ICANN/DNSO
DNSO Mailing lists archives

[nc-transfer]


<<< Chronological Index >>>    <<< Thread Index >>>

[nc-transfer] AuthInfo Overview


Please find attached an overview of the AuthInfo facility that the EPP-based
registries support. This was prepared for review by Rick Wesson and includes
some very reasonable recommendations that we need to consider.

-rwr



  • To: "Ross Wm. Rader" <ross@tucows.com>
  • Subject: AuthInfo
  • From: Rick H Wesson <wessorh@ar.com>
  • Date: Mon, 25 Feb 2002 10:05:28 -0800 (PST)
  • cc: <rick@ar.com>
  • Delivery-date: Mon, 25 Feb 2002 13:05:34 -0500
  • Envelope-to: rwmrader@toronto.mail.tucows.com

Ross,

Per your request, a backgrounder on AuthInfo. Please pass this on to the
Transfers TaskForce.

thanks,

-rick

---------------------------- cut here -----------------------------

Transfers TF:


AuthInfo is a required parameter, used in EPP, in the creation of Contact
and Domain objects in a thick EPP registry. The AuthInfo of type PW [for
password] is a clear text string of unbounded length in the EPP spec;
registries may bound the length of the clear text password. A lower bound
of 6 characters is common in some EPP registries.

The writers of the EPP Internet-Drafts wanted to provide a mechanism for
registrants to express authorization for transfer commands. The IETF
working group did not concern itself with the operational conditions under
which registrars would have to divulge to registrants what their AuthInfo
was. The authors expressly assumed that the AuthInfo would come from a
registrant and not be generated or randomly assigned by a registrar.

There is also one danger with AuthInfo: if a registrar goes out of
business and registrants can no longer acquire their AuthInfo, and the
registrar had assigned the AuthInfo randomly, there is no currently
defined mechanism for the registrant to acquire the AuthInfo, which is
required to initiate the transfer of the object. Registrants must know
their AuthInfo.

Registrars have used the AuthInfo element in creating contacts and domains
in two fundamentally different ways, neither of which AuthInfo was designed
for. The first is a registrar that assigns a randomly generated AuthInfo
for each registration. The second is a registrar that creates all domains
with the same AuthInfo.

In the first case the registrar needs to communicate the AuthInfo to the
registrant; in the second case the registrar needs to update the domain
with a new AuthInfo and then communicate it back to the registrant. Most
registrars have not yet created the facilities to communicate the
associated AuthInfo back to their registrants, and most registrants don't
even know that these new passwords are required until attempting to
transfer a domain in an EPP registry.

The intended way a registrar should use the AuthInfo is to use the same
password associated with account access as the AuthInfo when creating
domains or contacts. Most but not all registrars have some way of
authorizing access to their web sites for domain management functions. If
this same clear text password is used, then the registrant already knows
their AuthInfo for their domains. There are some reseller chains that
don't use such models, and the above recommendation breaks down in long
reseller chains.

In the event other security models are required, the EPP spec can be
extended to accommodate such things as X.509 certificates or XML-Signature;
however, registrars and registrants must first learn how to use the clear
text password before we go designing more complex authorization schemes to
accommodate long reseller chains.

I hope this note clears some of the confusion on AuthInfo. Some
recommendations this group may wish to consider:

   o Request the IETF provreg working group to come up with a BCP for
     using EPP in domain registrars and registries.

   o Request an educational program to educate registrants about the new
     security measures in EPP-based registries.

Thanks for the opportunity to discuss the difficulties some have with new
authorization techniques in thick EPP registries with the Transfers
Task Force. It is my sincerest hope that the authorization mechanism in
EPP can facilitate transfers and help foster a competitive registrar
market.

best regards,

-rick

Rick Wesson
CEO, Alice's Registry, Inc.
CTO, Registrars Constituency
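The AuthInfo mechanics the message describes, as an added illustration that is not part of the original post, of the IETF drafts it discusses, or of any registry's or registrar's software. It builds the two domain commands in which the <pw> travels (a <create>, where the spec makes it mandatory, and a <transfer op="request"> from the gaining registrar), checks a password against a registry length policy, and audits a registrar's registrations for the "one AuthInfo on every domain" practice. Assumptions: the XML namespaces are those later published in RFC 5730/5731 (the 2002 Internet-Drafts used other URIs), the 32-character upper bound is an assumed registry policy, and every domain name, contact id, password and transaction id is constructed sample data.

```python
"""EPP AuthInfo in domain <create> and <transfer> commands (added example)."""
import secrets
import string
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"        # assumption: RFC 5730 URI
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"  # assumption: RFC 5731 URI
ET.register_namespace("", EPP_NS)
ET.register_namespace("domain", DOMAIN_NS)


def check_authinfo(pw, min_len=6, max_len=32):
    """Return None if pw meets the registry length policy, else the reason.

    The spec leaves the length unbounded and registries bound it themselves;
    a minimum of 6 is the common bound the post mentions, 32 is assumed."""
    if not pw:
        return "authInfo is required and must not be empty"
    if len(pw) < min_len:
        return "authInfo shorter than %d characters" % min_len
    if len(pw) > max_len:
        return "authInfo longer than %d characters" % max_len
    return None


def new_random_authinfo(length=16):
    """Per-domain AuthInfo from a CSPRNG (the 'random per registration'
    practice); the registrar must then hand it to the registrant, or nobody
    can authorise a transfer once the registrar is gone."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _dom(tag):
    return "{%s}%s" % (DOMAIN_NS, tag)


def _add_auth_info(parent, pw):
    auth = ET.SubElement(parent, _dom("authInfo"))
    ET.SubElement(auth, _dom("pw")).text = pw


def _command(verb, body, cltrid, **attrs):
    """Wrap an object-specific element in the <epp><command> envelope."""
    epp = ET.Element("{%s}epp" % EPP_NS)
    command = ET.SubElement(epp, "{%s}command" % EPP_NS)
    wrapper = ET.SubElement(command, "{%s}%s" % (EPP_NS, verb), **attrs)
    wrapper.append(body)
    ET.SubElement(command, "{%s}clTRID" % EPP_NS).text = cltrid
    return ET.tostring(epp, encoding="unicode")


def domain_create(name, registrant, pw, years=1, cltrid="ABC-12345"):
    """<create> for a domain object; AuthInfo is mandatory at creation."""
    reason = check_authinfo(pw)
    if reason:
        raise ValueError(reason)
    body = ET.Element(_dom("create"))
    ET.SubElement(body, _dom("name")).text = name
    ET.SubElement(body, _dom("period"), unit="y").text = str(years)
    ET.SubElement(body, _dom("registrant")).text = registrant
    _add_auth_info(body, pw)
    return _command("create", body, cltrid)


def domain_transfer_request(name, pw, cltrid="ABC-12346"):
    """<transfer op="request"> from the gaining registrar, carrying the
    AuthInfo the registrant supplied; the registry compares it with the
    value stored on the object before starting the transfer."""
    body = ET.Element(_dom("transfer"))
    ET.SubElement(body, _dom("name")).text = name
    _add_auth_info(body, pw)
    return _command("transfer", body, cltrid, op="request")


def authinfo_in(xml_text):
    """Extract the domain <pw> from a command, as the registry would."""
    root = ET.fromstring(xml_text)
    pw = root.find(".//%s/%s" % (_dom("authInfo"), _dom("pw")))
    return None if pw is None else pw.text


def shared_authinfo(registrations):
    """Audit {domain: pw} for the 'same AuthInfo on every domain' pattern.

    Returns {pw: [domains]} for each password used on more than one domain:
    one such value, once disclosed, authorises transfers of all of them."""
    by_pw = {}
    for domain, pw in registrations.items():
        by_pw.setdefault(pw, []).append(domain)
    return {pw: sorted(ds) for pw, ds in by_pw.items() if len(ds) > 1}


if __name__ == "__main__":
    # constructed sample: two domains created with one shared password
    regs = {"alpha.example": "SamePW01", "beta.example": "SamePW01",
            "gamma.example": new_random_authinfo()}
    print(domain_create("gamma.example", "sh8013", regs["gamma.example"]))
    print(domain_transfer_request("gamma.example", regs["gamma.example"]))
    print("shared AuthInfo:", shared_authinfo(regs))
```

Run it directly to see the two messages side by side; `shared_authinfo` reports the two constructed domains that share "SamePW01", which is exactly the registrar-side condition the post says forces an update of the domain's AuthInfo before a transfer can be authorised.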

