> 5
> 
>   Perhaps add a note that TACACS+ TLS servers and clients SHOULD NOT use 
> well-known CAs.  i.e. CAs from the web PKI.  Doing so would allow clients to 
> connect to any server, and would allow anyone to issue client certs.

I think that you mean something like, SHOULD NOT, unless the client also
authenticates the server, which it should.  Correct?

> 5.1.4
> 
> ... Operators should be cognizant of the potential of TLS TACACS+ server 
> and/or client isolation from their peer's CA by network failures. Isolation 
> from a public key certificate's CA will cause the verification of the 
> certificate to fail and thus TLS authentication of the peer to fail.
> 
>   I'm not sure why it's an issue if the CA is unreachable.  The TACACS+ TLS 
> server has to be configured with the CA cert, and all intermediate certs.  
> The client should ideally also be configured with the CA cert.  There's no 
> need to contact the CA, the CA cert is just a file on disk.
> 
>   Why does the CA have to be online?

Unless the client (or server) has a complete cache of its peer's issuer
path, the certificate cannot be verified following RFC 5280 methods.  It
is reasonable to expect that a network device might not have this, whether
the CA is well-known or private.  If it cannot be verified, and the client
(or server) strictly requires it, which it should, then the connection
should be abandoned.  No?

Therefore, if the operator wishes it to always work, this must be
considered.

>   Alan DeKok.

_______________________________________________
OPSAWG mailing list -- opsawg@ietf.org