To: "Francisco Obispo" <fobispo@nic.ve>
Cc: <ietf-provreg@cafax.se>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Date: Tue, 18 Aug 2009 12:45:43 -0400
Content-class: urn:content-classes:message
In-Reply-To: <642A4A1B-8A8E-4A47-846E-D7D221A39222@nic.ve>
Sender: owner-ietf-provreg@cafax.se
Thread-Index: AcogHNF4dzT1s3DMSNafSpUgoU0pMwABihGA
Thread-Topic: [ietf-provreg] EPP Server Implementer Help Needed
Subject: RE: [ietf-provreg] EPP Server Implementer Help Needed

TLS was selected because it was thought to provide the best fit for the
requirements identified in RFC 3375.

-Scott-

> -----Original Message-----
> From: Francisco Obispo [mailto:fobispo@nic.ve]
> Sent: Tuesday, August 18, 2009 11:59 AM
> To: Hollenbeck, Scott
> Cc: ietf-provreg@cafax.se
> Subject: Re: [ietf-provreg] EPP Server Implementer Help Needed
>
> Hi Scott,
>
> Although this comment might seem odd, I was wondering why the TLS
> feature is required.
>
> When I was in charge of .VE we decided not to include any
> encryption/auth features besides regular user/pass simple auth.
>
> Later on, we decided to use SSL/TLS tunneling with a separate
> software package that will provide the encryption services. At first
> we used ssh, but stunnel turned out to be a better solution.
> If we were to require stronger encryption, we could start by
> introducing other software packages, but taking the complications
> outside of the EPP implementation...
>
> I don't know if using third party software will comply with this
> requirement, because if it does, then it might be a good idea to
> switch to that instead.
>
> Regards
>
> Francisco
>
>
> On Aug 18, 2009, at 6:46 AM, Hollenbeck, Scott wrote:
>
> > I still need info from one server implementer that is willing to be
> > included in an implementation report and confirm that they have
> > implemented the TLS client identification features described in
> > section 9 of 4934bis. Specifically:
> >
> > 1. TLS implementations are REQUIRED to support the mandatory cipher
> > suite specified in the implemented version.
> >
> > 2. Mutual client and server authentication using the TLS Handshake
> > Protocol is REQUIRED.
> >
> > 3. Signatures on the complete certification path for both client
> > machine and server machine MUST be validated as part of the TLS
> > handshake.
> >
> > 4. Information included in the client and server certificates, such
> > as validity periods and machine names, MUST also be validated.
> >
> > 5. EPP service MUST NOT be granted until successful completion of a
> > TLS handshake and certificate validation.
> >
> > Most of these come for free with a good TLS toolkit. Are there any
> > server implementers willing to confirm that they've implemented these
> > features? I've already confirmed that VeriSign has implemented these
> > features.
> >
> > -Scott-
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > List run by majordomo software. For (Un-)subscription and similar
> > details send "help" to ietf-provreg-request@cafax.se
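The five requirements Scott quotes above, as an added worked example that is not part of this thread or of any EPP server mentioned in it. It uses Go's crypto/tls as the toolkit (an EPP server in another language has the equivalent knobs) and a loopback listener so it runs offline; the CA, the server name epp.registry.example, the registrar names registrar1.example and registrar9.example, the single-host enrolment check and the stand-in greeting string are all constructed for the example. RequireAndVerifyClientCert on the server and RootCAs plus ServerName on the client cover points 2 to 4 for chain signatures, validity periods and the server's machine name; the one thing a toolkit will not do on its own is check the client certificate's machine name against the registry's list of enrolled registrar hosts, which is what the VerifyConnection callback adds. Point 1 is left to the toolkit's default cipher-suite list, so check that the list for the TLS version you negotiate still contains that version's mandatory suite and pin CipherSuites if it does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue mints a throwaway P-256 certificate for host: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. notAfter is a parameter so demo can mint an expired leaf.
func issue(host string, parent *tls.Certificate, notAfter time.Time) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter,
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	issuer, issuerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverConfig is the registry side. RequireAndVerifyClientCert gives requirements 2 and 3
// (mutual auth, client chain validated against the registrar CA, expired leaves refused) and
// VerifyConnection adds the machine-name half of requirement 4; requirement 1, the mandatory
// cipher suite of the negotiated version, is left to the toolkit's default suite list.
func serverConfig(cert *tls.Certificate, registrarCA *x509.CertPool, registrarHost string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{*cert}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: registrarCA,
		VerifyConnection: func(cs tls.ConnectionState) error { // runs after chain and validity checks
			return cs.VerifiedChains[0][0].VerifyHostname(registrarHost)
		},
	}
}

// connect serves one registrar connection on ln and returns what the client read plus the
// server's verdict. The greeting is written only after Handshake returns nil (requirement 5).
func connect(ln net.Listener, srvCfg, cliCfg *tls.Config) (string, error) {
	const greeting = "<epp><greeting/></epp>" // stand-in for the real EPP greeting XML
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			srv := tls.Server(raw, srvCfg)
			defer srv.Close() // close_notify on success, plain close after a refusal
			if err = srv.Handshake(); err == nil {
				_, err = io.WriteString(srv, greeting)
			}
		}
		verdict <- err
	}()
	var body []byte
	if cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		body, _ = io.ReadAll(cli) // under TLS 1.3 a refusal arrives here, as an alert
		cli.Close()
	}
	return string(body), <-verdict
}

// demo builds a throwaway PKI (constructed names, not any real registry's) and connects four
// registrar clients; the client side validates the server's chain, validity and name as well.
func demo() (greetings map[string]string, verdicts map[string]error) {
	valid, expired := time.Now().Add(24*time.Hour), time.Now().Add(-24*time.Hour)
	ca := issue("registry-ca.example", nil, valid)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := serverConfig(issue("epp.registry.example", ca, valid), pool, "registrar1.example")
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	greetings, verdicts = map[string]string{}, map[string]error{}
	for name, cert := range map[string]*tls.Certificate{"enrolled": issue("registrar1.example", ca, valid),
		"no-cert": nil, "expired": issue("registrar1.example", ca, expired), "wrong-host": issue("registrar9.example", ca, valid)} {
		cfg := &tls.Config{RootCAs: pool, ServerName: "epp.registry.example", MinVersion: tls.VersionTLS12}
		if cert != nil {
			cfg.Certificates = []tls.Certificate{*cert}
		}
		greetings[name], verdicts[name] = connect(ln, srv, cfg)
	}
	return greetings, verdicts
}

func main() { fmt.Println(demo()) }
```

Running it prints the greeting for the enrolled registrar and a refusal for each of the other three clients (no certificate, expired certificate, certificate for a machine that is not enrolled). Under TLS 1.3 the client's own Dial returns before the server has examined its certificate, which is why connect reports the server's verdict rather than the client's handshake result, and why an EPP client should not treat a completed handshake as proof of admission until it has read the greeting.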