[Anima-bootstrap] comments on draft-kwatsen-netconf-ownership-voucher

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 15 September 2016 00:31 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima-bootstrap <anima-bootstrap@ietf.org>, Kent Watsen <kwatsen@juniper.net>, netconf@ietf.org
Date: Wed, 14 Sep 2016 20:31:36 -0400
Message-ID: <16280.1473899496@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/9e8sBTO_yqM-ClojzqpbaaSapVk>

Kent, I read the quick document you crafted yesterday.  I think it captures
most of what matters, thank you!

   module: ietf-ownership-voucher
         +--rw voucher
            +--rw assertion          enumeration
            +--rw owner-id           string
            +--rw unique-id*         string
            +--rw created-on         yang:date-and-time
            +--rw expires-on?        yang:date-and-time
            +--rw nonce?             string
            +--rw additional-data?

I think that additional-data is probably undesirable.
I think that we need to say that owner-id is actually a hash of a public key.
I don't think we can let it be a DN, as that implies some connection to
some PKI to verify it, and the only point is that we don't have anything
that the vendor didn't burn in.

I would appreciate an example mapped out in JSON.
Could it really be a JWT?  Do we already have such a mapping elsewhere?
Is there any reason we couldn't use the JWT/rfc7519 notation, so that the
mapping just works out?  Maybe I'm missing the value of the YANG here.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
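An added example, not from the draft or the message above, of what the requested JSON mapping of the voucher tree could look like, with owner-id carried as a SHA-256 hash of the owner's public key as proposed, plus the field checks a device would run on a voucher before trusting it. The owner key bytes, serial numbers, nonce and the assertion values are constructed for the example (the assertion names follow the later RFC 8366 voucher, not this draft); verifying the vendor's signature over the voucher is assumed to have happened already.

```python
import hashlib
import json
from datetime import datetime

# Constructed stand-in for the owner's DER-encoded public key.
OWNER_PUBKEY_DER = b"constructed-owner-public-key-bytes"
# Assumed enumeration; the draft's actual values are not on the page.
ALLOWED_ASSERTIONS = {"verified", "logged"}

def owner_id_for(pubkey_der: bytes) -> str:
    """owner-id as a hex SHA-256 of the owner's public key (no PKI needed)."""
    return hashlib.sha256(pubkey_der).hexdigest()

# Constructed voucher instance using the module's leaf names (JSON encoding of the YANG data).
VOUCHER_JSON = json.dumps({
    "ietf-ownership-voucher:voucher": {
        "assertion": "verified",
        "owner-id": owner_id_for(OWNER_PUBKEY_DER),
        "unique-id": ["CONSTRUCTED-SERIAL-0001", "CONSTRUCTED-SERIAL-0002"],
        "created-on": "2016-09-14T20:31:36Z",
        "expires-on": "2016-12-31T23:59:59Z",
        "nonce": "constructed-nonce-1",
    }
})

def _parse_ts(value: str) -> datetime:
    """yang:date-and-time is RFC 3339; map a trailing Z to an explicit UTC offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_voucher(voucher_json, device_serial, presented_owner_key, nonce, now_iso):
    """Device-side checks on the voucher body; returns (ok, reason)."""
    v = json.loads(voucher_json)["ietf-ownership-voucher:voucher"]
    if v["assertion"] not in ALLOWED_ASSERTIONS:
        return False, "unknown assertion"
    # Bind the voucher to the key the owner actually presents, not to a name.
    if v["owner-id"] != owner_id_for(presented_owner_key):
        return False, "owner-id does not match presented owner key"
    if device_serial not in v["unique-id"]:
        return False, "voucher not issued for this device"
    if "expires-on" in v and _parse_ts(now_iso) > _parse_ts(v["expires-on"]):
        return False, "voucher expired"
    # A nonce-less voucher is long-lived; if one is present it must match ours.
    if v.get("nonce") is not None and v["nonce"] != nonce:
        return False, "nonce mismatch"
    return True, "ok"

if __name__ == "__main__":
    print(VOUCHER_JSON)
    print(check_voucher(VOUCHER_JSON, "CONSTRUCTED-SERIAL-0001", OWNER_PUBKEY_DER,
                        "constructed-nonce-1", "2016-10-01T00:00:00Z"))
```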