[netconf] AD review of draft-ietf-netconf-keystore-28
"Rob Wilton (rwilton)" <rwilton@cisco.com> Fri, 23 June 2023 15:41 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66A38C1524B6; Fri, 23 Jun 2023 08:41:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.595
X-Spam-Level:
X-Spam-Status: No, score=-9.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="KdqPYUpL"; dkim=pass (1024-bit key) header.d=cisco.com header.b="HmXKSXy+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNnPZJ8_faAm; Fri, 23 Jun 2023 08:41:22 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 991F7C151990; Fri, 23 Jun 2023 08:41:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10384; q=dns/txt; s=iport; t=1687534882; x=1688744482; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=ZihDnCzJPM8H5J60H0GMnCnP+t6mqCbCrFrwd2ChjRs=; b=KdqPYUpLr/pV+0dcGYGW1ktFVfOHtGOAjlLfna0R1yOCadgSnsKKXcUX q3ejrP11acFI83V5CKCWC7fLbAOqbHMAIsh36dUOgdv2KER54UB2nNP1m IIIz+sq/jnqIoZlzxSg04DVVGa8lQebu/rM/EPCKfRz8yKiiuqnhokwCV Y=;
X-IPAS-Result: A0CFAQDGvJVkmJpdJa1agQklgSqBYVJzUwgTFxJHiB0DhS2GMoIknXIUgREFVA8BAQENAQFEBAEBgVODMwKGBQIlNAkOAQICAgEBAQEDAgMBAQEBAQEDAQEFAQEBAgEHBBQBAQEBAQEBAR4ZBQ4QJ4VoDYYdKAYBATAIEQE+QiYBBAEaGoJcgl0DAaMEAYFAAooleIE0gQGCCAEBBgQFsmoJgUKET4t2gR8IHxuBSUSBFUOGCAKBRgIahBKCLossDQyCYoMJghYYLgeLHGWBKG+BHoEgegIJAhFngQgIX4FyQAINVAsLY4EcUjqBRgICEToUU3gbAwcDgQcQLwcELwkfBgkYLyUGUQctJAkTFUEEg1gKgQw/FQ4RglkiAgc2PxtRgmg3A0QdQAMLcD0UIQYOHwUEgkFugQgKAkajBmgCAwEBAWIEFIEvZwMEIBUCFw8CPZITSo5toAqCOQqECKE2F4QBjGyGbZEcYpgaIKIpPhOEdgIEAgQFAg4BAQaBYzqBW3AVgyJSGQ+OJwUNCYNSj3l1OwIHCwEBAwmLSAEB
IronPort-PHdr: A9a23:8p1ihRP7W78Jf3isKF4l6nfIWUAX0o4cdiYP4ZYhzrVWfbvmpNLpP VfU4rNmi1qaFYnY6vcRk+PNqOigQm0P55+drWoPOIJBTR4LiMga3kQgDceJBFe9LavCZC0hF 8MEX1hgrDmgKUYAIM/lfBXJp2GqqzsbGxHxLw1wc/7qG4rOiMKf3OGp8JqVaAJN13KxZLpoJ 0CupB7K/okO1JJ/I7w4zAfIpHYAd+VNkGVvI1/S1xqp7car95kl+CNV088=
IronPort-Data: A9a23:eCXiWay+6wEFm3hDiSt6t+c8xirEfRIJ4+MujC+fZmUNrF6WrkUGz GsdC2/VbvaCZjajfNp3boy+80MDusPWnd8xQQU6pFhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJloCCea/H9BC5C5xZVG/fngqoHUVqicY0ideSc+EH160Uw5wLZi6mJVqYHR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyV94KYkGE2EByCQrr+4sQKNb 72rILmRpgs19vq2Yz+vuu6TnkYiGtY+MeUS45Zbc/DKv/RMmsA9+r8SCdwDLmFdsQiUw89qk cVE5ZyXewh8a8UgmMxFO/VZOzt1MasD87jdLD3k98eS1EbBNXDrxp2CDmlvYtZeobkxUDoIr KFEQNwORkjra+ae2q26TvVrgOwoLdLgO8UUvXQIITTxUqh4EMCYHvmiCdlw3XASp8oRQ9DiV +kfSSdodh+dMx93NQJCYH45tL742iagG9FCk3qZv6M5/y3SwRB/lb7gLNHSfNLPRshEhVqfv G/u/mnlDFcdLtP34TyI7nmrgOHnnC7nVsQVDrLQyxJxqEeYympWAxoMWB7g5/K4kUW5HdlYL iT45xbCs4Ar3XGNUZ7bVSeFvSKbpUcMUopQNN81vVTlJrXv3y6VAW0NTzhkYdMgtdMrSTFC6 rNvt463bdCImODLIU9x5ot4vhvpZndIdT5qiTssCFpas4O68enfmzqWFo47eJNZmOEZDt0Z/ txnhDI1i7NWhskR2uDgu1vGmDmr4JPOS2bZBzk7vEr4sGuVh6b8N+REDGQ3C94cdO51qXHd5 BA5dzC2trxmMH10vHXlrB8xNL+o/e2ZFzbXnERiGZIsnxz0pS78Id0AvmogfBc0WirhRdMPS BGL0e+2zMELVEZGkYcsC25MI51wlPO5RYiNug78N4ASPfCdizNrDAk3NRLPgAgBYWAnkLo0P t+AYN2wAHMBYZmLPxLoL9rxJYQDn3hkrUuKHMiT503+jdK2OiXPIZ9bawTmUwzMxP7eyOkj2 4wBZ5LiJtQ2eLCWXxQ7BqZJdgxacCFlXcGpwyGVH8baSjdb9KgaI6a56ZsqepdumOJekeKgw 513chYwJIbX7ZEfFTi3Vw==
