IETF Logo Mail Archive

Re: [netconf] Comment on typedef 'public-key-ref' of draft-ietf-netconf-trust-anchors-21

Jensen Zhang <jingxuan.n.zhang@gmail.com> Wed, 13 December 2023 02:33 UTC

Return-Path: <jingxuan.n.zhang@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25154C151077; Tue, 12 Dec 2023 18:33:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmVEs1VNqIEf; Tue, 12 Dec 2023 18:33:07 -0800 (PST)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E1AFC151073; Tue, 12 Dec 2023 18:33:07 -0800 (PST)
Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-1d347b4d676so7474875ad.2; Tue, 12 Dec 2023 18:33:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702434786; x=1703039586; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eSnZoSOyq7RnXE1VlT3fT92r11D1Fi9RAPNvSmyACxk=; b=YH0sXL+kkufBxp/YZ8ikP4zce6FeXdNQreh6GB3knOwpmrwTuC/wFeHpfCKm5ygYBw cvGQK01F8mtqDfEiyRiPArCVLr2BdDghPARwyySJgw9OjBokU+8hcQ1f1lxcWaWDv+Z+ 419iapH4GB+mb3y1ktM0x1R9J/dZLcDsdw2qCQYM1SvelsCzfCUdaGOeg5KD596xz52g OGTuOs2XqbIgi6HTlVGuQNMk1BrhjPLRC1G9WVHFjyqukS0rkJco8PcuZsI314huhy5U sT0rxXdQ++bF2x9LRsY7HH8qhmV8/H4nttrTdYxEAvlD/jk/IfThPeLH8g/wg8ovKZ5n E4Qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702434786; x=1703039586; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=eSnZoSOyq7RnXE1VlT3fT92r11D1Fi9RAPNvSmyACxk=; b=dMs8ILTKsznc4vNiwnYEm2F199+BV1LknU8SIT8Rjx1KIZfe3OgziBJZtU4670EzUo em9LXGZcgajsxE4o8Nq6DZHHnQU5lL0/daU1z2k5dzz9KFNxZDXtMgWaNzR4YEylK50j LKG3Oqh2ausRNnIywB4FW9YTXu7T4IofRKL5VAHFVhWW8K8ZQ6YbXEOftxSKHG6/Kc5q GI0Ciq7iPknIM7EuRMUf93l5SfKrq48EUoK4yFTitv4f26EnqPhCrmlldcPVvg696TsM TK7R+payKTWlBRHzEEh9c+sk+hfqgKNH78pkTkONGKyNvcpFUh+mAWUiXoCzkdx9EzEn 01xA==
X-Gm-Message-State: AOJu0YwAfyiK+1Dk3KcbfX9JlshQxRLwUQLaPRO5ylqt7Vq0E3H/dgwa YIp5GVcXVokyx94tR+GBmjkyvk/NIoModBhgDPjML1Ic3qA=
X-Google-Smtp-Source: AGHT+IEtIt91x3QA1I7/pBO3MfSBI0g2KtmzslWiAmN53LP+5//6in5P90PgvL1m2H5WPrsxMuFH+Ej+yzugrxyD5SU=
X-Received: by 2002:a17:902:ec92:b0:1cf:edd5:f783 with SMTP id x18-20020a170902ec9200b001cfedd5f783mr7518252plg.15.1702434786415; Tue, 12 Dec 2023 18:33:06 -0800 (PST)
MIME-Version: 1.0
References: <CAAbpuypYpm863NC3ka6LvEJMBEarpSguQKdHNs7EiooSWNsXcA@mail.gmail.com> <0100018c5f5160d6-5b04359a-1517-4563-a9ab-42ee29b41a2e-000000@email.amazonses.com>
In-Reply-To: <0100018c5f5160d6-5b04359a-1517-4563-a9ab-42ee29b41a2e-000000@email.amazonses.com>
From: Jensen Zhang <jingxuan.n.zhang@gmail.com>
Date: Wed, 13 Dec 2023 10:32:54 +0800
Message-ID: <CAAbpuyqiscNH+m4M3=5z_3KcinjdhYeSS=xf0PcH0w-wtWxYkw@mail.gmail.com>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: draft-ietf-netconf-trust-anchors@ietf.org, "netconf@ietf.org" <netconf@ietf.org>, IETF ALTO <alto@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b2992f060c5afca9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/HExSPyGcCvbENqr0x2ZGB3kuBXI>
Subject: Re: [netconf] Comment on typedef 'public-key-ref' of draft-ietf-netconf-trust-anchors-21
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2023 02:33:08 -0000

Hi Kent,

Thanks for your quick response.

Maybe I did not make it clear. I am just pointing out a very simple
specific issue in the current 'ietf-truststore' module, which is that the
typedef 'public-key-ref' cannot be used by another module.

