[netconf] Roman Danyliw's No Objection on draft-ietf-netconf-trust-anchors-24: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 06 February 2024 21:31 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: netconf@ietf.org
Delivered-To: netconf@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 976D8C14F6FC; Tue, 6 Feb 2024 13:31:48 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-netconf-trust-anchors@ietf.org, netconf-chairs@ietf.org, netconf@ietf.org, bill.wu@huawei.com, mjethanandani@gmail.com, bill.wu@huawei.com
X-Test-IDTracker: no
X-IETF-IDTracker: 12.4.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <170725510860.42671.3463074490975756528@ietfa.amsl.com>
Date: Tue, 06 Feb 2024 13:31:48 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/O7cZ3LZ0tEt26_9ZRi0Ym4b2TZs>
Subject: [netconf] Roman Danyliw's No Objection on draft-ietf-netconf-trust-anchors-24: (with COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 21:31:48 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-netconf-trust-anchors-24: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Yoav Nir for the SECDIR review. Thanks for addressing my DISCUSS and part of my COMMENT. ** YANG. list certificate-bag "A bag of certificates. Each bag of certificates SHOULD be for a specific purpose. For instance, one bag could be used to authenticate a specific set of servers, while another could be used to authenticate a specific set of clients."; Since normative language is used here, can additional guidance be provided on qualifying “specific purpose”. For example, can one put different applications for the same server in the same bag? What is the consequence of incorrectly binning the certificate chains? More generally, I’m wondering about the significance of where certificates are binned. Because of natural language describing the purpose of these bags, I don’t see an obvious, interoperable, general purpose way to automatically parse this structure to know which certificate to use for a server beyond checking subjectAltNames in the certificate against a domain name (which precludes the need to even organize these certificates into bins beyond readability). ** Section 4.3 None of the readable data nodes defined in this YANG module are considered sensitive or vulnerable in network environments. The NACM "default-deny-all" extension has not been set for any data nodes defined in this module. Doesn’t read-access to this module provide insight into which other resources/applications/servers this particular server communicates with by virtue of having their end-entity certificates or SSH keys? Wouldn’t this provide an attacker insight into potential targeting? or business relationships?
- [netconf] Roman Danyliw's No Objection on draft-i… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's No Objection on dra… Kent Watsen