt. Returning the authorization 171 information set in an EPP info response will not be supported. 173 1.1. Conventions Used in This Document 175 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 176 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 177 document are to be interpreted as described in RFC 2119 [RFC2119]. 179 XML is case sensitive. Unless stated otherwise, XML specifications 180 and examples provided in this document MUST be interpreted in the 181 character case presented in order to develop a conforming 182 implementation. 184 In examples, "C:" represents lines sent by a protocol client and "S:" 185 represents lines returned by a protocol server. Indentation and 186 white space in examples are provided only to illustrate element 187 relationships and are not a required feature of this protocol. 189 The examples reference XML namespace prefixes that are used for the 190 associated XML namespaces. Implementations MUST NOT depend on the 191 example XML namespaces and instead employ a proper namespace-aware 192 XML parser and serializer to interpret and output the XML documents. 193 The example namespace prefixes used and their associated XML 194 namespaces include: 196 "domain": urn:ietf:params:xml:ns:domain-1.0 197 "contact": urn:ietf:params:xml:ns:contact-1.0 199 2. Registrant, Registrar, Registry 201 The EPP RFCs refer to client and server, but when it comes to 202 transfers, there are three types of actors that are involved. This 203 document will refer to the actors as registrant, registrar, and 204 registry. [RFC8499] defines these terms formally for the Domain Name 205 System (DNS). The terms are further described below to cover their 206 roles as actors of using the authorization information in the 207 transfer process of any object in the registry, such as a domain name 208 or a contact: 210 "registrant": [RFC8499] defines the registrant as "an individual or 211 organization on whose behalf a name in a zone is registered by 212 the registry". The registrant can be the owner of any object in 213 the registry, such as a domain name or a contact. The registrant 214 interfaces with the registrar for provisioning the objects. A 215 transfer is coordinated by the registrant to transfer the 216 sponsorship of the object from one registrar to another. The 217 authorization information is meant to authenticate the registrant 218 as the owner of the object to the non-sponsoring registrar and to 219 authorize the transfer. 220 "registrar": [RFC8499] defines the registrar as "a service provider 221 that acts as a go-between for registrants and registries". The 222 registrar interfaces with the registrant for the provisioning of 223 objects, such as domain names and contacts, and with the 224 registries to satisfy the registrant's provisioning requests. A 225 registrar may directly interface with the registrant or may 226 indirectly interface with the registrant, typically through one 227 or more resellers. Implementing a transfer using secure 228 authorization information extends through the registrar's 229 reseller channel up to the direct interface with the registrant. 230 The registrar's interface with the registries uses EPP. The 231 registrar's interface with its reseller channel or the registrant 232 is registrar-specific. In the EPP RFCs, the registrar is 233 referred to as the "client", since EPP is the protocol used 234 between the registrar and the registry. The sponsoring registrar 235 is the authorized registrar to manage objects on behalf of the 236 registrant. A non-sponsoring registrar is not authorized to 237 manage objects on behalf of the registrant. A transfer of an 238 object's sponsorship is from one registrar, referred to as the 239 losing registrar, to another registrar, referred to as the 240 gaining registrar. 241 "registry": [RFC8499] defines the registry as "the administrative 242 operation of a zone that allows registration of names within the 243 zone". The registry typically interfaces with the registrars 244 over EPP and generally does not interact directly with the 245 registrant. In the EPP RFCs, the registry is referred to as the 246 "server", since EPP is the protocol used between the registrar 247 and the registry. The registry has a record of the sponsoring 248 registrar for each object and provides the mechanism (over EPP) 249 to coordinate a transfer of an object's sponsorship between 250 registrars. 252 3. Signaling Client and Server Support 254 This document does not define new protocol but an operational 255 practice using the existing EPP protocol, where the client and the 256 server can signal support for the BCP using a namespace URI in the 257 login and greeting extension services. The namespace URI 258 "urn:ietf:params:xml:ns:epp:secure-authinfo-transfer-1.0" is used to 259 signal support for the BCP. The client includes the namespace URI in 260 an element of the [RFC5730] Command. 261 The server includes the namespace URI in an 262 element of the [RFC5730] Greeting. 264 A client that receives the namespace URI in the server's Greeting 265 extension services, can expect the following supported behavior by 266 the server: 268 1. Support empty authorization information with a create command. 269 2. Support unsetting authorization information with an update 270 command. 271 3. Support validating authorization information with an info 272 command. 273 4. Support not returning an indication whether the authorization 274 information is set or unset to the non-sponsoring registrar. 275 5. Support returning empty authorization information to sponsoring 276 registrar when the authorization information is set in an info 277 response. 