Re: [Isms] Status of IESG-review changes for draft-ietf-isms-dtls-tm
Wes Hardaker <wjhns1@hardakers.net> Thu, 06 May 2010 04:49 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: isms@core3.amsl.com
Delivered-To: isms@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C124B28C0D9; Wed, 5 May 2010 21:49:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.425
X-Spam-Level:
X-Spam-Status: No, score=-2.425 tagged_above=-999 required=5 tests=[AWL=0.174, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cfrzoctiT96z; Wed, 5 May 2010 21:49:16 -0700 (PDT)
Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id 579CA28C0D6; Wed, 5 May 2010 21:49:16 -0700 (PDT)
Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 931D79827E; Wed, 5 May 2010 21:49:02 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: David Harrington <ietfdbh@comcast.net>
Organization: Sparta
References: <sdaase140y.fsf@wjh.hardakers.net> <097301caeca7$c385a650$0600a8c0@china.huawei.com> <sdhbmmx7eg.fsf@wjh.hardakers.net> <097801caecad$61936f30$0600a8c0@china.huawei.com>
Date: Wed, 05 May 2010 21:49:02 -0700
In-Reply-To: <097801caecad$61936f30$0600a8c0@china.huawei.com> (David Harrington's message of "Wed, 5 May 2010 19:47:54 -0400")
Message-ID: <sdvdb1vdmp.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: iesg@ietf.org, isms@ietf.org
Subject: Re: [Isms] Status of IESG-review changes for draft-ietf-isms-dtls-tm
X-BeenThere: isms@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/isms>
List-Post: <mailto:isms@ietf.org>
List-Help: <mailto:isms-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 May 2010 04:49:17 -0000
>>>>> On Wed, 5 May 2010 19:47:54 -0400, "David Harrington" <ietfdbh@comcast.net> said: >> I'd love to see a case that points out where something isn't >> deterministic given the existing specifications. Please provide! DH> My concerns are not about deterministic; they are about DH> interoperability. Ah; then I'd love to have the concerns explained! More specifically, I haven't heard a description of an actual problem (and I love to fix problems, but I can't do so without the described complaint ;-). The only issue I have in my head is that an operator MAY create a situation where multiple certificates all map to a given tmSecurityName. This is possible a feature in their eyes, but it could be done by mistake. But certificates already contain this problem as if you have two CAs as trust anchors there is nothing that says the CommonName or any other value in a certificate can't conflict between the two CAs. IE, the problem isn't unique to SNMP. What operators should do is avoid those situations and ensure they understand and trust their CA's publication policies. DH> PKIX would not be the right place to define how to ***map them to DH> SNMPv3*** security levels. I think I misread a sentence early on and I apologize for that because I missed the original point. Defining a mapping table to security levels is technically possible and would probably look something close to: |------------------------------+-------------------------------| | TLS Suite (index(es)) | securityLevel (output column) | |------------------------------+-------------------------------| | TLS_RSA_WITH_AES_128_CBC_SHA | authPriv | | TLS_NULL_WITH_NULL_NULL | noAuthNoPriv | | TLS_RSA_WITH_NULL_SHA256 | authNoPriv | | ... | ... | |------------------------------+-------------------------------| I don't think it would be a complex table. But we decided not to go there and simply declare than "NULL" must not be used to fulfill an "auth" or "priv" flag (which the document already says). -- Wes Hardaker Cobham Analytic Solutions
- [Isms] Status of IESG-review changes for draft-ie… Wes Hardaker
- Re: [Isms] Status of IESG-review changes for draf… David Harrington
- Re: [Isms] Status of IESG-review changes for draf… Wes Hardaker
- Re: [Isms] Status of IESG-review changes for draf… David Harrington
- Re: [Isms] Status of IESG-review changes for draf… Wes Hardaker
- Re: [Isms] Status of IESG-review changes for draf… Juergen Schoenwaelder