[nfsv4] Consensus call for draft-ietf-nfsv4-rpc-tls (RFC to be 9289) on AUTH48 changes

Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com> Tue, 30 August 2022 07:59 UTC

From: Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>
To: NFSv4 <nfsv4@ietf.org>
CC: "draft-ietf-nfsv4-rpc-tls.authors@ietf.org" <draft-ietf-nfsv4-rpc-tls.authors@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>
Date: Tue, 30 Aug 2022 07:59:34 +0000
Message-ID: <HE1PR07MB41873E02A0EF6307B9255DE59F799@HE1PR07MB4187.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/ZcoiksgOA90G5Z3dziOrmVc8PTE>

Hello working group,

draft-ietf-nfsv4-rpc-tls-11 is in AUTH48 state and there have been substantial changes since the -08 version in response to different reviews. All these are good.

I have also seen the previous plan for updates (https://mailarchive.ietf.org/arch/msg/nfsv4/Enoo1fkQPxaf4CupTZddTarDQNQ/). However, due to the sheer amount of changes in the normative language, I would like to catch the attention of the working group again to the changes. Here is the diff from the -08 version: https://www.ietf.org/rfcdiff?url1=draft-ietf-nfsv4-rpc-tls-08&url2=draft-ietf-nfsv4-rpc-tls-11&difftype=--html

Please review the changes and confirm/disagree with those within the next week (ends on 6 September 2022). When I see confirmation and absent any crucial drawbacks, I will approve the changes.

The following changes are not considered editorial by the RFC Editor and need AD approval.

1.

<!-- [rfced] Section 5: *AD, in the following paragraph, normative text was removed between versions
-10 and -11. Please let us know if you approve of the update:

Version -10:

   *  Negotiation of a ciphersuite providing confidentiality as well as
      integrity protection is REQUIRED.  Support for and negotiation of
      compression is OPTIONAL.

Version -11 and Current:

   *  Negotiation of a cipher suite providing confidentiality as well as
      integrity protection is REQUIRED.
->

2.

<!-- [rfced] Section 5.2.1: *AD, from version -10 to version -11, text was added to the beginning of
the first two bullets of the following list. This new text may impact the interpretation of the
normative text that follows it. A third bullet containing normative text was also added. Please
review and let us know if you approve of these additions:

Version -10:

   *  Support for the DNS-ID identifier type [RFC6125] is REQUIRED in
      RPC-over-TLS client and server implementations.  Certification
      authorities that issue such certificates MUST support the DNS-ID
      identifier type.

   *  DNS domain names in RPC-over-TLS certificates MUST NOT contain the
      wildcard character '*' within the identifier.

Version -11 and current:

   *  The DNS-ID identifier type is a subjectAltName extension that
      contains a dNSName, as defined in Section 4.2.1.6 of [RFC5280].
      Support for the DNS-ID identifier type [RFC6125] is REQUIRED in
      RPC-over-TLS client and server implementations.  Certification
      authorities that issue such certificates MUST support the DNS-ID
      identifier type.

   *  To specify the identity of an RPC peer as a domain name, the
      certificate MUST contain a subjectAltName extension that contains
      a dNSName.  DNS domain names in RPC-over-TLS certificates MUST NOT
      contain the wildcard character '*' within the identifier.

   *  To specify the identity of an RPC peer as a network identifier
      (netid) or a universal network address (uaddr), the certificate
      MUST contain a subjectAltName extension that contains an
      iPAddress.
->

3.

<!-- [rfced] Section 5.2.1. *AD, between versions -10 and -11, text was modified in the following
normative statement ("trust base" was changed to "set of trust anchors"). Please review and let us
know if you approve.

Version -10:

   When the configured trust base changes (e.g., removal of a CA from
   the list of trusted CAs; issuance of a new CRL for a given CA),
   implementations SHOULD reevaluate the certificate originally
   presented in the context of the new configuration and terminate the
   TLS session if the certificate is no longer trustworthy.

Version -11 and current (we have expanded the acronyms CA and CRL in the following):

   When the configured set of trust anchors changes (e.g., removal of a
   Certificate Authority (CA) from the list of trusted CAs; issuance of
   a new Certificate Revocation List (CRL) for a given CA),
   implementations SHOULD reevaluate the certificate originally
   presented in the context of the new configuration and terminate the
   TLS session if the certificate is no longer trustworthy.
->

4.

<!-- [rfced] Section 5.2.2. *AD, please review the following normative text that was modified
between versions -10 and -11 and let us know if you approve.

Version -10:

   At least the following
   parameter of the TLS connection SHOULD be exposed at the RPC layer:

   *  PSK Identifier

Version -11 and current:

   The PSK Identifier SHOULD be exposed at the RPC layer.
->

The only non-version-related approval we require from you is the addition of Section 7.4, which can be seen here:

https://www.rfc-editor.org/authors/rfc9289-auth48diff.html

//Zahed
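The Section 5.2.1 text quoted in items 2 and 3 of the message above (dNSName and iPAddress subjectAltName identities, the wildcard prohibition, and re-evaluation of open sessions when the set of trust anchors changes) can be turned into concrete peer checks. The block below is an added example for this archive page; it is not code from RFC 9289, from the draft authors, or from any RPC-over-TLS implementation. It assumes certificates in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, hypothetical CA names and serial numbers for the trust-store model, and the RFC 5665 universal-address layout (`h1.h2.h3.h4.p1.p2`, with the port carried in the last two dotted fields) when mapping a uaddr to an iPAddress. The sample certificates are constructed.

```python
"""Added example (not RFC 9289 or any RPC-over-TLS implementation): peer-identity
checks and trust-anchor re-evaluation modelled on the Section 5.2.1 text quoted
above.  Certificates use the dict layout of ssl.SSLSocket.getpeercert()."""
import ipaddress

# Constructed sample certificates, not real ones.
GOOD_CERT = {"subject": ((("commonName", "nfs1.example.test"),),),
             "subjectAltName": (("DNS", "nfs1.example.test"), ("IP Address", "192.0.2.10"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.test"),)}       # forbidden by the text
CN_ONLY_CERT = {"subject": ((("commonName", "nfs2.example.test"),),)}  # no SAN at all


def uaddr_to_ip(uaddr):
    """RFC 5665 uaddr ("h1.h2.h3.h4.p1.p2" or "x1:..:x8.p1.p2") -> IP address.
    The two trailing port fields are dropped; anything else raises ValueError."""
    parts = uaddr.rsplit(".", 2)
    if len(parts) != 3 or not all(0 <= int(p) <= 255 for p in parts[1:]):
        raise ValueError(f"not a tcp/udp uaddr: {uaddr!r}")
    return ipaddress.ip_address(parts[0])


def _san(cert, kind):
    """subjectAltName values of one kind ("DNS" or "IP Address")."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]


def _norm(name):
    return name.rstrip(".").lower()


def check_dns_identity(cert, expected_name):
    """Domain-name identity: a dNSName SAN must match exactly; the CN is never
    consulted and any '*' in a dNSName is rejected outright."""
    names = _san(cert, "DNS")
    if not names:
        return False, "no dNSName in subjectAltName (CN is not consulted)"
    for n in names:
        if "*" in n:
            return False, f"wildcard in dNSName {n!r} is not allowed"
    if _norm(expected_name) not in {_norm(n) for n in names}:
        return False, f"no dNSName matches {expected_name!r}"
    return True, "dNSName matches"


def check_uaddr_identity(cert, uaddr):
    """netid/uaddr identity: an iPAddress SAN must equal the uaddr's address."""
    try:
        want = uaddr_to_ip(uaddr)
    except ValueError as exc:
        return False, str(exc)
    have = []
    for v in _san(cert, "IP Address"):
        try:
            have.append(ipaddress.ip_address(v))
        except ValueError:
            pass                          # skip malformed SAN entries
    if not have:
        return False, "no iPAddress in subjectAltName"
    if want not in have:
        return False, f"no iPAddress matches {want}"
    return True, "iPAddress matches"


class TrustStore:
    """Toy model of the SHOULD on re-evaluating open sessions when the set of
    trust anchors changes.  CA names and serial numbers are hypothetical."""

    def __init__(self, trusted_cas):
        self.trusted_cas = set(trusted_cas)
        self.revoked = set()      # (issuer, serial) pairs learned from CRLs
        self.sessions = {}        # session id -> (issuer, serial) of the peer cert

    def is_trustworthy(self, issuer, serial):
        return issuer in self.trusted_cas and (issuer, serial) not in self.revoked

    def open_session(self, sid, issuer, serial):
        if not self.is_trustworthy(issuer, serial):
            raise ValueError(f"peer certificate {issuer}/{serial} is not trusted")
        self.sessions[sid] = (issuer, serial)

    def _reevaluate(self):
        """Terminate every session whose certificate is no longer trustworthy."""
        gone = sorted(s for s, (i, n) in self.sessions.items() if not self.is_trustworthy(i, n))
        for s in gone:
            del self.sessions[s]
        return gone

    def remove_ca(self, issuer):
        self.trusted_cas.discard(issuer)
        return self._reevaluate()

    def apply_crl(self, issuer, serials):
        self.revoked.update((issuer, n) for n in serials)
        return self._reevaluate()


if __name__ == "__main__":
    print(check_dns_identity(GOOD_CERT, "NFS1.example.test"))      # (True, ...)
    print(check_dns_identity(WILDCARD_CERT, "nfs1.example.test"))  # (False, ...)
    print(check_uaddr_identity(GOOD_CERT, "192.0.2.10.8.1"))       # (True, ...)
    store = TrustStore(["CA-A", "CA-B"])
    for sid, issuer, serial in [("s1", "CA-A", 1001), ("s2", "CA-B", 2002), ("s3", "CA-A", 1003)]:
        store.open_session(sid, issuer, serial)
    print(store.apply_crl("CA-A", [1001]), store.remove_ca("CA-A"), sorted(store.sessions))
```

Two design points follow directly from the quoted -11 text: the checks never fall back to the subject commonName, because the identity MUST be carried in a subjectAltName, and a wildcard dNSName fails even when it would otherwise match, because the prohibition is on the certificate content rather than on the comparison. The trust-store model re-evaluates after each change and returns the sessions it tore down, which is the hook a real server would use to close the corresponding TLS connections.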