[netconf] AD review of draft-ietf-netconf-crypto-types-26
"Rob Wilton (rwilton)" <rwilton@cisco.com> Wed, 22 March 2023 09:39 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52F4FC14CE4C; Wed, 22 Mar 2023 02:39:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.599
X-Spam-Level:
X-Spam-Status: No, score=-14.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="TY8MEctO"; dkim=pass (1024-bit key) header.d=cisco.com header.b="ch138NsZ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Z3Gly7WTTjM; Wed, 22 Mar 2023 02:39:25 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0699BC14CE38; Wed, 22 Mar 2023 02:39:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=22765; q=dns/txt; s=iport; t=1679477965; x=1680687565; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=jsw9ChmpXpXfspP43mAYyfGiyF9Ye6YCWW6iJen3h/s=; b=TY8MEctO0pytOWyAEN5UgRe+x6ksoFCe4apKRhJCMKdhcBVMPJSB3SO4 wkpfY+xNQyV54+TPEhxwRtnRS23FWZbZw7ZYDRd3e6+bPgNaF1hoVHVtR p2iTLj+8PubtUXktgNvNNG2vWRSAnicgAOTpcXFfN8KTzSVmCRqz+Sd1Y Y=;
X-IPAS-Result: A0AeAgCJyxpkmI0NJK1QAQYDHgEBCxIMQIFEC4FcUnMCWTtGiB4DhS+IMZwrgSwUgREDVg8BAQENAQE5CwQBAYFSAYMyAoU1AiU0CQ4BAgQBAQEBAwIDAQEBAQEBAwEBBQEBAQIBBwQUAQEBAQEBAQEeGQUOECeFaA2GbhUTBgEBJQQHCBEBOAZCJgEEARoTB4JcAYJcAwEPpQUBgT8Cih94gQEzgQGCCAEBBgQEnyADBoFBhEKLVIEfBwEfG4FJRIEVQ4FmhCECgTMBEgIaPwYIg0KCLo11gmeHXmqBNHaBIA6BPYEEAgkCEWuBEghrgX1BAg1lCw5xgUsCZE0zNwNEHUADC3U/FCEGDiAFBFV2IyQFAwsVKkcECDkGTxECCA8SDyxEDkI3NBMGgQYLDhEDT4FHBHOBGwJPnBAJBiAVMQUBWQsEDQsXAyABFDIgH0sPDCgUBRE6kjywcQqDeqEiFoN9jGaGapEQYpdqIKJYhHkCBAIEBQIOAQEGgWM6gVtwFTuCZ1IZD44gGYNZhRSKZXU7AgcLAQEDCYhsJAmCKgEB
IronPort-PHdr: A9a23:CjVjRh9I+asOl/9uWCXoyV9kXcBvk7n3PwtA7J0hhvoOd6m45J3tM QTZ4ukll17GW4jXqpcmw+rbuqztQyoMtJCGtn1RfJlFTRRQj8IQkkQpC9KEDkuuKvnsYmQ6E c1OWUUj8Wu8NB1eGd31YBvZpXjhhQM=
IronPort-Data: A9a23:yrOp+aw+KS66r7zMMhx6t+cYxirEfRIJ4+MujC+fZmUNrF6WrkVVn WMWWGqEOfaPYTb3ct8gO9/i80gBvMTQmt8xQQRvr1hgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJloCCea/H9BC5C5xZVG/fngqoHUVaiVakideSc+EH160Uk5wbZg6mJVqYHR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyV94KYkGE2EByCQrr+4sQKNb 72rILmRpgs19vq2Yz+vuu6TnkYiGtY+MeUS45Zbc/DKv/RMmsA9+ps/EMofZ3tssW6AjfRAw +wKipWCFy58a8UgmMxFO/VZOyh6OasD87jdLD3v98eS1EbBNXDrxp2CDmlvYtZeobgxWDoIr KBBQNwORkjra+ae2q26TvVrgOwoLdLgO8UUvXQIITTxXap4Hs6SG/miCdlw3g9sptINJaznZ eVAdSRINg34YiMeNQJCYH45tL742iagG9FCk3qZv6M5/y3SwRB/lb7gLNHSfNLPTt9Ehlqf4 37X52niRBgeMPSexCaLtHW2iYfnmy7nU4UUGpW5++JkxlqJyQQu5AY+XF+/p7yyjVSzHoIZI E0P8S1opq83nKC2cjXjdyC8hE6HsCInYYFZAckL4zjK9aPmvS/MUwDoUQV9QNAhscY3Qxkj2 