IETF Logo Mail Archive

Re: [netconf] ietf-keystore, truststore, crypto-types

Balázs Kovács <balazs.kovacs@ericsson.com> Thu, 01 August 2019 09:26 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 740C2120052 for <netconf@ietfa.amsl.com>; Thu, 1 Aug 2019 02:26:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OzyU-wQ0Akde for <netconf@ietfa.amsl.com>; Thu, 1 Aug 2019 02:26:39 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on062a.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0e::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33CAE12004A for <netconf@ietf.org>; Thu, 1 Aug 2019 02:26:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=X+OxrS37NxK+FHOHoUKvMdDKGWXNF5Awt6RkRZwHraQqsmO2A+nxLAZqX6JxksLgyv0lifUO+f97HtrixadpHrY5h4bLRCeBkzxU55DoEesJ+/nkSCrvMnu8VEegEIPAS5vuQ2JDBQL6NY4gDEsRlSwZc8V0zcu3ehRbduGlHVw/ACf3aejx+0UCEGktslbmt/GMpJvQATDT4lrx/8cBnfeqEwkbnF3a425wnxmktNt2mlvefpBuJnmTtxrEKHoRcLJxJ9jatlrRRaV+IeL2fX/2cgJJy2MHCZTo53SQADerVZTxwU4XgiSEcEkAnYj+x1G6hNLK2UVuPA5rk0Jm3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DY9UxduyC72IQcgJqm/xuiN/V682HjH5V0aVBwfLNBA=; b=VbVdroYSnbA6eGtUSo0Zs0Rc6cnj4Lpo688JpLCjMohhgM13m3M59U586zFvKFRMzqUceerJmty7zr+vFM50QcFzQ9z6fK0JM+1n0mJ2zq3kQ1LkvciRsvCYncsZddgTBgzl1DkCwliIxqqDv+YkHFBjAB9ndzKN2TX0VWswcZnjaxNMNpTcMg3ZsdVR9NSI2SB2F5HLM528WYV+aINDDNzPiTaZFHFvcACs6wvmxnwJ5Uy/c4X07dsr1f7/vCcM292FaBMd+9D4YIWYd4zsXJmbaTjrCo1wKL/0Ai4HidTonumAqcZGue89dMFWQ9sVl232iLw1uBNQNOAxOQiDXg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DY9UxduyC72IQcgJqm/xuiN/V682HjH5V0aVBwfLNBA=; b=aD2UVK65kBgiAPCuuELimC1dw6kxvoHJIpzLpghTv5zq+gYd8d2K1vzaQUlSWM9ap6e2Hmo8vQ8nWf7C9825IH774AMVTNG1OAQkskI6IBAILgXCegNBa1cMuNupZ8yRa7rWR/+cOw43L2YVqrxIo2IjNTklRDmXWMYcJys9l9Y=
Received: from VI1PR07MB4735.eurprd07.prod.outlook.com (20.177.57.146) by VI1PR07MB4845.eurprd07.prod.outlook.com (20.177.63.95) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2136.6; Thu, 1 Aug 2019 09:26:34 +0000
Received: from VI1PR07MB4735.eurprd07.prod.outlook.com ([fe80::4d62:fa38:f8a5:9299]) by VI1PR07MB4735.eurprd07.prod.outlook.com ([fe80::4d62:fa38:f8a5:9299%6]) with mapi id 15.20.2136.010; Thu, 1 Aug 2019 09:26:34 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] ietf-keystore, truststore, crypto-types
Thread-Index: AdVGAvfWHyjwiS0ESamK8nx1YV1aGgAc4YWAABVtFNA=
Date: Thu, 01 Aug 2019 09:26:34 +0000
Message-ID: <VI1PR07MB473506C906DFE2421851AFB883DE0@VI1PR07MB4735.eurprd07.prod.outlook.com>
References: <VI1PR07MB47355EFE36C004F0BB831B8A83DD0@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016c4080d8cf-c12d13c2-d356-4c44-b70e-13633e160c93-000000@email.amazonses.com>
In-Reply-To: <0100016c4080d8cf-c12d13c2-d356-4c44-b70e-13633e160c93-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4ed0342e-c711-4ec6-49d8-08d71662589a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:VI1PR07MB4845;
x-ms-traffictypediagnostic: VI1PR07MB4845:
x-microsoft-antispam-prvs: <VI1PR07MB48457BC010A1B42C310B84E583DE0@VI1PR07MB4845.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 01165471DB
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(346002)(376002)(396003)(136003)(366004)(199004)(189003)(3846002)(71190400001)(71200400001)(6116002)(790700001)(110136005)(2501003)(52536014)(11346002)(446003)(486006)(476003)(14454004)(256004)(25786009)(14444005)(86362001)(99286004)(26005)(6506007)(85182001)(102836004)(478600001)(66066001)(186003)(966005)(316002)(66446008)(64756008)(66476007)(85202003)(66556008)(66946007)(76116006)(2906002)(6436002)(74316002)(8676002)(6306002)(54896002)(81156014)(9686003)(81166006)(9326002)(8936002)(55016002)(6246003)(53936002)(5660300002)(7736002)(229853002)(7696005)(68736007)(76176011)(33656002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB4845; H:VI1PR07MB4735.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: nNYi1ANEkNondq8PMjg2VXDset7/S3p8hBLiN71tZ+npaDIk6sV4BxHGpLzHTyWaLlmXn9OvSJu+JFmt/AKz3y01iTqHc+tD/HDrnGRmm3Qm6l19xilMrXn4FQINjlJ7fcl0q5/XEp2mMKR1ldpSjKveQpGusat0OBTVy4nVunVPl3lxoT+3mTSbrmXuX7YNQCxKIwjY0niVdVG4N99Cx58kcGivdBSmwgFNGLUrP3OCTHvPVSPa/PJWg9pB+lQ+8APbBQvASds6Eq0Fs+lCST7kI+NL4IPLoXznzgMRD51dZyz4dva0pn2552jauhHcAngzDaTC8cBEvhxnJi2g1aJbcgCet30MYKV54lSjVhY+2BNR1akyH5oYIAaekCLQ952xzRlWtNoMS10ouF1jBmbe7SodfKMPDaYKk/ybCto=
Content-Type: multipart/alternative; boundary="_000_VI1PR07MB473506C906DFE2421851AFB883DE0VI1PR07MB4735eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4ed0342e-c711-4ec6-49d8-08d71662589a
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Aug 2019 09:26:34.4107 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: balazs.kovacs@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB4845
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/lBkwAmnyJJsVjkRkQz7Wy7M818g>
Subject: Re: [netconf] ietf-keystore, truststore, crypto-types
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 09:26:42 -0000

