Re: [Netconf] [6tisch] [Anima] Cross-WGs WGLC (second) on draft-ietf-anima-voucher-04 - Respond by Aug 08, 2017
Kent Watsen <kwatsen@juniper.net> Fri, 18 August 2017 13:21 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 508F313235B; Fri, 18 Aug 2017 06:21:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4iVWWSz41g2N; Fri, 18 Aug 2017 06:21:20 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0137.outbound.protection.outlook.com [104.47.33.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8D7E1204DA; Fri, 18 Aug 2017 06:21:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=8Sot/wKNZ6NceRCtCuixpjZtZX9vs+ca51hEMhb5mqA=; b=hkB0UbArPm/zjyImPDJTCkl/nrvjGQq3c3Qd5QEAvRe65LI7eA/MDL5ZgPre2hGwbkGR17WXQYXFNChz+FFWggWC5bftNYaVp83NWwrgtDfSdCxBt7w+lDkRmvgFcncwllmXLEyO/NYoBU59hbarI1ZH44SvqrNj7GhxSz63+Ew=
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1395.namprd05.prod.outlook.com (10.160.117.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1362.12; Fri, 18 Aug 2017 13:21:17 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.01.1385.003; Fri, 18 Aug 2017 13:21:17 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "consultancy@vanderstok.org" <consultancy@vanderstok.org>
CC: Sheng Jiang <jiangsheng@huawei.com>, "anima-chairs@ietf.org" <anima-chairs@ietf.org>, "6tisch@ietf.org" <6tisch@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [6tisch] [Netconf] [Anima] Cross-WGs WGLC (second) on draft-ietf-anima-voucher-04 - Respond by Aug 08, 2017
Thread-Index: AdMKmFTPR22MviVNQvGwNG9FbFt4tQAG0+8AAvnwfwAAVqYFgAADVm+A
Date: Fri, 18 Aug 2017 13:21:17 +0000
Message-ID: <8168023A-AC1F-4A7E-B8BA-026651EFEF33@juniper.net>
References: <5D36713D8A4E7348A7E10DF7437A4B927CE3D826@NKGEML515-MBX.china.huawei.com> <76229c58f5d60d3a0c185c6645ba4355@xs4all.nl> <3F9D68E6-57C9-48EF-A4EB-3CA8B613D42D@juniper.net> <1fee7f82c855def7345d506fbb720dbc@xs4all.nl>
In-Reply-To: <1fee7f82c855def7345d506fbb720dbc@xs4all.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kwatsen@juniper.net;
x-originating-ip: [66.129.241.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1395; 6:NVHr/MOUAmN7XZAeF8vdcAFr3yxKGBSxLRwUgga0Yo2TZoYHiE4c4HMAOlQBEfgdtc0VrBuAXy3nu4/8VHUxipItDZDsf3rPthjviFKaxB4wQhhEMgVWRZctMdidFMw+y5qkRrWq0OM9tz5u08ZFuRAaUky8kyw83UIMfC3y4Mh8VHM57YlUuXcR+ZffVMtfQ7QY+0HlGMMTAcvsdt01nHzq4SWupv/bEQoYlyPPJcpSKSTa2iwlr+DsTN1I5gKhjxv4DptlZVo8runk8071U2D1XPizLvWeWSstu4Bpztu4aoLYa3m5Cx6NdF6vserqj2lwDmNQSJU8j3dnkX0yxg==; 5:P2BmF6rx77MIjQoaY8RcJwa4DZy9DZSOuUaiBp9q7LElzkXXDC9RPOsDDs6AofFNQrXb1dIUBYycrmiLK0I+rEKOwZesXc9ARm2CWKWGr+TQF1UGfcJtuwsB7Vft80SwJmUgSDZEHyzWEscse+E9ig==; 24:xDk2T0g5cCk0bU7hlBgDP0SAeNHJBYX6eJ5zJFv59H5g1og0qYJHBjXYFn4oVq9HjpQKX0kQEdgRF1D28MYw4OA5u7o3gx6s8Nhm5ilmRvE=; 7:6BFTE9bLGApxQfW7OGY6HJfWZqVakQZdt7wkMluZk9m3QzCcFWZ0vtSaiTIgupF5LlxUDC1/A3cAMikN8YwDlm8wDbEgrNzehhPkemBFRtlN0abhAynXAwO+ru6dy+C6RVbcUh1erHSyuRdcNdRCiRocxciGnCvDV4iIgpV0gVZ8f4HYPsyOU+4UkElnV7oAH9L6dO9ToRqajwk+AluBLZc3vwQMFjsQgmhJbNlLVUM=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 493efde7-dab9-47a9-4e29-08d4e63c024a
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN3PR0501MB1395;
x-ms-traffictypediagnostic: BN3PR0501MB1395:
x-exchange-antispam-report-test: UriScan:(60795455431006)(17755550239193);
x-microsoft-antispam-prvs: <BN3PR0501MB13959ECE1FFEE47DD05A5863A5800@BN3PR0501MB1395.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(100000703101)(100105400095)(93006095)(93001095)(10201501046)(3002001)(6055026)(6041248)(20161123560025)(20161123558100)(20161123555025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN3PR0501MB1395; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN3PR0501MB1395;
x-forefront-prvs: 040359335D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39860400002)(199003)(189002)(25786009)(6436002)(54356999)(6506006)(33656002)(101416001)(50986999)(76176999)(77096006)(6486002)(97736004)(6246003)(81166006)(81156014)(1730700003)(4001350100001)(110136004)(8676002)(230783001)(8936002)(2501003)(7736002)(305945005)(14454004)(4326008)(229853002)(54906002)(99286003)(2950100002)(6512007)(68736007)(6916009)(53936002)(105586002)(106356001)(5640700003)(2351001)(478600001)(102836003)(3846002)(3660700001)(6116002)(2906002)(2900100001)(5660300001)(83506001)(189998001)(83716003)(3280700002)(82746002)(93886005)(66066001)(36756003)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1395; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <B916E9FD480EB94180DE8A9941C3D21B@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Aug 2017 13:21:17.6307 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1395
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/_S6cA7yH_JUmpwaNOtvlIj2of48>
Subject: Re: [Netconf] [6tisch] [Anima] Cross-WGs WGLC (second) on draft-ietf-anima-voucher-04 - Respond by Aug 08, 2017
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 13:21:22 -0000
