[Netconf] RC#32: what to do about ClientCertificate?

Kent Watsen <kwatsen@juniper.net> Wed, 11 November 2015 17:30 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/netconf/His-1H3NO8knl6_KowRZtHHl03E>

This is for the untracked issue I mentioned at the mic:

https://github.com/netconf-wg/restconf/issues/32

Here is the text of the issue:

=====START=====
Section 2.5 lists ClientCertificate as one of a set of 3 auth schemes that MUST be implemented.  But draft-thomson-httpbis-cant-01 expired about 10 months ago, with no recent discussion about resurrecting it.

RC32-01:

Work with the httpbis WG to resurrect the expired draft.   This may cause the RFC Editor to hold the draft longer than otherwise needed.

RC32-02:

Remove ClientCertificate from the list.   Effectively stating that the server MUST implement at least Basic or Digest, excluding the possibility that it could avoid password-based authentication.

RC32-03:

Assert that only client-certificate based auth is supported (like NETCONF over TLS).   This would effectively remove the need for WWW-Authenticate altogether.

=====STOP=====

Please send your comments to the list.

Thanks,
Kent
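As an added example (not part of Kent's mail or of the RESTCONF draft), the Go program below models option RC32-03: a server that authenticates RESTCONF clients only by TLS client certificate, so no password scheme is implemented and no WWW-Authenticate challenge is ever sent; a missing or untrusted certificate is rejected inside the TLS handshake, before any HTTP exchange. The self-signed certificates, the `X-Example-User` header, the `/restconf/data` path and the mapping of the certificate CommonName to a username are constructed assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert builds a constructed, self-signed client cert; its CommonName stands in for the username (assumption).
func newCert(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// handler takes the identity only from the TLS-verified client cert (RC32-03): no 401, no WWW-Authenticate.
func handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Example-User", r.TLS.VerifiedChains[0][0].Subject.CommonName)
}

// probe runs a server that requires a client cert chaining to `trusted`, then sends one request
// presenting `cert` (nil = none). Unacceptable certs fail in the TLS handshake, before any HTTP.
func probe(trusted tls.Certificate, cert *tls.Certificate) (int, string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trusted.Leaf)
	s := httptest.NewUnstartedServer(http.HandlerFunc(handler))
	s.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	s.StartTLS()
	defer s.Close()
	cfg := s.Client().Transport.(*http.Transport).TLSClientConfig.Clone()
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(s.URL + "/restconf/data")
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("X-Example-User"), nil
}
```

Contrast this with RC32-02, where a server offering only Basic or Digest must answer an unauthenticated request with 401 and a WWW-Authenticate header and must hold a password store.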