Re: [netconf] netconf-tls wasRe: Summary of updates

Kent Watsen <kent+ietf@watsen.net> Mon, 24 May 2021 23:43 UTC

In-Reply-To: <AM7PR07MB6248C43AF481F5A94D2041DAA0269@AM7PR07MB6248.eurprd07.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>, garywu@cisco.com
To: tom petch <ietfc@btconnect.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/7GqCwugMXx3Nd5i6uEw-8Rpqfys>

[CC-ing Gary again...]


Hi Tom,


> I still think that the I-D lacks clarity about supported versions.
> 
> <tp2.0>
> OK, some references.

Grepping for the string “tp2.0” returns no results.


> tlscmn
> 
> tls-ecc
> needs RFC8446

Why?  8446 refs and defers to 8422, right?


> 
> tls-dhe
> needs 8446

Okay, 8446 obsoletes 5246.


> tls-3des
> ok no support in 1.3

Ack.  Unmodified.



> tls-gcm 
> needs 8446

Okay, but it’s strange that 8446 doesn’t ref/obsolete 5288… I guess because it uses the NIST “GCM” ref instead… perhaps this draft should as well?



> identity ciphersuite
> I do not see the 1.3 values from 8446 B.4

Grepping for “ciphersuite” returns no matches…?


> hello-params
> needs 8446

Added.


> tls-client
> I note that the feature statements do not have references which some YANG doctors say they should have.

Added (for X.509, PSK, and RPK).


> container client-identity
> needs 8446 and a reference in the body to 8446 s.4.4.2

Added.


> case psk
> needs Normative References to the two
> draft-ietf-tls-external-psk-*

“external-psk-guidance” is Informational, and “external-psk-importer”, while Standards Track, only regards an interface for importing the PSKs into TLS.  It seems that the existing ref to RFC 4279 (which is NOT obsolete) is pretty good, right?


> tls-server
> 
> container server-identity
> as client-identity

Added.


> case psk
> as for tls-client

Same.


> Tom Petch

THANK YOU!

Updates can be found in https://github.com/netconf-wg/tls-client-server/commit/b94588b5a33c0852cfacbc415ca0a626bc1c5763.


K.