Re: [Anima-bootstrap] voucher yang

Kent Watsen <> Wed, 01 March 2017 22:14 UTC

From: Kent Watsen <>
To: Michael Richardson <>, anima-bootstrap <>
Date: Wed, 01 Mar 2017 22:14:38 +0000

Hi Michael,

> Kent, thanks for the updates to the YANG for the voucher.
> Some comments:
>      leaf assertion {
>        description
>          "The assertion is a statement from the MASA regarding how
>           the owner was verified.   This statement enables pledges
>           to support more detailed policy checks.  Pledges MUST
>           ensure that the assertion provided is acceptable before
>           processing the voucher.";
> I think that it's more about the registrar than the pledge activity.

While the registrar can inspect the voucher, it ultimately must pass
it to the pledge unmodified.  Also, note that there is no "registrar"
concept in the NETCONF zerotouch draft.

>        leaf subject-hash {
>          type binary;
>          description
> Will there be an update to RFC5280 that will unlock us from SHA-1?
> Are all of subject-hash/cn-id/dns-id required, or is it one of the above?

As the description statement explains, SHA-1 is used because it is
interoperable with OpenSSL.  We could hardcode SHA-256, or even allow
it to be parameterized, but that would put more code on the pledges.
Do you want to go this route?

>      leaf-list device-identifier {
>        type string;
>        min-elements 1;
>        description
>          "A non-empty list of POSIX regular expressions, each
>           identifying one or more device identifiers (e.g., serial
>           numbers). For instance, the expression could match just
>           a single serial number, or it might match a range of
>           serial numbers.
>           When processing a voucher, pledges MUST ensure that their
>           unique identifier matches at least one regular expression in
>           the list.  If no matching regular expression is found, the
>           pledge MUST NOT process this voucher.";
> Oh, wow. I'd really rather not have a regex here!
> I'm more worried about the possible Turing-completeness of the regex rather
> than the code space issue.  I think in IoT, if the device hasn't got a
> regex parser, then the vendor just won't issue vouchers with regex in them,
> so that is okay.
> If we have to, I guess I'd rather have a PCRE if we can find a specification
> for that.

I'm okay with PCRE in theory, but I've read that a compiled stripped
library is large; do you know?

>      leaf nonce {
>        type string;  // uint64?
> I think it should be binary?

A 'binary' type would allow the nonce to be any length octet sequence,
which is converted to a base64 encoded string for JSON.  Is this what
you want?
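The two pledge-side checks discussed in this thread, the device-identifier regex match and the handling of a 'binary'-typed nonce in JSON, shown as an added example that is not part of the thread or of the draft. It assumes a JSON encoding whose keys follow the YANG leaf names quoted above, uses Python's `re` engine as a stand-in for a POSIX regex matcher, and adds an assumed length cap on patterns so that matching stays cheap on a constrained device; the sample voucher and nonce are constructed.

```python
import base64
import hmac
import json
import re

# Constructed sample voucher (illustration only). 'device-identifier' carries the
# list of regular expressions from the YANG module quoted in the thread; 'nonce'
# is a YANG 'binary' leaf, which the JSON encoding (RFC 7951) carries as base64.
SAMPLE_NONCE = bytes(range(16))
SAMPLE_VOUCHER_JSON = json.dumps({
    "device-identifier": ["^SN-2017-00[0-9]{3}$", "^SN-2016-1234$"],
    "nonce": base64.b64encode(SAMPLE_NONCE).decode("ascii"),
})

# Assumed cap on pattern length; the draft does not specify one.
MAX_PATTERN_LEN = 256


def decode_nonce(voucher):
    """Return the nonce as raw octets; JSON carries YANG 'binary' as base64."""
    return base64.b64decode(voucher["nonce"], validate=True)


def identifier_matches(voucher, serial):
    """True iff the pledge's identifier matches at least one listed pattern.

    fullmatch is used so that a pattern the issuer forgot to anchor cannot
    match a mere substring of the serial number.
    """
    patterns = voucher.get("device-identifier", [])
    if not patterns:  # min-elements 1: an empty list is a malformed voucher
        raise ValueError("device-identifier must hold at least one pattern")
    for pat in patterns:
        if len(pat) > MAX_PATTERN_LEN:
            raise ValueError("device-identifier pattern exceeds assumed cap")
        if re.fullmatch(pat, serial):
            return True
    return False


def pledge_accepts(voucher_json, serial, expected_nonce):
    """Apply the nonce check and the MUST from the device-identifier leaf:
    no matching expression means the pledge does not process the voucher."""
    voucher = json.loads(voucher_json)
    if not hmac.compare_digest(decode_nonce(voucher), expected_nonce):
        return False
    return identifier_matches(voucher, serial)


if __name__ == "__main__":
    print(pledge_accepts(SAMPLE_VOUCHER_JSON, "SN-2017-00042", SAMPLE_NONCE))
    print(pledge_accepts(SAMPLE_VOUCHER_JSON, "SN-2018-00042", SAMPLE_NONCE))
```

The nonce comparison uses a constant-time compare, and a rejected voucher is simply not processed, as the leaf description requires; whether a pledge must also reject patterns it cannot parse (as Michael notes, a vendor may simply not issue regex-bearing vouchers to such devices) is left to the issuer's policy.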