Re: [netconf] Éric Vyncke's Abstain on draft-ietf-netconf-crypto-types-29: (with COMMENT)
Kent Watsen <kent+ietf@watsen.net> Mon, 29 January 2024 15:13 UTC
Return-Path: <0100018d55c8baeb-02f275ef-c496-43da-bd55-22a1dab88501-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDB8BC14E515; Mon, 29 Jan 2024 07:13:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvsvO3X6Gdst; Mon, 29 Jan 2024 07:13:58 -0800 (PST)
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [54.240.8.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88C7CC14F5F1; Mon, 29 Jan 2024 07:13:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1706541235; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=rE7SyGCpjMLYvkXjSVp6nzE9mLkHbl/bNDMtZwAnczA=; b=iKn/o3AEFX5YCobP8FyOOsB0d0uGKl0HNmj4fZg9JQSkTFa7rkkihYFQOl12jVsl Eg/hb1vb91RdNGei3hQHh0fkI3y+12tmwp+IcV38PF/jtbB9ikfgxGiz4AI2To1kxE0 n5OB755a7ifVm9nU08zSBXKXgrmmaoARSB3TWL/4=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018d55c8baeb-02f275ef-c496-43da-bd55-22a1dab88501-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_44FC8A95-0F11-4CE0-9CE1-0FC628F2DF8F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Mon, 29 Jan 2024 15:13:54 +0000
In-Reply-To: <170653713829.978.7694069584066312450@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-crypto-types@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, Mahesh Jethanandani <mjethanandani@gmail.com>
To: Éric Vyncke <evyncke@cisco.com>
References: <170653713829.978.7694069584066312450@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.01.29-54.240.8.33
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Tukr_Tz-97NbV8IpyrwO09yWE2U>
Subject: Re: [netconf] Éric Vyncke's Abstain on draft-ietf-netconf-crypto-types-29: (with COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jan 2024 15:13:59 -0000
Hi Éric, Thank you for your review. Please find below my responses to your comments. Kent > On Jan 29, 2024, at 9:05 AM, Éric Vyncke via Datatracker <noreply@ietf.org> wrote: > > Éric Vyncke has entered the following ballot position for > draft-ietf-netconf-crypto-types-29: Abstain > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netconf-crypto-types/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for the work done. > > The shepherd's writeup would benefit from a better justification of the > intended status. There is not much I can do about the shepherd writeup… ;) The document’s header says the Intended Status is "Standards Track”. - is this okay? > Is there a reason why there are several NETCONF WG crypto-related I-Ds rather > than a single one ? Do you mean the suite of documents - 9 documents in total? I guess because each document has its focus and can be referenced by other documents individually. For instance, other WGs have documents that reference the “keystore” document, while others reference the “tis-client-server” draft. If there were a single document, those references would be too course. Makes sense? > I was about to DISCUSS the following point but balloting ABSTAIN as I am unsure > about the use case: the model has cleartext and encrypted passwords (the latter > is a hint that the password can be decrypted back to cleartext) but what about > password hashes if the remote party should also be authenticated over a > protected channel by sending a clear text password ? The password documented here is for when configuring a server to connect to a remote system, in which case the cleartext password is needed. Elsewhere (in the "ssh-client-server" and "http-client-server" drafts), there are passwords used for local users (i.e., users logging into the server itself). The configuration for those passwords use the “crypt-hash” type from RFC 7317. Makes sense? > Another near-DISCUSS point: what about key rollover when 2 keys/passwords could > be used ? What do you mean? Can you say some more? > As in another document, it is nice to have a certificate expiration date but > what about a 'not valid before' date ? This is similar to the previous point of > key rollover. The “certificate-expiration” notification is an asynchronous message used to alert when a certificate is about to become invalid. AFAICT, there isn’t a need for an asynchronous notification that a certificate isn’t valid yet, or even when a cert is about the become valid, and hence not notification is defined for this case - make sense? > Please add a reference to `rainbow attacks`. A rainbow attack is used to crack hashed passwords. As mentioned above, RFC 7317 defines the “crypt-hash” type, which is used by other documents in this document-series (specifically the "ssh-client-server” and "http-client-server” drafts). The “password-grouping” defined in this document isn't for local users, where hashed-passwords would be used, but rather to configure clients to connect to remote systems, where a cleartext password is needed. I don’t understand why this document might reference rainbow attacks. Perhaps RFC 7317 could’ve referenced rainbow attacks, but it didn’t. Please let me know if there is anything I can do to improve the text! Thanks, Kent
- [netconf] Éric Vyncke's Abstain on draft-ietf-net… Éric Vyncke via Datatracker
- Re: [netconf] Éric Vyncke's Abstain on draft-ietf… Rob Wilton (rwilton)
- Re: [netconf] Éric Vyncke's Abstain on draft-ietf… Kent Watsen
- Re: [netconf] Éric Vyncke's Abstain on draft-ietf… Eric Vyncke (evyncke)
- Re: [netconf] Éric Vyncke's Abstain on draft-ietf… Kent Watsen