278 6. Support allowing for the passing of a matching non-empty 279 authorization information to authorize a transfer. 280 7. Support automatically unsetting the authorization information 281 upon a successful completion of transfer. 283 A server that receives the namespace URI in the client's 284 Command extension services, can expect the following supported 285 behavior by the client: 287 1. Support generation of authorization information using a secure 288 random value. 289 2. Support only setting the authorization information when there is 290 a transfer in process. 292 4. Secure Authorization Information 294 The authorization information in the EPP RFCs ([RFC5731] and 295 [RFC5733]) that support transfer use password-based authorization 296 information. Other EPP objects that support password-based 297 authorization information for transfer can use the Secure 298 Authorization Information defined in this document. For the 299 authorization information to be secure it must be a strong random 300 value and must have a short time-to-live (TTL). The security of the 301 authorization information is defined in the following sections. 303 4.1. Secure Random Authorization Information 305 For authorization information to be secure, it MUST be generated 306 using a secure random value. The authorization information is 307 treated as a password, where according to [RFC4086] a high-security 308 password must have at least 49 bits of randomness or entropy. The 309 required length L of a password, rounded up to the largest whole 310 number, is based on the set of characters N and the desired entropy 311 H, in the equation L = ROUNDUP(H / log2 N). With a target entropy of 312 49, the required length can be calculated after deciding on the set 313 of characters that will be randomized. The following are a set of 314 possible character sets and the calculation of the required length. 316 Calculation of the required length with 49 bits of entropy and with 317 the set of all printable ASCII characters except space (0x20), which 318 consists of the 94 characters 0x21-0x7E. 320 ROUNDUP(49 / log2 94) =~ ROUNDUP(49 / 6.55) =~ ROUNDUP(7.48) = 8 322 Calculation of the required length with 49 bits of entropy and with 323 the set of case-insensitive alphanumeric characters, which consists 324 of 36 characters (a-z A-Z 0-9). 326 ROUNDUP(49 / log2 36) =~ ROUNDUP(49 / 5.17) =~ ROUNDUP(9.48) = 10 327 Considering the age of [RFC4086], the evolution of security 328 practices, and that the authorization information is a machine- 329 generated value, the recommendation is to use at least 128 bits of 330 entropy. The lengths are recalculated below using 128 bits of 331 entropy. 333 Calculation of the required length with 128 bits of entropy and with 334 the set of all printable ASCII characters except space (0x20), which 335 consists of the 94 characters 0x21-0x7E. 337 ROUNDUP(128 / log2 94) =~ ROUNDUP(128 / 6.55) =~ ROUNDUP(19.54) = 20 339 Calculation of the required length with 128 bits of entropy and with 340 the set of case insensitive alphanumeric characters, which consists 341 of 36 characters (a-z A-Z 0-9). 343 ROUNDUP(128 / log2 36) =~ ROUNDUP(128 / 5.17) =~ ROUNDUP(24.76) = 25 345 The strength of the random authorization information is dependent on 346 the actual entropy of the underlying random number generator. For 347 the random number generator, the practices defined in [RFC4086] and 348 section 4.7.1 of the NIST Federal Information Processing Standards 349 (FIPS) Publication 140-2 350 (https://csrc.nist.gov/publications/detail/fips/140/2/final) SHOULD 351 be followed to produce random values that will be resistant to 352 attack. A random number generator (RNG) is preferable over the use 353 of a pseudorandom number generator (PRNG) to reduce the 354 predictability of the authorization information. The more 355 predictable the random number generator is, the lower the true 356 entropy, and the longer the required length for the authorization 357 information. 359 4.2. Authorization Information Time-To-Live (TTL) 361 The authorization information SHOULD only be set when there is a 362 transfer in process. This implies that the authorization information 363 has a Time-To-Live (TTL) by which the authorization information is 364 cleared when the TTL expires. The EPP RFCs have no definition of 365 TTL, but since the server supports the setting and unsetting of the 366 authorization information by the sponsoring registrar, then the 367 sponsoring registrar can apply a TTL based on client policy. The TTL 368 client policy may be based on proprietary registrar-specific criteria 369 which provides for a transfer-specific TTL tuned for the particular 370 circumstances of the transaction. The sponsoring registrar will be 371 aware of the TTL and the sponsoring registrar MUST inform the 372 registrant of the TTL when the authorization information is provided 373 to the registrant. 375 4.3. Authorization Information Storage and Transport 377 To protect the disclosure of the authorization information, the 378 following requirements apply: 380 1. The authorization information MUST be stored by the registry 381 using a strong one-way cryptographic hash, with at least a 382 256-bit hash function such as SHA-256, and with a random salt. 383 2. An empty authorization information MUST be stored as an undefined 384 value that is referred to as a NULL value. The representation of 385 an NULL (undefined) value is dependent on the type of database 386 used. 387 3. The authorization information MUST NOT be stored by the losing 388 registrar. 