Re: [netconf] Murray Kucherawy's No Objection on draft-ietf-netconf-trust-anchors-23: (with COMMENT)
Kent Watsen <kent+ietf@watsen.net> Fri, 02 February 2024 20:07 UTC
Return-Path: <0100018d6b6ee12f-26ef654d-f876-4ffa-9154-61fe772bfd6c-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFC14C14F60D; Fri, 2 Feb 2024 12:07:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNd63RpMG711; Fri, 2 Feb 2024 12:07:32 -0800 (PST)
Received: from a48-110.smtp-out.amazonses.com (a48-110.smtp-out.amazonses.com [54.240.48.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B302BC14F5EF; Fri, 2 Feb 2024 12:07:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1706904445; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=r7qp1ZflqWaIlLirxATBMr5ZBMdYz/oBCaDefUPCrXg=; b=dJCQMxrbNxGwWklnX56f5xVqRF9TmLL3dAxgWztLlh6ENp0N7+Lg1R9QNrKEJGgS MZLy3qPtcodlgt1eIWIw+K/vR1X0F79s70/4vk/08CpR1QVQuZv7bgPzP6/tpFDmSDw 5AUWX/x5nuH7nWzUusTuG0Ws9P4FpCJ5pv9nMFJ4=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <170677367576.51650.11470356570855989782@ietfa.amsl.com>
Date: Fri, 02 Feb 2024 20:07:25 +0000
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-trust-anchors@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, Qin Wu <bill.wu@huawei.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-ID: <0100018d6b6ee12f-26ef654d-f876-4ffa-9154-61fe772bfd6c-000000@email.amazonses.com>
References: <170677367576.51650.11470356570855989782@ietfa.amsl.com>
To: Murray Kucherawy <superuser@gmail.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.02.02-54.240.48.110
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Mm08wGXt9AarJTSD4jOhZxJghpw>
Subject: Re: [netconf] Murray Kucherawy's No Objection on draft-ietf-netconf-trust-anchors-23: (with COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2024 20:07:33 -0000
Hi Murray, Please find response inline. Kent > On Feb 1, 2024, at 2:47 AM, Murray Kucherawy via Datatracker <noreply@ietf.org> wrote: > > Murray Kucherawy has entered the following ballot position for > draft-ietf-netconf-trust-anchors-23: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I support Roman's DISCUSS position. > > ==== > > Additional comments from incoming ART AD, Orie Steele: > >> A "choice" statement is used to expose the various options. Each option is > enabled by a "feature" statement. Additional "case" statements MAY be augmented > in if, e.g., there is a need to reference a bag in an alternate location. > > Reads a bit awk. The above is a duplicate from previous comment. > "http://example.com/ns/example-truststore-usage" prefer to see https, same > comment regarding `.example` TLD. I converted to “https” everywhere, per a previous comment. Hoping to keep “example.com” as it seems still allowed and is more well-konwn. >> Reference of a public key bag in the truststore inlucding > the certificate to authenticate the TLS client. > > spelling. Typo in “including” fixed. >> Servers that wish to define alternate truststore locations >> SHOULD augment in custom 'case' statements enabling >> references to those alternate truststore locations. > > What happens to the model, if they do not? (Why not MUST). Good point. Changed to a MUST. >> A description for this bag public keys. The intended purpose for the bag > SHOULD be described. > > Why not MUST? (or simply remove the normative). I agree that, if the “description” field is populated, it MUST do that. Changed to MUST. That said, please note that the “description” field is not mandatory, which is fine because, in some deployments, the “name” field may be descriptive enough. > I am surprised to not see any normative guidance regarding thumbprints or > "canonical names" for certificates. Why would this draft do that? Are there not other drafts guiding cert best practice? Maybe I misunderstand, does this regard the “name” field encoding a cert-value, being discussed elsewhere? Thanks again, Kent
- [netconf] Murray Kucherawy's No Objection on draf… Murray Kucherawy via Datatracker
- Re: [netconf] Murray Kucherawy's No Objection on … Kent Watsen