Re: [netconf] Roman Danyliw's No Objection on draft-ietf-netconf-trust-anchors-24: (with COMMENT)
Kent Watsen <kent@watsen.net> Thu, 08 February 2024 23:22 UTC
Return-Path: <0100018d8b079cf1-783eebf6-8f3c-4b13-8f6e-b8f5c17499f1-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25843C14CEED; Thu, 8 Feb 2024 15:22:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJWHOq2cHQVL; Thu, 8 Feb 2024 15:22:30 -0800 (PST)
Received: from a48-93.smtp-out.amazonses.com (a48-93.smtp-out.amazonses.com [54.240.48.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD65FC14F60B; Thu, 8 Feb 2024 15:22:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1707434548; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=m6e+oLqrR9crNFdxg+Tt665wYg80F3NclFQXn8+SJAw=; b=RLmMdw63bV0O9V/wGQ+Dk9dxfdn6OJx8jPoJ/hHPv/IGb2PvkfppFonwWB+V5k79 dK4/cLMLOZLEWYjJZq67a1yi/kgD7jlf0bWJ6LbebShTb2GZPWBa+sVCs4/EDl5f/FE JatjGIbCj4e3t/+dEsVyYxOR40VoH0PYPPE+ZFoA=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Kent Watsen <kent@watsen.net>
In-Reply-To: <170725510860.42671.3463074490975756528@ietfa.amsl.com>
Date: Thu, 08 Feb 2024 23:22:28 +0000
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-trust-anchors@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <0100018d8b079cf1-783eebf6-8f3c-4b13-8f6e-b8f5c17499f1-000000@email.amazonses.com>
References: <170725510860.42671.3463074490975756528@ietfa.amsl.com>
To: Roman Danyliw <rdd@cert.org>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.02.08-54.240.48.93
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ETHJ6guBu2YdflJ1ICLoeNaVBCc>
Subject: Re: [netconf] Roman Danyliw's No Objection on draft-ietf-netconf-trust-anchors-24: (with COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 23:22:31 -0000
Hi Roman, This email shows up in my Inbox as unread, yet it regards the same two issues that I replied to in a separate email thread earlier today. I am going to assume that my email earlier today will be used to chase these comments to ground, and thus there is no need to reply to these comments again. Please let me know if there is a misunderstanding. Thanks, Kent > On Feb 6, 2024, at 4:31 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > > Roman Danyliw has entered the following ballot position for > draft-ietf-netconf-trust-anchors-24: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Yoav Nir for the SECDIR review. > > Thanks for addressing my DISCUSS and part of my COMMENT. > > ** YANG. list certificate-bag > "A bag of certificates. Each bag of certificates SHOULD > be for a specific purpose. For instance, one bag could > be used to authenticate a specific set of servers, while > another could be used to authenticate a specific set of > clients."; > > Since normative language is used here, can additional guidance be provided on > qualifying “specific purpose”. For example, can one put different applications > for the same server in the same bag? What is the consequence of incorrectly > binning the certificate chains? More generally, I’m wondering about the > significance of where certificates are binned. Because of natural language > describing the purpose of these bags, I don’t see an obvious, interoperable, > general purpose way to automatically parse this structure to know which > certificate to use for a server beyond checking subjectAltNames in the > certificate against a domain name (which precludes the need to even organize > these certificates into bins beyond readability). > > ** Section 4.3 > None of the readable data nodes defined in this YANG module are > considered sensitive or vulnerable in network environments. The NACM > "default-deny-all" extension has not been set for any data nodes > defined in this module. > > Doesn’t read-access to this module provide insight into which other > resources/applications/servers this particular server communicates with by > virtue of having their end-entity certificates or SSH keys? Wouldn’t this > provide an attacker insight into potential targeting? or business > relationships? > > > > _______________________________________________ > netconf mailing list > netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf
- [netconf] Roman Danyliw's No Objection on draft-i… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's No Objection on dra… Kent Watsen