389 4. The authorization information MUST only be stored by the gaining 390 registrar as a "transient" value in support of the transfer 391 process. 392 5. The plain text version of the authorization information MUST NOT 393 be written to any logs by the registrar or the registry. 394 6. All communication that includes the authorization information 395 MUST be over an encrypted channel, such as defined in [RFC5734] 396 for EPP. 397 7. The registrar's interface for communicating the authorization 398 information with the registrant MUST be over an authenticated and 399 encrypted channel. 401 4.4. Authorization Information Matching 403 To support the authorization information TTL, as defined in 404 Section 4.2, the authorization information must have either a set or 405 unset state. The unset authorization information is stored with a 406 NULL (undefined) value. Based on the requirement to store the 407 authorization information using a strong one-way cryptographic hash, 408 as defined in Section 4.3, a set authorization information is stored 409 with a non-NULL hashed value. The empty authorization information is 410 used as input in both the create command (Section 5.1) and the update 411 command (Section 5.2) to define the unset state. The matching of the 412 authorization information in the info command (Section 5.3) and the 413 transfer request command (Section 5.4) is based on the following 414 rules: 416 1. Any input authorization information value MUST NOT match an unset 417 authorization information value. 418 2. An empty input authorization information value MUST NOT match any 419 authorization information value. 420 3. A non-empty input authorization information value MUST be hashed 421 and matched against the set authorization information value, 422 which is stored using the same hash algorithm. 424 5. Create, Transfer, and Secure Authorization Information 426 To make the transfer process secure using secure authorization 427 information, as defined in Section 4, the client and server need to 428 implement steps where the authorization information is set only when 429 a transfer is actively in process and ensure that the authorization 430 information is stored securely and transported only over secure 431 channels. The steps in management of the authorization information 432 for transfers include: 434 1. Registrant requests to register the object with the registrar. 435 Registrar sends the create command, with empty authorization 436 information, to the registry, as defined in Section 5.1. 437 2. Registrant requests from the losing registrar the authorization 438 information to provide to the gaining registrar. 439 3. Losing registrar generates a secure random authorization 440 information value, sends it to the registry as defined in 441 Section 5.2, and provides it to the registrant. 442 4. Registrant provides the authorization information value to the 443 gaining registrar. 444 5. Gaining registrar optionally verifies the authorization 445 information with the info command to the registry, as defined in 446 Section 5.3. 447 6. Gaining registrar sends the transfer request with the 448 authorization information to the registry, as defined in 449 Section 5.4. 450 7. If the transfer successfully completes, the registry 451 automatically unsets the authorization information; otherwise the 452 losing registrar unsets the authorization information when the 453 TTL expires, as defined in Section 5.2. 455 The following sections outline the practices of the EPP commands and 456 responses between the registrar and the registry that supports secure 457 authorization information for transfer. 459 5.1. Create Command 461 For a create command, the registry MUST allow for the passing of an 462 empty authorization information and MAY disallow for the passing of a 463 non-empty authorization information. By having an empty 464 authorization information on create, the object is initially not in 465 the transfer process. Any EPP object extension that supports setting 466 the authorization information with a "eppcom:pwAuthInfoType" element, 467 can have an empty authorization information passed, such as [RFC5731] 468 and [RFC5733]. 470 Example of passing empty authorization information in an [RFC5731] 471 domain name create command. 473 C: 474 C: 475 C: 476 C: 477 C: 479 C: example.com 480 C: 481 C: 482 C: 483 C: 484 C: 485 C: ABC-12345 486 C: 487 C: 489 Example of passing empty authorization information in an [RFC5733] 490 contact create command. 492 C: 493 C: 494 C: 495 C: 496 C: 498 C: sh8013 499 C: 500 C: John Doe 501 C: 502 C: Dulles 503 C: US 504 C: 505 C: 506 C: jdoe@example.com 507 C: 508 C: 509 C: 510 C: 511 C: 512 C: ABC-12345 513 C: 514 C: 516 5.2. Update Command 518 For an update command, the registry MUST allow for the setting and 519 unsetting of the authorization information. The registrar sets the 520 authorization information by first generating a strong, random 521 authorization information value, based on Section 4.1, and setting it 522 in the registry in the update command. The registry SHOULD validate 523 the randomness of the authorization information based on the length 524 and character set required by the registry. For example, a registry 525 that requires 20 random printable ASCII characters except space 526 (0x20), should validate that the authorization information contains 527 at least one upper case alpha character, one lower case alpha 528 character, and one non-alpha numeric character. If the authorization 529 information fails the randomness validation, the registry MUST return 530 an EPP error result code of 2202. 