Re: Genart last call review of draft-ietf-rtgwg-yang-key-chain-17
"Matthew A. Miller" <linuxwolf+ietf@outer-planes.net> Mon, 10 April 2017 16:05 UTC
Return-Path: <linuxwolf+ietf@outer-planes.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1543412957C for <ietf@ietfa.amsl.com>; Mon, 10 Apr 2017 09:05:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outer-planes-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stA-DCv5TNIO for <ietf@ietfa.amsl.com>; Mon, 10 Apr 2017 09:05:11 -0700 (PDT)
Received: from mail-oi0-x242.google.com (mail-oi0-x242.google.com [IPv6:2607:f8b0:4003:c06::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9451C12956D for <ietf@ietf.org>; Mon, 10 Apr 2017 09:05:07 -0700 (PDT)
Received: by mail-oi0-x242.google.com with SMTP id g204so13043617oib.2 for <ietf@ietf.org>; Mon, 10 Apr 2017 09:05:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outer-planes-net.20150623.gappssmtp.com; s=20150623; h=sender:subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to; bh=UPM72sq92ZDu4opqFNzUO6qFYswQGFh9okmQcjhj6qA=; b=JYO9gr/R36dtSc3aBjtpSL1iQgWymi8w5R95X11Xr+9rZaduwz1qw6VMFoiscJZo+T oPFRGTFSenS39Oer5CfRZQzj8CxqucSRY9lFMzy4zlK5idSUP5lWPYvAzW5zAfd73JV5 Rf4oIk7yWf8hzl0GwiiWf3B4TFONrCt0dkUkyEY9unu0stuxFj9CydYSweAKUqLn974Z kDOWwY1iosHGDfmsQW+GtnjvN3i6+9J6mJ60n/Hep5S35pFRUC/12ndpu2lZxHgd1nyN lI6KUjgAuy+yOEOVKEsnx1QNeHwQSasIt/E5og3ksXcUD1Selkp1PpwQimfe0eVMZCA8 Ny2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:to:cc:references:from:message-id :date:user-agent:mime-version:in-reply-to; bh=UPM72sq92ZDu4opqFNzUO6qFYswQGFh9okmQcjhj6qA=; b=qsCo0u8DM8ulHnLf5sDeNhvpzxXfodjRyPsZkrYpazqMCSl0j6GZmMrGW41QSxhT7C DKrtWJMydc6eBYl595waUQfTWQWZCWsbDuKMkBvbxqbYWwdXZYqEtBgA3d4TsHHYu0pU cMhN3SUxtkCmgEPz+Ft8ZurYknwYANR+mGTN0ksdHX7mVoTLSJtXsEq3qa4Zf3YedAnW 2E/GLmFoHRoIqlI8HjmbMx2x7WjXx6UdTHP8Vm9kHRLmG2Ct0g+lU5WabwGnHHIcFN8f mNdu+w6Wfz4z+CkYiYiimlpqi0l/nhiYhfngk8LFi6121MKc+gOh55SDt+fMwxnwbGzb Vzyw==
X-Gm-Message-State: AN3rC/6PMSuqrtgxYhMKE4H2jisNcFxGkm60auESNBL3AIVe9yNxpjeaFTyoVI6saLt+Nw==
X-Received: by 10.202.96.132 with SMTP id u126mr1797762oib.183.1491840306789; Mon, 10 Apr 2017 09:05:06 -0700 (PDT)
Received: from [10.6.23.170] ([128.177.113.102]) by smtp.gmail.com with ESMTPSA id y198sm6407011oie.8.2017.04.10.09.05.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Apr 2017 09:05:05 -0700 (PDT)
Sender: Matthew Miller <linuxwolf@outer-planes.net>
Subject: Re: Genart last call review of draft-ietf-rtgwg-yang-key-chain-17
To: "Acee Lindem (acee)" <acee@cisco.com>, "gen-art@ietf.org" <gen-art@ietf.org>
Cc: "draft-ietf-rtgwg-yang-key-chain.all@ietf.org" <draft-ietf-rtgwg-yang-key-chain.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
References: <149158793224.11224.1489071223626497682@ietfa.amsl.com> <D50ED999.A7F47%acee@cisco.com>
From: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Message-ID: <6f34a4cc-6492-a354-f257-412b0f5e84a1@outer-planes.net>
Date: Mon, 10 Apr 2017 10:05:09 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.0
MIME-Version: 1.0
In-Reply-To: <D50ED999.A7F47%acee@cisco.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="QkgNiHQAfBscnI68RtA2QqVf0dI9QJ52c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/NJr0XIIoJ0p8zSU1Twvwq01N1HY>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2017 16:05:13 -0000
