To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Cc: <ietf-provreg@cafax.se>
From: Francisco Obispo <fobispo@nic.ve>
Date: Tue, 18 Aug 2009 11:29:03 -0430
In-Reply-To: <046F43A8D79C794FA4733814869CDF0702C727DD@dul1wnexmb01.vcorp.ad.vrsn.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] EPP Server Implementer Help Needed
Hi Scott,

Although this comment might seem odd, I was wondering why the TLS feature is required.

When I was in charge of .VE we decided not to include any encryption/auth features besides regular user/pass simple auth. Later on, we decided to use SSL/TLS tunneling with a separate software package that will provide the encryption services. At first we used ssh, but stunnel turned out to be a better solution.

If we were to require stronger encryption, we could start by introducing other software packages, but taking the complications outside of the EPP implementation...

I don't know if using third party software will comply with this requirement, because if it does, then it might be a good idea to switch to that instead.

Regards
Francisco

On Aug 18, 2009, at 6:46 AM, Hollenbeck, Scott wrote:

> I still need info from one server implementer that is willing to be
> included in an implementation report and confirm that they have
> implemented the TLS client identification features described in section
> 9 of 4934bis. Specifically:
>
> 1. TLS implementations are REQUIRED to support the mandatory cipher
> suite specified in the implemented version:
>
> 2. Mutual client and server authentication using the TLS Handshake
> Protocol is REQUIRED.
>
> 3. Signatures on the complete certification path for both client machine
> and server machine MUST be validated as part of the TLS handshake.
>
> 4. Information included in the client and server certificates, such as
> validity periods and machine names, MUST also be validated.
>
> 5. EPP service MUST NOT be granted until successful completion of a TLS
> handshake and certificate validation
>
> Most of these come for free with a good TLS toolkit. Are there any
> server implementers willing to confirm that they've implemented these
> features? I've already confirmed that VeriSign has implemented these
> features.
>
> -Scott-
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> List run by majordomo software. For (Un-)subscription and similar details
> send "help" to ietf-provreg-request@cafax.se
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
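The five items Scott lists, sketched from the server side in Python as an added example (not code from either poster, nor from any registry's EPP server). It assumes Python's ssl module, a hypothetical registrar host name in the lookup table, a placeholder greeting, and a socket wrapped with do_handshake_on_connect=False so the handshake is driven explicitly.

```python
import ssl
import time
# Constructed lookup: client-certificate machine name -> registrar account.
# The host and registrar names are hypothetical.
KNOWN_CLIENT_HOSTS = {"epp-client.registrar-a.example": "registrar-a"}
EPP_GREETING = b"<epp><greeting/></epp>"  # placeholder, not a full EPP greeting


def make_epp_server_context(ca_file, cert_file, key_file):
    """Items 1-3: current TLS, a server cert, and a REQUIRED client cert whose
    complete chain must validate against ca_file during the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED        # no client cert: handshake fails
    ctx.load_verify_locations(cafile=ca_file)  # trust anchors for the chain check
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def cert_names(peercert):
    """dNSName SANs followed by the subject CN from a getpeercert() dict."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in peercert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def identify_client(peercert, now=None):
    """Item 4: re-check the validity window and map the machine name to a
    registrar. Returns the registrar id, or None to refuse service."""
    if not peercert:
        return None
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not (not_before <= now <= not_after):
        return None
    for name in cert_names(peercert):
        if name in KNOWN_CLIENT_HOSTS:
            return KNOWN_CLIENT_HOSTS[name]
    return None


def serve_epp(tls_sock):
    """Item 5: no EPP traffic until the handshake and identification succeed."""
    tls_sock.do_handshake()  # ssl.SSLError on any chain or validity failure
    registrar = identify_client(tls_sock.getpeercert())
    if registrar is None:
        tls_sock.close()     # unknown machine name: close before any greeting
        return None
    tls_sock.sendall(EPP_GREETING)
    return registrar
```

The toolkit already rejects a bad chain or an expired certificate inside do_handshake(); identify_client() adds the part a toolkit cannot do for you, tying the presented machine name to a registrar before any EPP greeting leaves the server.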