Re: [Isms] (D)TLS question (#1): selecting a client certificate to use

>>>>> On Tue, 7 Jul 2009 12:49:23 -0400, "Purvis, Ray" <rpurvis at mitre.org> said:

RP> I saw the opinions welcome clause at the end and decided to jump in.
RP> :)

Always!  And thanks for the opinion.

RP> Additionally, a deletion of the snmpTargetParamsTable entry should
RP> cause a deletion of the 1..N entries in tlstmParamsEntry that these
RP> rows are tied to.

FYI, there is only a 1:0..1 mapping.

RP> This brings up my next question.  I haven't seen the new table
RP> structure since you decided not to augment the params table.  I would
RP> assume that with your current thoughts on the tlstmTargetParamsTable,
RP> you would include a column that references the snmpTargetParamsName?

In MIBs there are multiple ways of referencing rows in another table, or
in this case, "adding additional information" to rows in another table.
The AUGMENT clause is designed for the 1:1 case where rows exist
simultaneously and always in both tables.  In this case, we actually
have a 1:0..1 case and the best way to achieve that is by using
identical indexes in the second (tlstmTargetParamsTable) table.  So the
indexing now looks like this on my local disk:

  tlstmParamsEntry OBJECT-TYPE
      SYNTAX      TlstmParamsEntry
      MAX-ACCESS  not-accessible
      STATUS      current
      DESCRIPTION
          "A conceptual row containing a locally held certificate's hash
          type and hash value for a given snmpTargetParamsEntry.  The
          values in this row should be ignored if the connection
          that needs to be established, as indicated by the
          SNMP-TARGET-MIB infrastructure, is not a (D)TLS based
          connection."
      INDEX    { IMPLIED snmpTargetParamsName }
      ::= { tlstmParamsTable 1 }

The INDEX clause now matches (exactly) the clause from the
snmpTargetParamsTable.


RP> This in turn would change your rowStatus verbiage to not allow the
RP> row to become active until the certificate info is in place and the
RP> snmpTargetParamsName exists and is filled in.

I haven't written up that potential clause yet since it's not entirely
clear where consensus lies yet.  I'll post new text when/if I do though
and your review of it would be welcome.
-- 
Wes Hardaker
Cobham Analytic Solutions

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
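
The identical-index arrangement described in the message above, as an added Python illustration that is not part of the original post or of the draft MIB. It shows that both tables' instance OIDs end in the same IMPLIED `snmpTargetParamsName` suffix, which makes the 1:0..1 lookup a plain key match. The tlstm OID prefix, the column numbers passed in, the row contents and all helper names are assumptions constructed for the example.

```python
# Added illustration: row contents and the tlstm OID prefix are constructed.
SNMP_TARGET_PARAMS_ENTRY = (1, 3, 6, 1, 6, 3, 12, 1, 3, 1)  # SNMP-TARGET-MIB
TLSTM_PARAMS_ENTRY = (1, 3, 6, 1, 3, 9999, 1, 1)  # placeholder, not an assigned OID

def implied_index(name):
    """IMPLIED string index: one sub-identifier per octet, no length prefix."""
    octets = name.encode("utf-8")
    if not octets:
        raise ValueError("an IMPLIED index cannot be zero-length")
    return tuple(octets)

def instance_oid(entry, column, name):
    """OID of one column instance in the row indexed by snmpTargetParamsName."""
    return entry + (column,) + implied_index(name)

def join_params(target_rows, tlstm_rows):
    """1:0..1 join on the shared index; also report tlstm rows with no base row."""
    joined = {name: tlstm_rows.get(name) for name in target_rows}
    orphans = sorted(set(tlstm_rows) - set(target_rows))
    return joined, orphans

def delete_target_params(name, target_rows, tlstm_rows):
    """Cascade raised in the thread: dropping the base row drops its tlstm row."""
    target_rows.pop(name, None)
    tlstm_rows.pop(name, None)

# Constructed sample tables, keyed by snmpTargetParamsName.
TARGET_ROWS = {"tlsMgr": {"security_name": "operator"},
               "usmMgr": {"security_name": "legacy"}}
TLSTM_ROWS = {
    "tlsMgr": {"hash_type": "sha256", "hash_value": "<constructed-hash>"},
    "stale": {"hash_type": "sha256", "hash_value": "<constructed-hash>"},
}

if __name__ == "__main__":
    joined, orphans = join_params(TARGET_ROWS, TLSTM_ROWS)
    for name, cert in joined.items():
        print(name, instance_oid(TLSTM_PARAMS_ENTRY, 1, name), cert)
    print("tlstm rows without a snmpTargetParamsEntry:", orphans)
```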