532 Often the registrar has the "clientTransferProhibited" status set, so 533 to start the transfer process, the "clientTransferProhibited" status 534 needs to be removed, and the strong, random authorization information 535 value needs to be set. The registrar MUST define a time-to-live 536 (TTL), as defined in Section 4.2, where if the TTL expires the 537 registrar will unset the authorization information. 539 Example of removing the "clientTransferProhibited" status and setting 540 the authorization information in an [RFC5731] domain name update 541 command. 543 C: 544 C: 545 C: 546 C: 547 C: 549 C: example.com 550 C: 551 C: 552 C: 553 C: 554 C: 555 C: LuQ7Bu@w9?%+_HK3cayg$55$LSft3MPP 556 C: 557 C: 558 C: 559 C: 560 C: 561 C: ABC-12345-XYZ 562 C: 563 C: 564 When the registrar-defined TTL expires, the sponsoring registrar 565 cancels the transfer process by unsetting the authorization 566 information value and may add back statuses like the 567 "clientTransferProbited" status. Any EPP object extension that 568 supports setting the authorization information with a 569 "eppcom:pwAuthInfoType" element, can have an empty authorization 570 information passed, such as [RFC5731] and [RFC5733]. Setting an 571 empty authorization information unsets the value. [RFC5731] supports 572 an explicit mechanism of unsetting the authorization information, by 573 passing the authorization information value. The 574 registry MUST support unsetting the authorization information by 575 accepting an empty authorization information value and accepting an 576 explicit unset element if it is supported by the object extension. 578 Example of adding the "clientTransferProhibited" status and unsetting 579 the authorization information explicitly in an [RFC5731] domain name 580 update command. 582 C: 583 C: 584 C: 585 C: 586 C: 588 C: example.com 589 C: 590 C: 591 C: 592 C: 593 C: 594 C: 595 C: 596 C: 597 C: 598 C: 599 C: ABC-12345-XYZ 600 C: 601 C: 603 Example of unsetting the authorization information with an empty 604 authorization information in an [RFC5731] domain name update command. 606 C: 607 C: 608 C: 609 C: 610 C: 612 C: example.com 613 C: 614 C: 615 C: 616 C: 617 C: 618 C: 619 C: 620 C: 621 C: 622 C: 623 C: ABC-12345-XYZ 624 C: 625 C: 627 Example of unsetting the authorization information with an empty 628 authorization information in an [RFC5733] contact update command. 630 C: 631 C: 632 C: 633 C: 634 C: 636 C: sh8013 637 C: 638 C: 639 C: 640 C: 641 C: 642 C: 643 C: 644 C: ABC-12345-XYZ 645 C: 646 C: 648 5.3. Info Command and Response 650 For an info command, the registry MUST allow for the passing of a 651 non-empty authorization information for verification. The gaining 652 registrar can pre-verify the authorization information provided by 653 the registrant prior to submitting the transfer request with the use 654 of the info command. The registry compares the hash of the passed 655 authorization information with the hashed authorization information 656 value stored for the object. When the authorization information is 657 not set or the passed authorization information does not match the 658 previously set value, the registry MUST return an EPP error result 659 code of 2202 [RFC5730]. 661 Example of passing a non-empty authorization information in an 662 [RFC5731] domain name info command to verify the authorization 663 information value. 665 C: 666 C: 667 C: 668 C: 669 C: 671 C: example.com 672 C: 673 C: LuQ7Bu@w9?%+_HK3cayg$55$LSft3MPP 674 C: 675 C: 676 C: 677 C: 678 C: ABC-12345 679 C: 680 C: 681 The info response in object extensions, such as [RFC5731] and 682 [RFC5733], MUST NOT include the optional authorization information 683 element with a non-empty authorization value. The authorization 684 information is stored as a hash in the registry, so returning the 685 plain text authorization information is not possible, unless a valid 686 plain text authorization information is passed in the info command. 687 The registry MUST NOT return any indication of whether the 688 authorization information is set or unset to the non-sponsoring 689 registrar by not returning the authorization information element in 690 the response. The registry MAY return an indication to the 691 sponsoring registrar that the authorization information is set by 692 using an empty authorization information value. The registry MAY 693 return an indication to the sponsoring registrar that the 694 authorization information is unset by not returning the authorization 695 information element. 697 Example of returning an empty authorization information in an 698 [RFC5731] domain name info response to indicate to the sponsoring 699 registrar that the authorization information is set. 701 S: 702 S: 703 S: 704 S: 705 S: Command completed successfully 706 S: 707 S: 708 S: 710 S: example.com 711 S: EXAMPLE1-REP 712 S: 713 S: ClientX 714 S: 715 S: 716 S: 717 S: 718 S: 719 S: 720 S: ABC-12345 721 S: 54322-XYZ 722 S: 723 S: 724 S: 726 5.4. Transfer Request Command 728 For a Transfer Request Command, the registry MUST allow for the 729 passing of a non-empty authorization information to authorize a 730 transfer. The registry compares the hash of the passed authorization 731 information with the hashed authorization information value stored 732 for the object. When the authorization information is not set or the 733 passed authorization information does not match the previously set 734 value, the registry MUST return an EPP error result code of 2202 735 [RFC5730]. Whether the transfer occurs immediately or is pending is 736 up to server policy. When the transfer occurs immediately, the 737 registry MUST return the EPP success result code of 1000 and when the 738 transfer is pending, the registry MUST return the EPP success result 739 code of 1001. The losing registrar MUST be informed of a successful 740 transfer request using an EPP poll message. 