IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Balázs Kovács <balazs.kovacs@ericsson.com> Tue, 28 August 2018 13:59 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75925130F5F for <netconf@ietfa.amsl.com>; Tue, 28 Aug 2018 06:59:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.331
X-Spam-Level:
X-Spam-Status: No, score=-3.331 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=IlRutEuA; dkim=pass (1024-bit key) header.d=ericsson.com header.b=ImZVoLUk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vH1gn4pWStI2 for <netconf@ietfa.amsl.com>; Tue, 28 Aug 2018 06:59:51 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5368B130F4A for <netconf@ietf.org>; Tue, 28 Aug 2018 06:59:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1535464789; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=hnFEFPEmTy5lm8nHCpThwcPJImCgfKtIRP4UxQEdBt4=; b=IlRutEuArYkKqydjn3R1BZro282t7eFyKiqeEhOBd2FhyqsE1f9wUYXEMWPcSFFY sx8zcYJTWyDUIk6vL6CXdzNfTFmkvAtT99DHUQ6zhyi+HJmM92rfu9DlEExGQfP/ fIaRroYRB4TURbbfsDNBwluOkUpFarKncB1aCE6x80E=;
X-AuditID: c1b4fb2d-223ff700000055ff-21-5b855555215d
Received: from ESESSMB503.ericsson.se (Unknown_Domain [153.88.183.121]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 06.63.22015.555558B5; Tue, 28 Aug 2018 15:59:49 +0200 (CEST)
Received: from ESESSMR502.ericsson.se (153.88.183.110) by ESESSMB503.ericsson.se (153.88.183.191) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Tue, 28 Aug 2018 15:59:49 +0200
Received: from ESESSMB501.ericsson.se (153.88.183.162) by ESESSMR502.ericsson.se (153.88.183.110) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Tue, 28 Aug 2018 15:59:49 +0200
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB501.ericsson.se (153.88.183.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Tue, 28 Aug 2018 15:59:48 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hnFEFPEmTy5lm8nHCpThwcPJImCgfKtIRP4UxQEdBt4=; b=ImZVoLUkpNcGBMLYXY+rLWCM6ktnmRyVWWW1Etd+N3wF62iBSeRSQOPornx4/AXi7fM70x4gtMIlKoHx2WxchBd4ahtqbjpULcWRDcbZTWTm4sIfXf6bMvfmtio++ZpyVSo0bp5k21HgO8t1FZwXALrcb4WFxynLwaN8jMIdXBs=
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com (10.167.209.150) by VI1PR0701MB1984.eurprd07.prod.outlook.com (10.167.209.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1101.9; Tue, 28 Aug 2018 13:59:47 +0000
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9]) by VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9%3]) with mapi id 15.20.1101.007; Tue, 28 Aug 2018 13:59:47 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Martin Bjorklund <mbj@tail-f.com>, "kwatsen@juniper.net" <kwatsen@juniper.net>, Balázs Lengyel <balazs.lengyel@ericsson.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4npYduSZhsf/U2Th8xceQbCUaSAzHaAgEmH34CAAG1ZgIAA+nAAgAPuH4CAA+yKAIABAxSAgAB6cACAAHFXIA==
Date: Tue, 28 Aug 2018 13:59:47 +0000
Message-ID: <VI1PR0701MB2016F2754609FAEC242C9D51830A0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
References: <28C3C2C7-22BE-4425-A26C-4A777FA68A95@juniper.net> <20180827.102118.630809612057220140.mbj@tail-f.com> <AD108D78-8E5D-429B-AFA9-8C84430F5186@juniper.net> <20180828.090648.398453385489817261.mbj@tail-f.com>
In-Reply-To: <20180828.090648.398453385489817261.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0701MB1984; 6:8ZoNDzGZla1NTqzsJDWsZdoYJMc6bY8mUn7tlC1RPRDibTAAAeREjU3pkJrKDmrSvnlPE7hi+xo3R9kpilcflgQiCCPjmElw/kfllZvTLKqB8DW97Ei3E8oFy+JYui83zpMhKJi8qyVvBPkiWJ8vgcegGD3AEFNo5xlVybCHuBc9QgsSfhHVaZfP8iTt9eiCjKoKf84rPPnKxtT7uEgLcTIn5UXHBgr5XlX3W6iQ0yfs/ww1AwB0ZsiTpb3ijJZUxrkMZCVpVFn7zHqm63+fbeAlSwl6drD7ygRvoKT2XEoqxaTsD1KPn6DUOjdagJjP55zIBRGvkr/G86qo8BS63MQamyGW5EMFHjl5g/p1L5FSjjMyslgCydOf2TDQwgRQguHOpLfQKAG4biugxX4oT1hMk3FJQs9+XxA6UWhyMngD2s0opwSBgQa/7eo/l/6AlvG+5dCHYqe3Gy2KyPBWfQ==; 5:r2vFOm+gKMgz3PJ1JLTMnU6tE35wt82gaVq8X+ZcaL7nvknPHYbjtiowLzXWBlA21OdiYA8aV9WD3PUd/WUL1jOGEspUV56odCy6PafLMD+gzzbphXBrz3WIf7uVRmU9sq1HEhySKKeBng0t4965jTg2PPCVOMkBjxhmsgBDH1c=; 7:Iyzachtf0YiIX13vrVq46q0X9pzpRPgxfrhjDNRFWnWeb1gl6xm2w5vnLlFdG5BIwKoD3AQvv22QWPUZMSOCuKF5pXKTo2Za8yAnckeEass5Km/crlb7deDWkMm5M5yL8BqeS2o8GzCC2hVDaZdxwMaQoJyPKJ4api/e4SJWh4g3xngLiHuS/HMQKQ9aFtizEKFZKLP6WSkxQcjym/wsM4MppGceC6LBNUjLFo9Y6N67Ett2qDgv1VrvdwSFNEGz
