[OPSAWG] Mail regarding draft-ietf-opsawg-tacacs-tls13

Anthony Somerset <Anthony.Somerset@liquid.tech> Wed, 09 November 2022 11:24 UTC

From: Anthony Somerset <Anthony.Somerset@liquid.tech>
To: "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: Mail regarding draft-ietf-opsawg-tacacs-tls13
Thread-Index: AQHY9C3bGCTVwiq3IE241DM3Q8Pxhw==
Date: Wed, 09 Nov 2022 11:24:40 +0000
Message-ID: <BE35653C-384B-4C54-9C5D-9F8A1B6B3343@liquid.tech>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/Fcey1ywhBpmzvgFvPtlmO7SjK4I>
Subject: [OPSAWG] Mail regarding draft-ietf-opsawg-tacacs-tls13
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>

Hi there,

Thanks for the work on this draft; it would be great to get this done soon.

Apart from a few minor grammatical nits this looks pretty good, just one query from me.

Section 3.2.2 could do with some clarification regarding mutual auth. My understanding is that:

The client will connect to the server; the server will present a certificate so that the client can validate that it is the correct server, etc., and otherwise close the connection if it is not verified.

The client will present its certificate to the server, and the server will authenticate the client identity on the basis of this certificate; this largely replaces the shared-secret-based obfuscation method of identification.

However, there is also mention of TLS PSK (5.1.3) in the draft, but it's not clear whether this is something that is mutually exclusive with the mutual cert auth, or whether it's an alternative that could negate the requirement for client authentication and allow for the traditional one-way verification common in a client/server connection.

So perhaps there could be some clarity, or at least separation, of server verification vs. client verification/identification.

I would also recommend that anywhere that suggests non-default config to do things like disabling verification (3.2.2), some wording be added to the effect that this is not recommended outside of lab environments.

Thanks again

Anthony Somerset
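The two directions of verification discussed in the mail above (server certificate checked by the client, client certificate checked by the server, and the "disable verification" setting that should stay in the lab) map directly onto TLS context configuration. The following is an added example written for this page; it is not code from the draft, from the author, or from any TACACS+ implementation. It uses Python's standard `ssl` module only; the certificate, key and CA-bundle paths are placeholders the deployer would supply, and `audit_context` is a hypothetical helper that flags the weak settings so a reviewer can see at a glance whether a given context does mutual auth or one-way auth.

```python
import ssl
from typing import List, Optional

# Added example (not from draft-ietf-opsawg-tacacs-tls13 or the mail above).
# Server side: presents its own certificate and, by default, requires and
# verifies the client's certificate, i.e. mutual auth as described above.
# Paths are placeholders: nothing is loaded unless the caller supplies them.
def build_server_context(
    cert_path: Optional[str] = None,
    key_path: Optional[str] = None,
    client_ca_path: Optional[str] = None,
    require_client_cert: bool = True,
) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # TLS 1.3 only, per the draft's title
    if cert_path and key_path:
        ctx.load_cert_chain(cert_path, key_path)   # the server's own identity
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED        # demand and verify the client cert
        if client_ca_path:
            ctx.load_verify_locations(client_ca_path)
    else:
        # One-way auth: the client is NOT identified by certificate. This is the
        # lab-only setting the mail asks the draft to warn about.
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Client side: validates the server certificate and hostname, and optionally
# presents its own certificate for the server to authenticate it.
def build_client_context(
    server_ca_path: Optional[str] = None,
    cert_path: Optional[str] = None,
    key_path: Optional[str] = None,
    verify_server: bool = True,
) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if verify_server:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED        # close the connection if the server fails to verify
        if server_ca_path:
            ctx.load_verify_locations(server_ca_path)
        else:
            ctx.load_default_certs()               # placeholder: system trust store
    else:
        # Disabling verification: check_hostname must be cleared before
        # verify_mode can be set to CERT_NONE. Lab use only.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if cert_path and key_path:
        ctx.load_cert_chain(cert_path, key_path)   # the client's identity for mutual auth
    return ctx


# Hypothetical review helper: returns a list of human-readable findings for
# the settings a reviewer of section 3.2.2 would care about. Empty means
# the context verifies its peer and insists on TLS 1.3.
def audit_context(ctx: ssl.SSLContext, role: str) -> List[str]:
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(f"{role} allows TLS below 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(f"{role} does not verify peer certificate")
    if role == "client" and not ctx.check_hostname:
        findings.append("client skips hostname check")
    return findings


if __name__ == "__main__":
    for role, ctx in (("server", build_server_context()),
                      ("client", build_client_context()),
                      ("server", build_server_context(require_client_cert=False)),
                      ("client", build_client_context(verify_server=False))):
        print(role, ctx.verify_mode.name, audit_context(ctx, role) or "ok")
```

The point the audit makes explicit is the one the mail raises: a server context with `CERT_NONE` still gives the client a verified server (one-way auth), but the server then has no certificate-based identity for the client at all, so whatever replaces the shared-secret identification has to come from somewhere else (for example the PSK mode the mail asks about). Keeping the weak branch behind an explicit flag makes that deployment choice visible in configuration review rather than buried in a default.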