Re: [netconf] AD review of draft-ietf-netconf-sztp-csr

"Rob Wilton (rwilton)" <rwilton@cisco.com> Thu, 24 June 2021 17:17 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F29BF3A2448; Thu, 24 Jun 2021 10:17:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.595
X-Spam-Level:
X-Spam-Status: No, score=-9.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=OIVaNHfT; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=W0HHNlo1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O4Mz4Si2Y94K; Thu, 24 Jun 2021 10:17:49 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2A3C3A2449; Thu, 24 Jun 2021 10:17:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=44188; q=dns/txt; s=iport; t=1624555069; x=1625764669; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=X2GD4MhJ7p9vSPohr9lxs3oW6WKpEruT7pzbjCrcF4g=; b=OIVaNHfT7rgCiNHV/RD6IKdvuraraWOawt2v5vp3BddbxuhsNiyDNsFC DEaG+WcXlWQEIEqDFzApwVXpWlZkFF0i8tZqY37x7HhkQNy2HXOWeT7jZ YOeYkfXqyjxhdVEodJ+6UBSaaMdD6iefuum4wHArSSDKB62kJQUalhU/n g=;
X-IPAS-Result: =?us-ascii?q?A0AEAwD6vNRgl49dJa1RCR4BAQsSDIIMC4EjMCMuflo3M?= =?us-ascii?q?QuEPYNIA4U5iHgDmh2CUwNUCwEBAQ0BAT8CBAEBhFICF4JYAiU3Bg4CBAEBA?= =?us-ascii?q?QEDAgMBAQEBBQEBBQEBAQIBBgQUAQEBAQEBAQFohTsFKA2GRQEBAQEDEhEKE?= =?us-ascii?q?wEBNwEPAgEIEQQBASEBCQICAjAdCAEBBA4FCBqCTwGBflcDLwEDmwUBgToCi?= =?us-ascii?q?h96gTKBAYIHAQEGBASFLBiCMQmBOoJ7hAwBAYZhJxyBSUSBFUOCYD6EGAMRG?= =?us-ascii?q?oMVNoIugjY2ByYFAQJiBBQvMA8gQgdBBQYYBw8ZBkORDoNBiBiNJZIECoMfk?= =?us-ascii?q?UiMWhKDX4srhjGQPLMzghMNgVuDAwICAgIEBQIOAQEGgWojgVtwFYMkUBcCD?= =?us-ascii?q?olJhFYJAw0Jg06KXnM4AgYBCQEBAwl8iFKBNgGBEAEB?=
IronPort-PHdr: A9a23:KSxSnBI+5NRnnKULhNmcuXkyDhhOgF28FhEc9oEqjfRIf7jwt5jhP UmK4/JrgReJWIjA8PtLhqLQtLyoQm0P55uN8RVgOJxBXhMIk4MaygonBsPWFkTnN/PsKSo3A JcKWFps5XruN09TFY73bEHTpXvn6zkUF13/OAN5K/6zFJTVipG81vu5/NvYZAAb7Ac=
IronPort-HdrOrdr: A9a23:2tu3IaFchD833j/upLqFbpHXdLJyesId70hD6qkvc31om52j+f xGws516fatskdvZJkh8erwX5VoMkmsi6KdgLNhfItKOTOHhILGFvAY0WKP+UyEJ8S6zJ8g6U 4CSdk/NDSTNykBsS+S2mDReLxMrKjlgcKVbKXlvgpQpGpRGsddBnJCe36m+zpNNXB77PQCZf 6hz/sCgwDlVWUcb8y9CHVAdfPEvcf3mJXvZgNDLwI76SGV5AnYq4LSIly95FMzQjlPybAt/S zuiAri/JiutPm911v1y3LT1ZJLg9Hso+EzRvBky/JlbwkEuDzYI7iJaIfy+gzdZ9vfsWrCpe O85yvI+f4Ds085MFvF+icFkDOQoQrGo0WSuWNwx0GT+/AQgFkBepZ8bUUzSGqF16NohqAO7I tbm22erJZZFhXGgWD04MXJTQhjkg6urWMlivN7tQ0TbWIyUs4bkWUkxjIeLH7AJlON1Kk3VO 11SM3M7vdfdl2XK3jfo2l02dSpGnA+BA2PTEQOstGcl2E+pgE382IIgMgE2nsQ/pM0TJdJo+ zCL6RzjblLCssbd7h0CusNSda+TmbNXRXPOmSPJkmPLtBKB5sMke++3FwR3pDlRHUl9upHpH 3xaiIQiYdpQTOaNSSn5uw9zvniehTOYQjQ