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-forefront-antispam-report: SFV:SKI; SCL:-1; SFV:NSPM; SFS:(10009020)(39860400002)(346002)(376002)(136003)(366004)(396003)(199004)(51444003)(189003)(13464003)(6506007)(446003)(85182001)(102836004)(53546011)(11346002)(966005)(186003)(110136005)(26005)(478600001)(66066001)(476003)(2900100001)(14454004)(316002)(486006)(5660300001)(76176011)(1941001)(99286004)(86362001)(93886005)(14444005)(256004)(53936002)(25786009)(229853002)(9686003)(6436002)(2906002)(68736007)(55016002)(6246003)(6116002)(3846002)(305945005)(97736004)(2501003)(5250100002)(6636002)(7696005)(33656002)(8676002)(106356001)(74316002)(8936002)(4326008)(105586002)(85202003)(81166006)(6306002)(7736002)(81156014)(35224004); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0701MB1984; H:VI1PR0701MB2016.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-office365-filtering-correlation-id: 1459a084-5cf9-498b-2f96-08d60cee83dd
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(5600074)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:VI1PR0701MB1984;
x-ms-traffictypediagnostic: VI1PR0701MB1984:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-microsoft-antispam-prvs: <VI1PR0701MB19843A2241FEE923DD4CADD8830A0@VI1PR0701MB1984.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(138986009662008)(788757137089);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(823301075)(10201501046)(93006095)(93001095)(3002001)(3231311)(944501410)(52105095)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123564045)(20161123560045)(20161123562045)(201708071742011)(7699049)(76991033); SRVR:VI1PR0701MB1984; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0701MB1984;
x-forefront-prvs: 077884B8B5
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 8K8PJjPhEItOiRYLYjQk9ad1WN2dnK88mXEowjSbsMEnLx2lCKWcDM0pex52xOTtj29D3/LWoBUWeYjWB+Zs5kDNmG/A9D02jRKitmWjxyv2j+L2/1HtauGwxlv5ni/P4aH0wPYzMKsfD69xj52gaHAAokCn0l98LBKJkJfDXFG0PvYLVtwBhVWWqmQWGoH7xoktiHLBVJfH0t+z5oKYoKi0atnTihmX3E5F19iqsTtjUMNTBgQNXio5G+34FWCenNTZHHRQCjpLHSkFfjh1uNog+l7/rFFOAwr6OjBr4fQiVmm5VbhithfqeRA/ed0fW7Jd3LXx+OUHmiVc69uS8IZ3JjHryWC+1m68ZNr3SUE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 1459a084-5cf9-498b-2f96-08d60cee83dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Aug 2018 13:59:47.2783 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB1984
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupnleLIzCtJLcpLzFFi42KZGbG9Ujc0tDXa4ME/VYsDc9gturufsVtM 3XSb1YHZY8mSn0we15uusnts/LWYJYA5issmJTUnsyy1SN8ugSvj7fP37AU/kiuO3O9ha2Dc kNjFyMkhIWAi0br8PWsXIxeHkMBRRokzT5YwQzjfGCU+3l7CAuc0rF7NDtIiJLCESeL3MUcQ m0VgArNEa38qRNEMJok19zqgOp4wSvTdWgvWwSbgLHH+xWMmkISIwDRGia0r14AlmAU0Jdb+ /cgMYgsLeEns2nubEcQWEfCW6OnezwJhZ0k82nICKM4BtE5Vou2iAUiYVyBB4u/kn4wQF91n lHjzIw3E5hRwkFi1qgWslVFATOL7qTVMEKvEJW49mc8E8bSAxJI955khbFGJl4//sULYShIz Xt2CsmUlLs3vZgS5WULgALvEh6+zoBKGEsdX7meGSOxgk1ix+hNUwlfiybVuVojESUaJtbd/ s0EkdCRWLb3ODnFSrMSO13fYIeL5Eh8bNzFPYDSaheTCWUCPggJm/S59iLCixJTuh+yzwJ4W lDg58wnLAkaWVYyixanFxbnpRsZ6qUWZycXF+Xl6eaklmxiByeTglt+6OxhXv3Y8xCjAwajE w5sp2xotxJpYVlyZe4hRgoNZSYTXywkoxJuSWFmVWpQfX1Sak1p8iFGag0VJnFdv1Z4oIYH0 xJLU7NTUgtQimCwTB6dUA2Pfoyc2r8WeSc33zT65ioOjINxWWEpirrntqS/vzh3/L9GSLj/n wTRjldREF6etjGVqFXempyxcVPXfZrZy3udZ70xUPK+cLL/xJr0ihl9k/7KH+/9tzRK7nuB9 Y8bFCMOrId0alUyVSXZPo+7cEdq3Oy+W2+TCIVMHtfnvvzH8vBysufjMzHIlluKMREMt5qLi RACSSTpdIgMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/NlE420FvMBChY5RSj6G2EhL1XDs>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2018 14:00:06 -0000