Thanks for responding Acee, I look forward to the next revision. Responses inline ... - m&m Matthew A. Miller On 17/04/08 16:55, Acee Lindem (acee) wrote: > Hi Matt, > > Thanks for the review. > > On 4/7/17, 1:58 PM, "Matthew Miller" <linuxwolf+ietf@outer-planes.net> > wrote: > >> Reviewer: Matthew Miller >> Review result: Almost Ready >> >> I am the assigned Gen-ART reviewer for this draft. The General Area >> Review Team (Gen-ART) reviews all IETF documents being processed >> by the IESG for the IETF Chair. Please treat these comments just >> like any other last call comments. >> >> For more information, please see the FAQ at >> >> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. >> >> Document: draft-ietf-rtgwg-yang-key-chain-17 >> Reviewer: Matthew A. Miller >> Review Date: 2017-04-07 >> IETF LC End Date: 2017-04-07 >> IESG Telechat date: 2017-04-13 >> >> Summary: >> >> This document is almost ready to be published as a Proposed Standard, >> once the issues noted herein are resolved. >> >> Major issues: >> >> NONE >> >> Minor issues: >> >> * Forgive me for my limited knowledge of YANG, but is there a reason >> key-strings are only representable as either a YANG string or >> hex-string type, and not the YANG binary type? > > Let me ask why I¹d want to use this type? I can get all the entropy I want > with a hex string and implementations are familiar with this > representation. I¹m not really fond of the obscure base64 representation > used by the YANG type and if one consults Benoit¹s search tool, the type > is not widely used. http://www.yangcatalog.org/yang-search/yang-search.php > Thanks for explaining. I asked because (more) efficient transfer of binary data has come up for other textual formats (read: JSON), and the rough consensus was for base64. That said, if the community is already fine with hex, then I consider this a non-issue. >> >> * This document does not provide much guidance around AES key wrap >> other than it can be used and the KEK is provided >> out-of-band/-context. >> For instance, AES key-wrapped key-strings probably require using >> "hexidecimal-string". > > Yes - I¹ll add that. > Thanks. >> Also, assuming I'm reading the model >> correctly, >> it appears this feature applies to the whole chain, which I think is >> worth calling out. > > In YANG, if you support a feature, it is for the entire model. > The per-chain boolean indicates whether or not it is applies to all the > keys in that particular key-chain. I will clarify this. >> >> * This document warns against using the "clear-text" algorithm, which >> the >> reader is lead to understand is for legacy implementation reasons. >> However, is there not a similar concern with cryptographically weak >> algorithms, such as md5 and (arguably) sha1? > > I can add something for MD5. Thanks. I know I said arguably sha1, but at the apps layer it is considered weak with in-the-wild tools able to produce collisions, which leads to the minimum being sha256. I would consider including a note about sha1 and md5, but I understand that maybe operational realities are such that sha256 is not widely deployed for these devices, or its not otherwise seen as a problem yet. >> >> Nits/editorial comments: >> >> * In Section 3.2. "Key Chain Model Features", the word "of" is >> missing >> between "configuration" and "an" in the phrase "support configuration >> an >> acceptance tolerance". > > Good catch. I will fix. >> >> Non-nits: >> >> * I note that idnits is calling out some odd spacing issues, but I >> think >> they are safe to ignore. > > Though the line numbers don¹t match the draft, I was able to fix these. > > Thanks, > Acee >> >
- Re: Genart last call review of draft-ietf-rtgwg-y… Acee Lindem (acee)
- Re: Genart last call review of draft-ietf-rtgwg-y… Matthew A. Miller
- Genart last call review of draft-ietf-rtgwg-yang-… Matthew Miller