IronPort-HdrOrdr: A9a23:JL1eTK4iv0RJwdrBrAPXwU2BI+orL9Y04lQ7vn2ZFiY1TiXIra 6TdaoguiMc0AxhIk3I+errBEDyewKgyXcT2/hbAV7CZnivhILMFuFfBOTZskXd8kHFh4tgPM RbAuJD4b/LfCNHZK/BiWHSf6dCsbu6GcuT9IDjJgJWPHhXgtZbnmFE42igYylLrQ99aKYRJd 653I5qtjCgcXMYYoCQHX8eRdXOoNXNidbPfQMGLwRP0njDsRqYrJrBVzSI1BYXVD1ChZ0493 LergD/7qK/99mm1x7n0XPJ5Zg+oqqv9jIDPr3DtiEmEESttu+aXvUjZ1REhkF2nAib0idqrD ALmWZkAy080QKUQoj/m2qQ5+Cp6kdQ15al8y7UvZMmyvaJAg7TzKF69MVkWwqc5Ew6sN5m1q VXm2qfqppMFBvF2D/w/t7SSnhR5z2JSFcZ4JsuZkZkIP8jQa4UqZZa8FJeEZ8GEi6/4Ic7EP N2BMWZ4PpNa1uVY33Qo2EqmbWXLz0ONwbDRlJHtt2e0jBQknw8x0wExNYHlnNF8J4mUZFL6+ nNL6wtnrBTSc0da757GY46ML2KI32IRQiJPHOZIFzhGq1CM3XRq4Tv6LFw/+2ucIxg9upBpH 0AaiIqiYcfQTOfNSTV5uw0zvnkehTNYQjQ
X-Talos-CUID: 9a23:5DaiNGq1wfNCNTVXfMS8G57mUdkMT1vCi1HaGXKlVXlyEa2cGV+3yqwxxg==
X-Talos-MUID: 9a23:T2gz7QmlVyCkV/gtpwWIdnpjc+VJ6fvwLnw9spMmps6ePnEgOQ+S2WE=
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Jun 2023 15:41:21 +0000
Received: from rcdn-opgw-3.cisco.com (rcdn-opgw-3.cisco.com [72.163.7.164]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 35NFfLBV005775 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 23 Jun 2023 15:41:21 GMT
Authentication-Results: rcdn-opgw-3.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=rwilton@cisco.com; dmarc=pass (p=quarantine dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.01,152,1684800000"; d="scan'208";a="3363603"
Received: from mail-bn7nam10lp2102.outbound.protection.outlook.com (HELO NAM10-BN7-obe.outbound.protection.outlook.com) ([104.47.70.102]) by rcdn-opgw-3.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Jun 2023 15:41:20 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FWYkF3DSDsVK4mIBmtEplmI4nFNJFctnaj8PS4vj5pzEj2YAQ1uC1dICv+070WSohKgWpdHUA9xz95baUTpaPbPZyMJd8lA/YYVFROzm2OWVXl3ae1+LPV4tvfxasKjR78VZ6IipIwzJqpLCrYhTzSNoKnXhJwuuoeKp7bGVBpmrFz5cq4ptV088HNQ3cjXKJsDAD6NcGkyUsBGvw47hQUQz9pM9EXD42GdTeTBEKNOYnWc1OSMVK5p6HolVE2doce1QeKVy9bkQjtvxUCqjIsWFYDwx7mQ6iI2jc9nFjoD12Sq8zKmG/5ZOpQq5xmlTII94u6JfQhOm1YleGMEACQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=KI8Aa53d+LVR8lPr4g1XAc5vhR9/QHKbd2mPHEDL8y8=; b=RF69ZYerVrwvJpWaOBaPmgEw4FLKdz9GYLfP9YIAfDcysqHFrJlhwkGe455rLXJRFcTlAIuMGctRf26LYQX25JRsMPyQYWXht90fs56LxZu+1Kv1/ebaOVAVAwssl5gocogmX7wtvEXCrY5gzR5MN84D0aP28IOlwvJTo7z6TNExV4cyJmbZy/RSIo27/VLNMIE01vAkO8zZpqEWzNuJHYi+ClycZ0C3x2ycBmarv5z2EBbd3I1egR9thg4+qknkO2NZt3pTICFzHo/jQX05/Ya4LovV6uicVKYBJRQYBatJ856WGSpfOHiVmxDpGlAUZF6QObSiiT0N4aVQj3LtiQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KI8Aa53d+LVR8lPr4g1XAc5vhR9/QHKbd2mPHEDL8y8=; b=HmXKSXy+Of/vGWLYWF9eDGpVn9LEX31aBDRzKz9MAekSLiOm1fRwIj0VlwsDWn673Mf68/LNOAX69SMl0n4+tKVFF9W19IR5Ob3a5vbwcsvx/rsPzExDlKgh6EKzhgOxlYVdpnZldjLopGaMUIoTCT53CJXvBkOWEQ05nZVhkzE=
Received: from BY5PR11MB4196.namprd11.prod.outlook.com (2603:10b6:a03:1ce::13) by DM4PR11MB6384.namprd11.prod.outlook.com (2603:10b6:8:8a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6521.26; Fri, 23 Jun 2023 15:41:19 +0000
Received: from BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::a6a3:7e3b:903b:2035]) by BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::a6a3:7e3b:903b:2035%5]) with mapi id 15.20.6521.024; Fri, 23 Jun 2023 15:41:18 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "netconf@ietf.org" <netconf@ietf.org>, "draft-ietf-netconf-keystore@ietf.org" <draft-ietf-netconf-keystore@ietf.org>
Thread-Topic: AD review of draft-ietf-netconf-keystore-28
