Mon, Nov 17, 2025 at 10:38:10PM -0800, Sandy Ginoza: > > On Nov 13, 2025, at 2:13 PM, [email protected] wrote: > > > > Wed, Nov 12, 2025 at 03:28:45PM -0800, Sandy Ginoza: > >> Hi John, > >> > >> I’m not sure if we’re saying capitalized “Peer” is correct or if there is > >> a preference for the other update Med suggested: > >> > >> NEW2: > >> TLS TACACS+ connections are generally not long-lived. The connection > >> will be closed by either a peer if it encounters an error > >> or an inactivity timeout. > > > > hi. Sorry, I mean that capital P is correct. Meaning that either the > > server or the client may close the connection. > > > >> Regarding capitalization, seemingly, lowercase is consistent with use > >> throughout the document. The term is capitalized as the definition entry > >> in Section 2, but it is lowercased in running text. > > > > As editor, please educate/correct me. My understanding is that "Peer" is > > not the same as "peer"; the former having been defined in section 2. The > > distinction disambiguates which definition is intended. > > While we see that “Peer” is defined in section 2, the capitalized form only > appears in the instances noted below. Because “Peer” only seems to appear as > a term or at the beginning of a sentence, we did not realize capitalization > was important here. If changes are needed, please let us know. We are not > confident we can accurately differentiate between peer in general and Peer > defined in section 2. > > Peer: The peer of a TACACS+ client (or server) in the context of a > TACACS+ connection, is a TACACS+ server (or client). Together, the > ends of a TACACS+ connection are referred to as peers. > > > 2. Peer authentication: The authentication capabilities of TLS > replace the shared secrets of obfuscation for mutual > authentication. > > > Peers implementing the TACACS+ protocol variant defined in this > document MUST apply mutual authentication and encrypt all data > exchanged between them. … > > Peers MUST NOT use obfuscation with TLS.
Hi Sandy et al, We have reviewed the entire document and came to the conclusion that since "peer" is never used in any other context than the one defined in Section 2, there is no need for it to be capitalized. So, I retract my comment. We also discussed changing the term. I am not sure that we really came to a conlusion on that other than wondering whether it is necessary given the above. However, having read through the entire document again, we flagged a few things that should be corrected in our opinion. As follows, based on https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-tacacs-tls13-24 : Handling of the term "Obfuscation" is inconsistent. For one, the capitalization of "Obfuscation" is inconsistent. Like "Peer", this can be made lower-case (in S2). Second, which I just noticed while writing this email, at some point the term "MD5 obfuscation" appears to have been coined. That has not been defined. Obfuscation uses MD5, but is otherwise referred to as "data obfuscation" (rfc 8907) or "TACACS+ obfuscation" and defined simply as "obfuscation" in S2. I have not mentioned this to the other authors, but it seems like "MD5" should be removed in all occurances. We would value your opinion as well. On to the simpler typos, etc. S1: < The security mechanisms as described in Section 10 of [RFC8907] are extremely weak. > The security mechanisms as described in Section 4.5 of [RFC8907] are > extremely weak[, as described in section 10 of RFC8907]. Refer to 4.5, not 10. This seems clearer. The mechanism is described in S4.5 and S10 describes why it is insufficient. < obsoletes the use of TACACS+ obfuscation mechanisms (Section 10.5 of [RFC8907]). < obsoletes the use of TACACS+ obfuscation mechanisms. References 10.5, again. Just remove the section reference, since it is in the previous paragraph. S3.2 < Minimum TLS 1.3 [RFC8446] MUST be used for transport, it is expected > Minimum TLS 1.3 [RFC8446] MUST be used for transport. It is expected comma -> new sentence. S5.1 < This document outlines additional restrictions permissible under [BCP195] > This document outlines additional restrictions permissible under [BCP195]. Missing period. < including the mandatory support, are not relevant for Secure TACACS+ > including the mandatory support, are not relevant for Secure TACACS+, Missing comma, IMO. S5.1.4 "The approach mentioned in Section 3.4.1 can help address this and should be considered where implemented. " "where implemented" should be removed. S3.4.1 requires implementation of bundles. S5.3 < However, co-existence of inferior authentication and obfuscated, > However, co-existence of inferior authentication and obfuscation, typo. "obfuscated" -> "obfuscation" S4 < Section 5.2 of [RFC5425]. Such a method is weak. > Section 4.5 of [RFC8907]. Such a method is weak. or > Section 4.5. Such a method is weak. Completely wrong reference. -- auth48archive mailing list -- [email protected] To unsubscribe send an email to [email protected]