VmIg87lCFRTXFu9FC71GlC88G/aBMQFEYMRTXRfFVpfs7EPtKl230yREos/eEKgpoCtQVnNL ya2QD/Sbln5pecP06i9lbwsq23x/sCTJuLZC/m+Y45Ixgp9YIjgbIuy5B2Lq/1BN42eCFKGu RDoevRyDshQVflhdwTUH43h+Y1FAd7ealUwZnY0RPEcG8yFoSLLQGyq3BlwJV1yLuEPciLzb UnYtGt5vcEMbSfwNvMsOdzqVazGKJQM8/y4Bpg4ifITPPBMmPOvp0mCmGbJhTm2yRhw+U3BE cjKLa5A8kr2+Yw+nGbpGI/xIJcgxzs1wivIVIvnwhG8uYdyl1bLIYrpxGCmN7hjhIvd+V292 48Ga6OilU4FOMWgOXa/zGLmBQ1QRVAhG4vMotBaHsbaZFIO9JcJUaGBmNvMuuVNwsxoqws/1 irhAhADmAGg3CWvxMfjQikLVY4DlK1X9RoTVRHA937xs5T/Se5DNJsiSqY=
IronPort-HdrOrdr: A9a23:6VdF8a0tNUJaZcoRzeNfKQqjBTNyeYIsimQD101hICG9Lfb3qy n+ppsmPEHP5Ar5AEtQ4uxoS5PwO080kqQFqrX5XI3SFDUO3VHIEGgM1/qa/9SNIVydygc/79 YrT0EdMqyJMbESt6+Ti2PUc6dC/DDtytHNuQ6q9QYKcegcUdAG0+4WMHf/LmRGAC19QbYpHp uV4cRK4xC6f24MU8i9Dn4ZG8DeutzijvvdEFM7Li9izDPLoSKj6bb8HRTd9AwZSSlzzbAr9n WAuxDl55+kr+qwxnbnpiPuBtVt6ZTcI+l4dY2xY/suW3XRY8GTFcdcsoi5zX4ISSeUmRQXeZ f30lId1o9Img7slymO0GfQMk/boXITA7uI8y7fvZMlyvaJAw7SQvAx+r5xY1/X7VEts8p717 8O12WFt4BPBReFhyjl4cPUPisa4XZcjEBS5NL7tUYvJbc2eftUt8gS7UlVGJAPEGbz750mCv BnCIXZ6OxNeV2XYnjFti03qebcF0gbD1ODWAwPq8aV2z9ZkDRwyFYZ3tUWmjMF+IgmQ5dJ6u zYOuBjla1ITMURcaVhbd1xN/efGyjIW1bBIWiSKVPoGOUOPG/MsYf+5PEv6OSjaPUzvekPcV T6ISBlXEIJCjLT4Je1reN2Gzj2MRSAYQg=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.98,281,1673913600"; d="scan'208";a="84676904"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 22 Mar 2023 09:39:23 +0000
Received: from mail.cisco.com (xfe-rtp-004.cisco.com [64.101.210.234]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id 32M9dKvY025161 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Wed, 22 Mar 2023 09:39:22 GMT
Received: from xfe-rcd-004.cisco.com (173.37.227.252) by xfe-rtp-004.cisco.com (64.101.210.234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25; Wed, 22 Mar 2023 05:39:19 -0400
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-004.cisco.com (173.37.227.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25 via Frontend Transport; Wed, 22 Mar 2023 04:39:19 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UEXjYOc1Kc7CHxuiAotmdMC2JWimgPi+Cw6n27fjqPmyI5aIRWMpOTenNXtlDbQJ5IwgEuRU/AJiwZczIsJA+Nn076VO4A33N52J1lbjekuKoQfHWrL2PmKHYGQT9LJ3xSjfWpXVm5OLGAB27i1szU3uiUImLLZMsuNOGDSrc5xOb38vmvm98FKaTTMMP+82doo7lmvSoTAFN0OBh/2VNmrIyxvrMPNYmTmZD26AT3yFEudIjKZHwidstEw56V3g51f68t7KHNyNJd9eW0fUJKEkeaiutDJTRCEzjKIG0NZL34F3lyKd9kQ9w9rFCuppE1Bh3l7tI8lJ+FlAv5MOYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LlzDDd4l+9e2X7icaRlU0Xk8l57q/NrPpfz0jGpfcH4=; b=O8H1kPXPqV3wHG5NU5Co32Yx5s/SsVjdHuESvmpdWDGC6uGHJLP2p7DN9HeORcYl6RkwxcUW8mdQUocG8ovNM8bcVAvdlCVnzCgWCEUEeE9XzAys32xdSWc/SZjYEZskK2pQfiyvwYNbhFkIvNrfDWjf+tnHB02wkae/NNmHQN6x0zehsL9pArdlKhF1DUALf9IfSXbaRjfzUN0Uf/gFZKDyyhS7QWAWGKbCZLGQuyrFFSNRsNslxzxfAdYDbmSI+4ZwMs7SaNSbpbEdqbrYdKiZjLBWPle7b7AZ+/0VhDYBpJi3TZ6IbQBhCkW8gyvUkR5jev/aJwG1KpRK+uVHYA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LlzDDd4l+9e2X7icaRlU0Xk8l57q/NrPpfz0jGpfcH4=; b=ch138NsZxsf4nP50Nb09SvVPRhPibZeT6mCtgWtrCpCwbtIKe+9Ncgtn51ZgA27m5TVx3Y2XQOCK3iRnQwg7NpGTLHd0rfbzoxkV8+DJEeTJ2JfYh6uJxp8mPHTxse2Bos62U7TDfrcwhmOuX+2i/FkV6F4q3x/110QchwYJsIs=
Received: from BY5PR11MB4196.namprd11.prod.outlook.com (2603:10b6:a03:1ce::13) by BY1PR11MB8080.namprd11.prod.outlook.com (2603:10b6:a03:528::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.37; Wed, 22 Mar 2023 09:39:16 +0000
Received: from BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::4671:25af:94b6:7d36]) by BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::4671:25af:94b6:7d36%6]) with mapi id 15.20.6178.037; Wed, 22 Mar 2023 09:39:16 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "netconf@ietf.org" <netconf@ietf.org>, "draft-ietf-netconf-crypto-types.all@ietf.org" <draft-ietf-netconf-crypto-types.all@ietf.org>
Thread-Topic: AD review of draft-ietf-netconf-crypto-types-26
Thread-Index: AdlcJlHFqFJT09R4QH66BFQctW2PAw==
Date: Wed, 22 Mar 2023 09:39:16 +0000
Message-ID: <BY5PR11MB41965E5BACB9ABEEA18FBA15B5869@BY5PR11MB4196.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BY5PR11MB4196:EE_|BY1PR11MB8080:EE_
x-ms-office365-filtering-correlation-id: bb660041-e33d-4706-fcec-08db2ab94db1
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: NcNKi1PQXiwqTr33JNW/TLPllvPOjVSQT3MseP1vJ/bAoxftQvCbWrCYXXoVH/v7Es1QBgubstA7tn5a+VTMyXAxa5wViIkeVC8WmF1xnHLjurNFcJxPkVH+Ta3rMmhx74LvrTX2zPPmWZsG0uNw9PcbrYhfWYomDK4z6zSvrf8mxC13Zu7XxbTW2zZc/1DS/h0qHPXVX/ggZup7O2ye99cQPzjLqp+so0xODwpJylU2HXCOnTN1EoxkAmZZQvqqY8sna7QDhJ0buTkd0sBooPOSaJp2D5NYESih2Da/8V4iG6RDy+6ypyFj5pBC4URw3gQl1G2Xq2EwITjmKNNhGADVwuiwt0P+YFOpoRYYI6H1F1Ytg1atrNJUrGrphopx2y2c2BAAdGhiFZI5BZ3Ury0puEoRxzrBBfAGhKxlk2NgLeXXSshldcLTaN7L2HCnEPAfZLAD74sZvWdXsOfSsyUJ/SNP8YMRBxQDuPxusoIwjdbinY8zRjbC2GL0A1EuHMjF+FeIDt7VtKL5iRxIKtnAJL/BvOxzkfkpG0X7CkkF2NG+rmctZEW6BbMbUei/mWV+D+ZWoP/UxNw77jIuqnognXEq9DNTYNsc26aFGs2u5qfhbSepchLfOFe3Hq7lA++mnBqWyBVWmehdH8IoPdTB0T/RXuIBbsevPRaWtIxSp7mAeBHpkNyLrghQ7wKQ5UskUUMAEDoOrSBJLDEQ+A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4196.