Re: [netconf] netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Wed, 30 June 2021 16:09 UTC

From: tom petch <ietfc@btconnect.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "netconf@ietf.org" <netconf@ietf.org>
Date: Wed, 30 Jun 2021 16:09:49 +0000
Message-ID: <AM7PR07MB6248CA8CD0401CFFBB9B0C90A0019@AM7PR07MB6248.eurprd07.prod.outlook.com>
In-Reply-To: <AM7PR07MB6248AF48A5CE4BF5A0C27B33A0249@AM7PR07MB6248.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Dkw6FYL9vR_J6Xs-CJHJ0ZslR-0>
Subject: Re: [netconf] netconf-tls wasRe: Summary of updates

From: netconf <netconf-bounces@ietf.org> on behalf of tom petch <ietfc@btconnect.com>
Sent: 26 May 2021 17:12
From: netconf <netconf-bounces@ietf.org> on behalf of tom petch <ietfc@btconnect.com>
Sent: 26 May 2021 16:45
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Sent: 26 May 2021 12:53

This sounds like 'let's wait and see what comes out of the RFC 6125
revision' is the best approach for now.

<tp>
Oh dear; I got the wrong WG. The 6125 update I-D exists and is in the UTA WG (which I am not subscribed to but saw a cross post thereof). It is quite short and is very much an update, requiring the use of SAN, prohibiting CN-ID. It was published on April 1st, 2021:-)

<tp>

Following on to this, draft-ietf-uta-rfc6125bis-00 has now been submitted. So far, the proposal is for the use of CN to be removed and the rules for the use of asterisk to be changed, although I do not yet see the former in the I-D -00!
Still time to wait and see!

As the I-D says, there is an issue tracker in the personal github of one of the authors.

Tom Petch

<tp>
WFM

I do have an element of FUD about this (as I have about TLS1.3) which hopefully will diminish with time.

Tom Petch

/js

On Wed, May 26, 2021 at 09:23:17AM +0000, tom petch wrote:
> From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> Sent: 25 May 2021 17:29
>
> On Tue, May 25, 2021 at 03:58:10PM +0000, tom petch wrote:
> >
> > I guess someone (Tom?) should review RFC 5539 from the TLS 1.3
> > perspective to tell the WG if any changes are needed so that the WG
> > can take an informed decision whether an update of RFC 5539 is
> > necessary or whether what we have is good enough.
> >
> > <tp>
> > Well, I tend to forget that RFC5539 is obsolete, obsoleted by RFC7589 which is X.509 certificate only; no PSK, no naked public keys.  My concerns with TLS1.3 mostly relate to PSK which allows data to flow before the handshake is complete, before authentication is complete, which is a problem for some applications as I mentioned before; but staying with X.509 authentication only for Netconf makes life simpler for a 7589bis, replace 1.2 by 1.3 and think about the extensions to see what may be needed.
> >
>
> So regarding a possible update of RFC 7589, what is needed?
>
> + Require TLS 1.3 (update section 8)
>
> Which extensions should one think about? Do you mean RFC 8773 or
> something else?
>
> <tp>
> It is more a question of going through 8446 s.4.2 s.9.2 to see what we want by way of an Application Profile. Thus I would like to prohibit PSK but that prohibits session resumption which is fine by me but I have limited exposure to what the world is doing so maybe it is not that simple.
>
> There is another problem which I see as larger and that is that the TAPS WG is revising RFC6125 and this leans heavily on that RFC and that might take a year or two to get revised.  I don't have a sense of where a 6125bis is going.
>
> Tom Petch
>
> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>


_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf
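The identity-checking direction the thread describes (SAN required, CN-ID not used, tighter wildcard rules) as an added example, not code from the thread, from RFC 6125bis or from any NETCONF implementation. It assumes the wildcard may only be the entire left-most label and matches exactly one label, and refuses a wildcard with fewer than two labels after it; the certificate data is constructed.

```python
"""Server identity check in the direction described in the thread:
DNS-IDs from the subjectAltName only, CN-ID ignored, wildcard allowed only
as the whole left-most label and matching exactly one label.
Constructed example; the final RFC 6125bis text may differ."""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # Hostnames compare case-insensitively; a trailing root dot is ignored.
    return name.lower().rstrip(".").split(".")


def dns_id_matches(presented: str, reference: str) -> bool:
    """Return True if one presented DNS-ID matches the reference identity."""
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    # Wildcard rules: exactly one '*', it must be the entire left-most label
    # (so "r*.example.net" is refused), and at least two labels must follow
    # it so that "*.net" never matches (assumed rule, as in common TLS stacks).
    if presented.count("*") != 1 or p[0] != "*" or len(p) < 3:
        return False
    # The wildcard stands for exactly one label: never zero, never several.
    return len(p) == len(r) and p[1:] == r[1:]


def verify_identity(san_dns_names: List[str], subject_cn: Optional[str],
                    reference: str) -> bool:
    """SAN-only check. subject_cn is accepted only to make explicit that it
    is deliberately not consulted: a certificate with no SAN dNSName fails."""
    return any(dns_id_matches(name, reference) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed certificate content, not taken from any real device.
    san = ["netconf.example.net", "*.lab.example.net"]
    assert verify_identity(san, "ignored.example.net", "NETCONF.example.net.")
    assert verify_identity(san, None, "r1.lab.example.net")
    assert not verify_identity(san, None, "a.b.lab.example.net")  # two labels
    assert not verify_identity(san, None, "lab.example.net")      # zero labels
    assert not verify_identity([], "netconf.example.net", "netconf.example.net")
    assert not dns_id_matches("*.net", "example.net")
    assert not dns_id_matches("r*.lab.example.net", "r1.lab.example.net")
    print("all identity checks behaved as expected")
```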