Re: [nfsv4] Concensus call for draft-ietf-nfsv4-rpc-tls (RFC to be 9289) on AUTH48 changes
David Noveck <davenoveck@gmail.com> Tue, 30 August 2022 11:42 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29EE4C14F6EC; Tue, 30 Aug 2022 04:42:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IzMGkRikcxD8; Tue, 30 Aug 2022 04:42:21 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42920C14F735; Tue, 30 Aug 2022 04:42:21 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id b44so13784772edf.9; Tue, 30 Aug 2022 04:42:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=CTs4CBYLqYe74s75l7r7osk/N7Snq2xRSyiwRGT1QxA=; b=Ux7uYsRfOnXGyHp5KVkoukRc+pAu8S36HIMgTGYC4gWoweynO8le0RGYPSye7F4x1C XMTHM4wjHXkU1ixVvcd9uRyi8ZxBliwPBbhSqn6eYcrSzFdDLF9HD7BubGDs91TKjJEy HgxDclEXv2+PDpQrRtee0UW3+QeZN4asZHGrRbIy50VfD2bSWZaQq6noHaL8HZrPZbv1 QAskzHbhsBdX2+VUtunLDA3qPRwXf6PvHe8NLs8Bll0YZvXTvHkS2lv7wAk3zvCJaRqh ejuDrWNOIYATzD5tmwq5/brlMuo5LqtL3Rw7UT+fyU+cz1/nWmAqJkkIQOauLb8BMxB9 QNxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=CTs4CBYLqYe74s75l7r7osk/N7Snq2xRSyiwRGT1QxA=; b=BI4blrv14V+CfMhRr6cemZApvm6eWV94u49g1ws/oGv4iRRPElzFxMkiDBzTA+15up uGKhoz9wPumI/s3lmGWl3ArfWCw1uE5KQvuzl7AaFlCvC/NaJV5xa78ZJ5CBJ4oVoMs8 2gmEkq4yodCkrlGuvcSoJKambhWv8vmb7UvdB6BmICP0LHAY9l6weetRLd+AuYu9Kw3a 2QR4qCoh6Vcimdqff2YusMQHz67zAO1Ybmy4/mPNU4010Np7a8NpUlwY1mMkqRyMmX+9 Wc5Ljt84dI23MXAHQBl3fSA6YLaBp+hODapAG77Uie2KzFes2greneo98Rgo50sL/yvz GC6A==
X-Gm-Message-State: ACgBeo1Qs75lNRBglIyvOIffHUUgiWsa7bCjHhEKCwauaxXjdqm4DHZz BTZ3RhH5TDipdP3ziXsP04RYgDZyi2a4kENm4MM=
X-Google-Smtp-Source: AA6agR7EZrW8VSwb/TIFEl3tseMtxrD1f1dnufPY+maDzqxZe7PN09zPz/J5nlyiftH9lu1ktFZZ8PJQkRehkUr/khc=
X-Received: by 2002:a05:6402:1215:b0:448:1431:465e with SMTP id c21-20020a056402121500b004481431465emr12807687edw.395.1661859739152; Tue, 30 Aug 2022 04:42:19 -0700 (PDT)
MIME-Version: 1.0
References: <HE1PR07MB41873E02A0EF6307B9255DE59F799@HE1PR07MB4187.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR07MB41873E02A0EF6307B9255DE59F799@HE1PR07MB4187.eurprd07.prod.outlook.com>
From: David Noveck <davenoveck@gmail.com>
Date: Tue, 30 Aug 2022 07:42:08 -0400
Message-ID: <CADaq8jcoB5YEZkuXZLxAgYp=g+hqhPPRxOqVFWNo_YPwn6-kcQ@mail.gmail.com>
To: Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>
Cc: NFSv4 <nfsv4@ietf.org>, draft-ietf-nfsv4-rpc-tls.authors@ietf.org, nfsv4-chairs <nfsv4-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b360c05e773df66"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/4OnD-hPhIsaUe7j2TMKN5Nbhfgo>
Subject: Re: [nfsv4] Concensus call for draft-ietf-nfsv4-rpc-tls (RFC to be 9289) on AUTH48 changes
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2022 11:42:25 -0000
I approve all of these changes and feel the document is ready for publication. Thanks to the authors and Russ for their work on this. On Tue, Aug 30, 2022, 3:59 AM Zaheduzzaman Sarker < zaheduzzaman.sarker@ericsson.com> wrote: > Hello working group, > > > > draft-ietf-nfsv4-rpc-tls-11 is in AUTH48 state and there are substantial > changed since -08 version in response to different reviews. All these are > good. > > > > I have also seen the previous plan for updates ( > https://mailarchive.ietf.org/arch/msg/nfsv4/Enoo1fkQPxaf4CupTZddTarDQNQ/). > However, due the sheer amount of changes in the normative language, I would > like to catch the attention of the working group again to the changes. Here > is diff from -08 version > https://www.ietf.org/rfcdiff?url1=draft-ietf-nfsv4-rpc-tls-08&url2=draft-ietf-nfsv4-rpc-tls-11&difftype=--html > . > > > > Please review the changes and confirm/disagree with those within next one > week ( ends on 06th September, 2022). When I see confirmation and absent > any crucial drawbacks, I will approve the changes. > > > > Following changes are not considered as editorial by the RFC editor and > needs AD approval. > > > > > > 1. > > <!