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(396003)(39860400002)(346002)(376002)(136003)(366004)(451199018)(52536014)(30864003)(41300700001)(8936002)(5660300002)(38100700002)(122000001)(55016003)(38070700005)(33656002)(86362001)(2906002)(83380400001)(71200400001)(6506007)(8676002)(9686003)(478600001)(66574015)(7696005)(186003)(26005)(66446008)(66476007)(66556008)(64756008)(66946007)(76116006)(110136005)(450100002)(316002)(21314003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: +LX4mSNcy3KgR7RAsps8iEmTUNvGxemtvgznksbdPUEKDfwh5nk26b7O2MRtu/5tZwE/3ooCvd6qw7G92rno6bq6V7KhvCuasNjirFhySv8kGvDDTI4sw5qoWneMq4TAA2HT2T0fugPEcOx8riSU9Cf5HZytjltvc7HyvkgLp/0N0CDB70uRXOj5+1YJyza+lERYF4GYmNoTClMCnl4N8+L6SghNWHDvPEXFc3wjqhaNLjW72XJT0Tue2Hqw0c6DBY/NgxQ3v9WtDjGbBaHqHyUOMp2pw6YB9zbyzYJGDg5r6kJRXRbenPLAJ3N3GJ4cBrumx0JRiFQdPD7X4yU7I5yrKbbVYdcKweZnXuYsW6bqdiQU8ExAlr03Cus7j/cNzUtP7AXUnPaXR4bsshoeRMK1k86XDlG892w/4pj5ZvPLwJ+ZzZ17iQ+jgc5TWOeF3RVAQs2zUNbLN8yaroTwBMLAdlBkNQr3x6kUfLFH4QyBWj1btej+nLUV7MQDtFfuLhvyc/wmJeLNalNDGC8zNhgj4aoQpViSxRi0fv5QEK4Ak6bb+GPsEq2+S59iqnxg5icV/G6e6Ouv31HQQF9Ohut6K/I8AOlvHSEA/ypdyAZO+F/+6qj9yecLk6DSslshmmNEaAx8Y+SDl1gmKl/sB8UVbA8n/IWCri/qxf4vnwRwFr72OmtvVUeYRKdhjQ7S6N4r8ZJUcHWgg7EBssl1UXv9sfBnF5TMrklebWM8+1b9hT2OSzdlxgyChuzFzztTPvuAwnWMuiIOUljYONKoOpKCVLBK/O+SYoDzme/PYOQjqRZQYRQNcfrt53sdt1/o+O/f0u3TSuKPXK+0UJQ/mpPKSTtqBc1ncLoOUeidMf8y8kK0hN6kywYe5v282ElvNOmv76pvjFlWNOvQDQ7iSdKD6v6QfgFsbxvHOIlofU8W/e+xFEz4EL+fLvGYw1UOUE9JMnOOH8UfWSR9zHHfyBL3x9e7UIazuLygjT+xeDWShR0OADgFEqO0GCbZF8bX/kFpOIQCUmiVVgi+5UZXx2+zsPRJ8a4Pc2nLcJkp4esssw+ZytXndTfppAcrgc81J4HSzjhk8s3dVuztxgRocSiLm6dm1uHU1Q84kfYYufbBV/vRWtzL1CUUgOXW5yy+p7YFthHh6vjQ2aeYGsU4/VXOABanbzXShCcJKM4R5gD7DZ7+mFdtG++DiaE9+Z+1haCdh0NYc+HX6e2HbtZJJ0eBWIGR3HoCV/xCJM7txcdSvZntMu2AgSz02InVhET/efSrKKG51gz/1PPWkB7FvHqfZZ9U4YsaSmqYGXi/jl7wzgZTO20NM6Zu4DzXpeDxInVl3DLSdZ1r0lJBOLNtbGavyKnxwhWM/XPKNyEkhQek6iN4pwFcHJ97F/pG87BKIzewkbclHONMWFRYleEHBlA5ZitKmzjXhRR/lzjLfRMcbU3yrMs2sIUaabk4cAuRJvsyL4EW0c96EZgpCbKJkOOX5u3CB8h+ZASLEWY0q7nysYaJYs3a4T59Zz3f4eCLPoBGjdoTjPjzbo1US6BmwEAFNoGoZP0OVLMRtjg0H+g=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4196.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bb660041-e33d-4706-fcec-08db2ab94db1
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Mar 2023 09:39:16.3571 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mjh3+1HRmBeSZFbEGy5MLuSwhpEEPsM4a50zMdcdbhJPjuzC4w5UfUzLCkEJCoTJfy74zJ5gSpk1fPXzhOIlqA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR11MB8080
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 64.101.210.234, xfe-rtp-004.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/AbJpn9TCsuFMW4fHLXjgCxUVEhs>
