Eliot,

The certificate part seems basically right (I think you should require
specific KeyUsage bits).

Maybe I missed it, but I didn't see anything about the level of trust you
should have in cases where you can't reliably tie the endpoint's
transmissions to its certificate.

-Ekr


On Fri, May 18, 2018 at 3:46 AM, Joe Clarke <jcla...@cisco.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chair hat on:
>
> We would like to give this call for review a week timeout with the WG.
>
> Please pay special attention to the security changes Eliot has
> described below when reviewing the new text.
>
> We are looking to push this forward EOD on May 25.
>
> Thanks.
>
> Joe
>
> On 5/17/18 11:36, Eliot Lear wrote:
> > Hi everyone,
> >
> > This draft is intended to address all IESG comments.  Thanks to the
> > IESG and reviewers for their contributions.  A summary of the
> > changes is below, but people may wish to do a side by side review.
> >
> > Eliot
> >
> >
> > * Small edits to the abstract
> > * Clarity in the introduction that the focus is on protecting the device.
> > * Many grammatical/wording improvements
> > * Clarity when MUD is most effective.
> > * MUD controller -> MUD manager
> > * Normative language boiler plate change
> > * Clarity on what should happen when a MUD manager can't reach a MUD file server
> > * A few reference updates
> > * Clarity on the validity time of a MUD file
> > * Added references to RFCs 5911 and 5912 for SMI changes
> > * one additional data element (documentation)
> > * one change based on an update to the ACL model during its last call
> > * Subsection numbering for node descriptions.
> > * Improved text around "controller", direction-initiated.
> > * Simplified MUD-URL text.
> > * Optional reserved space added to DHCP, LLDP options
> > * Simplified DHCP processing.
> > * A new certificate field to bind the manufacturer certificate to the mud signer.
> > * A content type definition for the SMI.
> > * Updated security considerations.
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
>
> iF0EARECAB0WIQTMiWQHc8wChijkr7lvaI+K/hTPhwUCWv6vBgAKCRBvaI+K/hTP
> hwzAAJ4gQdPZ93IFCwO7nWOca4gu7xbwkwCeJPLWlBoGGKDtuQp8sUHVJy+2lmY=
> =CyhD
> -----END PGP SIGNATURE-----
>
>
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
