Re: [netconf] netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Wed, 26 May 2021 15:46 UTC

From: tom petch <ietfc@btconnect.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Date: Wed, 26 May 2021 15:45:57 +0000
Message-ID: <AM7PR07MB624899F2ABA5B7251C9E026EA0249@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a0aa5d37-4810234e-8db2-434d-b8fa-780c1648955a-000000@email.amazonses.com> <AM7PR07MB624888AD4CB3C09809B22702A0259@AM7PR07MB6248.eurprd07.prod.outlook.com> <20210525100652.fd3kbsilxscwk7yj@anna.jacobs.jacobs-university.de> <01000179a3d6eefe-455c9e3e-b42d-4704-8030-a34ae3f52b82-000000@email.amazonses.com> <20210525144040.qn24ruxiof3ydxa2@anna.jacobs.jacobs-university.de> <AM7PR07MB62482BE9BA64376D6EC88F14A0259@AM7PR07MB6248.eurprd07.prod.outlook.com> <20210525162921.ec2l7yc276yonzfb@anna.jacobs.jacobs-university.de> <AM7PR07MB62480023243A6DAFD2829191A0249@AM7PR07MB6248.eurprd07.prod.outlook.com>, <20210526115310.gysua6ghz5xqnmfz@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210526115310.gysua6ghz5xqnmfz@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/aFurA6fHoFWmba47-cdnaRCH0MI>

From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Sent: 26 May 2021 12:53

This sounds like 'lets wait and see what comes out of the RFC 6125
revision' is the best approach for now.

<tp>
WFM

I do have an element of FUD about this (as I have about TLS1.3) which hopefully will diminish with time.

Tom Petch

/js

On Wed, May 26, 2021 at 09:23:17AM +0000, tom petch wrote:
> From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> Sent: 25 May 2021 17:29
>
> On Tue, May 25, 2021 at 03:58:10PM +0000, tom petch wrote:
> >
> > I guess someone (Tom?) should review RFC 5539 from the TLS 1.3
> > perspective to tell the WG if any changes are needed so that the WG
> > can take an informed decision whether an update of RFC 5539 is
> > necessary or whether what we have is good enough.
> >
> > <tp>
> > Well, I tend to forget that RFC5539 is obsolete, obsoleted by RFC7589 which is X.509 certificate only; no PSK, no naked public keys.  My concerns with TLS1.3 mostly relate to PSK which allows data to flow before the handshake is complete, before authentication is complete, which is a problem for some applications as I mentioned before; but staying with X.509 authentication only for Netconf makes life simpler for a 7589bis, replace 1.2 by 1.3 and think about the extensions to see what may be needed.
> >
>
> So regarding a possible update of RFC 7589, what is needed?
>
> + Require TLS 1.3 (update section 8)
>
> Which extensions should one think about? Do you mean RFC 8773 or
> something else?
>
> <tp>
> It is more a question of going through 8446 s.4.2 s.9.2 to see what we want by way of an Application Profile.  Thus I would like to prohibit PSK but that prohibits session resumption which is fine by me but I have limited exposure to what the world is doing so maybe it is not that simple.
>
> There is another problem which I see as larger and that is that the TAPS WG is revising RFC6125 and this leans heavily on that RFC and that might take a year or two to get revised.  I don't have a sense of where a 6125bis is going.
>
> Tom Petch
>
> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
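Added worked example (not code from this thread, nor from any NETCONF implementation): the server-side profile Tom sketches above for a 7589bis, built with Python's standard-library ssl module on top of OpenSSL 1.1.1 or later: TLS 1.3 only, X.509 mutual authentication, and no PSK, which in TLS 1.3 means no session tickets and therefore no resumption and no 0-RTT early data. It also carries an RFC 6125 dNSName reference-identity matcher of the kind a NETCONF client needs when it checks the server certificate against the name it was configured to reach; it accepts only whole-label wildcards, the conservative reading while the 6125 revision is in flight. Function names (netconf_server_context, profile_summary, match_reference_identity) and the sample host names are assumptions made for the example.

```python
"""Added example: TLS 1.3 application profile for NETCONF over TLS.  Not code
from the thread or from any NETCONF implementation; standard library only.
Function names and the sample identities below are assumptions."""
import ipaddress
import ssl
from typing import Iterable, Optional


def netconf_server_context(cafile: Optional[str] = None,
                           certfile: Optional[str] = None,
                           keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context for the profile discussed above: TLS 1.3 only,
    X.509 mutual authentication, and no PSK (hence no resumption)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # RFC 7589 peers authenticate with X.509 certificates: require one from the client.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    # TLS 1.3 resumption is PSK-based and is bootstrapped by NewSessionTicket.
    # num_tickets = 0 means no ticket is ever issued, so no PSK handshake and
    # no 0-RTT early data can follow (this ssl module never enables early data
    # anyway).  OP_NO_TICKET additionally disables stateless tickets should a
    # pre-1.3 fallback ever be allowed by a later policy change.
    ctx.num_tickets = 0
    ctx.options |= ssl.OP_NO_TICKET
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # trust anchors for client certs
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)      # server's own X.509 identity
    return ctx


def profile_summary(ctx: ssl.SSLContext) -> dict:
    """Flatten the policy-relevant settings so they can be audited or asserted on."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "num_tickets": ctx.num_tickets,
        "no_ticket": bool(ctx.options & ssl.OP_NO_TICKET),
    }


def _match_dns_id(reference: str, presented: str) -> bool:
    """RFC 6125 dNSName matching: case-insensitive, label by label, with a
    wildcard accepted only as the entire left-most label of the presented
    identifier and never for a name with fewer than three labels (*.net)."""
    ref_labels = reference.rstrip(".").lower().split(".")
    pres_labels = presented.rstrip(".").lower().split(".")
    if "*" in reference or not all(ref_labels) or not all(pres_labels):
        return False
    if len(ref_labels) != len(pres_labels):
        return False           # a wildcard never spans more than one label
    head, *tail = pres_labels
    if head == "*":
        return len(pres_labels) >= 3 and ref_labels[1:] == tail
    if "*" in presented:
        return False           # partial-label (r*.example.net) or non-leftmost wildcard
    return ref_labels == pres_labels


def match_reference_identity(reference: str, san_dns_names: Iterable[str]) -> bool:
    """True if the reference identity (the name the NETCONF client was configured
    to connect to) matches one of the certificate's subjectAltName dNSName values.
    An IP-literal reference needs an iPAddress SAN, which dNSName entries never satisfy."""
    try:
        ipaddress.ip_address(reference)
        return False
    except ValueError:
        pass
    return any(_match_dns_id(reference, name) for name in san_dns_names)
```

Usage: call netconf_server_context(cafile, certfile, keyfile) and wrap the listening socket with ctx.wrap_socket(sock, server_side=True); the client side does the mirror image with PROTOCOL_TLS_CLIENT, loads its own certificate, and runs match_reference_identity against the dNSName values of the peer certificate it receives. Mapping the client certificate to a NETCONF username (the cert-to-name step) is outside this snippet.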