Thread-Index: Adml6F4K4LHIPpCdQK6dFUBBGpmt8Q==
Date: Fri, 23 Jun 2023 15:41:18 +0000
Message-ID: <BY5PR11MB4196ADCAEEA83E72E43461F5B523A@BY5PR11MB4196.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BY5PR11MB4196:EE_|DM4PR11MB6384:EE_
x-ms-office365-filtering-correlation-id: daff0750-67ff-472a-d140-08db740049c1
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: y52mRNfy8PFuuVB9R6buokNZUW01Zl5htSXPvNTrlQNVOleHx0j7BYgxxPwfdGBElte2BFdQ9gVHPmF14BcF7rwEMv0rm2n1ZSQ1Eq/cnBZN3mNMpKEqCzJ78bWG+spkWJSyom9wM+SWtC2XT2Pwix6JsRAJCY+rLoUWDYhz3tukKh8iFtKNTeXLkmArPzxj+qK2EE949gubEh5CdNalh+oB1EtcJfwFopdB5M12tJbU/6/rhcFR8PAN8VEsxouXNDYN2PpXlPrcVKkwKm4pJsUzhG+8FW4NtVLnf7gVT9X+Q1jCgU20c2uKREunD281sO3vPENgLHL83mM37er43SaM7GwttBOLKTri+FaeCW6Q3XIfsg8s89hjAQPuNIpecdMVHzuinQvUC+QjZa0oe9YA11gPYND7UKQAoq223jLRVC4xOsRyLuStdfL06tMri3UvdMDVtyCDcUMzA9Ddk92hBF9cYJD5V96AhJiMrbihs5zysFkWiaYlIrQ2meRImiB9zJ/2HCF1LGB0D8AAD+twDZJmxMKCz38ME6oiM7YAH8DqbKG17sdcy/Xarq9rI8O+/WmVWO6UpDJTlj7jShgbNYqo7GHyG+QHkKgJvLUhgche5v7EmB2EUPzx7HRj
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4196.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(396003)(346002)(136003)(39860400002)(366004)(376002)(451199021)(66946007)(66556008)(76116006)(450100002)(66446008)(33656002)(8936002)(8676002)(66476007)(64756008)(478600001)(316002)(5660300002)(52536014)(55016003)(110136005)(41300700001)(86362001)(38070700005)(7696005)(2906002)(6506007)(186003)(38100700002)(71200400001)(83380400001)(122000001)(9686003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: DxOQnTzt3U1yBi5rLkH7O0HggwBAWUqZdBa9Ss1tFsILXEU1CPp/I7tVIq6YS5J80/juXcBKjnutzMujkuoIjwNUwanWTRUSNOUVMXKWfijcGqJ0UO9j14nUsZ48XDBVLIKuytwscz11mkAZMeZ4R+/FzzxGmKHZfVdCZZWeSrRnpD5HA/7tHoyMTmyTE0lj5ioCy2vS+qrmZk9jZfkEpwsCmykdAuCeTNgJCIXFaoEqZXMHQcaX+mWgtWAMnmT35jGzNxV0Rd0Kk0B5dlNfbmxIdHAdWheZdYgupUppMI/dQ2uc+9kcgJn8yu88via8mAk4Z5WN6lBeWnOeyHFo82M0jIQLj8ifE+ElJzOiIilLDtdEK9/6S47HQKaKMcoHpskZa2mAP2YmAGGCXrOLUeg/GLT8/bw5Ykq+9meB20ZN3ENs1kQGl0SuGoHyiwmikH1vwzFtKJwmYHboINgSjrLSMbqQdxzWmM51jJfxmWssi+e3TDIlxjWRInjCizEgnLPY+MM3BojwsuCrhO7yIFxvyXNHb1JvcpP/okbCVnIhSaA3EZIo9I1Jeaaq97DS/wkxlNsPqxtHhq/qhNbAR6a7IhfIGSmJEbdaWPX83RddMQLPpcE8Lfqi26uCOBAjwTzb2S8FnKg8gHSciUG9zxdjhLXcTmpMoFgZlZ2ogsqs4WFtTs1VwmHRWKqAWY6oFbh62tDW5htx9dPqyeAx6hNJ3APG/Uywnx4w3knA+c1BITwMddfrOppztx/EKxmsVfJVsjujiOU7eMkYlPp6mXvkTeeQTBuUqAaqphDxkMusL3ki9oC4mB5e1ltmY0zEPdMg76edCJeSqkd0kcRGJEOwcnEbjBtpGfZgLCKoupN5rW0rStp6+sLF2r9K1i86Yg6SzoNHP+fnWCGXdOdVCRCP1A1b+WpaxofYqnZgfPw63ZeIkUtRyPmCtMwkpiYCj4mUarC2MV7Q5Yi7DmVXqjRWCUmMp+pWGPYDPWxO67XWCvwNfQqoF/cIoc5fjTSu/GznjwETZxgPrLAZzMbyUjEnOrE4S/OCgFFkvb7LSlN9O/XBHcNsAprBwSHYYtT1f9ijqFKSgm/wjaPUByThV/MELz4lzS3JXC6ig4RU0BUx3v2+ofqntBLT+AEZjWxOyLfBCnpSoGxQ4kG4ITP7gp1VS5Kw9VVs6KOP1vVhtlGIeI7eYpbLKkpbl7EWxlRYvWfEh6birHxmB786jfUoZSBFG4z6sD60yPd8J9D88A2LaE+fSwMi1c+Q4yw7VZs2AUPXCHcKa5gFdkEJHGjQa+Blmv2hSV/GnbUpVXTD9qQTJVH+VNrmlKkygin5tgLapdGsX9BRoph875gptyYrKGTXEXUXYha04QfxOzPcfKTawT+7NI3mM1RFIDClTUYKZmSbzvuZVnavVabjhNY0WcWUpen0Q6CvXPQh0VtwUhdc2DK5OHOBJK62QYa+W8YTijx0qSWNNzUk/15h7nSit923eJVnI3oMM8H48XoDYJnw0T3wUWhN/bAjVIHJe/xS6lcTTVdcYZL4etSYiFnCLb0HDtISzQSKEINUU4UZ7ki/LbTs7tluxIShS3YG4IqRfWJzx16s5cJuBZukmWGY1u7kEfJQt0UkENxLJF+6xLA=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4196.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: daff0750-67ff-472a-d140-08db740049c1
