Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 11 March 2015 07:35 UTC
Date: Wed, 11 Mar 2015 07:35:14 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09
Message-ID: <20150311073514.GK18819@mournblade.imrryr.org>
References: <tsltwxtauij.fsf@mit.edu> <006c01d05b3c$c44eac40$4001a8c0@gateway.2wire.net> <20150311071559.GC8717@elstar.local>
In-Reply-To: <20150311071559.GC8717@elstar.local>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/-yHYMA0ZVimAG9Pm-Pft2sWmpPc>
On Wed, Mar 11, 2015 at 08:15:59AM +0100, Juergen Schoenwaelder wrote:

> > The I-D specifies fingerprint of the certificate so that is specified.
> >
> > Normalisation is not specified and is an interesting point; as you say,
> > something to be considered.

The certificate should not be normalized.  Rather the "locally
configured" fingerprint needs to match the certificate as it is
expected to be presented.

> The model follows RFC 6353 (STD 78) and I am not aware of any issues
> that were reported against STD 78 because fingerprints do have issues
> with being ambiguous. So are we talking about a real-world problem or
> a problem that could exist in theory?

Since the fingerprint is configured via some out-of-band process
that establishes authorized access for the holders of the associated
private keys, its representation is largely irrelevant.  Any strong
cryptographic binding of the certificate (or bare public key) will do.

In particular the draft should mention that fingerprints of raw
public keys are also acceptable (and might some day even be used
directly on the wire per RFC 7250).

FWIW, the Postfix MTA has supported authentication of remote SMTP
clients and servers by certificate fingerprint (since 2005 and 2008
respectively) and also by public key (SPKI) fingerprint (since 2012).
No normalization of the certificate is performed; the ASN.1 form of
the certificate is as encoded by the peer.

-- 
	Viktor.
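The two bindings discussed above, a hash over the certificate DER exactly as the peer presented it and a hash over its SubjectPublicKeyInfo, as an added Go example that is not part of this thread, of the draft, or of Postfix. The Ed25519 key (fixed all-zero seed) and the two self-signed certificates are constructed test fixtures; the point shown is that re-issuing a certificate for the same key changes the certificate fingerprint but not the SPKI fingerprint, and that neither requires re-encoding the peer's bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// Fingerprints: SHA-256 over the certificate DER exactly as the peer sent it
// (no normalization) and over its DER SubjectPublicKeyInfo (SPKI).
type Fingerprints struct{ Cert, SPKI string }

// FingerprintDER hashes the received bytes; parsing only locates the SPKI
// substring inside them and never re-encodes anything.
func FingerprintDER(der []byte) (Fingerprints, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Fingerprints{}, err
	}
	c, s := sha256.Sum256(cert.Raw), sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return Fingerprints{hex.EncodeToString(c[:]), hex.EncodeToString(s[:])}, nil
}

// Matches compares a locally configured hex fingerprint with a computed one in constant time.
func Matches(configured, computed string) bool {
	w, err := hex.DecodeString(configured)
	g, _ := hex.DecodeString(computed)
	return err == nil && subtle.ConstantTimeCompare(w, g) == 1
}

// TwoCertsOneKey is a constructed fixture: two self-signed certs with different
// serials for one Ed25519 key (all-zero seed, never a real key): Cert differs, SPKI does not.
func TwoCertsOneKey() (a, b Fingerprints, err error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	for i, out := range []*Fingerprints{&a, &b} {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)),
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
		if *out, err = FingerprintDER(der); err != nil { // nil der fails here too
			return
		}
	}
	return
}
```

A "locally configured" value can therefore be either fingerprint; an operator who configures the SPKI fingerprint does not have to touch the configuration when the certificate is renewed with the same key.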