Hi Tom, Joe,

Thanks for your review and comments. The issues will be fixed in the next revision.
For 'leaf shared-secret', the following text will be added:
"It is highly recommended that shared keys are at least 32 characters long and sufficiently complex with mixed different character types."

Best regards,
Bo

-----Original Message-----
From: tom petch [mailto:[email protected]]
Sent: 17 March 2021 19:00
To: Joe Clarke (jclarke) <[email protected]>
Cc: [email protected]; [email protected]; [email protected]
Subject: Re: [OPSAWG] Last Call: <draft-ietf-opsawg-tacacs-yang-09.txt> (YANG Data Model for TACACS+) to Proposed Standard

From: Joe Clarke (jclarke) <[email protected]>
Sent: 16 March 2021 13:04
To: tom petch

On 3/16/21 06:13, tom petch wrote:
> Some editorial quirks
>
> YANG
> revision reference
> the text value is not quite the same as the title of the I-D; perhaps
> both are not quite right

Good catch. These two should be normalized. Perhaps the better title is YANG module for TACACS+.

<tp>
or else
A YANG Module for TACACS+
I like the indefinite article there but it is perhaps a matter of taste

> leaf shared-secret
> /shared keys/shared secrets/

Yes, agreed.

>
> should we recommend improving the entropy with mixed case, digits,
> punctuation? I note that the example lacks punctuation. A plus sign might
> be appropriate!

Given the weakness, this couldn't hurt. This could be called out in both Security Considerations as well as in the leaf description. I like the cheeky notion of a '+' in the example.

<tp>
Yes, probably both. I have signed up to a lot of services in lockdown and have been exposed to a wide variety of rules about permissible secrets. One that caught my eye required nine characters while the one that has stayed with me forbad the use of punctuation! I do think that for all the very clever things that come out of the IETF's Security Area, better guidance on the basics, such as entropy, would do a lot more to improve the Internet!

Tom Petch

Joe

>
> Tom Petch
>
> ________________________________________
> From: OPSAWG <[email protected]> on behalf of The IESG
> <[email protected]>
> Sent: 15 March 2021 14:08
> To: IETF-Announce
> Cc: [email protected]; [email protected];
> [email protected]
> Subject: [OPSAWG] Last Call: <draft-ietf-opsawg-tacacs-yang-09.txt>
> (YANG Data Model for TACACS+) to Proposed Standard
>
> The IESG has received a request from the Operations and Management
> Area Working Group WG (opsawg) to consider the following document: -
> 'YANG Data Model for TACACS+'
> <draft-ietf-opsawg-tacacs-yang-09.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> [email protected] mailing lists by 2021-03-29. Exceptionally,
> comments may be sent to [email protected] instead. In either case, please
> retain the beginning of the Subject line to allow automated sorting.
>
> Abstract
>
> This document defines a TACACS+ client YANG module, that augments the
> System Management data model, defined in RFC 7317, to allow devices
> to make use of TACACS+ servers for centralized Authentication,
> Authorization and Accounting.
>
> The YANG module in this document conforms to the Network Management
> Datastore Architecture (NMDA) defined in RFC 8342.
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-yang/
>
> No IPR declarations have been submitted directly on this I-D.
>
> The document contains these normative downward references.
> See RFC 3967 for additional information:
> rfc8907: The Terminal Access Controller Access-Control System Plus
> (TACACS+) Protocol (Informational - Internet Engineering Task Force
> (IETF))
>
> _______________________________________________
> OPSAWG mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsawg