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jun 2023 15:41:18.9294 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9lS7rEQXSW33P20iRxIhMZv0cT+3ZWzfMzVoYxc4xQiPuQLjZZWQMOxY2DDncBT1CFghA4pf2J0VrWEojACCrg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR11MB6384
X-Outbound-SMTP-Client: 72.163.7.164, rcdn-opgw-3.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ZTLN-S8UU5gNGmDKYpRp3H1aoK8>
Subject: [netconf] AD review of draft-ietf-netconf-keystore-28
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2023 15:41:28 -0000
Hi Kent, Another really well written document that is very clear and easy to read, hence all my comments are only minor or nits. The only notable one is about copying the parts of the key into running, i.e., whether those parts of the key definition should be mandatory. There are benefits both ways and it isn't really clear which way this is going to go with the Netmod system datastore discussion. I didn't flag it, but I did question whether the SEC ADs may want some of the SHOULDs in the security considerations to be MUSTs, but I will defer to your judgement on this for now, and obviously their judgement when it comes to IESG review. Moderate level comments: None. Minor level comments: (1) p 8, sec 2.1.3.2. The "asymmetric-key-certificate-ref-grouping" Grouping * This grouping is usable only when the keystore module is implemented. Servers defining custom keystore locations MAY define an alternate grouping for references to the alternate locations. I would suggest "can" rather than "MAY" here. (2) p 8, sec 2.1.3.3. The "inline-or-keystore-symmetric-key-grouping" Grouping grouping inline-or-keystore-symmetric-key-grouping: +-- (inline-or-keystore) +--:(inline) {inline-definitions-supported}? | +-- inline-definition | +---u ct:symmetric-key-grouping +--:(keystore) {central-keystore-supported,symmetric-keys}? +-- keystore-reference? ks:symmetric-key-ref How likely is it that there will be extra keystores augmented in? Specifically, I wonder whether "central-keystore-reference" would be a better leaf name here? If you decide to change here, I presume that you will check/change other similar occurences. (3) p 29, sec 2.3. YANG Module Servers that do not 'implement' this module, and hence 'central-keystore-supported' is not defined, SHOULD augment in custom 'case' statements enabling references to the alternate keystore locations."; I'm not sure about the "do not 'implement' this module" text. Could this comment just be predicated on whether the server supports the feature? This same comment/resolution probably applies to similar descriptions below. (4) p 30, sec 2.3. YANG Module description "A reference to an symmetric key that exists in the keystore, when this module is implemented."; I would suggest removing the "when this module is implemented" part of the description, since that is implicit on any data node predicated on a feature. (5) p 36, sec 3. Support for Built-in Keys <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore" xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> <asymmetric-keys> <asymmetric-key> <name>Manufacturer-Generated