Re: [netconf] I-D Action: draft-ietf-netconf-keystore-27.txt

tom petch <ietfc@btconnect.com> Wed, 18 January 2023 12:38 UTC

From: tom petch <ietfc@btconnect.com>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Wed, 18 Jan 2023 12:37:59 +0000
Message-ID: <AM7PR07MB6248CDDEA380E553031F4622A0C79@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <167087094875.45631.5752947059896213334@ietfa.amsl.com>
In-Reply-To: <167087094875.45631.5752947059896213334@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/aP2lMPX26KD5QjOrMbwza92YwUM>

Some thoughts, editorial mostly, on this version of this I-D.

Generally, I find many of the identifiers cumbersome, up to nine hyphen-separated elements; I would see three or four as good and five as tolerable, more than that error prone.

     grouping local-or-keystore-end-entity-cert-with-key-grouping
As ever, I see -grouping as prolix.  I would also like to shorten local-or-keystore as a generic term for, well, locality, or location, or place, or site, or .... there are lots of possible synonyms.  Also, where the grouping is about a cert, then I think that that should come before locality.  To me it is the cert that matters, not the option about its locality.

I would also like to shorten 'cert-with-key' which occurs many times but do not have an alternative to offer.

The other general comment is that in places this reads as Security 101, which I do not think that the Netconf WG should be publishing (even if the text has come from Security ADs or such like).  The changes here would be small, deletions mostly,  but I think should be made.  Thus comments about built-in keys SHOULD NOT be cleartext are nothing to do with a YANG module, they are or they are not and no YANG module is going to change that.   There are several such statements in sections 3, 4 and 5 which to me belong in a BCP from the Security Area.

Some less contentious points.

     grouping asymmetric-key-pair-with-cert-grouping
     grouping asymmetric-key-pair-with-certs-grouping
I think an unfortunate pairing; that letter 's' buried in the middle will be missed.  Even
     grouping asymmetric-key-pair-with-cert
     grouping asymmetric-key-pair-with-certs
could cause errors.

   The term "keystore" is defined in this /draft /document/
          
The term "key" may be used to mean one of three things in this /draft:/document/
Well, four to be picky - you also have it from RFC2119

In the tree diagrams, the type 'string' seems to wander around, as in 2.1.3.7, and not stay in a predictable place.

What happens to choice/case if no features are defined?  I do not know if YANG can enforce or cope with that.

s.2.1.4
'The protocol-accessible nodes for the "ietf-keystore" module are an instance '
perhaps instances

s.2.2.3
a big section when there are no page numbers - worth splitting into subsections IMHO

prefix eku
we could do with a documentation-only YANG prefix; to me this looks too real, perhaps ex-eku

s.3
built-in keys
Built into what?  The YANG module?  suggest 'built into the device' or some such.

I-D.ma-netmod-with-system
needs to be Normative IMHO - I cannot understand system without it

copied into <running>
copied from where?

all key types may be copied 
again, copied from where?

built-in key
lacks a terminal period

<running> data tree
Why data tree here when everywhere else it is just <running>?

s.4 Nothing to do with Netconf IMHO!

s.5.3
SSH, TLS lack references

Tom Petch

_______________________________________
From: netconf <netconf-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: 12 December 2022 18:49
To: i-d-announce@ietf.org
Cc: netconf@ietf.org
Subject: [netconf] I-D Action: draft-ietf-netconf-keystore-27.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Configuration WG of the IETF.

        Title           : A YANG Data Model for a Keystore
        Author          : Kent Watsen
        Filename        : draft-ietf-netconf-keystore-27.txt
        Pages           : 52
        Date            : 2022-12-12

Abstract:
   This document defines a YANG module called "ietf-keystore" that
   enables centralized configuration of both symmetric and asymmetric
   keys.  The secret value for both key types may be encrypted or
   hidden.  Asymmetric keys may be associated with certificates.
   Notifications are sent when certificates are about to expire.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-netconf-keystore/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-netconf-keystore-27.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-netconf-keystore-27


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
