Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer
draft-gould-regext-secure-authinfo-transfer-02

Document Type Active Internet-Draft (individual)
Last updated 2019-08-05
Stream (None)
Intended RFC status (None)
Formats plain text xml pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                           J. Gould
Internet-Draft                                                R. Wilhelm
Intended status: Best Current Practice                    VeriSign, Inc.
Expires: February 6, 2020                                 August 5, 2019

Extensible Provisioning Protocol (EPP) Secure Authorization Information
                              for Transfer
             draft-gould-regext-secure-authinfo-transfer-02

Abstract

   The Extensible Provisioning Protocol (EPP), in RFC 5730, defines the
   use of authorization information to authorize a transfer.  The
   authorization information is object-specific and has been defined in
   the EPP Domain Name Mapping, in RFC 5731, and the EPP Contact
   Mapping, in RFC 5733, as password-based authorization information.
   Other authorization mechanisms can be used, but in practice the
   password-based authorization information has been used at the time of
   object create, managed with the object update, and used to authorize
   an object transfer request.  What has not been fully considered is
   the security of the authorization information that includes the
   complexity of the authorization information, the time-to-live (TTL)
   of the authorization information, and where and how the authorization
   information is stored.  This document defines an operational
   practice, using the EPP RFCs, that leverages the use of strong random
   authorization information values that are short-lived, that are not
   stored by the client, and that are stored using a cryptographic hash
   by the server to provide for secure authorization information used
   for transfers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 6, 2020.

Gould & Wilhelm         Expires February 6, 2020                [Page 1]
Internet-Draft          secure-transfer-authinfo             August 2019

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Conventions Used in This Document . . . . . . . . . . . .   4
   2.  Registrant, Registrar, Registry . . . . . . . . . . . . . . .   4
   3.  Secure Authorization Information  . . . . . . . . . . . . . .   5
     3.1.  Secure Random Authorization Information . . . . . . . . .   6
     3.2.  Authorization Information Time-To-Live (TTL)  . . . . . .   7
     3.3.  Authorization Information Storage and Transport . . . . .   7
   4.  Create, Transfer, and Secure Authorization Information  . . .   7
     4.1.  Create Command  . . . . . . . . . . . . . . . . . . . . .   8
     4.2.  Update Command  . . . . . . . . . . . . . . . . . . . . .  10
     4.3.  Info Command and Response . . . . . . . . . . . . . . . .  14
     4.4.  Transfer Request Command  . . . . . . . . . . . . . . . .  14
   5.  Implementation Status . . . . . . . . . . . . . . . . . . . .  15
     5.1.  Verisign EPP SDK  . . . . . . . . . . . . . . . . . . . .  16
     5.2.  RegistryEngine EPP Service  . . . . . . . . . . . . . . .  16
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  17
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  17
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  17
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  17
     8.2.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .  18
   Appendix A.  Change History . . . . . . . . . . . . . . . . . . .  18
     A.1.  Change from 00 to 01  . . . . . . . . . . . . . . . . . .  18
     A.2.  Change from 01 to 02  . . . . . . . . . . . . . . . . . .  18
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  18
Show full document text