IETF Logo Mail Archive

[netconf] built-in trust anchors

"Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com> Tue, 12 January 2021 19:02 UTC

Return-Path: <jason.sterne@nokia.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A6C83A1028 for <netconf@ietfa.amsl.com>; Tue, 12 Jan 2021 11:02:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.151
X-Spam-Level:
X-Spam-Status: No, score=-2.151 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wBxzdxZiL80p for <netconf@ietfa.amsl.com>; Tue, 12 Jan 2021 11:02:08 -0800 (PST)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2126.outbound.protection.outlook.com [40.107.92.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1844B3A1027 for <netconf@ietf.org>; Tue, 12 Jan 2021 11:02:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gQpg6m5o6FpcMqJY6cY7xNhbPIpcnsIYK/F797SjlyWzgvPZLgelHOC0/gSnCYAuEyhF7VNGUh9saIatOpNhcktiGB/crtr3pwvztkADvNdPgBgHdFoiDRnPdO3+V5gJNZMPK/RueJ2ctyQ0shtSo8BjBwhrr/a6Zb0GwrPHVVHb0SoEMKXxttO50s3ezXnvir9tVr8pMP3RZwKL0GiTjZ+WWeWSLHf8miu36egtUt5mJxlmVF9N0vmxYY6U2weoWfWicT4VV7kkpKmZpDoZkoiXTcp5ciIbVeFa4UTnJ0DV9i3nmXAqgamSFxAr3N/AY9zOyV5OuSRp+jaizKpWgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UhUdDwXkpBrukB10T5s86erKygq7ajQuQXI3F23VpjU=; b=Sul/qZa5VikQtO185N+JjzydHRol4+HlezUb1Ge1h9SoOyF9j3RAgeJQvTMgbDdRR1w+e0/yEn9VUn8G7UsvItRQeCkwAemwRnSIx/ejsBhu2TyiVjLwnRt1CSivkqdnU91I2CRWZSQRxiZDoztUNCAKC8Gztc47au8bL6foVerVs0pBADu1hitmEF9OqXh41IdaSskbQY/Mm1R1wxaNtEIimsYbAn1h10cN+3+qE436zdIF+N+iX6I0siMpipQh1GiNmAw9eAsIJNF2OCprnC8b1QRNA26kTelZiOqAt6aZi+j06vyf3vajo3N+ignGeLJObGKoWlJwwgN4jgxXcA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UhUdDwXkpBrukB10T5s86erKygq7ajQuQXI3F23VpjU=; b=uOvKDYuHgk/7ZjU1AK/zhU69iJlMY5u4WMAwX7fos5MpZggK7Z3RRHjlwIog7Ts6TX2hzdNFJSyy9mDhKYHMiSUpa44x54bt1Fnr6KJAikAKsG3NqOxDf0tqzizi/buSZxpPPpseRk+I3qWs+tWKj7PqozR8ds7nyBiQmxsRtgU=
Received: from DM6PR08MB5084.namprd08.prod.outlook.com (2603:10b6:5:41::29) by DM5PR08MB2378.namprd08.prod.outlook.com (2603:10b6:3:72::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3742.6; Tue, 12 Jan 2021 19:02:04 +0000
Received: from DM6PR08MB5084.namprd08.prod.outlook.com ([fe80::e9d5:c438:1c73:8ca3]) by DM6PR08MB5084.namprd08.prod.outlook.com ([fe80::e9d5:c438:1c73:8ca3%5]) with mapi id 15.20.3742.012; Tue, 12 Jan 2021 19:02:04 +0000
From: "Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com>
To: Netconf <netconf@ietf.org>
Thread-Topic: built-in trust anchors
Thread-Index: AdbpFFL2IioTw935RTC9hP47Cn7q7Q==
Date: Tue, 12 Jan 2021 19:02:04 +0000
Message-ID: <DM6PR08MB5084E8CF8D3D4D0E77C841CD9BAA0@DM6PR08MB5084.namprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=nokia.com;
x-originating-ip: [2607:fea8:e324:8d00:f965:4ae3:4b56:123b]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 43637d24-54b5-4b51-acc3-08d8b72c8d13
x-ms-traffictypediagnostic: DM5PR08MB2378:
x-microsoft-antispam-prvs: <DM5PR08MB23780C36E0C85120BD360E299BAA0@DM5PR08MB2378.namprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 6Jfdpp1Z+17wePyBLjCGB7/BhcXnBHclxupTyU2bahDGq4UC+fUulslOcb3P+3gQ5rMMFiF3Ncs8QjJI9ZG52UK/SpSLc3WzqHGN5PvRXi2m5oHnvNNJLLdLMAxfvjEP91AdpXG4S9XxcrOeUEDMuTji2SBap4t/ARX2RsoDrXUYAr8o37Pc6yF1MdmhLIWnf/B2BHOgnBC3dEe+rZQ3T+eTyq5tVy6mtCfznubonYqc5qZ0gGomXmajZ0yNLe7CEGYIwVHWrSlCgv02M0EVdynC6fZJ72alfcPAwOazfsb9NDcQuc05x6Wy7QW9hDgwvEsEnTcMYyZ2nFWGjNSvVXRdbnTdpMsjD00mHbbx+gU5/1E33Qi4HRsBdY156WAWB90HvPwbgLyOi4QV+qZQFg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR08MB5084.namprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(366004)(136003)(396003)(346002)(376002)(52536014)(6916009)(66946007)(5660300002)(316002)(76116006)(7696005)(83380400001)(66446008)(186003)(9686003)(8936002)(8676002)(478600001)(64756008)(86362001)(55016002)(66556008)(2906002)(71200400001)(6506007)(66476007)(33656002)(3480700007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: q2qd7H90tl33wlWiee0dE51gbpQm078n4T6C6aPJa/feujXNwkX8kIz80IUsEEo4AisN7qsl3kKio40VmXyUkF6xo3vF+kfhc4H2rCx/6uqTPZ5HTho2su4BgnVTv++tQJu4lqK93aAyUlRLgK3CBOWU9I6Imn9BB6Ykz03vTxpDkCT9rdfsxnnSrUVg/Z4ebkmZ50VJz5ra2N1k91wHug+nRyNkbsIQsWUQNbQsCQ4dfV0Fw7DDVpHQz9lImaqPJreLRVGhbtgjCo1i6aE7lGvQ7KnGvjfLvqGZxmQqQBzynV2GUJkPnhaCQrg2/K5xrpdj+nXSLFwr3TQPKYg/eNU1MxfKUGqq3A1qK05S9EJRfHCC6h4QiVLKb2nEfmKY9rlAvZj0NYVsNdsygW39FXRH8z+cHOm7984d8ozPxw3VdmThcIn2FQqNrTHYjf5XGf9duD1LZweNcnhc0e4VxNtEIbuO5aMBew2munrsW+V+JoGhGLqVRhWZGt5Tf+3ZE5HtjtkYCJoG3FDIJ9+TeOdnKxVvqfHlIuM7vA+/eVSIU6rGkv0aUvB7Mr+JJZ+TkEb44+7q2tgjl0vcy37tfatsweAj9OD3KkothBY4yECGA7ZntLzWumRrX2187NnEBlI4AAI/okmfVr1iL5xu7kJMtCj1vdeT3du81mP1iDHrvrkcIi6NDa/l/+oNAnlKGIX+OEOc2j9D/9Oj/+2drCPzT/pAhhR14SanQ7UDEM8b0sJvREd4baP+XdoZvyOUG28J6YMfD2gAhkn8/9XdBsRg3D+ejmCz+LiDj44rCs4tpqzVQMSgoFdb6N8xV6HEFyhFlLr7YsEZlyGgiMV4BFzsjB/Jknlafb1DFPnof4gDxcr/zj9f6O8fWEjyGVPdIW/VPh/qj2m4KevTUoiSRD2FPKjoCQnIjybZ1i3J04iXK0QYqDMNOwWJTi2aW3Im1lnKymGyQue44d19C+Ar8j/TaVSLIVnjl/Feo43QIuA6NBc7Uu4m5BzxiTTkxIMttDhHaHMEYQIaye1iBn+/3tP+ssVUmiM+y2XT2+kXDzeGCI4ogU+XGdnv/iTQD09G
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR08MB5084E8CF8D3D4D0E77C841CD9BAA0DM6PR08MB5084namp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR08MB5084.namprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 43637d24-54b5-4b51-acc3-08d8b72c8d13
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jan 2021 19:02:04.5776 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pfk4sdJK+Z60KMSzfLTkHXHsb5jSOw92bCOLrxv73kqqtaDZOUBCfSX12gOui23JbPGpFGyDVOHqQKd2iMJ1ew==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR08MB2378
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/i4kTGseYl3BpTtb31NWbb593knA>
Subject: [netconf] built-in trust anchors
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2021 19:02:10 -0000

Hi all,

I noticed Jurgen's comment about built-in trust anchors in his YANG doctor review of trust-anchors-13. I wanted to pull that out into a dedicated thread/discussion here.

Jurgen:


- Section 3 talks about populating <running> with built-in trust

  anchors.



   In order for the built-in trust anchors to be referenced by

   configuration, the referenced certificates MUST first be copied into

   <running>.  The certificates SHOULD be copied into <running> using

   the same "key" values, so that the server can bind them to the built-

   in entries.



  Is the idea that this copy operation is an explicit management

  operation or can implementations populate <running> with this

  data automatically?

I suppose a server *could* populate this in running as part of a built-in startup datastore in the absence of a startup datastore (i.e. as contents of a RFC8808 factory default). But I assume it is desirable to be able to delete the running copy of a built-in item. So the system would have to avoid populating these unless it is loading the factory default.

But even if the system can populate these, we'd also want the client/user to be able to explicitly populate them as well (i.e. in case they delete one from running, and want to add it back in to reference it).

In either case (system population of running, or client population of running), do we really need to put the contents of the bag or the cert into running?  Or is populating the list key enough since the operational copy shows what contents are in use for that list entry?

Jason

v2.23.0 | Report a Bug | By Email