Hidden Key</name> <public-key-format>ct:subject-public-key-info-format</public-k\ ey-format> <public-key>BASE64VALUE=</public-key> <hidden-private-key/> <certificates> <certificate> <name>Manufacturer-Generated IDevID Cert</name> <cert-data>BASE64VALUE=</cert-data> </certificate> <certificate> <name>Deployment-Specific LDevID Cert</name> <cert-data>BASE64VALUE=</cert-data> </certificate> </certificates> </asymmetric-key> </asymmetric-keys> </keystore> Related to my comment on the other draft, it would have been nice if the public-key-format, public-key, hidden-private-key and cert-data fields could be kept out of running, but presumably it is too undesirable to make all of these fields mandatory false (e.g., by the a 'use' refinement statement)? I think that if, after copying, the public-key is changed, then this will end up causing a configuration error if the key is ever updated out of band, since the updated publci-key field would overrite the value in system (assuming tha names match), which could the public and private keys to be out of step. I.e., there is a benefit of keeping them out of running if possible. (6) p 37, sec 3. Support for Built-in Keys <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore" xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" or:origin="or:intended"> <asymmetric-keys> <asymmetric-key or:origin="or:system"> <name>Manufacturer-Generated Hidden Key</name> <public-key-format>ct:subject-public-key-info-format</public-k\ ey-format> <public-key>BASE64VALUE=</public-key> <hidden-private-key/> <certificates> <certificate> <name>Manufacturer-Generated IDevID Cert</name> <cert-data>BASE64VALUE=</cert-data> </certificate> <certificate or:origin="or:intended"> <name>Deployment-Specific LDevID Cert</name> <cert-data>BASE64VALUE=</cert-data> </certificate> </certificates> </asymmetric-key> </asymmetric-keys> </keystore> I would have thought that or:intended would also be applied to the asymmetric-keys container. Then the existing or:origin="or-intended" on'Deployment-Specific LDevID Cert' can be removed, and "or:origin="or-system" could be added to the other certificate that is not in running. (7) p 39, sec 4.3. Migrating Configuration to Another Server The following diagram illustrates this idea: In the diagram, the direction of the arrows and 'encrypted by' can perhaps be read either way. E.g., I can read that diagram as saying that the MK-1 key is encrypted-by "shared KEK". Would it make sense to use "encrypts" rather than "encrypted by" and reverse the direction of the arrows? Nit level comments: (8) p 0, sec The "Relation to other RFCs" section Section 1.1 contains a self- reference to this draft, along with a corresponding Informative Reference in the Appendix. Please clarify this instruction, as per the other reviews. (9) p 3, sec 1. Introduction The "ietf-keystore" module defines many "grouping" statements intended for use by other modules that may import it. For instance, there are groupings that define enabling a key to be either configured inline (within the defining data model) or as a reference to a key in the keystore. Should this be "the keystore" or "a keystore" (10) p 3, sec 1. Introduction Implementations may utilize zero or more operating-system level keystore utilities (e.g., "Keychain Access" on MacOS) and/or cryptographic hardware (e.g., TPMs). I suggest eliding "zero or more", which is implies by the may. (11) p 5, sec 1.3. Terminology The term "keystore" is defined in this document as a mechanism that intends safeguard secrets placed into it for protection. I found this sentence to be somewhat clunky to read. Perhaps just "that safeguards secrets ..."