Subject: [netconf] AD review of draft-ietf-netconf-crypto-types-26
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2023 09:39:29 -0000
Hi Kent,
Here are my review comments for draft-ietf-netconf-crypto-types. This document is well written, so I would like to thank you, the shepherd, and WG for a high-quality document.
I have a few comments, but will note that I'm not a security expert and hence some of my questions/comments may be due to my security ignorance ...
Moderate level comments:
(1) p 14, sec 2.1.4.10. The "asymmetric-key-pair-with-cert-grouping" Grouping
Comments:
* This grouping defines an asymmetric key with at most one
associated certificate, a commonly needed combination in protocol
models.
Will it also always be the case that is has to support a CSR Action?
(2) p 14, sec 2.1.4.11. The "asymmetric-key-pair-with-certs-grouping" Grouping
* This grouping defines an asymmetric key with one or more
associated certificates, a commonly needed combination in
configuration models.
Will it also always be the case that is has to support a CSR Action?
(3) p 45, sec 3.2. No Support for Key Generation
Early revisions of this document included "rpc" statements for
generating symmetric and asymmetric keys. These statements were
removed due to an inability to obtain consensus for how to identify
the key-algorithm to use. Thusly, the solution presented in this
document only supports keys to be configured via an external client,
which does not support Security best practice.
There is an obvious risk that the SEC ADs may not accept this, and hence bump this back to the WG to solve, but I still think it is right to try and progress this document now.
(4) p 46, sec 3.5. Strength of Keys Conveyed
Implementations SHOULD only use secure transport protocols meeting
local policy. A reasonable policy may, e.g., state that only
ciphersuites listed as "recommended" by the IETF be used (e.g.,
[RFC7525] for TLS).
Should the security considerations mention that passwords can be stored in cleartext and the risks associated with that (i.e., specifically beyond what is already described in section 3.8)?
(5) p 51, sec 5.2. Informative References
[I-D.ietf-netconf-crypto-types]
Watsen, K., "YANG Data Types and Groupings for
Cryptography", Work in Progress, Internet-Draft, draft-
ietf-netconf-crypto-types-25, 19 October 2022,
<https://www.ietf.org/archive/id/draft-ietf-netconf-
crypto-types-25.txt>.
An informative reference to itself is strange and should be removed.