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.83,296,1616457600"; d="scan'208,217";a="706009320"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Jun 2021 17:17:47 +0000
Received: from mail.cisco.com (xbe-aln-001.cisco.com [173.36.7.16]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 15OHHj70014162 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 24 Jun 2021 17:17:46 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xbe-aln-001.cisco.com (173.36.7.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.792.15; Thu, 24 Jun 2021 12:17:46 -0500
Received: from xfe-rcd-001.cisco.com (173.37.227.249) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Thu, 24 Jun 2021 13:17:44 -0400
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-001.cisco.com (173.37.227.249) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Thu, 24 Jun 2021 12:17:44 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dAKiuNfSYYovn2zWFGnnr1L9jJ0yUH4LK9U5jwdgJoYJplKnF2gl4wLwXeWFiiaX0TFr3PdZMxD6pYecHSodZYL01t9R022gPMjpZMFfki1KKn4CkdZ4kntnmOb7YQ4xfeN6VINA4COgD64KnhJEj72d371sXXtZwW3Y6e9sG/UdN5eQlsjbStN2J8newEHw1phgQJLarSEuCAkEKdZTjf07YLZvUS3FDE/OuLHO8MHlUSRhIRA/rVr/KlM+CV37nWjceyOoJ+5x4MYoQwjfjiNdGzjhTU6E4aeU08wY0CC4OfzUgI5mc0CX+SShfqieKRRQ5I6P72KS+pFPvzC2Mg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=X2GD4MhJ7p9vSPohr9lxs3oW6WKpEruT7pzbjCrcF4g=; b=F3ucUC9f4vw20AnTBzX4nW+fM6ip2CtpqT00XOr3jtHEaQWvYIPg9FDsT1E3RUPVru2l1biGiLN0XhtyYk7Fwpc833eXjX/N/7qku1A8u3N/jw1FTWh6HOcfrdK66d7R53iJsivCUqGUhcXtdoS34aiTs4efJVl+HFbaeXt0JoXLHjVOEElF0M70QjUtX5vqGvuJqkqjCWKKwBwNlxOjAS6uR64lywHLN6bVmyfDwJDXdhUdQJtQPuBb4m8DEs77U3F13i7Onp+l6h5taeVBSZF4FoaQz0GNftUwVSMFBF0Ureucxj9Usm5cqdc4OqDZPnGde7pD0vK5wNbxLTR+lQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=X2GD4MhJ7p9vSPohr9lxs3oW6WKpEruT7pzbjCrcF4g=; b=W0HHNlo11K0ZBVhEnka9VjHpW/Ee0cApWGLvJcMBxTBntyLud7HzkhGomMo4gpPVlQy7z5qp4GkD5zfg3rzPJhdA8/CV5u0eek9OROhGocIO/v8pZ1BzTck3TOyRwZ2bRU9ZowVnInbsSwO4OdVdcR85kIKy4yuf3oPcWsq5Czo=
Received: from DM4PR11MB5438.namprd11.prod.outlook.com (2603:10b6:5:399::21) by DM6PR11MB3898.namprd11.prod.outlook.com (2603:10b6:5:19f::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.18; Thu, 24 Jun 2021 17:17:43 +0000
Received: from DM4PR11MB5438.namprd11.prod.outlook.com ([fe80::e14c:8880:1101:bb0c]) by DM4PR11MB5438.namprd11.prod.outlook.com ([fe80::e14c:8880:1101:bb0c%7]) with mapi id 15.20.4264.020; Thu, 24 Jun 2021 17:17:43 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, "draft-ietf-netconf-sztp-csr@ietf.org" <draft-ietf-netconf-sztp-csr@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>
Thread-Topic: AD review of draft-ietf-netconf-sztp-csr
