Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.txt
badra@isima.fr Wed, 01 October 2008 12:57 UTC
Return-Path: <netconf-bounces@ietf.org>
X-Original-To: netconf-archive@ietf.org
Delivered-To: ietfarch-netconf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 416B03A6BF1; Wed, 1 Oct 2008 05:57:26 -0700 (PDT)
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C5CF83A6BF1 for <netconf@core3.amsl.com>; Wed, 1 Oct 2008 05:57:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.426
X-Spam-Level:
X-Spam-Status: No, score=-1.426 tagged_above=-999 required=5 tests=[AWL=0.371, BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, SARE_SUB_ENC_UTF8=0.152]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XclUweD61+0g for <netconf@core3.amsl.com>; Wed, 1 Oct 2008 05:57:24 -0700 (PDT)
Received: from sp.isima.fr (sp.isima.fr [193.55.95.1]) by core3.amsl.com (Postfix) with ESMTP id 44DDD3A6BA8 for <netconf@ietf.org>; Wed, 1 Oct 2008 05:57:24 -0700 (PDT)
Received: from www.isima.fr (www-data@www.isima.fr [193.55.95.79]) by sp.isima.fr (8.13.8/8.13.8) with SMTP id m91DvhFP594070; Wed, 1 Oct 2008 14:57:43 +0100
Received: from 88.164.98.77 (SquirrelMail authenticated user badra) by www.isima.fr with HTTP; Wed, 1 Oct 2008 14:56:32 +0200 (CEST)
Message-ID: <55201.88.164.98.77.1222865792.squirrel@www.isima.fr>
In-Reply-To: <000c01c923aa$054cc6e0$0601a8c0@allison>
References: <50947.88.164.98.77.1222460713.squirrel@www.isima.fr><00bb01c92265$a9c7ba90$0600a8c0@china.huawei.com> <61043.88.164.98.77.1222722436.squirrel@www.isima.fr> <001301c9230c$7ed77940$0601a8c0@allison> <54288.88.164.98.77.1222791769.squirrel@www.isima.fr> <000c01c923aa$054cc6e0$0601a8c0@allison>
Date: Wed, 01 Oct 2008 14:56:32 +0200
From: badra@isima.fr
To: "tom.petch�" <cfinss@dial.pipex.com>
User-Agent: SquirrelMail/1.4.2
MIME-Version: 1.0
X-Priority: 3
Importance: Normal
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (sp.isima.fr [193.55.95.1]); Wed, 01 Oct 2008 14:57:43 +0100 (WEST)
Cc: � <netconf@ietf.org>
Subject: Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: netconf-bounces@ietf.org
Errors-To: netconf-bounces@ietf.org
>> "The benefits of pre-shared symmetric-key vs. public-/private-key pair >> based authentication for the key exchange in TLS have been explained in >> the Introduction of [RFC4279]". >> > > Weeeellllll I sort of see what you mean. Section 1.1 says > > "1.1. Applicability Statement > > The ciphersuites defined in this document are intended for a rather > limited set of applications, usually involving only a very small > number of clients and servers. Even in such environments, other > alternatives may be more appropriate. > > If the main goal is to avoid Public-Key Infrastructures (PKIs), > another possibility worth considering is using self-signed > certificates with public key fingerprints. Instead of manually > configuring a shared secret in, for instance, some configuration > file, a fingerprint (hash) of the other party's public key (or > certificate) could be placed there instead. > > It is also possible to use the SRP (Secure From netconf-bounces@ietf.org Wed Oct 1 05:57:26 2008 Return-Path: <netconf-bounces@ietf.org> X-Original-To: netconf-archive@lists.ietf.org Delivered-To: ietfarch-netconf-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 416B03A6BF1; Wed, 1 Oct 2008 05:57:26 -0700 (PDT) X-Original-To: netconf@core3.amsl.com Delivered-To: netconf@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C5CF83A6BF1 for <netconf@core3.amsl.com>; Wed, 1 Oct 2008 05:57:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.426 X-Spam-Level: X-Spam-Status: No, score=-1.426 tagged_above=-999 required=5 tests=[AWL=0.371, BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, SARE_SUB_ENC_UTF8=0.152] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XclUweD61+0g for <netconf@core3.amsl.com>; Wed, 1 Oct 2008 05:57:24 -0700 (PDT) Received: from sp.isima.fr (sp.isima.fr [193.55.95.1]) by core3.amsl.com (Postfix) with ESMTP id 44DDD3A6BA8 for <netconf@ietf.org>; Wed, 1 Oct 2008 05:57:24 -0700 (PDT) Received: from www.isima.fr (www-data@www.isima.fr [193.55.95.79]) by sp.isima.fr (8.13.8/8.13.8) with SMTP id m91DvhFP594070; Wed, 1 Oct 2008 14:57:43 +0100 Received: from 88.164.98.77 (SquirrelMail authenticated user badra) by www.isima.fr with HTTP; Wed, 1 Oct 2008 14:56:32 +0200 (CEST) Message-ID: <55201.88.164.98.77.1222865792.squirrel@www.isima.fr> In-Reply-To: <000c01c923aa$054cc6e0$0601a8c0@allison> References: <50947.88.164.98.77.1222460713.squirrel@www.isima.fr><00bb01c92265$a9c7ba90$0600a8c0@china.huawei.com> <61043.88.164.98.77.1222722436.squirrel@www.isima.fr> <001301c9230c$7ed77940$0601a8c0@allison> <54288.88.164.98.77.1222791769.squirrel@www.isima.fr> <000c01c923aa$054cc6e0$0601a8c0@allison> Date: Wed, 1 Oct 2008 14:56:32 +0200 (CEST) From: badra@isima.fr To: "=?utf-8?Q?tom.petch=C2?=" <cfinss@dial.pipex.com> User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 X-Priority: 3 Importance: Normal X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (sp.isima.fr [193.55.95.1]); Wed, 01 Oct 2008 14:57:43 +0100 (WEST) Cc: =?utf-8?Q?=C2?= <netconf@ietf.org> Subject: Re: [Netconf] =?utf-8?q?WGLC=C2=A0for=C2=A0draft-ietf-netconf-tls-04?= =?utf-8?q?=2Etxt?