Re: [nfsv4] NFS over TLS for laptops

Chuck Lever <chuck.lever@oracle.com> Thu, 31 December 2020 17:07 UTC

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <YQXPR0101MB096833395FEE6E63590BE7B5DDD60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
Date: Thu, 31 Dec 2020 12:07:32 -0500
Cc: Benjamin Kaduk <kaduk@mit.edu>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3B2B3381-8D20-496A-B353-14354362C26F@oracle.com>
References: <YQXPR0101MB096816C0EA985F65FE6562E5DDC60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB0968AA3A97C80B8140BFC845DDC60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <8B3A77F6-15DE-4F4B-B246-385DD447C743@oracle.com> <YQXPR0101MB09680BC1A27265F81C5B5671DDC40@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <DEBCFB38-9A1A-43BB-A8DF-0C64792AF30F@oracle.com> <YQXPR0101MB09689564C0543291E25FB274DDC20@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB09687759005C97725CFC1AFCDDC10@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <13B0E10F-0E40-47AC-A6E3-495DF578DCAB@oracle.com> <YQXPR0101MB0968D1AB5DC7A55DE4E5F404DDDE0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <1113F47A-BDA1-4C34-95B4-1EB8076BA071@oracle.com> <20201229190707.GB89068@kduck.mit.edu> <0D8595B7-4636-4E6A-A5C1-E0FE85D820D0@oracle.com> <YQXPR0101MB096833395FEE6E63590BE7B5DDD60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
To: Rick Macklem <rmacklem@uoguelph.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/FhlwxHGOhmoLd8wBgERsXfkvpLc>
Subject: Re: [nfsv4] NFS over TLS for laptops
Precedence: list

> On Dec 31, 2020, at 11:53 AM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> 
> I do think that TLS squashing done via a database keyed on
> issuer+serial could be a useful alternative (for larger deployments or ...).
> I also think the database structure/access should be specified in detail,
> so that all server implementations can use the same database deployment.
> --> Possibly use secure LDAP?
>       I do not know how to specify LDAP data, but there must
>       be a way?

Fwiw, such an effort might be modeled after RFC 7532, which was produced
by the nfsv4 working group years ago. Note however that there currently
is no LDAP working group within the IETF, so we would have to scrounge
some LDAP expertise for expert review.

I also have some contacts on Red Hat's IPA team, who could give insight
about convenient ways to organize squashing information. Two cents.

--
Chuck Lever

[nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops David Noveck
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Chuck Lever
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Chuck Lever
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Chuck Lever
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
Re: [nfsv4] NFS over TLS for laptops Chuck Lever
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Chuck Lever
Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
Re: [nfsv4] NFS over TLS for laptops Chuck Lever
Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops Chuck Lever
Re: [nfsv4] NFS over TLS for laptops Craig Everhart
Re: [nfsv4] NFS over TLS for laptops Chuck Lever
Re: [nfsv4] NFS over TLS for laptops Craig Everhart
Re: [nfsv4] NFS over TLS for laptops Benjamin Kaduk
Re: [nfsv4] NFS over TLS for laptops Rick Macklem
Re: [nfsv4] NFS over TLS for laptops David Noveck
Re: [nfsv4] NFS over TLS for laptops Magnus Westerlund
Re: [nfsv4] NFS over TLS for laptops Chuck Lever