Thread-Index: Addmei+76OsPA+grSaqUN2qOgkG4uAAMdT6AAAAewWAAmDJOgAABKWhQ
Date: Thu, 24 Jun 2021 17:17:43 +0000
Message-ID: <DM4PR11MB54383EB098E3344A85A2DAA5B5079@DM4PR11MB5438.namprd11.prod.outlook.com>
References: <DM4PR11MB543889219C08694C147C6DA4B50A9@DM4PR11MB5438.namprd11.prod.outlook.com> <0100017a2f082e6a-1197e3c8-f8be-4d59-ba1c-8d39029a31fc-000000@email.amazonses.com> <DM4PR11MB543824369BA6920C7FA67BDEB50A9@DM4PR11MB5438.namprd11.prod.outlook.com> <0100017a3ea111a8-680c5610-bc55-4a82-b7fd-7715656f4924-000000@email.amazonses.com>
In-Reply-To: <0100017a3ea111a8-680c5610-bc55-4a82-b7fd-7715656f4924-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: watsen.net; dkim=none (message not signed) header.d=none;watsen.net; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [82.12.233.180]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8973df9a-c846-4cf4-52d8-08d93733fa57
x-ms-traffictypediagnostic: DM6PR11MB3898:
x-microsoft-antispam-prvs: <DM6PR11MB3898F50CE418863CB16B4AB3B5079@DM6PR11MB3898.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: d7+pGcQHN32UDIYX8LYf9j677q82RdUPg15F7Vu2aqWIuzcm3cn13kgtR9tuEea25H4Rb+sGzM3usoSqDaFcgQSpWERDyurGnpme9Kl6R3Tb1RuvxrG3s20AxBa+4QRUVBNO3TmNEQ81r2Dlbi21UnnoniithM/fhPHuKy4Le8qyc+HSQpRyDYuTYv214vR9fjVLvZop7qnUUHQ69+9yUtinu/ag80OSVkh/jATp/T/9QfnasLTA8dIN9odcYEEZL/vq09Oy2U5oi4zXr51pUTDGAiP1eFcymAfIBy2bLNF40QjHGYT6kbxDns9N/AXwIVuBc7a0/vzq9mAWaJWQCABghOXjSalllQTrwtZT5Ya4zD2nF4zlr8iMVEDGBQR/lPB4F06y+tE0zyxSe5jC4KbetrblOS8M0eQCyNbVCkywwg7GxdKjNXOISYlbdHC+/B/+vBEwX+EVdLDgtie6sbM2MZLvRRwuxQV2fDc7I7xz/WPOKg6px61U3Zr+NrCPcTeQN8bSoqdiOsHKgBf0GQ6zXPUi6AGvYBORz8jtKM7GAOgEaZZ4S9BwJWGfhWXWE0YW3zpIbY+Lqs8IUZk/qbBc4yUa0lMhtThtjx8tUeo=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM4PR11MB5438.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(396003)(39860400002)(366004)(376002)(346002)(52536014)(71200400001)(9686003)(316002)(5660300002)(186003)(122000001)(7696005)(478600001)(86362001)(38100700002)(8676002)(4326008)(26005)(33656002)(55016002)(76116006)(54906003)(8936002)(66556008)(64756008)(66476007)(66946007)(2906002)(9326002)(83380400001)(66446008)(6506007)(53546011); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?RDhQcjh3d2pHRis4SGFWc1dqUGwxenhROVdVVXZHRnNJd29QTFIwdG96aXg3?= =?utf-8?B?UEd4ZkNOSm0zT1ZjZGVBTXEvQmpReVg5R2VyTVlBYjFpeTFDRHRvUkttbWZx?= =?utf-8?B?TGdSNzBVTDlhYnRkMFJtOU1BVTFvcTRZcVdhaitBOTVsQXJEaHIyRnY5SENa?= =?utf-8?B?bTBWY3VubUtQKzRaNnNyKzQ5ZkZKTE1CZ0VheHdXQUFWVHZFQ21BWnc3ZjFO?= =?utf-8?B?VXB2Wmp4ejl3NVh4RW9iaDNQcitXQ1RDTitBSjBPa3dMQWdia3ZDSVZoMmdr?= =?utf-8?B?Ykx1ZmJZVUlrUFV3ckhZa0hiNXRHQ2JJbnJWSnR4M1pzV0FmTkkwTWFaTXVh?