Re: [netconf] WGLC on draft-ietf-netconf-over-tls13
Sean Turner <sean@sn3rd.com> Thu, 09 February 2023 18:32 UTC
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <BN8PR14MB3459E9CADAD7924DC07E4D8A8DCF9@BN8PR14MB3459.namprd14.prod.outlook.com>
Date: Thu, 09 Feb 2023 13:32:41 -0500
Cc: "netconf@ietf.org" <netconf@ietf.org>
Message-Id: <F7BE8B44-3365-4CF8-8A49-5E627792C0E3@sn3rd.com>
References: <01000185988718f9-8bf57d79-4101-4bfb-a8a9-063e7d56e858-000000@email.amazonses.com> <01000185e0991946-dc4728af-420e-48bb-b2ea-c812c11ab923-000000@email.amazonses.com> <BN8PR14MB3459E9CADAD7924DC07E4D8A8DCF9@BN8PR14MB3459.namprd14.prod.outlook.com>
To: "Hartley, Jeff" <Jeff.Hartley@commscope.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/5lw8kdYV1ZTpulrMscNerZCV2bo>
Subject: Re: [netconf] WGLC on draft-ietf-netconf-over-tls13
Jeff,

Thanks for your review. Responses below. I’ll let these and the other PRs settle for a week before merging.

spt

> On Jan 26, 2023, at 16:55, Hartley, Jeff <Jeff.Hartley@commscope.com> wrote:
>
> Comments re: https://datatracker.ietf.org/doc/draft-ietf-netconf-over-tls13/
> I concur with others that the overall content of the document is clear from an implementer-reader's standpoint, and it provides useful references.
>
>
> 1. Discussion re: RFC7589 and the Abstract:
> The way the Abstract reads is technically accurate already -- RFC7589 is TLS 1.2-specific, and everything here is TLS 1.3-specific. Perhaps it's worthwhile reminding readers that some of the functions are not forward/backward-compatible between the two, but that's thoroughly covered in the primary TLS 1.3 docs.
>
> The format of this document appears to be structured as an addendum for RFC7589, but specific to TLS 1.3. Thus my concern is, "is this sufficiently stand-alone once TLS 1.2 is deprecated (and thus RFC7589 along with it)?"
> A) If it's intended to be stand-alone, there's some copy-paste to do from the original.
> B) If not, then describe this as an addendum.

Based on Jürgen’s comment we’re making this an updates I-D, so an addendum. See the following PR:
https://github.com/netconf-wg/netconf-over-tls13/pull/11

Note the cipher suite issue I noted in response to Jürgen’s email.

> 2. On this same topic, there is another reference to RFC7589 in "5. Security Considerations" that should follow the decision above:
> A) If this is a standalone document, it's worth spelling out the full RFC7589 Client Identity requirements here, rewritten to be TLS 1.3-specific.
> B) If this is an addendum to RFC7589, then it's fine as-is, and just fix the Abstract.

Tweaks to the Security Considerations here:
https://github.com/netconf-wg/netconf-over-tls13/pull/10

> 3. Concurring with others...
> This section can be safely deleted, as the logic of the adjacent three paragraphs appears to cover the intent sufficiently:
> "So, this is what {{Section 9.1 of I-D.ietf-tls-rfc8446bis}} says:
> ...
> My guess is not. These ought to be available in all TLS libraries."

Deleted via the following PR:
https://github.com/netconf-wg/netconf-over-tls13/pull/7

> 4. "Please review ..." verbiage:
> What's the RFC syntax for an import{}?
>
> The verbiage intent appears to function as an import or include, thus something like this may suffice:
> "
> The following texts are considered mandatory requirements for this document:
> - Security Considerations in TLS 1.3 [I-D.ietf-tls-rfc8446bis]
> - recommendations regarding Diffie-Hellman exponent reuse in Section 7.4 of [I-D.ietf-uta-rfc7525bis]
> - Security Considerations in NETCONF [RFC6241]
> - certificate revocation checking in Section 7.5 of [I-D.ietf-uta-rfc7525bis]
> - generic host name validation in the TLS context in [RFC6125]

Tweaked this section in a slightly different way; see the following PR:
https://github.com/netconf-wg/netconf-over-tls13/pull/10

> Thanks;
> -Jeff Hartley
>
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf