Re: [netconf] More complications

Kent Watsen <> Mon, 14 June 2021 14:27 UTC

From: Kent Watsen <>
In-Reply-To: <>
Date: Mon, 14 Jun 2021 14:27:55 +0000
Cc: "" <>, Henk Birkholz <>, "" <>
To: tom petch <>

[CC-ing Henk, to whom a question is directed to below]

Hi Tom,

> Top posting a new and different issue.

Thanks for updating the subject line.

> server case psk references ServerKeyExchange and psk-identity-hint neither of which exist in TLS1.3.  The client sends an extension PreSharedKeyExtension which contains a list of identities from which the server selects one as selected-identity for which the identifier is uint16 indexing into the client's list. RFC8446 s.4.2.11.
> The client description also needs amending.
> TLS1.2 was extended to use tickets in this area to aid session resumption; these have now gone and been replaced by this extension.  I would not suggest adding support for tickets.
> As I may have said before, TLS 1.3 is different.

Henk, could you help with these edits? Support for PSK and raw public key were added to draft-ietf-netconf-tls-client-server per your request and, if memory serves me, didn’t you help me with the YANG update too? I suppose what is needed is either a “choice” statement (with cases for 1.2 and 1.3) *or* sibling-container statements (in case it’s necessary that both are configured, e.g., because the client sends one or the other)...

> Tom Petch
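The TLS 1.3 pre_shared_key exchange Tom describes above (RFC 8446 s.4.2.11), as an added example that is not code from the draft or from either author: it encodes and parses the client's OfferedPsks identity list and validates the server's uint16 selected_identity as an index into that list, rejecting an out-of-range value. The sample identities and binders are constructed for this example.

```python
import struct

# Constructed sample data for this example (not real tickets or binders).
SAMPLE_IDENTITIES = [(b"psk-id-A", 0), (b"ticket-B", 12345)]
SAMPLE_BINDERS = [b"\x11" * 32, b"\x22" * 32]


def _vec(data: bytes, width: int) -> bytes:
    """Encode a TLS length-prefixed vector with a `width`-byte length."""
    return len(data).to_bytes(width, "big") + data


def build_client_psk_extension(identities, binders) -> bytes:
    """Encode OfferedPsks: PskIdentity identities<7..2^16-1>, binders<33..2^16-1>."""
    ids = b"".join(_vec(identity, 2) + struct.pack(">I", age) for identity, age in identities)
    bnd = b"".join(_vec(b, 1) for b in binders)
    return _vec(ids, 2) + _vec(bnd, 2)


def parse_client_psk_extension(body: bytes):
    """Return ([(identity, obfuscated_ticket_age), ...], [binder, ...]) or raise ValueError."""
    ids_len = int.from_bytes(body[0:2], "big")
    pos, end = 2, 2 + ids_len
    identities = []
    while pos < end:
        n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        identity = body[pos:pos + n]; pos += n
        age = struct.unpack(">I", body[pos:pos + 4])[0]; pos += 4
        identities.append((identity, age))
    if pos != end:
        raise ValueError("identities vector length mismatch")
    bnd_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    end = pos + bnd_len
    binders = []
    while pos < end:
        n = body[pos]; pos += 1
        binders.append(body[pos:pos + n]); pos += n
    if pos != end or pos != len(body):
        raise ValueError("binders vector length mismatch")
    if len(binders) != len(identities):
        raise ValueError("binder count must equal identity count")
    return identities, binders


def parse_server_selected_identity(body: bytes, offered_count: int) -> int:
    """ServerHello pre_shared_key is only uint16 selected_identity; it must index the client's list."""
    if len(body) != 2:
        raise ValueError("server pre_shared_key must be exactly a uint16")
    idx = int.from_bytes(body, "big")
    if idx >= offered_count:
        raise ValueError("selected_identity out of range; abort with illegal_parameter")
    return idx
```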