Hi Peter, >> Can a discussion section about "manufacturer additions" be >> added. Pointing out the consequences for interoperability >> when using "Augment" to add manufacturer specifics can be >> helpful. > > I'm confused, which section does this comment regard? It refers to the document as a whole and especially section 7. Usually, manufacturers want manufacturer-specific additions to documents. They may consider to use Augment for that purpose. My suggestion is to discuss ways to add manufacturer additions to the voucher and the consequences. That may turn out to be a big NO-NO to manufacturer additions. I think it would be worthwhile to point that out. <KENT> Are you asking for the voucher to contain a node called something like 'opaque' having YANG type 'anyData'? A sanctioned place where the MASA can stash some extra stuff not defined by this document? Recall that some of the motivation for this work being standardized is to enable inspection by intermediates, and while the opaque data could be presented to a human, it might be base64 data. Any concerns bout that? > Section 2; mention terminology from RFC7950 > > <KENT> What is this? Are you asking for the draft to import terms > from RFC7950? Which terms Reading RFC7950 is useful to understand section 4 for example; and needed when reading the voucher YANG text. So not especially terms, but complete knowledge of RFC7950 is required. <KENT> I added an introductory sentence to Section 6.3: Following is a YANG [RFC7950] module formally describing the voucher's JSON document structure. Good? > page 4, Voucher: add: that "acknowledges ownership of the pledge and" > indicates... > > <KENT> what does "acknowledges ownership of the pledge" mean? how > is it different than "indicates to a Pledge the cryptographic identity > of the Domain it should trust"? Now I am confused. I thought it was 2 ways. Pledge trusts domain, and domain partners trust pledge. <KENT> The pledge trusts the MASA (which signs the voucher) and then the pledge trusts the domain (whose cert is inside the voucher). Perhaps you're conflating signing the voucher with acknowledging ownership? >> Add type in: >> Ownership ID voucher "type" is named >> Bearer Voucher "type" is named > > <KENT> you only mention these two, but none of the voucher type > descriptions have "type" in them, or maybe I'm missing something. The name of the voucher is taken from the type I understand. Only ownership ID voucher and Bearer voucher have text starting with "xxxx is named". I see that I forgot: An audit voucher "type" is named ..... <KENT> Max, this is your section, can you reply to Peter on this? >> section 7.1 last line: "there is a delay" is that delay between >> creation >> and consumption and when is the delay unacceptable? the text is (on >> purpose?) vague. > > <KENT> The previous sentence says "...there may be a significant > delay between when a voucher is created and when it is consumed." > and the remainder of the line you're citing says "to ensure that > the assertions made when the voucher was created are still valid > when it is consumed." This is vague? To me yes. It sounds like a circular definition. To paraphrase: When the voucher is consumed, the assertions are valid by definition. I would expect a pointer to a delay definition and then an assertion that states: when consumption time is larger than the creation time + delay, the voucher is invalid. <KENT> I'm modified the paragraph slightly (s/delay/time delay/ + end of last sentence): The lifetimes of vouchers may vary. In some bootstrapping protocols, the vouchers may be created and consumed immediately whereas, in other bootstrapping solutions, there may be a significant time delay between when a voucher is created and when it is consumed. In cases when there is a time delay, there is a need for the pledge to ensure that the assertions made when the voucher was created are still valid. and the 3rd paragraph, to call out the 'expires-on' leaf: Addressing the short-comings of revocations, this document recommends instead the use of lightweight renewals of short-lived non-revocable vouchers. That is, rather than issue a long-lived voucher, where the 'expires-on' leaf is set to some distant date, the expectation is for the MASA to instead issue a short-lived voucher, where the 'expires- on' leaf is set to a relatively near date, along with a promise (reflected in the 'last-renewal-date' field) to re-issue the voucher again when needed. Importantly, while issuing the initial voucher Better? Kent
- [Netconf] Cross-WGs WGLC (second) on draft-ietf-a… Sheng Jiang
- Re: [Netconf] [Anima] Cross-WGs WGLC (second) on … peter van der Stok
- Re: [Netconf] [6tisch] [Anima] Cross-WGs WGLC (se… Michael Richardson
- Re: [Netconf] [Anima] Cross-WGs WGLC (second) on … Kent Watsen
- Re: [Netconf] [6tisch] [Anima] Cross-WGs WGLC (se… peter van der Stok
- Re: [Netconf] [6tisch] [Anima] Cross-WGs WGLC (se… Kent Watsen
- Re: [Netconf] [6tisch] [Anima] Cross-WGs WGLC (se… peter van der Stok
- Re: [Netconf] [6tisch] [Anima] Cross-WGs WGLC (se… Kent Watsen
- Re: [Netconf] [6tisch] [Anima] Cross-WGs WGLC (se… peter van der Stok