Re: [netconf] netconf-tls wasRe: Summary of updates

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 26 May 2021 11:53 UTC

Date: Wed, 26 May 2021 13:53:10 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: tom petch <ietfc@btconnect.com>
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210526115310.gysua6ghz5xqnmfz@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: tom petch <ietfc@btconnect.com>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/XAj0D7F6-2GuJrx0-9GWgjDGFxM>

This sounds like 'let's wait and see what comes out of the RFC 6125
revision' is the best approach for now.

/js

On Wed, May 26, 2021 at 09:23:17AM +0000, tom petch wrote:
> From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> Sent: 25 May 2021 17:29
> 
> On Tue, May 25, 2021 at 03:58:10PM +0000, tom petch wrote:
> >
> > I guess someone (Tom?) should review RFC 5539 from the TLS 1.3
> > perspective to tell the WG if any changes are needed so that the WG
> > can take an informed decision whether an update of RFC 5539 is
> > necessary or whether what we have is good enough.
> >
> > <tp>
> > Well, I tend to forget that RFC5539 is obsolete, obsoleted by RFC7589 which is X.509 certificate only; no PSK, no naked public keys.  My concerns with TLS1.3 mostly relate to PSK which allows data to flow before the handshake is complete, before authentication is complete, which is a problem for some applications as I mentioned before; but staying with X.509 authentication only for Netconf makes life simpler for a 7589bis, replace 1.2 by 1.3 and think about the extensions to see what may be needed.
> >
> 
> So regarding a possible update of RFC 7589, what is needed?
> 
> + Require TLS 1.3 (update section 8)
> 
> Which extensions should one think about? Do you mean RFC 8773 or
> something else?
> 
> <tp>
> It is more a question of going through 8446 s.4.2 s.9.2 to see what we want by way of an Application Profile.  Thus I would like to prohibit PSK but that prohibits session resumption which is fine by me but I have limited exposure to what the world is doing so maybe it is not that simple.
> 
> There is another problem which I see as larger and that is that the TAPS WG is revising RFC6125 and this leans heavily on that RFC and that might take a year or two to get revised.  I don't have a sense of where a 6125bis is going.
> 
> Tom Petch
> 
> /js
> 
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
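One way to express the application profile Tom sketches above (TLS 1.3 only, X.509 certificates on both sides, no PSK and therefore no session resumption, RFC 6125-style server identity checking on the client) is shown here as an added example using Python's ssl module; it is not code from the thread or from any NETCONF implementation. It assumes Python 3.8+ on OpenSSL 1.1.1+, and the certificate paths are placeholders.

```python
import ssl

# Added example (not from the thread): a "TLS 1.3, X.509 only, no PSK"
# profile for a NETCONF-over-TLS (RFC 7589) endpoint. Certificate and
# CA file names are placeholders supplied by the caller.


def netconf_server_context(certfile=None, keyfile=None, cafile=None):
    """Server side: TLS 1.3 only, mutual X.509 auth, no session tickets.

    With num_tickets = 0 the server never sends NewSessionTicket, so the
    client holds no PSK and cannot resume or send 0-RTT data: this is the
    'prohibit PSK, lose resumption' trade-off discussed in the thread.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED      # client must present a cert
    ctx.options |= ssl.OP_NO_TICKET          # no stateless resumption
    ctx.num_tickets = 0                      # TLS 1.3: issue no tickets at all
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def netconf_client_context(cafile=None):
    """Client side: TLS 1.3 only, verify the server cert against a CA and
    match its identity against the requested host (RFC 6125 rules)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True                # reference-identity matching
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_TICKET          # never ask for a ticket
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def profile_summary(ctx):
    """Read the effective settings back so the profile can be checked."""
    info = {
        "min_version": ctx.minimum_version.name,
        "no_ticket": bool(ctx.options & ssl.OP_NO_TICKET),
        "client_auth": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }
    if ctx.protocol == ssl.PROTOCOL_TLS_SERVER:
        info["num_tickets"] = ctx.num_tickets
    return info
```

Without a PSK callback configured, the only PSK this stack would ever use is a resumption ticket, so refusing to issue or request tickets is what enforces the "no PSK" part of the profile.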