Re: [nfsv4] New Version Notification for draft-dnoveck-nfsv4-security-08.txt

Chuck Lever III <chuck.lever@oracle.com> Tue, 19 March 2024 14:38 UTC

From: Chuck Lever III <chuck.lever@oracle.com>
To: Rick Macklem <rick.macklem@gmail.com>
CC: David Noveck <davenoveck@gmail.com>, NFSv4 <nfsv4@ietf.org>, Chuck Lever <chucklever@gmail.com>
Date: Tue, 19 Mar 2024 14:38:03 +0000
Message-ID: <9DBE4C96-42B7-43E7-8430-D87FC337CDA3@oracle.com>
References: <170947740288.2806.283512371684207764@ietfa.amsl.com> <CADaq8jeHa0PPye1xtUyHipFa60tuCOufW_7uXmY3UV9RwuySqg@mail.gmail.com> <CAM5tNy4JpwZmPAQH8SFFPvAWE3qWmxrgdDTw5+StNFxzOAcpbw@mail.gmail.com>
In-Reply-To: <CAM5tNy4JpwZmPAQH8SFFPvAWE3qWmxrgdDTw5+StNFxzOAcpbw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/gnmRGHbpNjwewYLSaBq2DCjrIk4>


> On Mar 19, 2024, at 10:27 AM, Rick Macklem <rick.macklem@gmail.com> wrote:
> 
> There are a couple of issues that this RFC could discuss/define related to this.
> - Chuck and I diverged w.r.t. how to implement this.
>  a) I preferred putting the user name in the X.509 certificate presented during
>       TLS handshake.
>  b) Chuck preferred a database on the NFSv4 server, keyed on certificate
>      issuer/serial#.
> (Chuck may have changed his mind, since his post was related to
> implementation a).)
> This can be considered just an implementation detail chosen by NFS server
> implementors, but it might be nice to have some standardization (for
> example, the exact format of the field in the X.509 certificate for a)).

IMO this falls in the category of server implementation detail.
I don't recall saying a serial# database should be required.

But, not something that goes on the wire, certainly, and
therefore outside the purview of the IETF.

--
Chuck Lever
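The two approaches Rick lists, side by side as an added Go sketch that is not code from either implementation or from the draft. For (a) it assumes the user name is carried in an rfc822Name SAN with the subject CN as a fallback, since the draft does not fix the field; for (b) it uses a map keyed on issuer DN and serial number. The test certificate is constructed in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Approach (b): a server-side table keyed on issuer DN plus serial
// number, the pair that names one certificate under a given CA.
type CertKey struct{ Issuer, Serial string }
type UserDB map[CertKey]string
func KeyOf(c *x509.Certificate) CertKey {
	return CertKey{c.Issuer.String(), c.SerialNumber.String()}
}

// Approach (a): read the user name from the certificate. The draft
// leaves the field unspecified; assumed here: rfc822Name SAN, else CN.
func UserFromCert(c *x509.Certificate) (string, bool) {
	if len(c.EmailAddresses) > 0 {
		return c.EmailAddresses[0], true
	}
	if cn := c.Subject.CommonName; cn != "" {
		return cn, true
	}
	return "", false
}

// MapIdentity tries the table first, then the certificate. Only a cert
// that already chained to a trusted CA in the handshake reaches here.
func MapIdentity(c *x509.Certificate, db UserDB) (string, bool) {
	if u, ok := db[KeyOf(c)]; ok {
		return u, true
	}
	return UserFromCert(c)
}

// NewTestCert: self-signed cert (constructed test data) with serial, CN, SANs.
func NewTestCert(serial int64, cn string, emails []string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		EmailAddresses: emails, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
```

Note that KeyOf matches on issuer and serial only, so under (b) two certificates with the same issuer and serial map to the same user regardless of their SAN contents; that is exactly why the table, not the certificate body, is authoritative in that design.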