Re: [Netconf] rfc5539bis > - NC over TLS with mutual X.509 authentication
Kent Watsen <kwatsen@juniper.net> Fri, 31 October 2014 21:42 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4CDD1A6F05 for <netconf@ietfa.amsl.com>; Fri, 31 Oct 2014 14:42:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PadK8fWS-HDp for <netconf@ietfa.amsl.com>; Fri, 31 Oct 2014 14:42:44 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0742.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::742]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FB931A6F04 for <netconf@ietf.org>; Fri, 31 Oct 2014 14:42:44 -0700 (PDT)
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB457.namprd05.prod.outlook.com (10.141.72.141) with Microsoft SMTP Server (TLS) id 15.1.6.9; Fri, 31 Oct 2014 21:42:21 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.172]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.172]) with mapi id 15.01.0006.000; Fri, 31 Oct 2014 21:42:21 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Alan Luchuk <luchuk@snmp.com>, netconf <netconf@ietf.org>
Thread-Topic: [Netconf] rfc5539bis > - NC over TLS with mutual X.509 authentication
Thread-Index: AQHP9RWsg/t9lw3qYUakrH+lFZuVkpxKed4A
Date: Fri, 31 Oct 2014 21:42:20 +0000
Message-ID: <D0796A85.87191%kwatsen@juniper.net>
References: <201410311419.s9VEJQWY009047@mainfs.snmp.com>
In-Reply-To: <201410311419.s9VEJQWY009047@mainfs.snmp.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [66.129.241.11]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:CO1PR05MB457;
x-forefront-prvs: 03818C953D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(51704005)(189002)(199003)(164054003)(51444003)(76176999)(31966008)(101416001)(40100003)(64706001)(66066001)(20776003)(92566001)(92726001)(50986999)(86362001)(62966003)(106116001)(105586002)(106356001)(4396001)(122556002)(99396003)(120916001)(99286002)(95666004)(107886001)(107046002)(97736003)(54356999)(87936001)(21056001)(83506001)(77156002)(46102003)(77096003)(36756003)(2656002); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR05MB457; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <10AF6DB77124D24790798BFE9418EEFE@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/kKNm-3Zl4TAMBwUfPt1wVwOnM24
Subject: Re: [Netconf] rfc5539bis > - NC over TLS with mutual X.509 authentication
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Oct 2014 21:42:46 -0000
>>I think that limiting this I-D to mutual X.509 authentication resolves >>the issues that have been raised. > >+1 I also +1 to limiting 5539bis to just mutual X.509 auth. That said, I thought that this was already the case, or at least the intent, with all the references to RFCs 5280 and 6125 and what not. >Also, included below is the following new proposed text for Section 2.4.1, >and a new section 2.4.2. The new section 2.4.2 would displace the >existing >section 2.4.2 to have 2.4.3, and so on. Thoughts on this? I'm not sure if adding more sections or more words is needed - maybe this is a case where less is more? Maybe we *only* need to 1) state that server authentication MUST be via PKIX as defined in RFCs 5280 and 6125 and 2) state anything not already covered by RFCs 5280 and 6125. Also, I noticed that you didn't touch the original section 2.4.2. (Client Identity). This is the section that is currently missing a statements along the lines of: - the client MUST present a X.509 certificate - the client MAY also present a chain of intermediate certs to a trust anchor the server is expected to trust - the server MUST authenticate the client's certificate - the server MAY authenticate the client's certificate using PKIX to a configured trust anchor - the server MAY authenticate the client's certificate if it's an exact match to a previously trusted client certificate. Also, I think the last two paragraphs in 2.4.2 should be moved to 2.4.3 (group everything about usernames to one section) and the add a statement to 2.4.3 like: - the server MUST have a configurable mapping from the presented client certificate to the NETCONF username, such as the cert-to-name algorithm defined in section 4.1 of draft-ietf-netmod-snmp-cfg-08 Thanks, Kent
- Re: [Netconf] rfc5539bis > - NC over TLS with mut… Alan Luchuk
- Re: [Netconf] rfc5539bis > - NC over TLS with mut… Kent Watsen
- Re: [Netconf] rfc5539bis > - NC over TLS with mut… t.petch
- Re: [Netconf] rfc5539bis > - NC over TLS with mut… Alan Luchuk
- Re: [Netconf] rfc5539bis > - NC over TLS with mut… t.petch