Thanks for the update, Douglas!  As I read through your email, you eventually 
hit all my questions.  As a contributor, I think this will be valuable work.

As chair, when you publish -00 of this draft, it might be good to summarize to 
the list (to kick off the discussion) why the certificate matter was dropped 
and anything else that occurred in off-list calls that might be relevant 
context for the WG.

When do you think a -00 will be ready?

Joe

From: Douglas Gash (dcmgash) <[email protected]>
Date: Friday, March 6, 2026 at 04:58
To: Joe Clarke (jclarke) <[email protected]>, EBALARD Arnaud 
<[email protected]>, [email protected] 
<[email protected]>, [email protected] <[email protected]>
Cc: John Heasley <[email protected]>, Thorsten Dahm <[email protected]>, 
Andrej Ota <[email protected]>
Subject: TACACS+ extension for SSH keys Transfer

… with a slightly more appropriate subject.

Dear OPSAWG, Med, Joe, Arnaud.

We plan to specify how SSH keys may be transferred over the TACACS+ protocol, with 
the idea that this specification document may be of interest to the OPSAWG team to 
enhance interoperability.

The approach was originally included in a general TACACS+ security document 
that also included TLS transport; however, it was determined that the two 
subjects would best be handled by separate documents. The TLS part is 
completed, so we return to the SSH key transfer part.

This note is intended to set the scope of the document. Based upon the feedback 
of the scope, we will follow up with the first revision for the document itself.

1 Purpose:

(TLS) TACACS+ protocol extensions for transfer of public SSH Keys from the AAA 
server to the AAA client

2 What will be specified:

  * How the fields in the Authorization packets are used:
     * by the TACACS+ AAA Client to request the Keys,
     * by the TACACS+ AAA Server to encode the Keys,
     * how the flow will be coordinated and completed.
  * Description of the TACACS+ Role in the complete AAA SSH session flow 
    (Authentication/Authorization/Accounting), and which phases are optional

3 Clarifications/Limitations

  * There is no intent to extend the actual SSH authentication out of the device 
    over TACACS+ to the AAA server. The authentication flow is purely for the 
    retrieval of the Keys. Consequently, other than abstaining from sharing the 
    publicly available materials, the authorization phase is the only step where 
    the TACACS+ Server may actually enact a Policy Decision in the overall flow (as 
    now).
  * There has been a previous call to include the distribution of other 
    material (Certs for HTTPS authentication); this option has been dropped after 
    further discussion.

_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
