Re: [netconf] WGLC on draft-ietf-netconf-tls-client-server

Kent Watsen <> Wed, 21 April 2021 01:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8ED573A0F46 for <>; Tue, 20 Apr 2021 18:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0yKb-4pHPjnY for <>; Tue, 20 Apr 2021 18:11:33 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DEF753A0768 for <>; Tue, 20 Apr 2021 18:11:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug;; t=1618967491; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=n5Yade3QVueOHzWmTfL1PIr8oRFtlm2iRzWfnd8N5cM=; b=WS77cLuIs7SNnbzGuiknD5HQqGIelOVIhQwrhfBDGGwggF4Jt6m1MWqzAABO9M2G fXqzygJ0wHLL/9pB+WvxSp6NF21jS8v+r1mIlbYzNG5gPXta8mdKceGW9lTMieHU/FS QlItl4WcQPGLEkz9GquHOMT2xJ4UIWnauKovsxpU=
From: Kent Watsen <>
Message-ID: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_99D79F34-7304-4152-ACD7-86A519D2632A"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Wed, 21 Apr 2021 01:11:31 +0000
In-Reply-To: <>
Cc: "" <>
To: Dhruv Dhody <>
References: <> <> <> <>
X-Mailer: Apple Mail (2.3654.
X-SES-Outgoing: 2021.04.21-
Archived-At: <>
Subject: Re: [netconf] WGLC on draft-ietf-netconf-tls-client-server
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Apr 2021 01:11:38 -0000

Hi Dhruv,

>> - I am wondering if anything needs to be done for the older versions of TLS which are made historic. The use of features helps, is there any other guidance that needs to be given?
> We could set the “status” to “deprecated”.  That said, it's one thing to say that a protocol is deprecated and another to say that the configuration for a still somewhat widely-used deprecated-protocol is deprecated…thoughts?
> I agree that we need to allow the configuration of older TLS versions in the YANG module. 
> I found this comment from Ben to be useful - <>  . I ended up putting MD5 and SHA-1 support under a feature 'deprecated’.

Wait, you put the support under a feature called “deprecated” or under a deprecated feature (called something else?

> In this case, I think just adding some text in the description around the existing features for older TLS could also do the job.  

That’s easy enough.  For each feature except 1.3, I added to the “description” statement:

    "Please note that TLS 1.? is obsoleted and thus it is NOT
     RECOMMENDED to enable ths feature.”

Is it what you had in mind?