Last Call Review of draft-ietf-netconf-rfc5539bis-09
review-ietf-netconf-rfc5539bis-09-secdir-lc-hartman-2015-03-12-00
| Request | Review of | draft-ietf-netconf-rfc5539bis |
|---|---|---|
| Requested revision | No specific revision (document currently at 10) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2015-03-11 | |
| Requested | 2015-03-02 | |
| Authors | Mohamad Badra , Alan Luchuk , Jürgen Schönwälder | |
| I-D last updated | 2015-03-12 | |
| Completed reviews |
Secdir Last Call review of -09
by Sam Hartman
(diff)
Opsdir Last Call review of -09 by Stefan Winter (diff) |
|
| Assignment | Reviewer | Sam Hartman |
| State | Completed | |
| Request | Last Call review on draft-ietf-netconf-rfc5539bis by Security Area Directorate Assigned | |
| Reviewed revision | 09 (document currently at 10) | |
| Result | Ready | |
| Completed | 2015-03-12 |
review-ietf-netconf-rfc5539bis-09-secdir-lc-hartman-2015-03-12-00
This is an update to netconf over TLS with mutual X.509 authentication. In general, this looks fairly good. I'd ask the security ADs to take a look at two things: * The text on certificate validation in section 5. Certificate validation has a number of options, none of which are described or specified in this text. Is that good enough for this application? (Probably) In section 7, there is a description of how the netconf server finds the username of the client. It talks about a certificate fingerprint without a reference to a specific algorithm. I'm aware of multiple algorithms for fingerprints. This text is probably too vague for interoperability.