Hi,

> >> >> Unsure what you mean.  Currently all these values are configurable.
> >> >> Or are you trying to find a way to only "configure" them in 
> >> >> <operational>?
> >> >
> >> > Yes, *if* my use case of not exposing the private keys is 
> >> > supported, then it would be useful to be able to generate the 
> >> > keys off-box, and install them into <operational>.
> >> 
> >> Hmmm, sounds like *configuration*, not something goes into <operational>.
> >> 
> >> And, even if you did, that doesn't mean the keys are permanently-hidden.
> >> I suppose the model could let the client set that parameter as 
> >> well, but it somewhat defeats to goal of *never* having the private 
> >> key exposed, not even as a once in a lifetime kind of thing.
> >> That’s just my opinion, we should ask for more opinions if you're not convinced.
> >
> > I'm not convinced either way, actually ;-)  It would be good to hear 
> > other opinions as well.
> 
> We could define a "load-asymmetric-key" action that has that behavior?

Yes; if we decide to support this use case.  What do others think?

Balazs> Would this action have 'name' and 'private-key' binary input and the purpose to avoid setting the key via configuration and handling it directly in <operational>? Is it an implementation risk to handle the binary input via configuration but not via action?

> > This is what I would expect as well, but the model is not quite 
> > designed for this currently.  For example, suppose I generate a 
> > HSM-protected key with "generate-asymmetric-key".  It is then 
> > present in <operational>, with a public key etc.  Now I want to 
> > configure a certification for this key, so I have to create an entry 
> > in the "asymmetric-key" list, where I have to set both the 
> > private-key and public-key leafs (they are both mandatory); so I 
> > assume I have to use the exact values reported in <operational>?
> 
> Hmmm, using the same value could work, but it doesn't seem intuitive 
> and, from a general modelling perspective, doesn't scale e.g., what if 
> there were 100 descendants?

Exactly my point.

Balazs> In our opinion with Balazs L., we think it would be disadvantageous to change the model by ruining the containment relationship between certificate and corresponding asymmetric key. The action of 'generate-asymmetric-key' is typically something that should have effect on the 'running' configuration too (by setting the mandatory leaves) since the user wants to continue working with the result by deploying certificates or anything else related to the created asymmetric key that needs configuration. 

Balazs L.> In the NMDA RFC it is specifically indicated that actions/rpcs MAY modify the content of other datastores.
https://tools.ietf.org/html/rfc8342#section-6.2
In my view this is a general pattern that an action/rpc creates some configuration that the operator (CLI/Netconf/Restconf) may need to extend or change. In this case the action/rpc shall modify the running config not just operational.

Br,
Balazs K. and Balazs L.

