To: Bill Manning <bmanning@isi.edu>
Cc: ietf-provreg@cafax.se, hartmans@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 20 Mar 2001 12:06:03 -0500
In-Reply-To: Bill Manning's message of "Tue, 20 Mar 2001 07:38:07 -0800 (PST)"
Sender: owner-ietf-provreg@cafax.se
Subject: Re: security in draft-ietf-provreg-epp-0.txt
>>>>> "Bill" == Bill Manning <bmanning@ISI.EDU> writes:

Bill> % Hi. I've been looking at the security implications of the
Bill> % current EPP draft and I am concerned that plaintext logins
Bill> % are not an appropriate authentication mechanism for this
Bill> % protocol. Per section 3.2 of draft-ietf-provreg-grrp-req-0:
Bill> %
Bill> % 3.2 Identification and Authentication
Bill> %
Bill> % [1] The protocol or another layered protocol MUST provide
Bill> % services to identify registrar clients and registry servers
Bill> % before granting access to other protocol services.
Bill> %
Bill> % [2] The protocol or another layered protocol MUST provide
Bill> % services to authenticate registrar clients and registry
Bill> % servers before granting access to other protocol services.
Bill> %
Bill> % [3] The protocol or another layered protocol MUST provide
Bill> % services to negotiate an authentication mechanism acceptable
Bill> % to both client and server.
Bill> %
Bill> % First of all, having a login element that requires plaintext
Bill> % passwords is not standard practice in new IETF protocols.

Bill> Where, in the above quoted sections, is there a requirement
Bill> for plaintext passwords?
My question was unclear because it assumed familiarity with the EPP
draft. The current EPP draft has a login element that takes a
plaintext password; section 2.6.1.1 of the EPP draft requires a client
to send a plaintext password before any other command.

The requirements are fine; the draft is not.