Re: [regext] Fwd: New Version Notification for draft-loffredo-regext-epp-over-http-03.txt

2024-02-22 Thread Mario Loffredo
On 22/02/2024 16:00, Hollenbeck, Scott wrote: Mario, allow me to make a minor adjustment to my suggestion: “Servers MUST implement at least one method of access control that limits server connection access to only authorized clients. Implementation of multiple access control methods is

Re: [regext] Fwd: New Version Notification for draft-loffredo-regext-epp-over-http-03.txt

2024-02-22 Thread Hollenbeck, Scott
Mario, allow me to make a minor adjustment to my suggestion: “Servers MUST implement at least one method of access control that limits server connection access to only authorized clients. Implementation of multiple access control methods is RECOMMENDED.” We need to be clear that

Re: [regext] Fwd: New Version Notification for draft-loffredo-regext-epp-over-http-03.txt

2024-02-22 Thread Mario Loffredo
Hi Scott, On 22/02/2024 13:54, Hollenbeck, Scott wrote: I understand that there are options available for client authentication, and that this isn’t necessarily easy for clients. However, there are known attacks that can be perpetrated against servers that allow TCP or TLS connections

Re: [regext] Fwd: New Version Notification for draft-loffredo-regext-epp-over-http-03.txt

2024-02-22 Thread Hollenbeck, Scott
> -Original Message-
> From: Andrew Newton (andy)
> Sent: Thursday, February 22, 2024 7:10 AM
> To: Mario Loffredo
> Cc: Hollenbeck, Scott ; regext@ietf.org
> Subject: [EXTERNAL] Re: [regext] Fwd: New Version Notification for draft-loffredo-regext-epp-over-http-03.txt
>
> Caution:

Re: [regext] Fwd: New Version Notification for draft-loffredo-regext-epp-over-http-03.txt

2024-02-22 Thread Hollenbeck, Scott
I understand that there are options available for client authentication, and that this isn’t necessarily easy for clients. However, there are known attacks that can be perpetrated against servers that allow TCP or TLS connections from unauthorized clients. One example is described here:

Re: [regext] Fwd: New Version Notification for draft-loffredo-regext-epp-over-http-03.txt

2024-02-22 Thread Andrew Newton (andy)
I am not in favor of weakening the security posture of EPP. If one security mechanism is to be downgraded from a MUST to a SHOULD, there needs to be a replacement of it with another security mechanism that is a MUST which keeps the security posture of EPP at the same or greater level. -andy On