Minor level comments:
(6) p 4, sec 1.1. Relation to other RFCs
crypto-types
^ ^
/ \
/ \
truststore keystore
^ ^ ^ ^
| +---------+ | |
| | | |
| +------------+ |
tcp-client-server | / | |
^ ^ ssh-client-server | |
| | ^ tls-client-server
| | | ^ ^ http-client-server
| | | | | ^
| | | +-----+ +---------+ |
| | | | | |
| +-----------|--------|--------------+ | |
| | | | | |
+-----------+ | | | | |
| | | | | |
| | | | | |
netconf-client-server restconf-client-server
+======================+===========================================+
|Label in Diagram | Originating RFC |
+======================+===========================================+
|crypto-types | [I-D.ietf-netconf-crypto-types] |
+----------------------+-------------------------------------------+
|truststore | [I-D.ietf-netconf-trust-anchors] |
+----------------------+-------------------------------------------+
|keystore | [I-D.ietf-netconf-keystore] |
+----------------------+-------------------------------------------+
|tcp-client-server | [I-D.ietf-netconf-tcp-client-server] |
+----------------------+-------------------------------------------+
|ssh-client-server | [I-D.ietf-netconf-ssh-client-server] |
+----------------------+-------------------------------------------+
|tls-client-server | [I-D.ietf-netconf-tls-client-server] |
+----------------------+-------------------------------------------+
|http-client-server | [I-D.ietf-netconf-http-client-server] |
+----------------------+-------------------------------------------+
|netconf-client-server | [I-D.ietf-netconf-netconf-client-server] |
+----------------------+-------------------------------------------+
|restconf-client-server| [I-D.ietf-netconf-restconf-client-server] |
+----------------------+-------------------------------------------+
Rather than having a formal reference to E-D.ietf-netconf-crypto-types, it would probably be better to just label at as "This draft", with a note to change it to "This RFC".
(7) p 6, sec 2.1.2. Identities
* The various "leaf" identities define specific encoding formats.
The derived identities defined in this document are sufficient for
the effort described in Section 1.1 but, by nature of them being
identities, additional derived identities MAY be defined by future
efforts.
Using the term "leaf" applied to identities could be somewhat confusing, please consider using "terminal" or some other definition instead instead.
(8) p 9, sec 2.1.4.2. The "password-grouping" Grouping
- The "cleartext-password" node can encode any cleartext value.
- The "encrypted-password" node's structure is discussed in
Section 2.1.4.1.
I noted that there is no feature statement for cleartext passwords or cleartext private keys? E.g., is it plausible that for security purposes a device may want to disallow the use of cleartext passwords or cleartext private keys, without needing to resort to deviations?
(9) p 15, sec 2.2.1. The "symmetric-key-grouping" and "asymmetric-key-pair-with-
certs-grouping" Grouping
Notably, this example illustrates a hidden asymmetric key (ex-hidden-
asymmetric-key) has been used to encrypt a symmetric key (ex-
encrypted-one-symmetric-based-symmetric-key) that has been used to
encrypt another asymmetric key (ex-encrypted-rsa-based-asymmetric-
key). Additionally, the symmetric key is also used to encrypt a
password (ex-encrypted-password).
When I first read this, I thought that this text was just describing the module and hence the prose regarding the hidden key was slightly confusing. Hence, perhaps consider tweaking this to:
Notably, this example module and associated configuration data illustrates ...
(10) p 15, sec 2.2.1. The "symmetric-key-grouping" and "asymmetric-key-pair-with-
certs-grouping" Grouping
description
"This module illustrates the 'symmetric-key-grouping'
and 'asymmetric-key-grouping' groupings defined in
the 'ietf-crypto-types' module defined in RFC AAAA.";
Suggest "This module" -> "This example module". Just in case anyone ever manually extracts (copies) this module.
(11) p 25, sec 2.3. YANG Module
feature p10-based-csrs {
description
"Indicates that the erver implements support
for generating P10-based CSRs, as defined
in RFC 2986.";
reference
"RFC 2986: PKCS #10: Certification Request Syntax
Specification Version 1.7";
}
I'll leave it to the authors discretion but note that the p10-based-csrs feature could be made conditional on the csr-generation feature.
