Re: NETCONF over TLS



Simon Leinen writes:
>I think you mean: "...the SERVER needs a cert the CLIENT recognises,
>so the client isn't throwing a password at a third party."

Yup, my bad.

>If the client had a cert that the server recognises, that might be
>useful, but for a different reason: The server could use that cert to
>derive user identity or other attributes that it could use to
>authorise access to the NETCONF agent (login) and/or to individual
>operations.  Then you would not need a NETCONF <login> operation at
>all.  NETCONF could then use TLS like it can use SSH or BEEP (it's a
>little less clear with SOAP); namely as a provider of user
>authentication/identity.

Yup, this is the part (user certs) that we didn't do in JUNOS.

Thanks,
 Phil

--
archive: <http://ops.ietf.org/lists/netconf/>