Re: [netconf] Comments on crypto types presentation
Kent Watsen <kent@watsen.net> Mon, 06 April 2020 22:09 UTC
Return-Path: <01000171518a37da-e2c4b56b-dd75-48e7-b735-94e5eb39edf3-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77DA73A0D36 for <netconf@ietfa.amsl.com>; Mon, 6 Apr 2020 15:09:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ucv0c9vEX4nI for <netconf@ietfa.amsl.com>; Mon, 6 Apr 2020 15:09:06 -0700 (PDT)
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [54.240.8.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 549393A0D32 for <netconf@ietf.org>; Mon, 6 Apr 2020 15:09:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1586210945; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=PhOAine1KdvkE28T+t9seUFqTpPrxtQRC+8cKj7fgVU=; b=WzVMZQFq5VZljpERUPmAdmj+qc+Hg1FJS73WKMoZDQVKJ73F6kt16icGYHuRKwYm J15/CalpfEKMdT6zW7TVyIBdVfoqBgPTLWvjhKS1SLbW+p8Gwme/lEi1kE3TpgDhtjg 2t3fqZxAUH6qWVSXUW19gzpVAfNevga9zuil1OiI=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Kent Watsen <kent@watsen.net>
In-Reply-To: <20200406153338.dgh5zlbdomctzbop@anna.jacobs.jacobs-university.de>
Date: Mon, 06 Apr 2020 22:09:05 +0000
Cc: "Joe Clarke (jclarke)" <jclarke=40cisco.com@dmarc.ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <01000171518a37da-e2c4b56b-dd75-48e7-b735-94e5eb39edf3-000000@email.amazonses.com>
References: <DBB45843-C6AC-476E-93CD-2631A2573F3B@cisco.com> <20200406153338.dgh5zlbdomctzbop@anna.jacobs.jacobs-university.de>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2020.04.06-54.240.8.33
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/OXkt4Hk82aUItg1IGRU3vgUAFlk>
Subject: Re: [netconf] Comments on crypto types presentation
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 22:09:07 -0000
Hi Juergen (and Joe and Jason), > Just for clarification: If we do #3 now, we can still do #2 later? Yes, as far as we know, the “algorithm" id can be added later. Assuming existing versioning rules (Sec 11 in RFC 7950), the “algorithm” node would have to be added then as "mandatory false", which might be okay. Of course, the YANG-versioning work (in NETMOD WG) should be published by then so, in the worst case (i.e., it needs to be mandatory true), the YANG module could legally introduce the non-backwards-compatible change. > If the answer is 'yes', then option #3 is attractive as we gain time > and hopefully implementation experience and we can add protocol > specific key generation RPCs in a second step. Indeed, time-to-market vs completeness. However everyone should be aware that the deferral would likely be "a few years", if not more. I’m personally okay with that, and perhaps even prefer it, since it more quickly gets the monkey off my back. Devil’s advocate position: not supporting keygen would be a disservice to the industry as whole, and there’s something to be said for striking while the iron is hot. PS: regarding enum vs identityref. Option 1 could also use identityref…and, in fact, it did before. The reason Option 1 changed to using an enum was so that a set “value” could be associated with each algorithm. That said, the need to set a value was never clearly explained and, IMO, doesn’t exist. My only point is, don’t let enum-vs-identity be the key differentiator in thinking about Option 1-vs-2. Kent // contributor > Otherwise, option #2 > seems more attractive to me. In a TPM world, it seems key generation > on the device is somewhat essential to have. > > /js > > On Mon, Apr 06, 2020 at 02:39:08PM +0000, Joe Clarke (jclarke) wrote: >> Since we are running short on time at the VI, I want to register some comments on the list. >> >> * I ultimately like option #3 to progress the base client-server work and see if the key gen feature is desired down the road (enough to pick it back up). >> >> * Second, I prefer option #2 for the reasons discussed as well as because of the comment Jason raised that I think the identityref approach makes sense. >> >> Joe
- [netconf] Comments on crypto types presentation Joe Clarke (jclarke)
- Re: [netconf] Comments on crypto types presentati… Juergen Schoenwaelder
- Re: [netconf] Comments on crypto types presentati… Salz, Rich
- Re: [netconf] Comments on crypto types presentati… Kent Watsen
- Re: [netconf] Comments on crypto types presentati… Joe Clarke (jclarke)
- Re: [netconf] Comments on crypto types presentati… tom petch
- Re: [netconf] Comments on crypto types presentati… Joe Clarke (jclarke)