Last Call Review of draft-ietf-netconf-rfc5539bis-09
review-ietf-netconf-rfc5539bis-09-secdir-lc-hartman-2015-03-12-00
| Request | Review of draft-ietf-netconf-rfc5539bis |
|---|---|
| Requested revision | No specific revision (document currently at 10) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2015-03-11 |
| Requested | 2015-03-02 |
| Authors | Mohamad Badra, Alan Luchuk, Jürgen Schönwälder |
| I-D last updated | 2015-03-12 |
| Completed reviews | Secdir Last Call review of -09 by Sam Hartman; Opsdir Last Call review of -09 by Stefan Winter |
| Assignment | Reviewer: Sam Hartman |
| State | Completed |
| Request | Last Call review on draft-ietf-netconf-rfc5539bis by Security Area Directorate Assigned |
| Reviewed revision | 09 (document currently at 10) |
| Result | Ready |
| Completed | 2015-03-12 |
This is an update to netconf over TLS with mutual X.509 authentication. In general, this looks fairly good. I'd ask the security ADs to take a look at two things:

* The text on certificate validation in section 5. Certificate validation has a number of options, none of which are described or specified in this text. Is that good enough for this application? (Probably)

* In section 7, there is a description of how the netconf server finds the username of the client. It talks about a certificate fingerprint without a reference to a specific algorithm. I'm aware of multiple algorithms for fingerprints. This text is probably too vague for interoperability.
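The interoperability point in the second bullet, illustrated with an added example that is not part of the review or of the draft: a certificate fingerprint is just a hash over the certificate's DER bytes, so a server that maps fingerprints to NETCONF usernames can only match a client if both sides agree on the hash algorithm. The `CLIENT_CERT_DER` blob below is a constructed placeholder, not a real certificate, and the `build_user_map`/`lookup_username` helpers are hypothetical; the keyed-on-algorithm table is one way to remove the ambiguity the reviewer describes.

```python
import hashlib

# Constructed placeholder standing in for a client certificate's DER encoding.
# It is not a real certificate; the example only needs some fixed bytes to hash.
CLIENT_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Colon-separated upper-case hex fingerprint of cert_der under the named hash."""
    digest = hashlib.new(algorithm, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def build_user_map(entries):
    """Hypothetical server-side table: (algorithm, fingerprint) -> NETCONF username.

    Keying on the algorithm as well as the hex string is the point: a SHA-1
    fingerprint and a SHA-256 fingerprint of the same certificate are different
    strings of different lengths, so a table that stores only "the fingerprint"
    cannot be matched against a client unless the algorithm is also agreed.
    """
    return {(alg.lower(), fp.upper()): user for alg, fp, user in entries}


def lookup_username(user_map, cert_der: bytes, algorithm: str):
    """Return the username bound to this certificate under this algorithm, or None."""
    return user_map.get((algorithm.lower(), fingerprint(cert_der, algorithm)))


def demo():
    sha1_fp = fingerprint(CLIENT_CERT_DER, "sha1")
    sha256_fp = fingerprint(CLIENT_CERT_DER, "sha256")

    # The operator provisioned the mapping using a SHA-256 fingerprint.
    user_map = build_user_map([("sha256", sha256_fp, "alice")])

    return {
        "sha1_octets": len(sha1_fp.split(":")),      # 20 for SHA-1
        "sha256_octets": len(sha256_fp.split(":")),  # 32 for SHA-256
        "same_string": sha1_fp == sha256_fp,         # never true
        "match_sha256": lookup_username(user_map, CLIENT_CERT_DER, "sha256"),
        "match_sha1": lookup_username(user_map, CLIENT_CERT_DER, "sha1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the same certificate bytes producing a 20-octet and a 32-octet fingerprint, with the lookup succeeding only when the client and the table use the same algorithm; a specification that says only "certificate fingerprint" leaves that agreement to luck.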