= =?utf-8?B?czlRWUEzNjBxN1lMYXhyZUZkYWRJMmFQYjdxZDc1OG8rVG1LRXpGS25TSm9Z?= =?utf-8?B?eTArcnV3UFlQNWx6eVowLzdVOXdUaUxTYWhVNmN6YlhOcW1Xd1VOQmh4L0hW?= =?utf-8?B?TVRYd3F5U2N2ZE9RaUNha3MzZkpLSmt3bjFadXVLSDFDN2k2MHkzVUtoL0Nr?= =?utf-8?B?eFFhVkl2eGVDb0M3UStSdFVDYjR2Q0pDS3ZvK3h6L3RlS0RyZFFYNUR4MzNy?= =?utf-8?B?OGdJWGIvaUM4VjMxQnFKdnQwZUdycVVGaU5Fd0VWSUtEd1ZORjJiQmJDNkRQ?= =?utf-8?B?Wlg3UmlmbnViV2M3RFUwZ0VuV2pIcE41WkNTcHZYemhvZERUampMaGlBNlc2?= =?utf-8?B?WCtkSjAwbjF1R3FKa3g0Y0hTa29QQU9yd2dxR0twTm1wcVRZd3FBcVB5alAv?= =?utf-8?B?OC9xQkJaSFhzMDlYb1RxQWk5TUZOUmZweW4vaDcwSFd2M1g5T3VsSmphUG56?= =?utf-8?B?OGlHYng4RHBKOFJ6bGwvWDJMdi9ISmJ0aGxWK3c0ejVQQWszSmk3TWpqTWxE?= =?utf-8?B?Mk1JN1I0QVRTYy9oUzFYdk5UOFlWWVFpQjFpd1c4bmU4SlpsRFQ1dUR3OG8z?= =?utf-8?B?bWxtN0lGWkYzeTVHU29vbVRIWWpCQXpvSmNNSXJQblN0M2trUnM1L2tzMWox?= =?utf-8?B?VUdxbHM0TUp2STRxTi85UlBLMkFQQXl4czlsTFN3d2NxKzhPR3NFWVdUSUpZ?= =?utf-8?B?RnpXbVJHendaNkdXaTd6bmozMVBuT3g4UVU1ZHk1elV3OHlPSFFEYWpOQXNP?= =?utf-8?B?VGtLOFNOQWNNQ2lSOTJWSy8rencwUjVkTHUrQjVmcVVzdDVvakthMkp3bDJj?= =?utf-8?B?bFdFNzFGekRScFA3dms1R1NCbFV3SHR4K05zV09EbkhGamFUMkViMXozTE5x?= =?utf-8?B?SDZwcW0rZEFycmoybjJueWNkRm0xSXJRbzRob3gyemV4czJBWUFWdnFiVFVs?= =?utf-8?B?QVJuUUhKalFDYm1hS1EwaDVMdllXUW1WV2ZlQUhJVUJRTjJRV1F3KzR6ZFpn?= =?utf-8?B?K1FjcDNqTmNNTkg3U0Yza0diSnVyZVcvQit5SXdUdm4wTWMzclYrYmpzeWtV?= =?utf-8?B?Sk9OeDd5OWptbjhGb2JIUm1DdWNpcGd0a1BBN0NyamppaUV2eHBrQklKSncw?= =?utf-8?B?NStXM05CMmt4OExoT29NZ3QzOFdPNjh3Q2JtVVBYNWJwd2NTOWZsanRSaGNO?= =?utf-8?B?WFB6QVptR3ZGb1VmcmRKN2ljL1dtQ09uYmk1RC9yOEpkWFhRd0hXK0NSeDZ6?= =?utf-8?B?aEFmaFRzempNT2FXVHBzNXV0dFZYMFZDM3dMVWgrMmxncFdmaWJ3TTRSbVVN?= =?utf-8?B?Y2JWYlB3bmpuNFYxNGlRYkIreXQ5UFkvVlNmZVZwMjhKcEJYcW5NcnVBVDJW?= =?utf-8?Q?a1AvrfQQPFvaMB5InTxVMmm/zGvb6khf8LSxbTh?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM4PR11MB54383EB098E3344A85A2DAA5B5079DM4PR11MB5438namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5438.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8973df9a-c846-4cf4-52d8-08d93733fa57
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jun 2021 17:17:43.1068 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mLtiiXst9oqmQrrKCw2lG1I08/yBIJsM+GwDa92cqnsl+1nhkmsAWCNvM/w16vlZjveGW6vc2r2dQye5QSLA/g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB3898
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.16, xbe-aln-001.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/dU22-OFyKrDD_RvrbzQLxaPzD2k>
Subject: Re: [netconf] AD review of draft-ietf-netconf-sztp-csr
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jun 2021 17:17:54 -0000

