Hi Doug, all,

Thank you for preparing this update.

Please find below minor items that you may fix before or after the WGLC. Fixing them before would be my preference, though :-)

* Header

OLD: Updates: RFC8907 (if approved)
NEW: Updates: 8907 (if approved)

* Title

OLD: TACACS+ over TLS 1.3
NEW: Terminal Access Controller Access-Control System Plus (TACACS+) over TLS 1.3

* Section 3: Redundant normative language

CURRENT: option for MD5 obfuscation, and specifies that TLS 1.3 MUST be used

and

CURRENT: TLS 1.3 [RFC8446] MUST be used for transport,

I suggest reverting the first one.

* Section 3.2: nit

OLD: Single Connection Mode Section 4.3 of [RFC8907]
NEW: Single Connection Mode (Section 4.3 of [RFC8907])

* Section 3.2.1:

(1) nit

OLD: Implementations MUST support the TLS 1.3 mandatory cipher suites (TLS 1.3 [RFC8446] Section 9.1).
NEW: Implementations MUST support the TLS 1.3 mandatory cipher suites (Section 9.1 of [RFC8446]).

(2) consistency: the text already says that it inherits the TLS 1.3 MTI, which is a recommendation.

OLD: This document makes no cipher suite recommendations, please refer to [BCP195] for guidance.
NEW: This document makes no additional cipher suite recommendations. Readers should refer to [BCP195] for guidance.

* Section 3.2.2: normative language

OLD: Unless disabled by configuration, a peer MUST not permit connection
NEW: Unless disabled by configuration, a peer MUST NOT permit connection

* Section 3.2.2.1: nit

OLD: revocation must be handled as it is not part of the standard. .
NEW: revocation must be handled as it is not part of the standard.

* Section 5.1.1: expand on why readers should look at 3365.

CURRENT: It is NOT RECOMMENDED to deploy TACACS+ without TLS authentication and encryption, unless within test and debug environments. Also see [RFC3365].

* Section 5.1.3: readability

OLD: Also useful are TLS 1.3 specifications themselves (TLS 1.3 [RFC8446]), which prescribes mandatory support in Section 9.
NEW: Also, Section 9 of [RFC8446] prescribes mandatory support in Section 9.

I'm tempted to simply delete that text given the discussion in 3.2.1.

* Section 8: Please list Tiru and Valery reviews. Thanks.

* Section 9:

(1) Move FIPS-140-3 to be listed as informative.

(2) Delete this entry as it is not cited in the text:

[RFC7605] Touch, J., "Recommendations on Using Assigned Transport Port Numbers", BCP 165, RFC 7605, DOI 10.17487/RFC7605, August 2015, https://www.rfc-editor.org/info/rfc7605.

Cheers,
Med

From: Douglas Gash (dcmgash) <dcmg...@cisco.com>
Sent: Tuesday, 21 May 2024 19:03
To: opsawg@ietf.org; BOUCADAIR Mohamed INNOV/NET <mohamed.boucad...@orange.com>; tirumal reddy <kond...@gmail.com>; Valery Smyslov (s...@elvis.ru) <s...@elvis.ru>
Cc: Andrej Ota <and...@ota.si>; John Heasley <h...@shrubbery.net>; Thorsten Dahm <thorsten.d...@gmail.com>
Subject: Re: New Version Notification for draft-ietf-opsawg-tacacs-tls13-09.txt

Dear OPSAWG et al,

We have uploaded a version with initial responses to the reviews and insights kindly provided by Tirumal and Valery, and will be happy to make good any omissions or needed corrections ASAP.

Many thanks,

The Authors.

From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Date: Tuesday, 21 May 2024 at 17:57
To: Douglas Gash (dcmgash) <dcmg...@cisco.com>, Andrej Ota <and...@ota.si>, John Heasley <h...@shrubbery.net>, Thorsten Dahm <thorsten.d...@gmail.com>
Subject: New Version Notification for draft-ietf-opsawg-tacacs-tls13-09.txt

A new version of Internet-Draft draft-ietf-opsawg-tacacs-tls13-09.txt has been successfully submitted by Douglas C. Medway Gash and posted to the IETF repository.
Name:     draft-ietf-opsawg-tacacs-tls13
Revision: 09
Title:    TACACS+ over TLS 1.3
Date:     2024-05-21
Group:    opsawg
Pages:    15
URL:      https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-09.txt
Status:   https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/
HTML:     https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-09.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-tacacs-tls13
Diff:     https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-tacacs-tls13-09

Abstract:

The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol provides device administration for routers, network access servers and other networked computing devices via one or more centralized servers. This document adds Transport Layer Security (TLS 1.3) support to TACACS+ and obsoletes former inferior security mechanisms. This document updates RFC8907.

The IETF Secretariat

____________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.