Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)
Kent Watsen <kent+ietf@watsen.net> Tue, 13 February 2024 18:54 UTC
Return-Path: <0100018da3d1c4bb-16794945-524e-46d4-8bd9-963eb8fe4fdc-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87E4AC15155F; Tue, 13 Feb 2024 10:54:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8v2J2Mcyt4We; Tue, 13 Feb 2024 10:54:12 -0800 (PST)
Received: from a8-88.smtp-out.amazonses.com (a8-88.smtp-out.amazonses.com [54.240.8.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 729C4C151552; Tue, 13 Feb 2024 10:54:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1707850450; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=NALBmN/Vb/dOZWLpjL/dg+NbJLt03llGYgxu7D9uMj4=; b=BptXoyzuqyQeDTxYZK7CiemFNFwuOMvXGnr5klsM3fJRP+xJ//NWYZYDIzc78Mwg o2yTTTv+3Dw5OgaQsEue81rPJPRN/fpFaa5id3UyBLEJ4+BiZmEU3m0b1/mpGrcyg3A u4zzBXTjYSOQJz/SbhHU+KNrEn7gLa9H2ZgT6H8A=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018da3d1c4bb-16794945-524e-46d4-8bd9-963eb8fe4fdc-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2C4847A6-F51C-4A6B-A5E9-AE38C0AE5BE0"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Tue, 13 Feb 2024 18:54:10 +0000
In-Reply-To: <CAGL5yWYWtbfzEJGqGst5rwz8g9A8eSs=zvbsYGjSjK7Ag-Na8g@mail.gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-crypto-types@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
To: Paul Wouters <paul.wouters@aiven.io>
References: <0100018d8e79728d-53c71957-dd1f-4113-ab63-e1b028486824-000000@email.amazonses.com> <7F7D8261-D97E-4FBE-BE0C-6BC0953FC1FD@aiven.io> <0100018d9eda2bba-34bbb7e9-9d31-4651-a098-a3b62abe5d76-000000@email.amazonses.com> <CAGL5yWYWtbfzEJGqGst5rwz8g9A8eSs=zvbsYGjSjK7Ag-Na8g@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.02.13-54.240.8.88
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/a1CWDVl_2X4WFtU5iFHopIu0D94>
Subject: Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2024 18:54:12 -0000
NETCONF WG, Paul below suggests me ask something of the WG. The question regards if the crypto-types draft should include, as a sibling to the “cert-data” node, a configurable switch for strict enforcement of CRL/OSPF checking. Pros: - solves potential outage issues. - important Cons: - not widely documented or implemented - is libreswan unique in having such a flag? - may be difficult to support with some crypto stacks - we could use a “feature” to resolve this objection - the libreswan approach may not be used everywhere - documentation would be loose to have broad coverage? Thoughts? (See below for more) Kent > On Feb 12, 2024, at 4:58 PM, Paul Wouters <paul.wouters@aiven.io> wrote: > > That is different from our usage of crl-strict=yes > > For us (libreswan) strict means: > - If CRL is expired, block everyone > - If OCSP not available, block attempt > > non-strict means: > - if CRL expired, but cert is in CRL, still reject. But if it is not in CRL, allow it > - if OCSP not cached and fails, still allow client > > But if the cert itself is invalid, we never allow it. > > I'm not sure if we would need to add this. I'm fine either way. Perhaps chat with the WG, or don't add it now? > > Paul > > On Mon, Feb 12, 2024 at 2:45 PM Kent Watsen <kent+ietf@watsen.net <mailto:kent%2Bietf@watsen.net>> wrote: >> Hi Paul, >> >>> On Feb 11, 2024, at 9:37 PM, Paul Wouters <paul.wouters@aiven.io <mailto:paul.wouters@aiven.io>> wrote: >>> >>> I have no good advice to give on strictness of CRLs and OCSP. Obviously a per connection setting would be better than a global setting but that might not be easy. Eg libreswan has it as global option partially because it keeps a global store of received certificates. >>> >> >> Granular is better. >> >> I’m thinking to add the following to the `trust-anchor-cert-grouping` and `end-entity-cert-grouping` groupings: >> >> leaf disable-stict-enforcement { >> nacm:default-deny-all; >> type boolean; >> default false; >> description >> "Disables strict enforcement of this certificate. >> Ignore issues regarding, e.g., the certificate's >> validity period or CRL/OCSP validity. >> >> This flag should only be set in an emergency >> to enable a service to work. Setting this flag >> Is NOT RECOMMENDED.”; >> >> >> Is this what you want? >> >> >> >> >>> Paul >> >> >> Kent >> >>
- [netconf] Paul Wouters' Discuss on draft-ietf-net… Paul Wouters via Datatracker
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Kent Watsen
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Paul Wouters
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Kent Watsen
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Paul Wouters
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Kent Watsen
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Paul Wouters
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Kent Watsen