
Re: NETCONF over TLS



Phil Shafer writes:
> Also you should specify (if it's not there already) that the
> client needs a cert the server recognises, so the client isn't
> throwing a password at a third party.

I think you mean: "...the SERVER needs a cert the CLIENT recognises,
so the client isn't throwing a password at a third party."

If the client had a cert that the server recognises, that might be
useful, but for a different reason: The server could use that cert to
derive user identity or other attributes that it could use to
authorise access to the NETCONF agent (login) and/or to individual
operations.  Then you would not need a NETCONF <login> operation at
all.  NETCONF could then use TLS like it can use SSH or BEEP (it's a
little less clear with SOAP); namely as a provider of user
authentication/identity.

This is also what Martin hinted at in message
<20070617.145658.29449012.mbj@tail-f.com>, I think.
-- 
Simon.
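An added example, not part of this thread or of any NETCONF implementation, showing both halves of the point above in Go: the client verifies the server's certificate before it presents anything, and the server derives the user from the verified client certificate and authorises each operation from that, with no separate login step. All names (netconf.example, netconf-ca, rogue-ca, alice, mallory), the acl table and the one-line request/reply used in place of NETCONF's XML framing are assumptions for the demo; the certificates are minted in memory so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed authorisation table: client-certificate CN -> NETCONF operations that user may invoke.
var acl = map[string]map[string]bool{"alice": {"get-config": true, "edit-config": true}}

func must[T any](v T, err error) T { // a certificate-generation failure is a bug in this demo, so panic
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints a P-256 certificate: a self-signed CA when isCA is set, otherwise a leaf issued by signer.
func newCert(cn string, isCA bool, eku []x509.ExtKeyUsage, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if isCA { // CAs in this demo are self-signed roots
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der)), key
}

// authorise takes the user from the client certificate that TLS has already verified against ClientCAs
// and checks the requested operation against acl. There is no NETCONF-level password or login step.
func authorise(cs tls.ConnectionState, op string) (string, bool) {
	id := cs.PeerCertificates[0].Subject.CommonName // present: RequireAndVerifyClientCert refuses sessions without one
	return id, acl[id][op]
}

// exchange runs one session over loopback TCP: the client presents clientCert and sends an operation name,
// and the server replies with the identity it derived and its decision. A client the server does not
// recognise never gets past the handshake, so the client sees a TLS alert or EOF instead of a reply.
func exchange(serverCert, clientCert tls.Certificate, trusted *x509.CertPool, op string) (string, bool, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert}, ClientCAs: trusted, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, // a missing or untrusted client cert aborts the handshake
	}))
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		var req string
		if _, err := fmt.Fscanln(conn, &req); err != nil { // the first read drives the handshake, client-cert check included
			return
		}
		id, ok := authorise(conn.(*tls.Conn).ConnectionState(), req)
		fmt.Fprintf(conn, "%t %q\n", ok, id)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{clientCert}, ServerName: "netconf.example", MinVersion: tls.VersionTLS12,
		RootCAs: trusted, // the client verifies the server first, so it never hands its credential to an impostor
	})
	if err != nil {
		return "", false, err
	}
	defer conn.Close()
	fmt.Fprintln(conn, op)
	id, ok := "", false
	_, err = fmt.Fscanf(conn, "%t %q\n", &ok, &id)
	return id, ok, err
}

// buildPKI mints the trusted CA, the server cert, a recognised client (alice) and a client from an unrelated CA (mallory).
func buildPKI() (server, alice, mallory tls.Certificate, trusted *x509.CertPool) {
	_, ca, caKey := newCert("netconf-ca", true, nil, nil, nil)
	_, rogue, rogueKey := newCert("rogue-ca", true, nil, nil, nil)
	trusted = x509.NewCertPool()
	trusted.AddCert(ca)
	server, _, _ = newCert("netconf.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	alice, _, _ = newCert("alice", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	mallory, _, _ = newCert("mallory", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, rogue, rogueKey)
	return server, alice, mallory, trusted
}

func main() {
	server, alice, mallory, trusted := buildPKI()
	fmt.Println(exchange(server, alice, trusted, "edit-config"))  // alice true <nil>
	fmt.Println(exchange(server, alice, trusted, "kill-session")) // alice false <nil>
	fmt.Println(exchange(server, mallory, trusted, "get-config")) // empty identity, false, and a handshake error
}
```

Run it with go run (Go 1.18 or later for the generic helper). The second call shows the two decisions being separate: TLS establishes who alice is, acl decides what she may do. The third call fails at the handshake: Go's client only offers a certificate whose issuer appears in the server's CertificateRequest, and a server configured with RequireAndVerifyClientCert refuses a session that presents none; a client that sent the rogue certificate anyway would be stopped at the same point by the ClientCAs check. Real deployments would add sensible lifetimes, revocation checking and a proper user database behind the identity lookup.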

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>