To: Bill Manning <bmanning@isi.edu>
Cc: ietf-provreg@cafax.se, hartmans@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 20 Mar 2001 12:06:03 -0500
In-Reply-To: Bill Manning's message of "Tue, 20 Mar 2001 07:38:07 -0800 (PST)"
Sender: owner-ietf-provreg@cafax.se
Subject: Re: security in draft-ietf-provreg-epp-0.txt
>>>>> "Bill" == Bill Manning <bmanning@ISI.EDU> writes:

    Bill> % Hi. I've been looking at the security implications of the current EPP
    Bill> % draft and I am concerned that plaintext logins are not an appropriate
    Bill> % authentication mechanism for this protocol. Per section 3.2 of
    Bill> % draft-ietf-provreg-grrp-req-0:
    Bill> %
    Bill> % 3.2 Identification and Authentication
    Bill> %
    Bill> % [1] The protocol or another layered protocol MUST provide services to
    Bill> % identify registrar clients and registry servers before granting access
    Bill> % to other protocol services.
    Bill> %
    Bill> % [2] The protocol or another layered protocol MUST provide services to
    Bill> % authenticate registrar clients and registry servers before granting
    Bill> % access to other protocol services.
    Bill> %
    Bill> % [3] The protocol or another layered protocol MUST provide services to
    Bill> % negotiate an authentication mechanism acceptable to both client and
    Bill> % server.
    Bill> %
    Bill> %
    Bill> % First of all, having a login element that requires plaintext
    Bill> % passwords is not standard practice in new IETF protocols.
    Bill>
    Bill> Where, in the above quoted sections, is there a
    Bill> requirement for plaintext passwords?

My question was unclear because it assumed familiarity with the EPP draft. The current EPP draft has a login element that takes a plaintext password; section 2.6.1.1 of the EPP draft requires a client send a plaintext password before any other command. The requirements are fine; the draft is not.