Re: [netconf] draft-ietf-netconf-trust-anchors and unconstrained public keys

Kent Watsen <kent+ietf@watsen.net> Thu, 28 April 2022 15:39 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018070d2eed8-c556a713-56df-4a78-b6f6-16a9f5e92ab6-000000@email.amazonses.com>
Date: Thu, 28 Apr 2022 15:38:33 +0000
In-Reply-To: <7E9F3FFB-F1A9-471C-ADB5-9737DC89CD5B@redhoundsoftware.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Carl Wallace <carl@redhoundsoftware.com>
References: <01000180707b3915-1e536572-d788-44f3-abf6-fe1140b2f3ac-000000@email.amazonses.com> <7E9F3FFB-F1A9-471C-ADB5-9737DC89CD5B@redhoundsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/BR0CETDD0-V51l6GmzzB7gizCjE>
Subject: Re: [netconf] draft-ietf-netconf-trust-anchors and unconstrained public keys

> Here’s a whack. 
> 
>>> OLD
>>> This module also enables the configuration of certificates, where each certificate may constrain the usage of the public key according to local policy.
>>> 
>>> NEW
>>> Trust anchors configured via this module are implicitly trusted to validate certification paths that may include any name, be used for any purpose, etc., subject to constraints imposed by an intermediate CA or by the context in which the TA store is used. Implementations are free to use alternative or auxiliary structures and validation rules to define constraints that limit the applicability of any trust anchor.

Works for me!  Here's the update: https://github.com/netconf-wg/trust-anchors/commit/233db66dae60c9d0b007697ed1b1f4c4a359522d

Kent
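The proposed text above says three things that are easy to read past: a configured trust anchor is itself unconstrained (any name, any purpose), the constraints that actually bite come from an intermediate CA or from the context the store is used in, and an implementation may bolt on its own auxiliary policy to narrow an anchor further. The following Go program, added here as an illustration and not part of the draft, the YANG module or the working group's code, shows all three layers with the standard library's crypto/x509 path validator. Everything in it is constructed for the example: the root, the name-constrained intermediate, the host names, and the `taPolicy` map, which is a hypothetical stand-in for the "alternative or auxiliary structures" the text permits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// pki is a constructed, in-memory hierarchy: an unconstrained root (the anchor) and a name-constrained intermediate.
type pki struct {
	root, inter *x509.Certificate
	interKey    *ecdsa.PrivateKey
}

func newPKI() *pki {
	rootKey := newKey()
	rootTmpl := caTemplate(1, "Example Root TA") // no constraints: vouches for any name, any purpose
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interKey := newKey()
	interTmpl := caTemplate(2, "Example Intermediate CA")
	interTmpl.PermittedDNSDomainsCritical = true
	interTmpl.PermittedDNSDomains = []string{".example.com"} // the constraint lives here, not in the anchor
	return &pki{root: root, inter: sign(interTmpl, root, &interKey.PublicKey, rootKey), interKey: interKey}
}

// leaf mints a serverAuth cert under the intermediate. Issuance does not enforce name constraints.
func (p *pki) leaf(dnsName string) *x509.Certificate {
	tmpl := caTemplate(3, dnsName)
	tmpl.IsCA, tmpl.DNSNames, tmpl.KeyUsage = false, []string{dnsName}, x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(tmpl, p.inter, &newKey().PublicKey, p.interKey)
}

// taPolicy is a hypothetical auxiliary structure of the kind the proposed text allows: local
// policy, keyed by anchor fingerprint, narrowing the names an anchor may vouch for.
type taPolicy map[string]string // SHA-256 fingerprint -> required DNS suffix
var errLocalPolicy = errors.New("local policy: anchor not permitted for this name")
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// validate runs RFC 5280 path validation against the anchor store, with dnsName and serverAuth
// as the context the store is used in, then applies local policy to the anchor that ended the chain.
func validate(p *pki, pol taPolicy, leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.inter)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return err
	}
	anchor := chains[0][len(chains[0])-1]
	if suffix, ok := pol[fingerprint(anchor)]; ok && !strings.HasSuffix(dnsName, suffix) {
		return errLocalPolicy
	}
	return nil
}

// classify names the layer that rejected the chain, if any.
func classify(err error) string {
	var inv x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, errLocalPolicy):
		return "local-policy"
	case errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName:
		return "name-constraint"
	}
	return "other: " + err.Error()
}

func main() {
	p := newPKI()
	pol := taPolicy{fingerprint(p.root): ".corp.example.com"}
	for _, n := range []string{"host.corp.example.com", "www.example.com", "host.evil.org"} {
		fmt.Printf("%-24s %s\n", n, classify(validate(p, pol, p.leaf(n), n)))
	}
}
```

Running it shows the three outcomes the proposed wording implies: host.corp.example.com passes every layer; www.example.com is accepted by RFC 5280 validation (the intermediate permits .example.com and the anchor permits anything) but rejected by the auxiliary local policy; host.evil.org never reaches the policy because the intermediate's name constraint fails the chain. Dropping the policy map makes www.example.com valid again, which is exactly the "implicitly trusted for any name" behaviour of an anchor stored without constraints.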