[netconf] Roman Danyliw's No Objection on draft-ietf-netconf-crypto-types-30: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Thu, 08 February 2024 19:29 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: netconf@ietf.org
Delivered-To: netconf@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C612C1516EB; Thu, 8 Feb 2024 11:29:08 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-netconf-crypto-types@ietf.org, netconf-chairs@ietf.org, netconf@ietf.org, mjethanandani@gmail.com, mjethanandani@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 12.4.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <170742054836.21097.11420102928962274820@ietfa.amsl.com>
Date: Thu, 08 Feb 2024 11:29:08 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/dXuJG-w8ZQc3-pJLLqI_1XvYqvI>
Subject: [netconf] Roman Danyliw's No Objection on draft-ietf-netconf-crypto-types-30: (with COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 19:29:08 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-netconf-crypto-types-30: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-netconf-crypto-types/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Valery Smyslov for the SECDIR review. I support the Paul's DISCUSS position. Thanks for addressing my DISCUSS feedback and most of my COMMENT feedback. ** Section 3.5. When accessing key values, it is desireable that implementations ensure that the strength of the keys being accessed is not greater than the strength of the underlying secure transport connection over which the keys are conveyed. However, comparing key strengths can be complicated and difficult to implement in practice. I don’t understand the guidance in this section. I would have benefited from clarity in the following areas. -- Explain the impact of using keys whose strength exceeds the underlying transport connection (i.e., it doesn’t offer more security) -- The verb “accessing” is confusing. Let’s say that an implementation notices a discrepancy between key strength, what is it supposed to do? -- The last sentence (“However, comparing ...) seems to acknowledge (correctly) that this advice might not be practical. Is the WG sure the text is needed? ** Section 3.6 Implementations SHOULD only use secure transport protocols meeting local policy. A reasonable policy may, e.g., state that only ciphersuites listed as "recommended" by the IETF be used (e.g., [RFC7525] for TLS). -- Would there be instances where implementation would use secure transport that _doesn’t_ meet local policy? -- RFC7525 has been obsoleted. s/RFC7525/RFC9325/
- [netconf] Roman Danyliw's No Objection on draft-i… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's No Objection on dra… Kent Watsen