
Last Call Review of draft-ietf-regext-login-security-05
review-ietf-regext-login-security-05-genart-lc-carpenter-2019-11-02-00

Request: Review of draft-ietf-regext-login-security
Requested revision: No specific revision (document currently at 10)
Type: Last Call Review
Team: General Area Review Team (Gen-ART) (genart)
Deadline: 2019-11-12
Requested: 2019-10-29
Authors: James Gould, Matthew Pozun
I-D last updated: 2019-11-02
Completed reviews: Genart Last Call review of -05 by Brian E. Carpenter
                   Opsdir Last Call review of -06 by Carlos Pignataro
Assignment: Reviewer Brian E. Carpenter
State: Completed
Request: Last Call review on draft-ietf-regext-login-security by General Area Review Team (Gen-ART), state Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/gen-art/z7yn4U1SFu4uYtnll5so_9y73ww
Reviewed revision: 05 (document currently at 10)
Result: Ready w/issues
Completed: 2019-11-02
Gen-ART Last Call review of draft-ietf-regext-login-security-05

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-regext-login-security-05.txt
Reviewer: Brian Carpenter
Review Date: 2019-11-03
IETF LC End Date: 2019-11-12
IESG Telechat date:  

Summary: Ready with minor issues
--------

Minor issues:
-------------

I found section 2 "Migrating to Newer Versions of This Extension"
a little hard to follow. Firstly, am I correct in assuming that
"a new version" means a version number higher than 1.0, e.g.
"loginSec-1.1"? That is probably the intended meaning, but I think
it needs to be explicit. Maybe state that this document defines
"loginSec-1.0" and future documents can define other minor and major
versions such as "loginSec-1.1" or "loginSec-2.0".  

Then "(for a temporary migration period)" is a bit vague. I think
it would be useful to suggest the order of magnitude of the overlap
period: days?, months?; hopefully not years.

I also think a short discussion of adding & removing versions is
needed in the Security Considerations, since the reason for a new
version might be the discovery of a vulnerability in the current
version. That's when a short migration period is desirable.

FYI, there are some other extension design considerations in
https://tools.ietf.org/html/rfc6709#section-4 .

Nits:
-----

"1.  Introduction

   This document describes an Extensible Provisioning Protocol (EPP)
   extension for enhancing the security of the EPP login command in EPP
   RFC 5730.  The enhancements include supporting longer passwords (or
   passphrases) than the 16-character maximum and providing a list of
   security events in the login response.  The password (current and
   new) in EPP RFC 5730 can be overridden..."

"RFC 5730" should either be in parentheses as "(RFC 5730)" or
a reference "[RFC5730]" (twice).
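
The version selection and migration window that the review above asks the draft to spell out, as an added illustration (not code from draft-ietf-regext-login-security or its authors). It assumes that the server greeting lists supported extensions as <extURI> elements under <svcExtension>, as in the RFC 5730 greeting, and that the extension version is carried in the namespace URI as "loginSec-<major>.<minor>" in the form RFC 8807 later used ("urn:ietf:params:xml:ns:epp:loginSec-1.0"); the -05 draft under review may use a different URI. The greeting XML and the dates are constructed for the example.

```python
"""
Choosing a loginSec extension version at EPP login, and a server-side
migration window between two versions.

Added example, not code from the draft or its authors.  Assumptions:
  - the greeting advertises extensions as <svcExtension><extURI> (RFC 5730);
  - the version is encoded in the URI as "loginSec-<major>.<minor>", using
    the RFC 8807 URI form; the -05 draft may differ.
The greeting below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
LOGINSEC_URI_PREFIX = "urn:ietf:params:xml:ns:epp:loginSec-"  # assumed URI form
VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")

# Constructed greeting for a server inside the migration window: it offers
# the current version (1.0) and a newer minor version (1.1) side by side.
GREETING_MIGRATION = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <greeting>
    <svID>EPP server (constructed example)</svID>
    <svDate>2019-11-02T00:00:00.0Z</svDate>
    <svcMenu>
      <version>1.0</version>
      <lang>en</lang>
      <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
      <svcExtension>
        <extURI>urn:ietf:params:xml:ns:epp:loginSec-1.0</extURI>
        <extURI>urn:ietf:params:xml:ns:epp:loginSec-1.1</extURI>
        <extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
      </svcExtension>
    </svcMenu>
  </greeting>
</epp>"""


def advertised_versions(greeting_xml):
    """Return the sorted (major, minor) loginSec versions a greeting offers."""
    root = ET.fromstring(greeting_xml)
    versions = []
    for ext in root.iterfind(".//epp:svcExtension/epp:extURI", {"epp": EPP_NS}):
        uri = (ext.text or "").strip()
        if not uri.startswith(LOGINSEC_URI_PREFIX):
            continue  # some other extension (secDNS above); ignore it
        m = VERSION_RE.match(uri[len(LOGINSEC_URI_PREFIX):])
        if m:
            versions.append((int(m.group(1)), int(m.group(2))))
    return sorted(versions)


def choose_version(server_versions, client_versions):
    """Highest version both sides implement, or None.

    The client only picks versions it explicitly implements; it never
    "rounds down" a server-offered 2.0 to its own 1.x, since a major
    version change is taken to be incompatible.  None means: do not log in
    with the extension at all, rather than silently falling back.
    """
    common = set(server_versions) & set(client_versions)
    return max(common) if common else None


def login_ext_uri(version):
    """URI the client lists in <svcExtension> of its own <login> command."""
    return f"{LOGINSEC_URI_PREFIX}{version[0]}.{version[1]}"


def server_offer(today, old, new, new_from, old_until):
    """Versions the server advertises on `today` (ISO dates) for old -> new.

    Before new_from only `old` is offered; from new_from through old_until
    both; after old_until only `new`.  A window of days suits withdrawing
    `old` for a vulnerability; months suits a routine upgrade.
    """
    t, nf, ou = (date.fromisoformat(s) for s in (today, new_from, old_until))
    offered = []
    if t <= ou:
        offered.append(old)
    if t >= nf:
        offered.append(new)
    return sorted(offered)


if __name__ == "__main__":
    offered = advertised_versions(GREETING_MIGRATION)
    print("server offers:", offered)
    for client in ([(1, 0)], [(1, 0), (1, 1)]):
        v = choose_version(offered, client)
        print(client, "->", login_ext_uri(v) if v else "no common version")
    # After the window closes, a client still on 1.0 is locked out.
    late = server_offer("2019-12-01", (1, 0), (1, 1), "2019-11-02", "2019-11-30")
    print("after window:", late, "->", choose_version(late, [(1, 0)]))
```

The last lines show the failure mode the review points at: once the server drops the old version at the end of the window, a client that only implements that version gets no common version and must refuse to log in with the extension rather than fall back to an unextended login.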