[netconf] Truststore: bags, sets, or other?

Kent Watsen <kent@watsen.net> Fri, 31 January 2020 01:01 UTC

From: Kent Watsen <kent@watsen.net>
Date: Fri, 31 Jan 2020 01:01:29 +0000
Cc: Russ Housley <housley@vigilsec.com>
To: "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/WBW8QJEPJDoD-1cykrtaMTQiOzQ>
Subject: [netconf] Truststore: bags, sets, or other?

[CC-ing Russ, who says he knows a lot about bags ;)]


The truststore draft [1] has the following general structure:

   module: ietf-truststore
     +--rw truststore
        +--rw certificates* [name] {x509-certificates}?
        |  +--rw name           string
        |  +--rw certificate* [name]
        |     +--rw name                      string
        |     ...
        +--rw host-keys* [name] {ssh-host-keys}?
        |  +--rw name           string
        |  +--rw host-key* [name]
        |     +--rw name        string
        |     ...
        +--rw raw-public-keys* [name] {raw-public-keys}?
           +--rw name              string
           +--rw raw-public-key* [name]
              +--rw name                 string
              ...


I have been struggling with the naming of the top-level nodes (/certificates, /host-keys, etc.) being plural while also being ‘list’ elements. What is intended is that each of these top-level nodes is a "list of sets/bags of things". To resolve this issue, I’m thinking about the following change:

OLD:
            +--rw <thing>s* [name] {<thing-feature>}?
               +--rw name       string
               +--rw <thing>* [name]
                  +--rw name    string
                  ...

NEW:
            +--rw <thing>-bags {<thing-feature>}?
               +--rw <thing>-bag* [name]
                  +--rw name       string
                  +--rw <thing>* [name]
                     +--rw name    string
                     ...

Better, right?   Any other ideas?

Note that the term “bag” is the commonly used term in crypto circles with regard to PKI and, in particular, in reference to the “CertBag” type defined in Section 4.2.3 of RFC 7292 [2]. That said, I don’t think that “bag” is commonly used in reference to SSH host keys or raw public keys. I don’t know if that is any issue but, in case it is, the choices are:

	1) use “bag” for all three
	2) use “set” for all three
	3) use “bag” for certificates and “set” for the other two
	4) <another idea?>

Thoughts?


[1] https://tools.ietf.org/html/draft-ietf-netconf-trust-anchors
[2] https://tools.ietf.org/html/rfc7292#section-4.2.3

Kent
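For readers who want to see the proposed NEW shape spelled out rather than sketched as a tree, here is the certificate branch written as a YANG 1.1 module. This is an added illustration, not text from the draft or from Kent's message: the module name, namespace and prefix are placeholders, and the certificate payload is modelled as a plain `binary` leaf, whereas the actual draft uses typedefs from ietf-crypto-types. The security-relevant point the structure captures is that a client or server configuration references a named bag, so the set of trust anchors that validates a peer can be swapped or narrowed without touching every individual certificate entry.

```yang
module example-truststore-bags {
  yang-version 1.1;
  // Placeholder namespace and prefix for this example only.
  namespace "urn:example:truststore-bags";
  prefix ex;

  feature x509-certificates {
    description
      "Server supports bags of X.509 trust-anchor certificates.";
  }

  container truststore {
    description
      "Trust anchors, grouped into named bags so that other
       configuration can reference a whole bag by name.";

    // NEW shape: the plural node is a container (no list key),
    // and each singular '-bag' entry is the list element.
    container certificate-bags {
      if-feature "x509-certificates";
      list certificate-bag {
        key "name";
        leaf name {
          type string;
          description
            "Name of this bag; referenced by a client or server
             configuration that needs a set of trust anchors.";
        }
        list certificate {
          key "name";
          leaf name {
            type string;
          }
          leaf cert {
            // The draft uses an ietf-crypto-types typedef here;
            // plain binary is an assumption made for this example.
            type binary;
            mandatory true;
            description "The trust-anchor certificate.";
          }
        }
      }
    }
  }
}
```

Running `pyang -f tree` on this module produces the `+--rw certificate-bags` / `+--rw certificate-bag* [name]` nesting shown in the NEW sketch above, which is a quick way to confirm that a proposed layout renders the way one intends before changing the real draft.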