742 Example of passing a non-empty authorization information in an 743 [RFC5731] domain name transfer request command to authorize the 744 transfer. 746 C: 747 C: 748 C: 749 C: 750 C: 752 C: example1.com 753 C: 754 C: LuQ7Bu@w9?%+_HK3cayg$55$LSft3MPP 755 C: 756 C: 757 C: 758 C: 759 C: ABC-12345 760 C: 761 C: 763 Upon successful completion of the transfer, the registry MUST 764 automatically unset the authorization information. If the transfer 765 request is not submitted within the time-to-live (TTL) (Section 4.2) 766 or the transfer is cancelled or rejected, the registrar MUST unset 767 the authorization information as defined in Section 5.2. 769 6. Transition Considerations 771 The goal of the transition considerations to the practice defined in 772 this document, referred to as the Secure Authorization Information 773 Model, is to minimize the impact to the registrars by supporting 774 incremental steps of adoption. The transtion steps are dependent on 775 the starting point of the registry. Registries may have different 776 starting points, since some of the elements of the Secure 777 Authorization Information Model may have already been implemented. 778 The considerations assume a starting point, referred to as the 779 Classic Authorization Information Model, that have the following 780 steps in the management of the authorization information for 781 transfers: 783 1. Registrant requests to register the object with the registrar. 784 Registrar sends the create command, with a non-empty 785 authorization information, to the registry. The registry stores 786 the authorization information as an encrypted value and requires 787 a non-empty authorization information for the life of the object. 788 The registrar may store the long-lived authorization information. 789 2. At the time of transfer, Registrant requests from the losing 790 registrar the authorization information to provide to the gaining 791 registrar. 792 3. Losing registrar retrieves the stored authorization information 793 locally or queries the registry for authorization information 794 using the info command, and provides it to the registrant. If 795 the registry is queried, the authorization information is 796 decrypted and the plain text authorization information is 797 returned in the info response to the registrar. 798 4. Registrant provides the authorization information value to the 799 gaining registrar. 800 5. Gaining registrar optionally verifies the authorization 801 information with the info command to the registry, by passing the 802 authorization information in the info command to the registry. 803 6. Gaining registrar sends the transfer request with the 804 authorization information to the registry. The registry will 805 decrypt the stored authorization information to compare to the 806 passed authorization information. 807 7. If the transfer successfully completes, the authorization 808 information is not touched by the registry and may be updated by 809 the gaining registrar using the update command. If the transfer 810 is cancelled or rejected, the losing registrar may reset the 811 authorization information using the update command. 813 The gaps between the Classic Authorization Information Model and the 814 Secure Authorization Information Model include: 816 1. Registry requirement for a non-empty authorization information on 817 create and for the life of the object versus the authorization 818 information not being set on create and only being set when a 819 transfer is in process. 820 2. Registry not allowing the authorization information to be unset 821 versus supporting the authorization to be unset in the update 822 command. 823 3. Registry storing the authorization information as an encrypted 824 value versus as a hashed value. 825 4. Registry support for returning the authorization information 826 versus not returning the authorization information in the info 827 response. 828 5. Registry not touching the authorization information versus the 829 registry automatically unsetting the authorization information 830 upon a successful transfer. 831 6. Registry may validate a shorter authorization information value 832 using password complexity rules versus validating the randomness 833 of a longer authorization information value that meets the 834 required bits of entropy. 836 The transition can be handled in the three phases defined in the sub- 837 sections Section 6.1, Section 6.2, Section 6.3. 839 6.1. Transition Phase 1 - Features 841 The goal of the "Transition Phase 1 - Features" is to implement the 842 needed features in EPP so that the registrar can optionally implement 843 the Secure Authorization Information Model. The features to 844 implement are broken out by the command and responses below: 846 Create Command: Change the create command to make the authorization 847 information optional, by allowing both a non-empty value and an 848 empty value. This enables a registrar to optionally create 849 objects without an authorization information value, as defined in 850 Section 5.1. 851 Update Command: Change the update command to allow unsetting the 852 authorization information, as defined in Section 5.2. This 853 enables the registrar to optionally unset the authorization 854 information when the TTL expires or when the transfer is cancelled 855 or rejected. 