Hi,





1. Typo



<CODE BEGINS> file "mailto:ietf-truststire@2019-06-07.yang"



I'd previously found/fixed this in my local copy, but thanks for reporting it.



Ok.



2. Is mandatory true missing from ‘cert’ leaf in ietf-crypto-types?



<snip/>



Possibly, but I don't think so.  For instance, consider asymmetric-key-pair-with-cert-grouping that uses both asymmetric-key-pair-grouping and end-entity-cert-grouping.   One has to create the asymmetric-key prior to being able to execute the generate-certificate-signing-request action to create the end-entity certificate.



That said, this probably is going to raise the question for why then asymmetric-key-pair-grouping nodes are mandatory true, or more generally, if groupings should ever define mandatory true nodes, rather than leave it to the using-schema to refine-in the mandatory true statements if desired.



Ok, I see now, I noticed only the usage in grouping asymmetric-key-pair-with-certs-grouping. But yes, I agree with you that we need to re-consider if groupings should have mandatory true nodes at all.





3. Question: why have the key generation actions been converted to RPCs? If this is because of their earlier containers having now mandatory leaves, then have you considered just moving them one level up, adding ‘name’ as parameter, and keeping them as actions? I’d prefer actions.



Because the requests are no longer bound to an "object".  The RPCs are defined have no effect on either configuration or opstate, they simply return a value that the client will, presumably (especially if encrypted), return back to the device via a standard config update request (e.g, <edit-config>).



FWIW, see "discussion #2" starting on page 12 here https://datatracker.ietf.org/meeting/105/materials/slides-105-netconf-client-server-suite-of-drafts-00.



Why do you prefer actions?



I’d have liked to use actions since I wanted a “datastore effect” to avoid the round-trip drawback of the RPCs. Due to the lack of NMDA implementation and also in general some actions affecting running did not seem an issue for us. But I guess we can always add an extension.



Br,

Balazs

v2.23.0 | Report a Bug | By Email