Secdir Review of draft-ietf-netconf-rfc5539bis-09

ietf

Secdir Review of draft-ietf-netconf-rfc5539bis-09

2015-03-09 09:50:15


This is an update to netconf over TLS with mutual X.509 authentication.

In general, this looks fairly good.

I'd ask the security ADs to take a look at two things:

* The text on certificate validation in section 5.
Certificate validation has a number of options, none of which are
described or specified in this text.
Is that good enough for this application?  (Probably)

In section 7, there is a description of how the netconf server finds the
username of the client.
It talks about a certificate fingerprint without a reference to a
specific algorithm.
I'm aware of multiple algorithms for fingerprints.
This text is probably too vague for interoperability.

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Secdir Review of draft-ietf-netconf-rfc5539bis-09, Sam Hartman <= Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09, t.p. Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09, Sam Hartman Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09, t.p. Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09, Juergen Schoenwaelder Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09, Viktor Dukhovni RE: Secdir Review of draft-ietf-netconf-rfc5539bis-09, Ersue, Mehmet (Nokia - DE/Munich) Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09, Juergen Schoenwaelder

Previous by Date:	Re: Last Call: <draft-farrresnickel-harassment-05.txt> (IETF Anti-Harassment Procedures) to Best Current Practice, Sam Hartman
Next by Date:	Re: secdir review of draft-ietf-mpls-lsp-ping-relay-reply, lizho(_dot_)jin(_at_)gmail(_dot_)com
Previous by Thread:	IETF 92 - Early-Bird Registration Ends 13 March 2015, IETF Secretariat
Next by Thread:	Re: Secdir Review of draft-ietf-netconf-rfc5539bis-09, t.p.
Indexes:	[Date] [Thread] [Top] [All Lists]