Re: [netconf] Comment on typedef 'public-key-ref' of draft-ietf-netconf-trust-anchors-21
Jensen Zhang <jingxuan.n.zhang@gmail.com> Wed, 13 December 2023 02:33 UTC
Return-Path: <jingxuan.n.zhang@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25154C151077; Tue, 12 Dec 2023 18:33:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmVEs1VNqIEf; Tue, 12 Dec 2023 18:33:07 -0800 (PST)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E1AFC151073; Tue, 12 Dec 2023 18:33:07 -0800 (PST)
Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-1d347b4d676so7474875ad.2; Tue, 12 Dec 2023 18:33:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702434786; x=1703039586; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eSnZoSOyq7RnXE1VlT3fT92r11D1Fi9RAPNvSmyACxk=; b=YH0sXL+kkufBxp/YZ8ikP4zce6FeXdNQreh6GB3knOwpmrwTuC/wFeHpfCKm5ygYBw cvGQK01F8mtqDfEiyRiPArCVLr2BdDghPARwyySJgw9OjBokU+8hcQ1f1lxcWaWDv+Z+ 419iapH4GB+mb3y1ktM0x1R9J/dZLcDsdw2qCQYM1SvelsCzfCUdaGOeg5KD596xz52g OGTuOs2XqbIgi6HTlVGuQNMk1BrhjPLRC1G9WVHFjyqukS0rkJco8PcuZsI314huhy5U sT0rxXdQ++bF2x9LRsY7HH8qhmV8/H4nttrTdYxEAvlD/jk/IfThPeLH8g/wg8ovKZ5n E4Qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702434786; x=1703039586; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=eSnZoSOyq7RnXE1VlT3fT92r11D1Fi9RAPNvSmyACxk=; b=dMs8ILTKsznc4vNiwnYEm2F199+BV1LknU8SIT8Rjx1KIZfe3OgziBJZtU4670EzUo em9LXGZcgajsxE4o8Nq6DZHHnQU5lL0/daU1z2k5dzz9KFNxZDXtMgWaNzR4YEylK50j LKG3Oqh2ausRNnIywB4FW9YTXu7T4IofRKL5VAHFVhWW8K8ZQ6YbXEOftxSKHG6/Kc5q GI0Ciq7iPknIM7EuRMUf93l5SfKrq48EUoK4yFTitv4f26EnqPhCrmlldcPVvg696TsM TK7R+payKTWlBRHzEEh9c+sk+hfqgKNH78pkTkONGKyNvcpFUh+mAWUiXoCzkdx9EzEn 01xA==
X-Gm-Message-State: AOJu0YwAfyiK+1Dk3KcbfX9JlshQxRLwUQLaPRO5ylqt7Vq0E3H/dgwa YIp5GVcXVokyx94tR+GBmjkyvk/NIoModBhgDPjML1Ic3qA=
X-Google-Smtp-Source: AGHT+IEtIt91x3QA1I7/pBO3MfSBI0g2KtmzslWiAmN53LP+5//6in5P90PgvL1m2H5WPrsxMuFH+Ej+yzugrxyD5SU=
X-Received: by 2002:a17:902:ec92:b0:1cf:edd5:f783 with SMTP id x18-20020a170902ec9200b001cfedd5f783mr7518252plg.15.1702434786415; Tue, 12 Dec 2023 18:33:06 -0800 (PST)
MIME-Version: 1.0
References: <CAAbpuypYpm863NC3ka6LvEJMBEarpSguQKdHNs7EiooSWNsXcA@mail.gmail.com> <0100018c5f5160d6-5b04359a-1517-4563-a9ab-42ee29b41a2e-000000@email.amazonses.com>
In-Reply-To: <0100018c5f5160d6-5b04359a-1517-4563-a9ab-42ee29b41a2e-000000@email.amazonses.com>
From: Jensen Zhang <jingxuan.n.zhang@gmail.com>
Date: Wed, 13 Dec 2023 10:32:54 +0800
Message-ID: <CAAbpuyqiscNH+m4M3=5z_3KcinjdhYeSS=xf0PcH0w-wtWxYkw@mail.gmail.com>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: draft-ietf-netconf-trust-anchors@ietf.org, "netconf@ietf.org" <netconf@ietf.org>, IETF ALTO <alto@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b2992f060c5afca9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/HExSPyGcCvbENqr0x2ZGB3kuBXI>
Subject: Re: [netconf] Comment on typedef 'public-key-ref' of draft-ietf-netconf-trust-anchors-21
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2023 02:33:08 -0000
Hi Kent, Thanks for your quick response. Maybe I did not make it clear. I am just pointing out a very simple specific issue in the current 'ietf-truststore' module, which is that the typedef 'public-key-ref' cannot be used by another module. The reason is very simple: Based on the description, if module A wants to use this typedef to reference a public key in the central trust store, it is supposed to provide another sibling leaf node called 'public-key-bag' that has the typedef 'public-key-bag-ref', so that the public-key-ref can use the relative path '[ts:name = current()/../ts:public-key-bag]' to locate in which public-key-bag the referenced public key should be. However, in this relative path, 'public-key-bag' is prefixed by 'ts', it cannot reference the sibling leaf node 'public-key-bag' defined in module A correctly. The fix should also be very simple: Just remove the prefix of the 'public-key-bag', i.e., OLD: + "[ts:name = current()/../ts:public-key-bag]/" NEW: + "[ts:name = current()/../public-key-bag]/" You mentioned that the 'ietf-restconf-server' module also uses the 'ietf-truststore' module. But does it use the typedef 'public-key-ref' anywhere? I don't find any other module that uses