Thanks Med, good catch, we’ll add this to the next version (16)

From: mohamed.boucad...@orange.com <mohamed.boucad...@orange.com>
Date: Tuesday, 26 November 2024 at 13:05
To: draft-ietf-opsawg-tacacs-tl...@ietf.org <draft-ietf-opsawg-tacacs-tl...@ietf.org>
Cc: opsawg <opsawg@ietf.org>
Subject: BCP 195 RE: [OPSAWG]Re: draft-ietf-opsawg-tacacs-tls13: Debugging TACACS+ over TLS

Hi Doug, all,

I remember that the draft was updated to refer to BCP195 per a comment from Valery
(https://mailarchive.ietf.org/arch/msg/opsawg/U3mPq3WlRF48blMmr2uCF80KLiI/),
however I see that there are some very few places to update:

OLD:
   RFC9325 offers substantial guidance for implementing protocols that
   use TLS and their deployment.  Those implementing and deploying
   Secure TACACS+ must adhere to the recommendations relevant to TLS 1.3
   outlined in RFC9325, or its subsequent versions.

   This document outlines additional restrictions permissible under
   RFC9325.  For example, any recommendations referring to TLS 1.2,
   including the mandatory support, are not relevant for Secure TACACS+
   as TLS 1.3 or above is mandated.

NEW:
   [BCP195] offers substantial guidance for implementing protocols that
   use TLS and their deployment.  Those implementing and deploying
   Secure TACACS+ must adhere to the recommendations relevant to TLS 1.3
   outlined in RFC9325, or its subsequent versions.

   This document outlines additional restrictions permissible under
   [BCP195].  For example, any recommendations referring to TLS 1.2,
   including the mandatory support, are not relevant for Secure TACACS+
   as TLS 1.3 or above is mandated.

Thank you.

Cheers,
Med

> -----Original Message-----
> From: BOUCADAIR Mohamed INNOV/NET
> Sent: Tuesday, 26 November 2024 13:49
> To: 'Alan DeKok' <al...@deployingradius.com>
> Cc: Heikki Vatiainen <h...@radiatorsoftware.com>; opsawg <opsawg@ietf.org>
> Subject: RE: [OPSAWG]Re: draft-ietf-opsawg-tacacs-tls13: Debugging TACACS+ over TLS
>
> Re-,
>
> Sounds like a plan :-)
>
> When that work is started, I'd recommend you set it under:
> https://www.rfc-editor.org/info/bcp195.
>
> For the specific tacacs+ case, citing BCP195 instead of RFC 9325
> would allow us to inherit these guidelines in the future.
>
> Thank you.
>
> Cheers,
> Med
>
> > -----Original Message-----
> > From: Alan DeKok <al...@deployingradius.com>
> > Sent: Tuesday, 26 November 2024 13:42
> > To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucad...@orange.com>
> > Cc: Heikki Vatiainen <h...@radiatorsoftware.com>; opsawg <opsawg@ietf.org>
> > Subject: Re: [OPSAWG]Re: draft-ietf-opsawg-tacacs-tls13: Debugging TACACS+ over TLS
> >
> >
> > On Nov 26, 2024, at 7:27 AM, mohamed.boucad...@orange.com wrote:
> > > I'm afraid that we need to handle this globally (e.g., in UTA
> > > WG), not for every application.
> >
> >   I agree.
> >
> >   I spoke with Eric Vyncke in Dublin, and explained that while RFC
> > 9325 is good, RADIUS and TACACS+ were having similar issues with TLS.
> > i.e., the TLS RFCs largely describe what TLS does, but are somewhat
> > thin on how applications can use TLS.  The RADEXT WG has spent
> > substantial time digging into a number of issues, and updating drafts
> > with what we've found.
> >
> >   His suggestion was the same as yours: This needs to be done in UTA.
> > He also pointed out that as someone involved in RADEXT, and as
> > co-chair of UTA, I was the ideal person to write this document.
> >
> >   The good news is that much of the necessary text is already in the
> > RADEXT drafts, so perhaps the work isn't as large as it could have
> > been.
> >
> >   I'll try to find some time.
> >
> >   Alan DeKok.
