[secdir] Secdir Review of draft-ietf-netconf-rfc5539bis-09
Sam Hartman <hartmans-ietf@mit.edu> Mon, 09 March 2015 12:10 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 190541A8833; Mon, 9 Mar 2015 05:10:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.165
X-Spam-Level:
X-Spam-Status: No, score=0.165 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3YD37JgE2T6r; Mon, 9 Mar 2015 05:10:37 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22A151A878A; Mon, 9 Mar 2015 05:10:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 36CB120655; Mon, 9 Mar 2015 08:09:24 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5YmM7uykHrU; Mon, 9 Mar 2015 08:09:23 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-50-177-26-195.hsd1.ma.comcast.net [50.177.26.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Mon, 9 Mar 2015 08:09:23 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 2A3BD80430; Mon, 9 Mar 2015 08:10:24 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: ietf@ietf.org, secdir@ietf.org, iesg@ietf.org
Date: Mon, 09 Mar 2015 08:10:24 -0400
Message-ID: <tslioeagymn.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/jFZeIH-ZepMTW4tWGKemYBKvudI>
Cc: draft-ietf-netconf-rfc5539bis.all@tools.ietf.org
Subject: [secdir] Secdir Review of draft-ietf-netconf-rfc5539bis-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2015 12:10:42 -0000
This is an update to netconf over TLS with mutual X.509 authentication. In general, this looks fairly good. I'd ask the security ADs to take a look at two things: * The text on certificate validation in section 5. Certificate validation has a number of options, none of which are described or specified in this text. Is that good enough for this application? (Probably) In section 7, there is a description of how the netconf server finds the username of the client. It talks about a certificate fingerprint without a reference to a specific algorithm. I'm aware of multiple algorithms for fingerprints. This text is probably too vague for interoperability.
- [secdir] Secdir Review of draft-ietf-netconf-rfc5… Sam Hartman
- Re: [secdir] Secdir Review of draft-ietf-netconf-… t.p.
- Re: [secdir] Secdir Review of draft-ietf-netconf-… Sam Hartman
- Re: [secdir] Secdir Review of draft-ietf-netconf-… Juergen Schoenwaelder
- Re: [secdir] Secdir Review of draft-ietf-netconf-… t.p.
- Re: [secdir] Secdir Review of draft-ietf-netconf-… Juergen Schoenwaelder
- Re: [secdir] Secdir Review of draft-ietf-netconf-… Ersue, Mehmet (Nokia - DE/Munich)