[netconf] rename /ta:trust-anchors to /ts:truststore

Kent Watsen <kent+ietf@watsen.net> Thu, 02 May 2019 17:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/aVFnwnShjmjwuV0Ditq28rx6tJw>

One of the Change Log entries in Monday's update to the trust-anchors draft said this:

  o  Added groupings 'local-or-truststore-certs-grouping' and 'local-
     or-truststore-host-keys-grouping', matching similar definitions in
     the keystore draft.  Note new (and incomplete) "truststore" usage!

Regarding renaming the top-level container, I initially did this so that these new grouping names made sense (i.e., they sound like they're referring to a noun), but a little searching found lots of precedent. For instance:

  1. Truststore and Keystore Definitions
     https://stackoverflow.com/questions/318441/truststore-and-keystore-definitions

  2. Trust Store vs Key Store - creating with keytool
     https://stackoverflow.com/questions/6340918/trust-store-vs-key-store-creating-with-keytool

  3. Difference between trustStore vs keyStore in Java SSL
     http://www.java67.com/2012/12/difference-between-truststore-vs.html

In my view, the above not only confirms that we should rename "trust-anchors" to "truststore", but also that we did the right thing in having separate models for keys and trust anchors.

If no objection is raised, this name change will be in the next update to the trust-anchors draft (note: the draft name itself will stay the same).  This update will likely not occur before the crypto-types "hidden" key issue is resolved, so as to minimize the number of updates.

Separately, there needs to be a discussion regarding these new groupings, specifically if the SSL and TLS client/server drafts should be updated to use them, to enable local-definition of trust anchors, rather than only supporting references to /ta:trust-anchors (or now, I guess, /ts:truststore).  It would be great if someone wants to comment on that now as well.

PS: As mentioned in Prague, the goal is to move the three drafts (crypto-types, keystore, and trust-anchors) to Last Call quickly, hence the attention being given to them lately.

Kent // contributor