Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 20 February 2024 23:05 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>, Esko Dijk <esko.dijk@iotconsultancy.nl>, "rwilton@cisco.com" <rwilton@cisco.com>, "anima@ietf.org" <anima@ietf.org>
Message-ID: <2368.1708470295@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/m9DhqwqCH_GiKN3fi6J0ASuuYPc>
I have opened two pull requests in github against the text that was there. The goal is not to merge this, it's an RFC already, but rather to permit github to be used for wordsmithing efforts.

https://www.rfc-editor.org/errata/eid6648
https://github.com/anima-wg/anima-bootstrap/pull/151/files

Pledge->Registrar:

    Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is REQUIRED on the pledge side. TLS 1.3 (or newer) SHOULD be available on the registrar server interface, and the registrar client interface, but TLS 1.2 MAY be used. When TLS 1.3 is used the use of Server Name Indicator (SNI, [RFC6066]) is not required, per RFC8446 section 9.2, this specification is an application profile specification. A pledge connects to the Registrar using only an IP address and it will not have any idea of a correct SNI value. This also implies that the Registrar interface may not be virtual hosted using SNI.

{I have no problem with changing "not required" in 6648 to say, "is ignored by Registrar upon receipt", as brski-cloud requires the pledge to include the SNI}

{note that the errata says it is to section 5.4, but it's to section 5.1!}

https://www.rfc-editor.org/errata/eid6642
https://github.com/anima-wg/anima-bootstrap/pull/150/files

Registrar->MASA:

    TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED if TLS 1.3 is not available. The Server Name Indicator (SNI) is required when the Registrar communicates with the MASA in order for the MASA to be hosted in a modern multi-tenant TLS infrastructure.

This way, you can use the github "Suggest" text.

-- 
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide