Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)

Paul Wouters <paul.wouters@aiven.io> Mon, 12 February 2024 21:59 UTC

From: Paul Wouters <paul.wouters@aiven.io>
Date: Mon, 12 Feb 2024 16:58:48 -0500
Message-ID: <CAGL5yWYWtbfzEJGqGst5rwz8g9A8eSs=zvbsYGjSjK7Ag-Na8g@mail.gmail.com>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-crypto-types@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>

That is different from our usage of crl-strict=yes

For us (libreswan) strict means:
- If CRL is expired, block everyone
- If OCSP not available, block attempt

non-strict means:
- if CRL expired, but cert is in CRL, still reject. But if it is not in
CRL, allow it
- if OCSP not cached and fails, still allow client

But if the cert itself is invalid, we never allow it.

I'm not sure if we would need to add this. I'm fine either way. Perhaps
chat with the WG, or don't add it now?

Paul

On Mon, Feb 12, 2024 at 2:45 PM Kent Watsen <kent+ietf@watsen.net> wrote:

> Hi Paul,
>
> On Feb 11, 2024, at 9:37 PM, Paul Wouters <paul.wouters@aiven.io> wrote:
>
> I have no good advice to give on strictness of CRLs and OCSP. Obviously a
> per connection setting would be better than a global setting but that might
> not be easy. Eg libreswan has it as global option partially because it
> keeps a global store of received certificates.
>
>
> Granular is better.
>
> I’m thinking to add the following to the `trust-anchor-cert-grouping` and
> `end-entity-cert-grouping` groupings:
>
>     leaf disable-strict-enforcement {
>         nacm:default-deny-all;
>         type boolean;
>         default false;
>         description
>           "Disables strict enforcement of this certificate.
>            Ignore issues regarding, e.g., the certificate's
>            validity period or CRL/OCSP validity.
>
>            This flag should only be set in an emergency
>            to enable a service to work.  Setting this flag
>            is NOT RECOMMENDED.";
>     }
>
>
> Is this what you want?
>
> Paul
>
> Kent
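The two revocation policies discussed in this thread, libreswan's global crl-strict behaviour as Paul describes it and Kent's proposed per-certificate disable-strict-enforcement leaf, modelled side by side as one decision function. This is an added example, not libreswan or NETCONF code; Cert, Crl, Ocsp, decide and the sample inputs are constructed, and it assumes the proposed flag still does not bypass signature/chain verification.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Cert:
    serial: str
    not_after: datetime           # end of validity period
    signature_ok: bool = True     # chain/signature verification result

@dataclass
class Crl:
    next_update: datetime         # CRL counts as expired once now > next_update
    revoked: frozenset = field(default_factory=frozenset)

@dataclass
class Ocsp:
    available: bool               # responder reachable (or response cached)
    revoked: bool = False         # only meaningful when available

def decide(cert, crl, ocsp, now, crl_strict, disable_strict_enforcement=False):
    """Return (allow, reason). crl_strict follows Paul's description of
    libreswan; disable_strict_enforcement follows Kent's proposed leaf text.
    Assumption: the proposed flag still does not bypass signature checks."""
    if not cert.signature_ok:
        return False, "signature/chain invalid"
    if disable_strict_enforcement:                   # Kent's leaf: ignore
        return True, "strict enforcement disabled"   # validity period, CRL, OCSP
    if now > cert.not_after:
        return False, "certificate expired"          # libreswan: never allowed
    if crl is not None:
        if cert.serial in crl.revoked:
            return False, "listed in CRL"            # even when the CRL is stale
        if now > crl.next_update and crl_strict:
            return False, "CRL expired (strict)"     # non-strict: fall through
    if ocsp is not None:
        if not ocsp.available:
            if crl_strict:
                return False, "OCSP unavailable (strict)"  # non-strict: allow
        elif ocsp.revoked:
            return False, "OCSP reports revoked"
    return True, "ok"

# Constructed sample inputs covering the cases described in the thread.
NOW = datetime(2024, 2, 12, tzinfo=timezone.utc)
CERT = Cert("01", NOW + timedelta(days=30))
EXPIRED_CERT = Cert("02", NOW - timedelta(days=1))
REVOKED_CERT = Cert("03", NOW + timedelta(days=30))
FRESH_CRL = Crl(NOW + timedelta(days=7), frozenset({"03"}))
STALE_CRL = Crl(NOW - timedelta(days=7), frozenset({"03"}))
OCSP_DOWN = Ocsp(available=False)
```

The difference Paul points out is visible in the last branch: a libreswan non-strict check still rejects an expired certificate, while the proposed per-certificate flag lets it through.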