? (12) p 7, sec 2.1.3.1. The "encrypted-by-choice-grouping" Grouping The grouping's name is intended to be parsed "(encrypted- by)-(choice)-(grouping)", not as "(encrypted)-(by- choice)-(grouping)". Possibly dropping the "-choice-" part of the name, i.e., encrypted-by-grouping, might help avoid potential confusion? (13) p 11, sec 2.1.3.7. The "keystore-grouping" Grouping grouping keystore-grouping: +-- asymmetric-keys {asymmetric-keys}? | +-- asymmetric-key* [name] | +-- name? string | +---u ct:asymmetric-key-pair-with-certs-grouping +-- symmetric-keys {symmetric-keys}? +-- symmetric-key* [name] +-- name? string +---u ct:symmetric-key-grouping The first "string" looks too far right. (14) p 12, sec 2.1.4. Protocol-accessible Nodes =============== NOTE: '\' line wrapping per RFC 8792 ================ For readabilty of this diagram, it might be better to have an RFC editor note, asking them to fix this manually, e.g., to wrap the feature statements and add in the missing '|' characters. (15) p 27, sec 2.3. YANG Module feature central-keystore-supported { description "The 'central-keystore-supported' feature indicates that the server supports the keystore (i.e., implements the 'ietf-keystore' module)."; } Perhaps "fully implements the ...", since technically a server could 'implement' this module but not support the central-keystore-supported feature. (16) p 29, sec 2.3. YANG Module grouping inline-or-keystore-symmetric-key-grouping { description "A grouping that expands to allow the symmetric key to be either stored locally, i.e., within the using data model, or a reference to a symmetric key stored in the keystore. Will readers generically undersatand the "using data model"? Perhaps "i.e., within the data model that uses this grouping, or a ..." (17) p 38, sec 4.2. Configuring Encrypted Keys Implementations SHOULD provide an API that simultaneously generates and encrypts a key (symmetric or asymmetric) using a KEK. Thusly newly generated key cleartext values may never known to the administrators generating the keys. 'may never known' => 'are never known'? (18) p 42, sec 5.3. The "ietf-keystore" YANG Module All the writable data nodes defined by this module, both in the "grouping" statements as well as the protocol-accessible "keystore" instance, may be considered sensitive or vulnerable in some network environments.. For instance, any modification to a key or reference to a key may dramatically alter the implemented security policy. For this reason, the NACM extension "default-deny-write" has been set for all data nodes defined in this module. s/.././ Regards, Rob
- [netconf] AD review of draft-ietf-netconf-keystor… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-key… Kent Watsen
- Re: [netconf] AD review of draft-ietf-netconf-key… Rob Wilton (rwilton)