856 Transfer Approve Command and Transfer Auto-Approve: Change the 857 transfer approve command and the transfer auto-approve to 858 automatically unset the authorization information. This sets the 859 default state of the object to not have the authorization 860 information set. The registrar implementing the Secure 861 Authorization Information Model will not set the authorization 862 information for an inbound transfer and the registrar implementing 863 the Classic Authorization Information Model will set the new 864 authorization information upon the successful transfer. 865 Info Response: Change the info command to not return the 866 authorization information in the info response, as defined in 867 Section 5.3. This sets up the implementation of "Transition Phase 868 2 - Storage", since the dependency in returning the authorization 869 information in the info response will be removed. This feature is 870 the only one that is not an optional change to the registrar. 871 Info Command and Transfer Request: Change the info command and the 872 transfer request to ensure that a registrar cannot get an 873 indication that the authorization information is set or not set by 874 returning the EPP error result code of 2202 when comparing a 875 passed authorization to a non-matching set authorization 876 information value or an unset value. 878 6.2. Transition Phase 2 - Storage 880 The goal of the "Transition Phase 2 - Storage" is to transition the 881 registry to use hashed authorization information instead of encrypted 882 authorization information. There is no direct impact to the 883 registrars, since the only visible indication that the authorization 884 information has been hashed is by not returning the set authorization 885 information in the info response, which is addressed in Transition 886 Phase 1 - Features (Section 6.1). There are three steps to 887 transition the authorization information storage, which includes: 889 Hash New Authorization Information Values: Change the create command 890 and the update command to hash instead of encyrpting the 891 authorization information. 892 Supporting Comparing Against Encrypted and Hashed Authorization 893 Information: Change the info command and the transfer request 894 command to be able to compare a passed authorization information 895 value with either a hashed or encyrpted authorization information 896 value. 897 Hash Existing Encrypted Authorization Information Values: Convert 898 the encrypted authorization information values stored in the 899 registry database to hashed values. The update is not a visible 900 change to the registrar. The conversion can be done over a period 901 of time depending on registry policy. 903 6.3. Transition Phase 3 - Enforcement 905 The goal of the "Transition Phase 3 - Enforcement" is to complete the 906 implementation of the "Secure Authorization Information Model", by 907 enforcing the following: 909 Disallow Authorization Information on Create Command: Change the 910 create command to not allow for the passing of a non-empty 911 authorization information value. 912 Validate the Strong Random Authorization Information: Change the 913 validation of the authorization information in the update command 914 to ensure at least 128 bits of entropy. 916 7. IANA Considerations 918 7.1. XML Namespace 920 This document uses URNs to describe XML namespaces conforming to a 921 registry mechanism described in [RFC3688]. The following URI 922 assignment is requested of IANA: 924 Registration request for the secure authorization information for 925 transfer namespace: 927 URI: urn:ietf:params:xml:ns:epp:secure-authinfo-transfer-1.0 928 Registrant Contact: IESG 929 XML: None. Namespace URIs do not represent an XML specification. 931 7.2. EPP Extension Registry 933 The EPP operational practice described in this document should be 934 registered by the IANA in the EPP Extension Registry described in 935 [RFC7451]. The details of the registration are as follows: 937 Name of Extension: "Extensible Provisioning Protocol (EPP) Secure 938 Authorization Information for Transfer" 940 Document status: Standards Track 942 Reference: (insert reference to RFC version of this document) 944 Registrant Name and Email Address: IESG, 946 TLDs: Any 948 IPR Disclosure: None 950 Status: Active 951 Notes: None 953 8. Implementation Status 955 Note to RFC Editor: Please remove this section and the reference to 956 RFC 7942 [RFC7942] before publication. 958 This section records the status of known implementations of the 959 protocol defined by this specification at the time of posting of this 960 Internet-Draft, and is based on a proposal described in RFC 7942 961 [RFC7942]. The description of implementations in this section is 962 intended to assist the IETF in its decision processes in progressing 963 drafts to RFCs. Please note that the listing of any individual 964 implementation here does not imply endorsement by the IETF. 965 Furthermore, no effort has been spent to verify the information 966 presented here that was supplied by IETF contributors. This is not 967 intended as, and must not be construed to be, a catalog of available 968 implementations or their features. Readers are advised to note that 969 other implementations may exist. 971 According to RFC 7942 [RFC7942], "this will allow reviewers and 972 working groups to assign due consideration to documents that have the 973 benefit of running code, which may serve as evidence of valuable 974 experimentation and feedback that have made the implemented protocols 975 more mature. It is up to the individual working groups to use this 976 information as they see fit". 