Hi Doug, all,

Thank you for preparing this update.

Please find below minor items that you may fix before or after the WGLC. Fixing 
them before would be my preference, though :-)

* Header

OLD: Updates: RFC8907 (if approved)
NEW: Updates: 8907 (if approved)

* Title

OLD: TACACS+ over TLS 1.3
NEW: Terminal Access Controller Access-Control System Plus (TACACS+) over TLS 

* Section 3: Redundant normative language

CURRENT: option for MD5 obfuscation, and specifies that TLS 1.3 MUST be used


CURRENT: TLS 1.3 [RFC8446] MUST be used for transport,

I suggest reverting the first one.

* Section 3.2: nit

OLD: Single Connection Mode Section 4.3 of [RFC8907]
NEW: Single Connection Mode (Section 4.3 of [RFC8907])

* Section 3.2.1:

(1) nit

OLD:
   Implementations MUST support the TLS 1.3 mandatory cipher suites (TLS
   1.3 [RFC8446] Section 9.1).

NEW:
   Implementations MUST support the TLS 1.3 mandatory cipher suites (Section 9.1 of


(2) consistency: the text already says that it inherits the TLS 1.3 MTI, which
is a recommendation.

OLD:
   This document makes no cipher suite recommendations, please refer to
   [BCP195] for guidance.

NEW:
   This document makes no additional cipher suite recommendations. Readers
   should refer to [BCP195] for guidance.

* Section 3.2.2: normative language

OLD: Unless disabled by configuration, a peer MUST not permit connection
NEW: Unless disabled by configuration, a peer MUST NOT permit connection

* Section nit

OLD: revocation must be handled as it is not part of the standard. .
NEW: revocation must be handled as it is not part of the standard.

* Section 5.1.1: expand on why readers should look at 3365.

   It is NOT RECOMMENDED to deploy TACACS+ without TLS authentication
   and encryption, unless within test and debug environments.  Also see

* Section 5.1.3: readability

OLD:
   Also useful are TLS 1.3 specifications themselves (TLS 1.3
   [RFC8446]), which prescribes mandatory support in Section 9.

NEW:
   Also, Section 9 of [RFC8446] prescribes mandatory support in Section 9.

I'm tempted to simply delete that text given the discussion in 3.2.1.

* Section 8: Please list Tiru and Valery reviews. Thanks.

* Section 9:

(1) Move FIPS-140-3 to be listed as informative.

(2) Delete this entry as it is not cited in the text:

   [RFC7605]  Touch, J., "Recommendations on Using Assigned Transport
              Port Numbers", BCP 165, RFC 7605, DOI 10.17487/RFC7605,
              August 2015, <https://www.rfc-editor.org/info/rfc7605>.


From: Douglas Gash (dcmgash) <dcmg...@cisco.com>
Sent: Tuesday, 21 May 2024 19:03
To: opsawg@ietf.org; BOUCADAIR Mohamed INNOV/NET
<mohamed.boucad...@orange.com>; tirumal reddy <kond...@gmail.com>; Valery
Smyslov (s...@elvis.ru) <s...@elvis.ru>
Cc: Andrej Ota <and...@ota.si>; John Heasley <h...@shrubbery.net>; Thorsten
Dahm <thorsten.d...@gmail.com>
Subject: Re: New Version Notification for draft-ietf-opsawg-tacacs-tls13-09.txt

Dear OPSAWG et al,

We have uploaded a version with initial responses to the reviews and insights 
kindly provided by Tirumal and Valery, and will be happy to make good any 
omissions or needed corrections ASAP.

Many thanks,

The Authors.

From: internet-dra...@ietf.org
Date: Tuesday, 21 May 2024 at 17:57
To: Douglas Gash (dcmgash) <dcmg...@cisco.com>, Andrej Ota <and...@ota.si>,
John Heasley <h...@shrubbery.net>, Thorsten Dahm
Subject: New Version Notification for draft-ietf-opsawg-tacacs-tls13-09.txt
A new version of Internet-Draft draft-ietf-opsawg-tacacs-tls13-09.txt has been
successfully submitted by Douglas C. Medway Gash and posted to the
IETF repository.

Name:     draft-ietf-opsawg-tacacs-tls13
Revision: 09
Title:    TACACS+ over TLS 1.3
Date:     2024-05-21
Group:    opsawg
Pages:    15
URL:      https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-09.txt
Status:   https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/
HTML:     https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-09.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-tacacs-tls13


   The Terminal Access Controller Access-Control System Plus (TACACS+)
   Protocol provides device administration for routers, network access
   servers and other networked computing devices via one or more
   centralized servers.  This document adds Transport Layer Security
   (TLS 1.3) support to TACACS+ and obsoletes former inferior security

   This document updates RFC8907.

The IETF Secretariat

This message and its attachments may contain confidential or privileged
information that may be protected by law; they should not be distributed, used
or copied without authorisation. If you have received this email in error,
please notify the sender and delete this message and its attachments. As emails
may be altered, Orange is not liable for messages that have been modified,
changed or falsified. Thank you.