Re: [radext] Discussions about RFC6614bis
Alexander Clouter <alex+ietf@coremem.com> Sun, 01 January 2023 16:47 UTC
Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6C2AC14F721 for <radext@ietfa.amsl.com>; Sun, 1 Jan 2023 08:47:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b=bhYIZp1s; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=TX+8Z/6I
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QSSZLuSosE0G for <radext@ietfa.amsl.com>; Sun, 1 Jan 2023 08:47:42 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 140D5C14EB1C for <radext@ietf.org>; Sun, 1 Jan 2023 08:47:41 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 82601320031A for <radext@ietf.org>; Sun, 1 Jan 2023 11:47:39 -0500 (EST)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Sun, 01 Jan 2023 11:47:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1672591659; x=1672678059; bh=8yTjW9KPzR i1NTxEDzKfMPhHGzspvS6OW3cE2Jc3eFI=; b=bhYIZp1sAjMelUgLI+RUTAZ/54 LeDeMJw1AkvF0KQLz757i9rVok2mIJfm20yW8BQOsvCkS1WHzpts+BG5gKEkd4uE Lnnnu56iBJ+SwlR/YPrERFyx7LSwKNfcBDCwR1AxLXF8xClcm8+a6pJENc8C0IFk Qhp4+0Cl/Z6FoTk9/1Sxmkjct3uJNE4krfen398ubFY2oRlOlMWCLw/0IYiteIH0 0AvPfbWnVfgYMZmV81a2CtId+/jokKz0TgOreNy23u51dIVUaAaHOC72+dViUGk4 XPLcoAjpA7+YENW/sQuy4JpqWKktWF4McYDzKWZImCzO3YU99mjqwEqLU1Hw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1672591659; x=1672678059; bh=8yTjW9KPzRi1NTxEDzKfMPhHGzsp vS6OW3cE2Jc3eFI=; b=TX+8Z/6IJPY/WP7jNAAX6u3AuRHpebPBAt++vRcSyOIe 1l2mR7JCLVclJvQo1bWHfA6xmVku1UlWWNwC5aOTDo26QQWiDpNiuWVPqaD5GaRf rqjZ2LcTu85vJ4uYOqbbagYVELDicgN3xWwHg5pLoxztekdQw+276kGEKEvonTPe Lg/Sxet1zHlEuNHXZS+v/gVyoeotF2wiEo2kBuiCy9GL0+cc4FJffNj44/8YYs6S ct49jm1AhQzKACGSvl3eEDp98KUb53hkSLoNrMnYS95c0mR+ARnSY/TeCmKFs0lj P5I/n3LJE8MIR4UEOK0XRCRzw/21piqPXnyByTsRRA==
X-ME-Sender: <xms:KrmxYyrDnv9chjVgkGl5fETULEBFkl5VCHp4A_O2Khpw29TVqbxriQ> <xme:KrmxYwrxnhiz9rmMRKa72nmEifU7EZMzGjNhv2B2vz4g1E0VMhAYIU-9KQdok26PU JWme0-ZaHVltPkeUg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrjedtgdeludcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdetlhgvgigrnhguvghrucevlhhouhhtvghrfdcuoegrlhgv gidoihgvthhfsegtohhrvghmvghmrdgtohhmqeenucggtffrrghtthgvrhhnpeeutdduff fftdevkefgfeevffelveegffefgeffgedvkeeftddvjefhteevkeetleenucffohhmrghi nhepghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomheprghlvgigodhivghtfhestghorhgvmhgvmhdrtghomh
X-ME-Proxy: <xmx:K7mxY3P10yAH4as35KKbabACOWfaLmf9vU8EWJxCuLKwYwFglIqshQ> <xmx:K7mxYx5ArK1j6BMdLq8e1DN9XPXFx0SpNUm3VDMYNTcZTrXSnshK8A> <xmx:K7mxYx4F3g9swBhtWDP0Gu8dki6jtVx11QBr5hChifReuHKpelJCTQ> <xmx:K7mxYzGpEGaEfSa9iMq2UiKxIGwyID5rIy5iCT3st0vAYkGYopxgTA>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id DF6382A20080; Sun, 1 Jan 2023 11:47:38 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-1185-g841157300a-fm-20221208.002-g84115730
Mime-Version: 1.0
Message-Id: <ac645b73-52ba-4cce-b74f-ead7bac515e5@app.fastmail.com>
In-Reply-To: <a53edd01-f255-7a9d-5ff1-5ca1d28aee59@dfn.de>
References: <a53edd01-f255-7a9d-5ff1-5ca1d28aee59@dfn.de>
Date: Sun, 01 Jan 2023 16:47:18 +0000
From: Alexander Clouter <alex+ietf@coremem.com>
To: radext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/rjUAl5_zx2ctrMs_3nJzzIfnCyo>
Subject: Re: [radext] Discussions about RFC6614bis
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jan 2023 16:47:46 -0000
On Mon, 5 Dec 2022, at 15:48, Jan-Frederik Rieckers wrote: > > we have started some discussions on the RFC6614bis draft on Github: > https://github.com/Janfred/draft-rieckers-radext-rfc6614bis Section 1.2: "TLS 1.2 is now the minimum TLS version, TLS 1.3 is included as *recommended*.", should 'recommended' be 'RECOMMENDED' (caps and bold)? On the MTI front here, RC4 is prohibited since RFC7465, not sure if that means a reference to it needs to be included to say "please do not use it"? Section 2.2: "The RADIUS/TLS nodes MUST NOT offer or negotiate cipher suites which do not provide confidentiality and integrity protection.", did we want to include PFS as a RECOMMENDED too as credentials are flying around on the wire? Section 2.3.2: "and support for the more contemporary *has* function SHA-256 is RECOMMENDED.", typo should be 'hash'. Do we want to label the SHA-1 fingerprint as a SHOULD NOT to deprecate it and highlight that people really should not be using this for certificates (as per RFC9155)? Section 5 looks mostly retained from RFC6614 section 6 which includes a note stating SHA-1 probably will be removed at some point. Maybe that moment is now? Thanks
- [radext] Discussions about RFC6614bis Jan-Frederik Rieckers
- Re: [radext] Discussions about RFC6614bis Alexander Clouter
- Re: [radext] Discussions about RFC6614bis Heikki Vatiainen