978 8.1. Verisign EPP SDK 980 Organization: Verisign Inc. 982 Name: Verisign EPP SDK 984 Description: The Verisign EPP SDK includes both a full client 985 implementation and a full server stub implementation of draft-ietf- 986 regext-secure-authinfo-transfer. 988 Level of maturity: Development 990 Coverage: All aspects of the protocol are implemented. 992 Licensing: GNU Lesser General Public License 994 Contact: jgould@verisign.com 996 URL: https://www.verisign.com/en_US/channel-resources/domain- 997 registry-products/epp-sdks 999 8.2. RegistryEngine EPP Service 1001 Organization: CentralNic 1003 Name: RegistryEngine EPP Service 1005 Description: Generic high-volume EPP service for gTLDs, ccTLDs and 1006 SLDs 1008 Level of maturity: Deployed in CentralNic's production environment as 1009 well as two other gTLD registry systems, and two ccTLD registry 1010 systems. 1012 Coverage: Authorization Information is "write only" in that the 1013 registrars can set the Authorization Information, but not get the 1014 Authorization Information in the Info Response. 1016 Licensing: Proprietary In-House software 1018 Contact: epp@centralnic.com 1020 URL: https://www.centralnic.com 1022 9. Security Considerations 1024 Section 4.1 defines the use a secure random value for the generation 1025 of the authorization information. The server SHOULD define policy 1026 related to the length and set of characters that are included in the 1027 randomization to target the desired entropy level, with the 1028 recommendation of at least 49 bits for entropy. The authorization 1029 information server policy is communicated to the client using an out- 1030 of-band process. The client SHOULD choose a length and set of 1031 characters that results in entropy that meets or exceeds the server 1032 policy. A random number generator (RNG) is preferable over the use 1033 of a pseudorandom number generator (PRNG) when creating the 1034 authorization information value. 1036 Section 4.2 defines the use of an authorization information Time-To- 1037 Live (TTL). The registrar SHOULD only set the authorization 1038 information during the transfer process by the server support for 1039 setting and unsetting the authorization information. The TTL value 1040 is up to registrar policy and the sponsoring registrar MUST inform 1041 the registrant of the TTL when providing the authorization 1042 information to the registrant. 1044 Section 4.3 defines the storage and transport of authorization 1045 information. The losing registrar MUST NOT store the authorization 1046 information and the gaining registrar MUST only store the 1047 authorization information as a "transient" value during the transfer 1048 process, where the authorization information MUST NOT be stored after 1049 the end of the transfer process. The registry MUST store the 1050 authorization information using a one-way cryptographic hash of at 1051 least 256 bits and with a random salt. All communication that 1052 includes the authorization information MUST be over an encrypted 1053 channel. The plain text authorization information MUST NOT be 1054 written to any logs by the registrar or the registry. 1056 Section 4.4 defines the matching of the authorization information 1057 values. The registry stores an unset authorization information as a 1058 NULL (undefined) value to ensure that an empty input authorization 1059 information never matches it. The method used to define a NULL 1060 (undefined) value is database specific. 1062 10. Acknowledgements 1064 The authors wish to thank the following persons for their feedback 1065 and suggestions: Michael Bauland, Martin Casanova, Scott Hollenbeck, 1066 Jody Kolker, Patrick Mevzek, Matthew Pozun, Srikanth Veeramachaneni, 1067 and Ulrich Wisser. 1069 11. References 1071 11.1. Normative References 1073 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1074 Requirement Levels", BCP 14, RFC 2119, 1075 DOI 10.17487/RFC2119, March 1997, 1076 . 1078 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1079 DOI 10.17487/RFC3688, January 2004, 1080 . 1082 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 1083 "Randomness Requirements for Security", BCP 106, RFC 4086, 1084 DOI 10.17487/RFC4086, June 2005, 1085 . 1087 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 1088 STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, 1089 . 1091 [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 1092 Domain Name Mapping", STD 69, RFC 5731, 1093 DOI 10.17487/RFC5731, August 2009, 1094 . 1096 [RFC5733] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 1097 Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733, 1098 August 2009, . 1100 [RFC5734] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 1101 Transport over TCP", STD 69, RFC 5734, 1102 DOI 10.17487/RFC5734, August 2009, 1103 . 1105 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 1106 Code: The Implementation Status Section", BCP 205, 1107 RFC 7942, DOI 10.17487/RFC7942, July 2016, 1108 . 1110 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 1111 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 1112 January 2019, . 1114 11.2. Informative References 1116 [RFC7451] Hollenbeck, S., "Extension Registry for the Extensible 1117 Provisioning Protocol", RFC 7451, DOI 10.17487/RFC7451, 1118 February 2015, . 1120 Appendix A. Change History 1122 A.1. Change from 00 to 01 1124 1. Filled in the "Implementation Status" section with the inclusion 1125 of the "Verisign EPP SDK" and "RegistryEngine EPP Service" 1126 implementations. 1127 2. Made small wording corrections based on private feedback. 1128 3. Added content to the "Acknowledgements" section. 