-----Original Message-----
From: Netconf <netconf-bounces@ietf.org> On Behalf Of Martin Bjorklund
Sent: Tuesday, August 28, 2018 9:07 AM
To: kwatsen@juniper.net
Cc: netconf@ietf.org
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> wrote:
> 
>  
> > > BTW, all private keys should have nacm:default-deny-all.
> 
> Updated in my local copy.  Added to the "asymmetric-key-pair-grouping"
> grouping, so all downstream users inherit it as well.
> 
> 
> 
> > I think that the operation "generate-asymmetric-key" only affects 
> > "permanently-hidden" keys, doesn't it?  If the client wants visible 
> > keys, it will configure them in the config datastores.
> 
> It wasn't so locked down before.  How about the following two changes?
> 
> 1. Updated the action's description statement:
> 
>       action generate-asymmetric-key {
>         description
>           "Requests the device to generate an asymmetric key using
>            the specified asymmetric key algorithm.  This action is
>            used to request the system the generate a key that is
>            'permanently-hidden', perhaps because it is protected
>            by a cryptographic hardware module.  The resulting
>            asymmetric key is considered operational state and
>            hence present only in <operational>.";
> 
> 2. updated the enum's description statement:
> 
>           enum "permanently-hidden" {
>             description
>              "The private key is inaccessible due to being
>               protected by the system (e.g., a cryptographic
>               hardware module).  It is not possible to 
>               configure a permanently hidden key, as a real
>               private key value must be set.  Permanently
>               hidden keys cannot be archived or backed up.";
>           }   

Ok.

> > > Regarding the name, s/hardware-protected/permanently-hidden/?
> >
> > I think this is better.
> 
> Okay, but maybe it should be just "hidden"?

Both work for me.

> >> Now you have me second-guessing this.  Maybe a device, without 
> >> special hardware, could present the illusion of a 
> >> permanently-hidden private key - it's completely inaccessible from 
> >> the device's supported interfaces, though actually present on the filesystem.
> >
> > This is what I would like to support.
> 
> Okay.
> 
> 
> 
> >> >> Unsure what you mean.  Currently all these values are configurable.
> >> >> Or are you trying to find a way to only "configure" them in 
> >> >> <operational>?
> >> >
> >> > Yes, *if* my use case of not exposing the private keys is 
> >> > supported, then it would be useful to be able to generate the 
> >> > keys off-box, and install them into <operational>.
> >> 
> >> Hmmm, sounds like *configuration*, not something goes into <operational>.
> >> 
> >> And, even if you did, that doesn't mean the keys are permanently-hidden.
> >> I suppose the model could let the client set that parameter as 
> >> well, but it somewhat defeats to goal of *never* having the private 
> >> key exposed, not even as a once in a lifetime kind of thing.  
> >> That’s just my opinion, we should ask for more opinions if you're not convinced.
> >
> > I'm not convinced either way, actually ;-)  It would be good to hear 
> > other opinions as well.
> 
> We could define a "load-asymmetric-key" action that has that behavior?

Yes; if we decide to support this use case.  What do others think?

> > This is what I would expect as well, but the model is not quite 
> > designed for this currently.  For example, suppose I generate a 
> > HSM-protected key with "generate-asymmetric-key".  It is then 
> > present in <operational>, with a public key etc.  Now I want to 
> > configure a certification for this key, so I have to create an entry 
> > in the "asymmetric-key" list, where I have to set both the 
> > private-key and public-key leafs (they are both mandatory); so I 
> > assume I have to use the exact values reported in <operational>?
> 
> Hmmm, using the same value could work, but it doesn't seem intuitive 
> and, from a general modelling perspective, doesn't scale e.g., what if 
> there were 100 descendants?

Exactly my point.

> A couple other options:
> 
>  a) make each leaf (algorithm, public-key, private-key) type be a
>     union having an enumerated value like "in-operational"

This feels clumsy and also doesn't really scale.

>  b) replace the three "mandatory true" with three "must" expressions
>     that assert either all or none of the leafs are set.

Better, but also has scaling issues in the general case.


> > Another design could be to have the certificates in a separate list, 
> > with leafrefs (require-instance false) into the "asymmetric-key"
> > list.
> 
> Perhaps, but let's see if we can make this work first.

Ok, let's look at the alternatives:

(A)

  container keystore {
    container asymmetric-keys {
      list asymmetric-key {
        key name;

        leaf name { ... }
        leaf algorithm { ... }
        leaf public-key { ... }
        leaf private-key { ... }

        must "(algorithm and public-key and private-key)
              or not (algorithm or public-key or private-key)";

        container certificates {
          list certificate { ... }
        }
    }
  }


(B)

  container keystore {
    container asymmetric-keys {
      list asymmetric-key {
        key name;

        leaf name { ... }
        leaf algorithm { mandatory true; ... }
        leaf public-key { mandatory true; ... }
        leaf private-key { mandatory true; ... }

    }

    container certificates {
      list certificate {
        ...
        leaf key {
          leafref {
            path "../../../asymmetric-keys/asymmetric-key/name";
          }
          require-instance false;
          mandatory true;
        }
        ...
      }
    }
  }


I think model B is cleaner.




/martin
_______________________________________________
Netconf mailing list
Netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email