Abbreviation: EPP
Purpose: Automated domain name transactions like registrations and renewals
Developer(s): Scott Hollenbeck, Internet Engineering Task Force (IETF)
Introduced: 2009
Port(s): 700
History
The first protocol drafts were published as IETF individual submission Internet Draft documents by Scott Hollenbeck of Verisign in November 2000.[2] The individual submission documents were adopted by the IETF Provisioning Registry (provreg) working group, which was created after a BoF session was held at IETF-49 in December 2000.[3] Proposed Standard documents (RFCs 3730 - 3734) were published by the RFC Editor in March 2004.[4] Draft Standard documents (RFCs 4930 - 4934) were published in May 2007.[5]
In August 2009, the IETF granted EPP the status of full standard as STD 69.[6]
The first EPP extension that became a proposed standard was the redemption grace period extension from RFC 3915 in September 2004.[7] Since then, a number of different proposed standard extensions have followed.[8]
Adoption
The protocol has been adopted by a number of ccTLD domain name registries, such as: .ac, .ag, .ai, .as, .ar, .at, .au, .be, .br, .bz, .ca, .cat, .cc, .ch, .cl, .cn, .co, .cr, .cx, .cz, .dk, .dm, .ee, .es (over HTTPS), .eu, .fi, .fm, .fr, .gg, .gr (over HTTPS), .gs, .hn, .ht, .il, .im, .in, .io, .it (over HTTPS), .je, .ke, .ki, .ky, .kz, .la, .lc, .li, .lt, .lu, .lv, .md, .me, .mk, .mn, .ms, .mu, .mx, .na, .nf, .ng, .nl, .no, .nu, .nz, .pe, .pk, .pl (over HTTPS), .ps, .pt, .ru, .ro, .sc, .se, .sh, .si, .su, .tl, .tm, .tv, .tw, .ua, .uk, .us, .vc, .ve and .za, as well as ENUM registries such as those operating the +31, +41, +43, +44 and +48 country codes.[9]
ICANN has made offering an EPP service a condition of its base registry contract; therefore, every gTLD has adopted the protocol.[10]
There are multiple open source implementations of EPP server software. The Council of Country Code Administrators (CoCCA) maintains EPP server software that is used by around 59 ccTLDs and 6 gTLDs.[11] Another open source implementation is FRED (maintained by CZ.NIC), which counts 11 ccTLDs as its users.[12]
Extensions
The protocol offers the ability to send an extension object on almost every possible command to enable registries to add new functionality without changing the base commands.[1]
A few standardized extensions are used by many registries. These include extensions for DNSSEC,[17] IDN,[18] premium domain names,[19] domain restoration (RGP)[7] and extensions to handle the launch of new TLDs,[20] among other things.[8]
Some registries have also developed extensions that are specific to their TLDs. A common use case for non-standardized extensions is the collection of extra data that is needed to create a domain, for example a VAT identification number.[8]
Security considerations
EPP only offers plain-text passwords. Additionally, the EPP login password type is specified as a string of 6-16 characters,[1] which might be considered very low by today's standards. Connections over TCP must therefore use TLS, and the use of client certificates as well as correct identity confirmation of the client and server is strongly encouraged.[21]
Additionally, many domain name registries offer to set up an IP whitelist for connecting to their EPP servers.
EPP offers some protection against replay attacks via the client-generated clTRID; however, this element is optional and is therefore not used by every server software. Additional anti-replay mechanisms should therefore be implemented by the transport mechanism in use.[1]
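The two weak spots named above, the 6-16 character password and the optional clTRID, can be checked on the receiving side. The following is an added example, not code from the article or from any registry's software; `CommandAuditor`, `make_login`, the registrar identifiers and the policy of tracking each client's clTRID values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
NS = {"e": EPP_NS}

def make_login(cl_id, pw, cl_trid=None):
    """Constructed sample: a minimal <login> command, not schema-complete."""
    trid = f"<clTRID>{escape(cl_trid)}</clTRID>" if cl_trid else ""
    return (f'<epp xmlns="{EPP_NS}"><command><login>'
            f"<clID>{escape(cl_id)}</clID><pw>{escape(pw)}</pw>"
            f"</login>{trid}</command></epp>")

class CommandAuditor:
    """Hypothetical check for commands received over an authenticated TLS session."""

    def __init__(self):
        # (client, clTRID) pairs already accepted; a deployment would bound
        # this by time window or session instead of keeping it forever.
        self.seen = set()

    def audit(self, client, xml_text):
        findings = []
        cmd = ET.fromstring(xml_text).find("e:command", NS)
        if cmd is None:
            return ["not-a-command"]
        # Password length as specified for the login password type.
        pw = cmd.findtext("e:login/e:pw", namespaces=NS)
        if pw is not None and not 6 <= len(pw) <= 16:
            findings.append("pw-length-outside-6-16")
        # clTRID is optional, so its absence is reported, not assumed away.
        trid = cmd.findtext("e:clTRID", namespaces=NS)
        if trid is None:
            findings.append("no-clTRID")
        elif (client, trid) in self.seen:
            findings.append("replayed-clTRID")
        else:
            self.seen.add((client, trid))
        return findings

if __name__ == "__main__":
    auditor = CommandAuditor()
    msg = make_login("registrar-a", "s3cretpw", "ABC-0001")
    print(auditor.audit("registrar-a", msg))
    print(auditor.audit("registrar-a", msg))
    print(auditor.audit("registrar-a", make_login("registrar-a", "short")))
```

Keying the seen set on the client identity as well as the clTRID keeps one registrar's identifiers from colliding with another's.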