Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer

Document Type Replaced Internet-Draft (regext WG)
Authors James Gould  , Richard Wilhelm 
Last updated 2020-02-14 (latest revision 2020-01-14)
Replaced by draft-ietf-regext-secure-authinfo-transfer
Stream IETF
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream WG state Adopted by a WG
Document shepherd No shepherd assigned
IESG IESG state Replaced by draft-ietf-regext-secure-authinfo-transfer
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The Extensible Provisioning Protocol (EPP), in RFC 5730, defines the use of authorization information to authorize a transfer. The authorization information is object-specific and has been defined in the EPP Domain Name Mapping, in RFC 5731, and the EPP Contact Mapping, in RFC 5733, as password-based authorization information. Other authorization mechanisms can be used, but in practice the password-based authorization information has been used at the time of object create, managed with the object update, and used to authorize an object transfer request. What has not been fully considered is the security of the authorization information that includes the complexity of the authorization information, the time-to-live (TTL) of the authorization information, and where and how the authorization information is stored. This document defines an operational practice, using the EPP RFCs, that leverages the use of strong random authorization information values that are short-lived, that are not stored by the client, and that are stored using a cryptographic hash by the server to provide for secure authorization information used for transfers.


James Gould (jgould@verisign.com)
Richard Wilhelm (rwilhelm@verisign.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)