1130 A.2. Change from 01 to 02 1132 1. Revised the language used for the storage of the authorization 1133 information based on the feedback from Patrick Mevzek and Jody 1134 Kolker. 1136 A.3. Change from 02 to 03 1138 1. Updates based on the feedback from the interim REGEXT meeting 1139 held at ICANN-66: 1140 1. Section 3.3, include a reference to the hash algorithm to 1141 use. Broke the requirements into a list and included a the 1142 reference the text ', with at least a 256-bit hash function, 1143 such as SHA-256'. 1145 2. Add a Transition Considerations section to cover the 1146 transition from the classic authorization information 1147 security model in the EPP RFCs to the model defined in the 1148 document. 1149 3. Add a statement to the Introduction that elements of the 1150 practice can be used for purposes other than transfer, but 1151 with a caveat. 1152 2. Updates based on the review by Michael Bauland, that include: 1153 1. In section 2, change 'there are three actors' to 'there are 1154 three types of actors' to cover the case with transfers that 1155 has two registrar actors (losing and gaining). 1156 2. In section 3.1, change the equations equals to be 1157 approximately equal by using '=~' instead of '=', where 1158 applicable. 1159 3. In section 3.3, change 'MUST be over an encrypted channel, 1160 such as RFC5734' to 'MUST be over an encrypted channel, such 1161 as defined in RFC5734'. 1162 4. In section 4.1, remove the optional RFC 5733 elements from 1163 the contact create, which includes the , 1164 , , , 1165 , , and elements. 1166 5. In section 4.2, changed 'Example of unsetting the 1167 authorization information explicitly in an [RFC5731] domain 1168 name update command.' to 'Example of adding the 1169 "clientTransferProhibited" status and unsetting the 1170 authorization information explicitly in an [RFC5731] domain 1171 name update command.' 1172 6. In section 4.3, cover a corner case of the ability to return 1173 the authorization information when it's passed in the info 1174 command. 1175 7. In section 4.4, change 'If the transfer does not complete 1176 within the time-to-live (TTL)' to 'If the transfer is not 1177 initiated within the time-to-live (TTL)', since the TTL is 1178 the time between setting the authorization information and 1179 when it's successfully used in a transfer request. Added the 1180 case of unsetting the authorization information when the 1181 transfer is cancelled or rejected. 1182 3. Updates based on the authorization information messages by Martin 1183 Casanova on the REGEXT mailing list, that include: 1184 1. Added section 3.4 'Authorization Information Matching' to 1185 clarify how the authorization information is matched, when 1186 there is set and unset authorization information in the 1187 database and empty and non-empty authorization information 1188 passed in the info and transfer commands. 1189 2. Added support for signaling that the authorization 1190 information is set or unset to the sponsoring registrar with 1191 the inclusion of an empty authorization information element 1192 in the response to indicate that the authorization 1193 information is set and the exclusion of the authorization 1194 information element in the response to indicate that the 1195 authorization information is unset. 1196 4. Made the capitalization of command and response references 1197 consistent by uppercasing section and item titles and lowercasing 1198 references elsewhere. 1200 A.4. Change from 03 to REGEXT 00 1202 1. Changed to regext working group draft by changing draft-gould- 1203 regext-secure-authinfo-transfer to draft-ietf-regext-secure- 1204 authinfo-transfer. 1206 A.5. Change from REGEXT 00 to REGEXT 01 1208 1. Added the "Signaling Client and Server Support" section to 1209 describe the mechanism to signal support for the BCP by the 1210 client and the server. 1211 2. Added the "IANA Considerations" section with the registration of 1212 the secure authorization for transfer XML namespace and the 1213 registration of the EPP Best Current Practice (BCP) in the EPP 1214 Extension Registry. 1216 A.6. Change from REGEXT 01 to REGEXT 02 1218 1. Added inclusion of random salt for the hashed authorization 1219 information, based on feedback from Ulrich Wisser. 1220 2. Added clarification that the representation of a NULL (undefined) 1221 value is dependent on the type of database, based on feedback 1222 from Patrick Mevzek. 1223 3. Filled in the Security Considerations section. 1225 A.7. Change from REGEXT 02 to REGEXT 03 1227 1. Updated the XML namespace to urn:ietf:params:xml:ns:epp:secure- 1228 authinfo-transfer-1.0, which removed bcp from the namespace and 1229 bumped the version from 0.1 and 1.0. Inclusion of bcp in the XML 1230 namespace was discussed at the REGEXT interim meeting. 1231 2. Replaced Auhtorization with Authorization based on a review by 1232 Jody Kolker. 1234 A.8. Change from REGEXT 03 to REGEXT 04 1236 1. Converted from xml2rfc v2 to v3. 1237 2. Updated Acknowledgements to match the approach taken by the RFC 1238 Editor with draft-ietf-regext-login-security. 1239 3. Changed from Best Current Practice (BCP) to Standards Track based 1240 on mailing list discussion. 1242 A.9. Change from REGEXT 04 to REGEXT 05 1244 1. Fixed IDNITS issues, including moving RFC7451 to Informative 1245 References section. 1247 Authors' Addresses 1249 James Gould 1250 VeriSign, Inc. 1251 12061 Bluemont Way 1252 Reston, VA 20190 1253 United States of America 1255 Email: jgould@verisign.com 1256 URI: http://www.verisign.com 1258 Richard Wilhelm 1259 VeriSign, Inc. 1260 12061 Bluemont Way 1261 Reston, VA 20190 1262 United States of America 1264 Email: rwilhelm@verisign.com 1265 URI: http://www.verisign.com