Re: Genart last call review of draft-ietf-rtgwg-yang-key-chain-17

"Acee Lindem (acee)" <> Sat, 08 April 2017 22:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9C5A912714F; Sat, 8 Apr 2017 15:55:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -12.623
X-Spam-Status: No, score=-12.623 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cXtyUZw2JLQz; Sat, 8 Apr 2017 15:55:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 98F6F1250B8; Sat, 8 Apr 2017 15:55:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2806; q=dns/txt; s=iport; t=1491692140; x=1492901740; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=zkVtu0DpB2Azi2hOQXUF+XPu8DkbyNAYSk2OO6g01JI=; b=e2S1wqGEecRZhBbvHwIf0oWaumhFFzA91H4dQs4rGQwESOPZ62Qms7w4 c8iZlU5/GiTXxY+XfEDVjHWbGmPQpeksgIvleBU6UDnlfFkqt+I7bp6HA SzJXzf8Q8SHffB0mJwXUsNXHxscCPPs+QETtu7qWpyCwbR5+cPf+9+Mz3 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.37,174,1488844800"; d="scan'208";a="409393167"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Apr 2017 22:55:39 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id v38MtdX4015015 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 8 Apr 2017 22:55:39 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sat, 8 Apr 2017 18:55:35 -0400
Received: from ([]) by ([]) with mapi id 15.00.1210.000; Sat, 8 Apr 2017 18:55:36 -0400
From: "Acee Lindem (acee)" <>
To: Matthew Miller <>, "" <>
CC: "" <>, "" <>, "" <>
Subject: Re: Genart last call review of draft-ietf-rtgwg-yang-key-chain-17
Thread-Topic: Genart last call review of draft-ietf-rtgwg-yang-key-chain-17
Thread-Index: AQHSr8ihxBldHKjCb0K6BYj9/alinKG8FuQA
Date: Sat, 8 Apr 2017 22:55:35 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 08 Apr 2017 22:55:43 -0000

Hi Matt,

Thanks for the review.

On 4/7/17, 1:58 PM, "Matthew Miller" <>

>Reviewer: Matthew Miller
>Review result: Almost Ready
>I am the assigned Gen-ART reviewer for this draft. The General Area
>Review Team (Gen-ART) reviews all IETF documents being processed
>by the IESG for the IETF Chair.  Please treat these comments just
>like any other last call comments.
>For more information, please see the FAQ at
>Document: draft-ietf-rtgwg-yang-key-chain-17
>Reviewer: Matthew A. Miller
>Review Date: 2017-04-07
>IETF LC End Date: 2017-04-07
>IESG Telechat date: 2017-04-13
>This document is almost ready to be published as a Proposed Standard,
>once the issues noted herein are resolved.
>Major issues:
>Minor issues:
>* Forgive me for my limited knowledge of YANG, but is there a reason
>key-strings are only representable as either a YANG string or
>hex-string type, and not the YANG binary type?

Let me ask why I¹d want to use this type? I can get all the entropy I want
with a hex string and implementations are familiar with this
representation. I¹m not really fond of the obscure base64 representation
used by the YANG type and if one consults Benoit¹s search tool, the type
is not widely used.

>* This document does not provide much guidance around AES key wrap
>other than it can be used and the KEK is provided
>For instance, AES key-wrapped key-strings probably require using

Yes - I¹ll add that.

>  Also, assuming I'm reading the model
>it appears this feature applies to the whole chain, which I think is
>worth calling out.

In YANG, if you support a feature, it is for the entire model.
The per-chain boolean indicates whether or not it is applies to all the
keys in that particular key-chain. I will clarify this.
>* This document warns against using the "clear-text" algorithm, which
>reader is lead to understand is for legacy implementation reasons.
>However, is there not a similar concern with cryptographically weak
>algorithms, such as md5 and (arguably) sha1?

I can add something for MD5.
>Nits/editorial comments:
>* In Section 3.2. "Key Chain Model Features", the word "of" is
>between "configuration" and "an" in the phrase "support configuration
>acceptance tolerance".

Good catch. I will fix.
>* I note that idnits is calling out some odd spacing issues, but I
>they are safe to ignore.

Though the line numbers don¹t match the draft, I was able to fix these.