IETF Logo Mail Archive

[radext] Re: Deb Cooley's No Objection on draft-ietf-radext-radiusdtls-bis-15: (with COMMENT)

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 28 February 2026 19:04 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: radext@mail2.ietf.org
Delivered-To: radext@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 3D89DC08FFA8; Sat, 28 Feb 2026 11:04:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-rnA_9B5PIx; Sat, 28 Feb 2026 11:04:30 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DC194C08FFA3; Sat, 28 Feb 2026 11:04:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id A7BBE38DEE; Sat, 28 Feb 2026 14:04:24 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavis, port 10024) with LMTP id lL6Jvg3x82kB; Sat, 28 Feb 2026 14:04:22 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1772305462; bh=ApVymRjE75MqMwcgzb9QpV7QPs+ZX2aJz6my1YDcveQ=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=wwylZI0Uyf3pwj9o4JUsNpmLntBCqtjbY1f1GpEqopbsVgPfbkYOLy8F/+IES/Syu lJS18devojJS3QahRGD44THjyjMu2fAZ0qeN38CUyU6Bk25pni6vlS6qRWpc9HsLyy 52Lgg+SRWBOcYLtKFhQmwYf8FQKxLAWSUrSKKwLy4nxHfGVfGZ196XcqBs3Vg6rRwb 5V5ueaNTU3D/n+MFJglUYCLLVlzfZjRDIkM0eNFMUyfdTHDp2tRyZB/BsIyP5gARut Fk4OTtoIvtk/LUuFp79YqMjO0E/gVXg2KfJhuTMVi3w/4wFys02ROWeLllmbJHmbsF xe2wzEjzhYh3w==
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 3E4FA38DED; Sat, 28 Feb 2026 14:04:22 -0500 (EST)
Received: from obiwan.sandelman.ca (obiwan.sandelman.ca [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id B04DE182; Sat, 28 Feb 2026 14:04:21 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Deb Cooley <debcooley1@gmail.com>
In-Reply-To: <177228288906.3152394.3904250162381070877@dt-datatracker-6ff7c68975-7k42g>
References: <177228288906.3152394.3904250162381070877@dt-datatracker-6ff7c68975-7k42g>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; Emacs 30.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 28 Feb 2026 14:04:21 -0500
Message-ID: <8759.1772305461@obiwan.sandelman.ca>
Message-ID-Hash: 5RHB7ER2FQXWTEQITHFD3SIGNG4UNLLZ
X-Message-ID-Hash: 5RHB7ER2FQXWTEQITHFD3SIGNG4UNLLZ
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, draft-ietf-radext-radiusdtls-bis@ietf.org, mrcullen42@gmail.com, radext-chairs@ietf.org, radext@ietf.org, valery@smyslov.net
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [radext] Re: Deb Cooley's No Objection on draft-ietf-radext-radiusdtls-bis-15: (with COMMENT)
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/4ywsi9bXHxaiZnTCzpu2YueNRxg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

<#secure method=pgpmime mode=sign>

Deb Cooley via Datatracker <noreply@ietf.org> wrote:
    > General:  TLS 1.2, is there a reason to allow this?  While RFC9325 mandates
    > TLS1.2, draft-ietf-uta-require-tls13 (in AUTH48-done state, also will be under
    > BCP 195) updates this to deprecate TLS 1.2.   Perhaps one could ref BCP195 and
    > remove the references to TLS 1.2 (or at least reference both 9325 and the uta
    > draft)?

Yeah, so the choice for many deployed systems, which could get minor bits of
new functionality, like replacing their radius client library with one that
does DTLS, is that they won't get a new core system library before they are
EOL.  Some might be EOL already.  So the choice really is:

1) cleartext radius with MD5
2) (D)TLS 1.2, (probably via openssl 1.1.x, could be older!)

(DTLS *APIS* are a disaster for any version.  I tried to get them fixed
starting in 2018, but I have gotten nowhere.  DTLS 1.3 libraries are not yet
common.  For many, they will go to TLS/TCP rather than to DTLS)

The text has recommended 1.3. We all want to go there.
But, implementations have to be ready to support 1.2.

Can we stop this witch hunt?  The world is not all browsers.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.46.0 | Report a Bug | By Email | System Status