the current typedef 'public-key-ref'. Do you have such a successful example? About your other feedback, please see my responses inline :) Thanks, Jensen On Wed, Dec 13, 2023 at 2:36 AM Kent Watsen <kent+ietf@watsen.net> wrote: > Hi Jensen, > > On Dec 12, 2023, at 7:47 AM, Jensen Zhang <jingxuan.n.zhang@gmail.com> > wrote: > > Hi authors, > > I am one of the authors of the draft-ietf-alto-oam-yang draft. Our draft > is trying to reuse some groupings and typedefs in this document to support > some TLS authentication features. But we find the current typedef > 'public-key-ref' cannot be used by another module. > > To be more concrete, in the current document, the path of the typedef > 'public-key-ref' enforces a prefix of the relative path to the sibling > 'public-key-bag' leaf: > > typedef public-key-ref { > type leafref { > path "/ts:truststore/ts:public-key-bags/ts:public-key-bag" > + "[ts:name = current()/../ts:public-key-bag]/" > + "ts:public-key/ts:name"; > } > ... > } > > From my understanding, this typedef is for other modules to reference a > public key in the trust store. The sibling 'public-key-bag' leaf should be > in the same module of the leaf using this typedef, instead of the module > 'ts'. > > To make this typedef usable, I believe it should look like the following: > > typedef public-key-ref { > type leafref { > path "/ts:truststore/ts:public-key-bags/ts:public-key-bag" > + "[ts:name = current()/../public-key-bag]/" > + "ts:public-key/ts:name"; > } > ... > } > > Otherwise, we have to define another typedef in our own module like this: > https://github.com/ietf-wg-alto/draft-ietf-alto-oam-yang/blob/284d2e630cec00f752ea94f586469797786c6f57/yang/ietf-alto.yang#L612-L628 > > > This is my first time looking at Alto. It may take me a little to fully > grok what’s going on. Please let me know if you think a call would be > helpful. > > Looking at the linked YANG module, I see that it looks very much like the > "ietf-restconf-server" module’s grouping > "restconf-server-listen-stack-grouping”, which is fine. > > I take it that Alto is okay referencing the central truststore (not > defining its own instances of "truststore-grouping") as well as supporting > inlined definitions. I do not see the Alto module augmenting the > centralized truststore and, in general, it seems to behave just like the ietf-restconf-server > module, though I’m sure I’m missing something ;) > > What I don’t understand is why what seems to work in ietf-restconf-server > doesn’t work in ietf-alto. Can you help me understand? > > Separately, did ALTO WG ever consider renaming to “ietf-alto-server”? > Would there be value to extending that convention for consistency? > The module 'ietf-alto' provides both server and client configurations. I guess you are suggesting to separate them into two modules. It may not be necessary unless somebody has a strong opinion on this. But still thanks for your comment. > > One last thought, I notice that ietf-alto defines a number of typedefs > that seem generic enough to move to ietf-truststore. Is this thought yours > as well? > Good point. The reason why ietf-alto defines those typedefs and groupings is that we don't find the reusable typedefs and groupings in another module. It definitely will be great if ietf-truststore can provide some of them. Specifically, I believe the typedef 'public-key-ref' and grouping 'truststore-public-key-ref' can be moved to ietf-truststore. But for the typedefs and groupings related to the inline certificates, I have no idea how to make them generic properly. Because the inline certificates defined by the 'inline-or-truststore-certs-grouping' grouping will have different absolute paths when it is used in different modules. > > > Thanks, > Jensen > > > > Kent // author > >
- [netconf] Comment on typedef 'public-key-ref' of … Jensen Zhang
- Re: [netconf] Comment on typedef 'public-key-ref'… Kent Watsen
- Re: [netconf] Comment on typedef 'public-key-ref'… Jensen Zhang
- Re: [netconf] Comment on typedef 'public-key-ref'… mohamed.boucadair
- Re: [netconf] Comment on typedef 'public-key-ref'… Martin Björklund
- Re: [netconf] Comment on typedef 'public-key-ref'… Kent Watsen