The reason is very simple: Based on the description, if module A wants to
use this typedef to reference a public key in the central trust store, it
is supposed to provide another sibling leaf node called 'public-key-bag'
that has the typedef 'public-key-bag-ref', so that the public-key-ref can
use the relative path '[ts:name = current()/../ts:public-key-bag]' to
locate in which public-key-bag the referenced public key should be.
However, in this relative path, 'public-key-bag' is prefixed by 'ts', it
cannot reference the sibling leaf node 'public-key-bag' defined in module A
correctly.

The fix should also be very simple: Just remove the prefix of the
'public-key-bag', i.e.,

OLD:

         + "[ts:name = current()/../ts:public-key-bag]/"

NEW:

         + "[ts:name = current()/../public-key-bag]/"

You mentioned that the 'ietf-restconf-server' module also uses the
'ietf-truststore' module. But does it use the typedef 'public-key-ref'
anywhere? I don't find any other module that uses the current typedef
'public-key-ref'. Do you have such a successful example?

About your other feedback, please see my responses inline :)

Thanks,
Jensen

On Wed, Dec 13, 2023 at 2:36 AM Kent Watsen <kent+ietf@watsen.net> wrote:

> Hi Jensen,
>
> On Dec 12, 2023, at 7:47 AM, Jensen Zhang <jingxuan.n.zhang@gmail.com>
> wrote:
>
> Hi authors,
>
> I am one of the authors of the draft-ietf-alto-oam-yang draft. Our draft
> is trying to reuse some groupings and typedefs in this document to support
> some TLS authentication features. But we find the current typedef
> 'public-key-ref' cannot be used by another module.
>
> To be more concrete, in the current document, the path of the typedef
> 'public-key-ref' enforces a prefix of the relative path to the sibling
> 'public-key-bag' leaf:
>
>    typedef public-key-ref {
>      type leafref {
>        path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
>          + "[ts:name = current()/../ts:public-key-bag]/"
>          + "ts:public-key/ts:name";
>      }
>      ...
>    }
>
> From my understanding, this typedef is for other modules to reference a
> public key in the trust store. The sibling 'public-key-bag' leaf should be
> in the same module of the leaf using this typedef, instead of the module
> 'ts'.
>
> To make this typedef usable, I believe it should look like the following:
>
>    typedef public-key-ref {
>      type leafref {
>        path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
>          + "[ts:name = current()/../public-key-bag]/"
>          + "ts:public-key/ts:name";
>      }
>      ...
>    }
>
> Otherwise, we have to define another typedef in our own module like this:
> https://github.com/ietf-wg-alto/draft-ietf-alto-oam-yang/blob/284d2e630cec00f752ea94f586469797786c6f57/yang/ietf-alto.yang#L612-L628
>
>
> This is my first time looking at Alto.  It may take me a little to fully
> grok what’s going on.  Please let me know if you think a call would be
> helpful.
>
> Looking at the linked YANG module, I see that it looks very much like the
> "ietf-restconf-server" module’s grouping
> "restconf-server-listen-stack-grouping”, which is fine.
>
> I take it that Alto is okay referencing the central truststore (not
> defining its own instances of "truststore-grouping") as well as supporting
> inlined definitions.  I do not see the Alto module augmenting the
> centralized truststore and, in general, it seems to behave just like the ietf-restconf-server
> module, though I’m sure I’m missing something  ;)
>
> What I don’t understand is why what seems to work in ietf-restconf-server
> doesn’t work in ietf-alto.  Can you help me understand?
>
> Separately, did ALTO WG ever consider renaming to “ietf-alto-server”?
> Would there be value to extending that convention for consistency?
>

The module 'ietf-alto' provides both server and client configurations. I
guess you are suggesting to separate them into two modules. It may not be
necessary unless somebody has a strong opinion on this. But still thanks
for your comment.


>
> One last thought, I notice that ietf-alto defines a number of typedefs
> that seem generic enough to move to ietf-truststore.  Is this thought yours
> as well?
>

Good point. The reason why ietf-alto defines those typedefs and groupings
is that we don't find the reusable typedefs and groupings in another
module. It definitely will be great if ietf-truststore can provide some of
them.

Specifically, I believe the typedef 'public-key-ref' and grouping
'truststore-public-key-ref' can be moved to ietf-truststore.

But for the typedefs and groupings related to the inline certificates, I
have no idea how to make them generic properly. Because the inline
certificates defined by the 'inline-or-truststore-certs-grouping' grouping
will have different absolute paths when it is used in different modules.


>
>
> Thanks,
> Jensen
>
>
>
> Kent   // author
>
>

v2.23.0 | Report a Bug | By Email