Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer
draft-ietf-regext-secure-authinfo-transfer-01

Type: Active Internet-Draft (regext WG)
Last updated: 2020-04-23
Replaces: draft-gould-regext-secure-authinfo-transfer
Stream: IETF
Intended RFC status: Best Current Practice
WG state: WG Document (wg milestone: Jul 2020 - Submit for publicati... )
Document shepherd: Jody Kolker
IESG state: I-D Exists
Consensus Boilerplate: Yes
Responsible AD: (None)
Send notices to: Jody Kolker <jkolker@godaddy.com>
Network Working Group                                           J. Gould
Internet-Draft                                                R. Wilhelm
Intended status: Best Current Practice                    VeriSign, Inc.
Expires: October 25, 2020                                 April 23, 2020

Extensible Provisioning Protocol (EPP) Secure Authorization Information
                              for Transfer
             draft-ietf-regext-secure-authinfo-transfer-01

Abstract

   The Extensible Provisioning Protocol (EPP), in RFC 5730, defines the
   use of authorization information to authorize a transfer.  The
   authorization information is object-specific and has been defined in
   the EPP Domain Name Mapping, in RFC 5731, and the EPP Contact
   Mapping, in RFC 5733, as password-based authorization information.
   Other authorization mechanisms can be used, but in practice the
   password-based authorization information has been used at the time of
   object create, managed with the object update, and used to authorize
   an object transfer request.  What has not been fully considered is
   the security of the authorization information, which includes its
   complexity, its time-to-live (TTL), and where and how it is stored.
   This document defines an operational practice, using the EPP RFCs,
   that relies on strong random authorization information values that
   are short-lived, that are not stored by the client, and that are
   stored using a cryptographic hash by the server to provide for
   secure authorization information used
   for transfers.
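
   The practice summarized in the abstract, as an added example that is
   not part of the draft or of any registry implementation: the client
   generates a random value and does not keep it, the server stores only
   a salted hash with an expiry, and a transfer request is matched
   against that hash.  The 128-bit value size, salted SHA-256, the
   14-day TTL, expiry checked at match time, and all names are
   assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 14 * 24 * 3600  # assumed lifetime; not a value taken from the draft
STORE = {}                    # hypothetical server-side table: object name -> record


def generate_authinfo(nbytes=16):
    """Client side: fresh random value (16 bytes = 128 bits, an assumed size).

    The caller hands it to the registrant and to the server, then discards it.
    """
    return secrets.token_urlsafe(nbytes)


def set_authinfo(name, authinfo, now=None):
    """Server side: keep salt, hash and expiry only, never the clear text."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + authinfo.encode()).digest()
    STORE[name] = {"salt": salt, "hash": digest, "expires": now + TTL_SECONDS}


def authorize_transfer(name, presented, now=None):
    """Match the value presented in a transfer request against the stored hash."""
    now = time.time() if now is None else now
    rec = STORE.get(name)
    # An unset or empty value must never authorize a transfer.
    if rec is None or not presented:
        return False
    # Expired values are removed so they cannot be matched later.
    if now >= rec["expires"]:
        del STORE[name]
        return False
    candidate = hashlib.sha256(rec["salt"] + presented.encode()).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, rec["hash"])


if __name__ == "__main__":
    value = generate_authinfo()
    set_authinfo("example.com", value)  # constructed sample object name
    print(authorize_transfer("example.com", value))
    print(authorize_transfer("example.com", "guess"))
```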

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 25, 2020.

Gould & Wilhelm         Expires October 25, 2020                [Page 1]
Internet-Draft          secure-transfer-authinfo              April 2020

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Conventions Used in This Document . . . . . . . . . . . .   4
   2.  Registrant, Registrar, Registry . . . . . . . . . . . . . . .   5
   3.  Signaling Client and Server Support . . . . . . . . . . . . .   6
   4.  Secure Authorization Information  . . . . . . . . . . . . . .   7
     4.1.  Secure Random Authorization Information . . . . . . . . .   7
     4.2.  Authorization Information Time-To-Live (TTL)  . . . . . .   8
     4.3.  Authorization Information Storage and Transport . . . . .   8
     4.4.  Authorization Information Matching  . . . . . . . . . . .   9
   5.  Create, Transfer, and Secure Authorization Information  . . .   9
     5.1.  Create Command  . . . . . . . . . . . . . . . . . . . . .  10
     5.2.  Update Command  . . . . . . . . . . . . . . . . . . . . .  12
     5.3.  Info Command and Response . . . . . . . . . . . . . . . .  15
     5.4.  Transfer Request Command  . . . . . . . . . . . . . . . .  16
   6.  Transition Considerations . . . . . . . . . . . . . . . . . .  17
     6.1.  Transition Phase 1 - Features . . . . . . . . . . . . . .  19
     6.2.  Transition Phase 2 - Storage  . . . . . . . . . . . . . .  19
     6.3.  Transition Phase 3 - Enforcement  . . . . . . . . . . . .  20
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  20
     7.1.  XML Namespace . . . . . . . . . . . . . . . . . . . . . .  20
     7.2.  EPP Extension Registry  . . . . . . . . . . . . . . . . .  21
   8.  Implementation Status . . . . . . . . . . . . . . . . . . . .  21
     8.1.  Verisign EPP SDK  . . . . . . . . . . . . . . . . . . . .  22
     8.2.  RegistryEngine EPP Service  . . . . . . . . . . . . . . .  22