(12) p 26, sec 2.3. YANG Module
feature password-encryption {
description
"Indicates that the server supports password
encryption.";
}
I'm wondering whether this should really be a feature, or whether supporting encrypted passwords should be a base requirement of the module.
(13) p 26, sec 2.3. YANG Module
feature private-key-encryption {
description
"Indicates that the server supports encryption
of private keys.";
}
I'm wondering whether this should really be a feature, or whether supporting encrypted private-keys should be a base requirement of the module.
(14) p 37, sec 2.3. YANG Module
This CMS encodes the degenerate form of the SignedData
structure that is commonly used to disseminate X.509
certificates and revocation objects (RFC 5280).";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile.";
}
/*****************/
/* Groupings */
/*****************/
Up to the authors, but for these groupings you could potentially include reference statements back to the specific section that describe there.
(15) p 37, sec 2.3. YANG Module
The leaf nodes MUST be direct descendants in the data tree,
and MAY be direct descendants in the schema tree.";
I presume that the intention here is that intermediate choice/case statements are allowed, but not containers. I wonder, whether that might also be worth stating (e.g., choice/case statements are allowed, but ...)
(16) p 38, sec 2.3. YANG Module
For encrypted keys, the value is the same as it would
have been if the key were not encrypted.";
I don't understand what this sentence is intending to convey.
(17) p 40, sec 2.3. YANG Module
grouping asymmetric-key-pair-grouping {
description
"A private key and its associated public key. Implementations
SHOULD ensure that the two keys are a matching pair.";
By "SHOULD ensure" does this mean "SHOULD validate", or something else?
(18) p 40, sec 2.3. YANG Module
For encrypted keys, the value is the same as it would have
been if the key were not encrypted.";
Another instance of that sentence that I don't follow.
(19) p 45, sec 3.3. Unconstrained Public Key Usage
The "asymmetric-key-pair-grouping" grouping uses the aforementioned
"public-key-grouping" grouping, and carries the same traits.
For the two cases above, is there any specific advice that could be given. E.g., they should only be used when ... or use XXX in preference? Same comment applies to private keys below.
Nit level comments:
(20) p 10, sec 2.1.4.3. The "symmetric-key-grouping" Grouping
* The "key-format" node is an identity-reference to the "symmetric-
key-format" abstract base identity discussed in Section 2.1.2,
enabling the symmetric key to be encoded using the format defined
by any of the derived identities.
Possible better phrasing: ... using any of the formats defined by the derived identities.
(21) p 13, sec 2.1.4.10. The "asymmetric-key-pair-with-cert-grouping" Grouping
This section presents a tree diagram [RFC8340] illustrating the
"asymmetric-key-pair-with-cert-grouping" grouping. The this diagram
does not expand the internally used grouping statement(s):
The this diagram -> This tree diagram
(22) p 36, sec 2.3. YANG Module
The CMS MUST contain only a single chain of certificates.
The client or end-entity certificate MUST only authenticate
to last intermediate CA certificate listed in the chain.
Should this be "to the last intermediate"?
(23) p 36, sec 2.3. YANG Module
typedef end-entity-cert-cms {
type signed-data-cms;
description
"A CMS SignedData structure that MUST contain the end
entity certificate itself, and MAY contain any number
of intermediate certificates leading up to a trust
anchor certificate. The trust anchor certificate
MAY be included as well.
The previous description references root certificates, this description references the trust anchor certificate. Are these the same thing, and if so would it help to align the descriptions?
Regards,
Rob
- [netconf] AD review of draft-ietf-netconf-crypto-… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-cry… Kent Watsen
- Re: [netconf] AD review of draft-ietf-netconf-cry… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-cry… Kent Watsen
- Re: [netconf] AD review of draft-ietf-netconf-cry… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-cry… Kent Watsen
- Re: [netconf] AD review of draft-ietf-netconf-cry… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-cry… Kent Watsen
- Re: [netconf] AD review of draft-ietf-netconf-cry… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-cry… Kent Watsen