Re: [netconf] built-in trust anchors

Qin Wu <> Wed, 13 January 2021 01:15 UTC

From: Qin Wu <>
To: "Sterne, Jason (Nokia - CA/Ottawa)" <>, Netconf <>
Date: Wed, 13 Jan 2021 01:15:19 +0000

From: netconf [] on behalf of Sterne, Jason (Nokia - CA/Ottawa)
Sent: 13 January 2021 3:02
To: Netconf <>
Subject: [netconf] built-in trust anchors

Hi all,

I noticed Jurgen's comment about built-in trust anchors in his YANG doctor review of trust-anchors-13. I wanted to pull that out into a dedicated thread/discussion here.


- Section 3 talks about populating <running> with built-in trust

   In order for the built-in trust anchors to be referenced by
   configuration, the referenced certificates MUST first be copied into
   <running>.  The certificates SHOULD be copied into <running> using
   the same "key" values, so that the server can bind them to the built-in
   entries.

  Is the idea that this copy operation is an explicit management
  operation or can implementations populate <running> with this
  data automatically?

I suppose a server *could* populate this in running as part of a built-in startup datastore in the absence of a startup datastore (i.e. as contents of an RFC 8808 factory default). But I assume it is desirable to be able to delete the running copy of a built-in item. So the system would have to avoid populating these unless it is loading the factory default.

[Qin]: Interesting discussion. Either loading the factory default from the factory datastore or defining a new system datastore, I think both can enable the server to populate the data automatically. One individual draft in NETCONF (draft-ma-netconf-with-system) seems to target this issue, i.e., avoiding duplicated data items being created in <running>. I have copied this email to the author of draft-ma-netconf-with-system for their feedback.

But even if the system can populate these, we'd also want the client/user to be able to explicitly populate them as well (i.e. in case they delete one from running, and want to add it back in to reference it).

[Qin]: See details in draft-ma-netconf-with-system. It helps define consistent behavior for system data handling, just like what RFC6243 did.

In either case (system population of running, or client population of running), do we really need to put the contents of the bag or the cert into running?  Or is populating the list key enough since the operational copy shows what contents are in use for that list entry?
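The thread turns on what a server does when a <running> entry carries the same list key as a built-in trust anchor, whether the copied contents must be present, and what happens when the running copy is deleted. The toy model below is an added example written for this page; it is not code from the trust-anchors draft, from draft-ma-netconf-with-system, or from any server implementation. The (certificate-bag name, certificate name) key pair, the placeholder cert-data strings, and the conflict policy (reject a running copy whose cert-data differs from the built-in value instead of silently preferring either) are assumptions chosen to make the behaviour visible, not rules the draft mandates.

```python
"""Toy model of binding <running> trust-anchor entries to built-in entries
by YANG list key.  Added example for this discussion, not code from the
trust-anchors draft or any implementation; the key structure (bag name,
certificate name), the cert-data placeholders and the conflict policy are
assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (certificate-bag name, certificate name)

# Constructed sample: built-in (system-provided) trust anchors.  In the real
# model cert-data would be a base64 DER blob; short placeholders are used here.
BUILT_IN: Dict[Key, str] = {
    ("vendor-roots", "root-ca-1"): "DER:root-ca-1",
    ("vendor-roots", "root-ca-2"): "DER:root-ca-2",
}


@dataclass(frozen=True)
class RunningEntry:
    bag: str
    name: str
    cert_data: Optional[str] = None  # None: only the list keys were configured


def build_operational(running: List[RunningEntry],
                      built_in: Dict[Key, str] = BUILT_IN
                      ) -> Tuple[Dict[Key, str], List[str]]:
    """Compute the operational view from <running> plus the built-in entries.

    Policy (an assumption, not something the draft mandates):
      * a running entry whose key matches a built-in entry is bound to the
        built-in contents, whether or not cert-data was copied along;
      * if cert-data was copied and differs from the built-in value, the
        entry is rejected and reported, so a substituted anchor cannot
        masquerade as the vendor one under the vendor's key;
      * a key with no built-in counterpart must carry its own cert-data;
      * built-in entries absent from <running> are not in the operational
        truststore, so deleting the running copy really removes the anchor.
    Returns (operational, problems).
    """
    operational: Dict[Key, str] = {}
    problems: List[str] = []
    for entry in running:
        key = (entry.bag, entry.name)
        if key in built_in:
            if entry.cert_data is not None and entry.cert_data != built_in[key]:
                problems.append(f"{key}: cert-data in <running> differs from built-in entry")
                continue
            operational[key] = built_in[key]
        elif entry.cert_data is None:
            problems.append(f"{key}: no built-in entry with this key and no cert-data given")
        else:
            operational[key] = entry.cert_data
    return operational, problems


def resolve_bag_reference(operational: Dict[Key, str], bag: str) -> List[str]:
    """Resolve a leafref-style reference (e.g. a TLS client's trusted CA bag)
    against the operational view; an empty list means the reference dangles."""
    return sorted(name for (b, name) in operational if b == bag)


if __name__ == "__main__":
    # Constructed <running> contents exercising each branch of the policy.
    running = [
        RunningEntry("vendor-roots", "root-ca-1"),                   # key only
        RunningEntry("vendor-roots", "root-ca-2", "DER:evil-root"),  # tampered copy
        RunningEntry("my-roots", "corp-ca", "DER:corp-ca"),          # operator-supplied
        RunningEntry("my-roots", "missing"),                         # key only, nothing to bind
    ]
    op, problems = build_operational(running)
    for line in problems:
        print("rejected:", line)
    print("vendor-roots in use:", resolve_bag_reference(op, "vendor-roots"))
```

With this policy a key-only entry is enough for the server to bind a built-in anchor (Jason's second question), while a running copy whose contents disagree with the built-in entry is surfaced rather than quietly resolved in either direction; a server that instead let <running> override the built-in contents would need to account for an operator, or an attacker with write access to <running>, replacing a vendor root under the vendor's key.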