= X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Network Configuration WG mailing list <netconf.ietf.org> List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe> List-Archive: <https://www.ietf.org/mailman/private/netconf> List-Post: <mailto:netconf@ietf.org> List-Help: <mailto:netconf-request@ietf.org?subject=help> List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: netconf-bounces@ietf.org Errors-To: netconf-bounces@ietf.org >> "The benefits of pre-shared symmetric-key vs. public-/private-key pair >> based authentication for the key exchange in TLS have been explained in >> the Introduction of [RFC4279]". >> > > Weeeellllll I sort of see what you mean. Section 1.1 says > > "1.1. Applicability Statement > > The ciphersuites defined in this document are intended for a rather > limited set of applications, usually involving only a very small > number of clients and servers. Even in such environments, other > alternatives may be more appropriate. > > If the main goal is to avoid Public-Key Infrastructures (PKIs), > another possibility worth considering is using self-signed > certificates with public key fingerprints. Instead of manually > configuring a shared secret in, for instance, some configuration > file, a fingerprint (hash) of the other party's public key (or > certificate) could be placed there instead. > > It is also possible to use the SRP (SRemote Password) > ciphersuites for shared secret authentication [SRP]. SRP was > designed to be used with passwords, and it incorporates protection > against dictionary attacks. However, it is computationally more > expensive than the PSK ciphersuites in Section 2." > > which is all quite negative, not exactly benefits or applicability; and > syslog > went down the fingerprint route so what makes netconf different, why is it > one > of those 'limited set of applications'? > Maybe I don't understand well your point here; using PSK is optional with the document and the only mandatory mode to implement is certificate base authentication. The Jurgen proposal works for you? (inserting the following sentence at the end of paragraph 1 of Section 3: "For details concerning pre-shared key based authentication see [RFC4279]".) And what is the reason to add fingerprint to Netconf? Best regards, Badra _______________________________________________ Netconf mailing list Netconf@ietf.org https://www.ietf.org/mailman/listinfo/netconf ecure Remote Password) > ciphersuites for shared secret authentication [SRP]. SRP was > designed to be used with passwords, and it incorporates protection > against dictionary attacks. However, it is computationally more > expensive than the PSK ciphersuites in Section 2." > > which is all quite negative, not exactly benefits or applicability; and > syslog > went down the fingerprint route so what makes netconf different, why is it > one > of those 'limited set of applications'? > Maybe I don't understand well your point here; using PSK is optional with the document and the only mandatory mode to implement is certificate base authentication. The Jurgen proposal works for you? (inserting the following sentence at the end of paragraph 1 of Section 3: "For details concerning pre-shared key based authentication see [RFC4279]".) And what is the reason to add fingerprint to Netconf? Best regards, Badra _______________________________________________ Netconf mailing list Netconf@ietf.org https://www.ietf.org/mailman/listinfo/netconf
- [Netconf] WGLC for draft-ietf-netconf-tls-04.txt Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… fanhuaxiang 90002624
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ????WGLC??for??draft-ietf-netconf-t… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ?? WGLC for draft-ietf-netconf-t??l… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- [Netconf] Re: ?? WGLC for draft-ietf-net conf-t ?… badra
- [Netconf] Re: Re: ?? WGLC for draft-ietf-net conf… fanhuaxiang 90002624
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… fanhuaxiang 90002624
- [Netconf] Re: Re: WGLC for draft-ietf-netcon f-tl… badra
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Juergen Schoenwaelder
- Re: [Netconf]  Re: WGLC for draft-ietf-netcon… tom.petch
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… fanhuaxiang 90002624
- Re: [Netconf] ? Re:? WGLC? for? draft-ietf-netcon… fanhuaxiang 90002624
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Juergen Schoenwaelder
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Mohamad Badra
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Mohamad Badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… David B Harrington
- Re: [Netconf] WGLC for draft-ietf-netconf-t ls-… David Harrington
- [Netconf] RE: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ��WGLC�for�draft-ietf-netcon f-t ls… badra
- [Netconf] RE: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ????WGLC??for??draft-ietf-netconf-t… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-t ls-04… fanhuaxiang 90002624
- Re: [Netconf]   WGLC for draft-ietf-netconf-t… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC??for??draft-ietf-netconf-tls-0… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-tls-04… badra
- Re: [Netconf] ????WGLC for draft-ietf-netconf-tls… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-tls-04… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… David B Harrington
- [Netconf] system or registered port for Netconf o… badra
- Re: [Netconf] system or registered port for Netco… fanhuaxiang 90002624
- Re: [Netconf] system or registered port for Netco… Mohamad Badra
- Re: [Netconf] system or registered port for Netco… David Harrington