Re: [Netconf] username from X.503 was Re: Summary of and AIs from the NETCONF Session in IETF #91

t.petch <ietfc@btconnect.com> Wed, 10 December 2014 15:24 UTC

From: "t.petch" <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
References: <E4DE949E6CE3E34993A2FF8AE79131F819562134@DEMUMBX005.nsn-intra.net> <04e401cfff2d$74e7e740$4001a8c0@gateway.2wire.net> <20141208133201.GB41570@elstar.local> <D0ABB36A.8BED1%kwatsen@juniper.net>
Date: Wed, 10 Dec 2014 15:23:09 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/IzYwIy6S0AySRdy8H5zK4sPKKyY
Cc: netconf <netconf@ietf.org>
Subject: Re: [Netconf] username from X.503 was Re: Summary of and AIs from the NETCONF Session in IETF #91

----- Original Message -----
From: "Kent Watsen" <kwatsen@juniper.net>
To: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>; "t. petch" <ietfc@btconnect.com>
Cc: "netconf" <netconf@ietf.org>
Sent: Tuesday, December 09, 2014 2:12 AM
>>
>> > Describe algorithm for extracting a user name out of the X509
>> attributes
>> >    - loud humm in favor
>> >
>>
>> A clarification - does this mean that this algorithm goes in
>> netconf-server?
>
>The idea (as far as I understood it) is that NC over TLS provides a
>high-level description of the algorithm. The NC server configuration
>document will define the YANG objects to configure this.

I didn't articulate clearly enough at the mic about the "what" and
"how", but Juergen agreed, so I'm sure, not that he's a mindreader ;)

Anyway, in reflecting on this, I realized what I should've said
is that it should be whatever is needed so that 5539bis has an
Informative (not Normative) reference to server-model. Again,
this is necessary because alternate configuration models can
exist, thus it doesn't make sense to me for 5539bis to say that
it can *only* be configured by just the server-model.

My hope is that 5539bis will assert that client-certs are required
and specify that servers must be configurable to know how to extract
a username using the various options (specified, subAltName, DNS,
etc.).   Another option is for 5539bis to have a Normative reference
onto draft-ietf-netmod-snmp-cfg, section 4.1, though that may be too
convoluted for some.

<tp>
Yes, and no.  SNMP over TLS requires the client to present a certificate
which must be present in the server's table, and that is it.  No DNS,
AltName etc.  I would want a good reason to move on from that (perhaps
customers have done so).  But that is in RFC6353 and not in snmp-cfg,
which is different in some details.

Also, I don't know where we got to with SSH and certificates, whether or
not that is likely to appear - part of my logic is that putting it in
server-model covers all protocols for the server (but not for the
client) while putting it in 5539bis can cover both client and server
(but only for TLS).

Tom Petch

Kent
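As an added illustration of the server-side mapping Kent and Tom are discussing (this is not code from either of them, nor from 5539bis, RFC 6353 or snmp-cfg), here is a fingerprint-table lookup in the style of the RFC 6353 / snmp-cfg cert-to-name list. The map-type names, the SHA-256 fingerprint, the chain-CA match and the first-match-decides rule are my assumptions about that design, and every certificate value below is constructed sample data.

```python
import hashlib
from typing import Optional

# Constructed stand-in for what a server reads from a parsed client cert:
# DER bytes of the leaf, DER bytes of its issuer chain, subjectAltName
# entries and the subject CN. Constructed sample data, not a real cert.
CLIENT_CERT = {
    "der": b"constructed leaf certificate",
    "chain": [b"constructed intermediate CA", b"constructed root CA"],
    "san_rfc822": ["alice@example.net"],
    "san_dns": ["alice-host.example.net"],
    "common_name": "Alice Example",
}

def fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the certificate's DER encoding (assumed hash)."""
    return hashlib.sha256(der).hexdigest()

# Server-side cert-to-name table in the style of the RFC 6353 / snmp-cfg
# list: rows are walked in id order and the first fingerprint match decides.
# Row 1 never matches; row 2 matches the leaf; row 3 matches via the root CA.
CERT_TO_NAME = [
    {"id": 1, "fingerprint": fingerprint(b"some other cert"),
     "map_type": "specified", "name": "operator"},
    {"id": 2, "fingerprint": fingerprint(CLIENT_CERT["der"]),
     "map_type": "san-rfc822-name", "name": ""},
    {"id": 3, "fingerprint": fingerprint(CLIENT_CERT["chain"][1]),
     "map_type": "specified", "name": "anyone-under-root"},
]

def derive_name(cert: dict, map_type: str, configured: str) -> Optional[str]:
    """Apply one row's map-type; None means the cert lacks the needed field."""
    if map_type == "specified":
        return configured or None
    if map_type == "san-rfc822-name":
        return cert["san_rfc822"][0] if cert["san_rfc822"] else None
    if map_type == "san-dns-name":
        return cert["san_dns"][0] if cert["san_dns"] else None
    if map_type == "common-name":
        return cert["common_name"] or None
    return None  # unknown map-type: treat as a failed mapping

def username_from_cert(cert: dict, table: list) -> Optional[str]:
    """Return the NETCONF username, or None when the session must be closed."""
    # A row matches on the leaf fingerprint or on a CA in the presented chain.
    presented = {fingerprint(cert["der"])} | {fingerprint(c) for c in cert["chain"]}
    for row in sorted(table, key=lambda r: r["id"]):
        if row["fingerprint"] in presented:
            # First match decides: if its map-type cannot yield a name,
            # later rows are not consulted and the connection is rejected.
            return derive_name(cert, row["map_type"], row["name"])
    return None  # certificate not in the table at all
```

A leaf whose matching row asks for a subjectAltName the certificate does not carry is rejected rather than falling through to a later, looser row; that is the behaviour the "first match decides" comment encodes.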