[netconf] built-in trust anchors
"Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com> Tue, 12 January 2021 19:02 UTC
Hi all,

I noticed Jurgen's comment about built-in trust anchors in his YANG doctor review of trust-anchors-13. I wanted to pull that out into a dedicated thread/discussion here.

Jurgen:

> - Section 3 talks about populating <running> with built-in trust anchors.
>
>   In order for the built-in trust anchors to be referenced by configuration, the referenced certificates MUST first be copied into <running>. The certificates SHOULD be copied into <running> using the same "key" values, so that the server can bind them to the built-in entries.
>
>   Is the idea that this copy operation is an explicit management operation or can implementations populate <running> with this data automatically?

I suppose a server *could* populate this in running as part of a built-in startup datastore in the absence of a startup datastore (i.e. as contents of a RFC8808 factory default). But I assume it is desirable to be able to delete the running copy of a built-in item. So the system would have to avoid populating these unless it is loading the factory default.

But even if the system can populate these, we'd also want the client/user to be able to explicitly populate them as well (i.e. in case they delete one from running, and want to add it back in to reference it).

In either case (system population of running, or client population of running), do we really need to put the contents of the bag or the cert into running? Or is populating the list key enough since the operational copy shows what contents are in use for that list entry?

Jason
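To make the question above concrete, here is an added model (not code from the draft or from any NETCONF server) of the rule Section 3 states: a reference only resolves if the entry is present in <running>, and an entry in <running> that reuses a built-in entry's key values is bound to the built-in contents. The bag/certificate keys, the certificate bytes and the handling of a key-only entry are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not real certificates): built-in bags exist in
# <operational>; <running> holds only what the factory default or a client put there.
BUILTIN: Dict[Tuple[str, str], bytes] = {
    ("builtin-root-cas", "example-ca"): b"DER-BYTES-OF-EXAMPLE-CA",
}


@dataclass(frozen=True)
class RunningEntry:
    bag: str
    name: str
    cert: Optional[bytes] = None  # None: the client configured only the list keys


def effective_view(running: List[RunningEntry]) -> Tuple[Dict[Tuple[str, str], bytes], List[str]]:
    """Operational view implied by <running>, plus any binding problems.

    Modelling assumption: an entry whose keys match a built-in entry is bound to
    the built-in contents, so a key-only entry resolves to the built-in
    certificate; contents that differ from the built-in entry are reported.
    """
    effective: Dict[Tuple[str, str], bytes] = {}
    problems: List[str] = []
    for e in running:
        key = (e.bag, e.name)
        builtin_cert = BUILTIN.get(key)
        if e.cert is None:
            if builtin_cert is None:
                problems.append(f"{key}: key-only entry has no built-in counterpart")
                continue
            effective[key] = builtin_cert
        else:
            if builtin_cert is not None and builtin_cert != e.cert:
                problems.append(f"{key}: running contents differ from built-in entry")
            effective[key] = e.cert
    return effective, problems


def reference_ok(running: List[RunningEntry], bag: str, name: str) -> bool:
    """A configuration reference is valid only if the entry is in <running>
    (the MUST in Section 3), even when the same entry is built in to <operational>."""
    return any((e.bag, e.name) == (bag, name) for e in running)
```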