-- [rfced] Section 5: *AD, in the following paragraph, normative text > was removed between versions > > -10 and -11. Please let us know if you approve of the > update: > > > > > Version -10: > > > > > > * Negotiation of a ciphersuite providing confidentiality as well > as > > integrity protection is REQUIRED. Support for and negotiation > of > > compression is > OPTIONAL. > > > > > > Version -11 and > Current: > > > > > > * Negotiation of a cipher suite providing confidentiality as well > as > > integrity protection is > REQUIRED. > > > —> > > > > 2. > > <!-- [rfced] Section 5.2.1: *AD, from version -10 to version -11, text was > added to the beginning of > > the first two bullets of the following list. This new text may impact the > interpretation of the > > normative text that follows it. A third bullet containing normative text > was also added. Please > > review and let us know if you approve of these > additions: > > > > > Version > -10: > > > > > > * Support for the DNS-ID identifier type [RFC6125] is REQUIRED > in > > RPC-over-TLS client and server implementations. > Certification > > authorities that issue such certificates MUST support the > DNS-ID > > identifier type. > > > > > > * DNS domain names in RPC-over-TLS certificates MUST NOT contain > the > > wildcard character '*' within the > identifier. > > > > > Version -11 and current: > > > > > > * The DNS-ID identifier type is a subjectAltName extension > that > > contains a dNSName, as defined in Section 4.2.1.6 of > [RFC5280]. > > Support for the DNS-ID identifier type [RFC6125] is REQUIRED > in > > RPC-over-TLS client and server implementations. > Certification > > authorities that issue such certificates MUST support the > DNS-ID > > identifier > type. > > > > > > * To specify the identity of an RPC peer as a domain name, > the > > certificate MUST contain a subjectAltName extension that > contains > > a dNSName. DNS domain names in RPC-over-TLS certificates MUST > NOT > > contain the wildcard character '*' within the > identifier. > > > > > * To specify the identity of an RPC peer as a network > identifier > > (netid) or a universal network address (uaddr), the > certificate > > MUST contain a subjectAltName extension that contains > an > > iPAddress. > > > —> > > > > 3. > > <!-- [rfced] Section 5.2.1. *AD, between versions -10 and -11, text was > modified in the following > > normative statement ("trust base" was changed to "set of trust anchors"). > Please review and let us > > know if you > approve. > > > > > > Verion > -10: > > > > > > When the configured trust base changes (e.g., removal of a CA > from > > the list of trusted CAs; issuance of a new CRL for a given > CA), > > implementations SHOULD reevaluate the certificate > originally > > presented in the context of the new configuration and terminate > the > > TLS session if the certificate is no longer > trustworthy. > > > > > Version -11 and current (we have expanded the acronyms CA and CRL in the > following): > > > > > When the configured set of trust anchors changes (e.g., removal of > a > > Certificate Authority (CA) from the list of trusted CAs; issuance > of > > a new Certificate Revocation List (CRL) for a given > CA), > > implementations SHOULD reevaluate the certificate > originally > > presented in the context of the new configuration and terminate > the > > TLS session if the certificate is no longer > trustworthy. > > > —> > > > > 4. > > <!-- [rfced] Section 5.2.2. *AD, please review the following normative > text that was modified > > between versions -10 and -11 and let us know if you > approve. > > > > > Version > -10: > > > > > > At least the > following > > > parameter of the TLS connection SHOULD be exposed at the RPC > layer: > > > > > * PSK > Identifier > > > > > > Version -11 and > current: > > > > > > The PSK Identifier SHOULD be exposed at the RPC > layer. > > > —> > > > > > > > > The only non-version-related approval we require from you is the addition > of Section 7.4, which can be seen here: > > > > https://www.rfc-editor.org/authors/rfc9289-auth48diff.html > > > > > > //Zahed >
- [nfsv4] Concensus call for draft-ietf-nfsv4-rpc-t… Zaheduzzaman Sarker
- Re: [nfsv4] Concensus call for draft-ietf-nfsv4-r… David Noveck