To: ietf-provreg@cafax.se
From: Bruce Campbell <bruce.campbell@apnic.net>
Date: Wed, 21 Mar 2001 08:51:56 +1000 (EST)
Sender: owner-ietf-provreg@cafax.se
Subject: light comment on security provisions.

This is in the 'am I missing something here' vein, however the drafts already released (as listed in the IETF WG charter page) have wording which covers in-transit security, which seems to be most of the security concerns being brought to the microphone, ie:

http://www.ietf.org/internet-drafts/draft-ietf-provreg-grrp-reqs-00.txt

    11. Security Considerations

    [1] Security services MUST be provided to protect against the
    following types of attack: eavesdropping, replay, message insertion,
    deletion, modification, and man-in-the-middle.

http://www.ietf.org/internet-drafts/draft-ietf-provreg-epp-00.txt

    7. Security Considerations

    EPP provides only simple client authentication services. A passive
    attack is sufficient to recover client identifiers and passwords,
    allowing trivial command forgery. Protection against most common
    attacks must be provided by other protocols.

The actual security provided is (as someone, Bill?) pointed out, dependent on country laws which one or both of the Registrars/Registries must observe, and as such, could be left as an issue between the individual Registrars/Registries. (ie, whatever the local laws/customers allow/want).

--==--
Bruce.