Hi Kent,

From: Kent Watsen <kent+ietf@watsen.net>
Sent: 24 June 2021 16:26
To: Rob Wilton (rwilton) <rwilton@cisco.com>
Cc: netconf@ietf.org; draft-ietf-netconf-sztp-csr@ietf.org; netconf-chairs@ietf.org
Subject: Re: AD review of draft-ietf-netconf-sztp-csr

Hi Rob,

Pruning down to just interesting bits…



My main questions really relate to REST semantics.

1. It is always the case that the SZTP-client must do the handshake with
the server (i.e, populating the csr-support container, then getting a 400
error back,

before making the actual bootstrap request), or is it acceptable for the
SZTP-client

to guess on acceptable parameters, and send a single request?  Obviously,
this cannot

work in all cases, but I want to check whether it is allowed (or explicitly
disallowed)

in any cases.

A handshake is not strictly always required, as:

1) it’s possible the device could automatically generate a CSR using the same
certificate information as present in its IDevID certificate.  This would allow
the signature on the resulting LDevID to be from the deployment’s CA
infrastructure, which has value in and of itself, but the LDevID would not
contain any new/different/interesting fields, and hence might have limited
appeal.

2) it’s possible that the device could automatically generate unique keys and
associated p10, cmc, cmp structures (i.e., every permutation of key-algorithm
and request-structure the device supports), but this would be expensive on
the device, especially without knowledge if the deployment’s infrastructure
even cares to set an LDevID on the device.

For these reasons the authors felt it best to introduce the dialog presented in
the draft.

Okay, I'm wondering whether a sentence to that effect would be helpful, since when I read the draft, my impression was that a handshake was always expected, but perhaps I'm missing something?

I had an offline chat with my co-authors.

As the YANG syntax stands, it’s possible for the SZTP-client to proactively send a CSR in it’s first message, but the value is so low that it’s almost a SHOULD NOT…and, if we’d caught it before, a “choice” statement may have been used to make it impossible (in order to simplify implementations).

That said, the first paragraph of the “description" statement for "container csr” states that a “csr” is sent in response to a “request-info” structure from the SZTP-server, which suggests that only a “csr-support” node can be proactively sent in the first message.  That only issue is that it doesn’t state that it is *only sent* in response to a “request-info” structure, leaving open a possibility that the first message MAY include both the “csr-support” *and* “csr” nodes.

Looking at just the draft-text (i.e., Ignoring the YANG), Section 2.1 says "In the order of their intended use”, which is suggestive, but the word “intended” leaves open the possibility for alternate uses.

My recommendation is to 1) remove the word “intended”, 2) add a choice statement to the YANG around the “csr-support” and “csr” nodes., and 3) strengthen the language in the last paragraph on page 4 to be more like the YANG, indicating that the “csr” node is sent only in response to a “request-info” from the SZTP-server.

Thoughts?

I’m not sure.  It feels less RESTful (at least to me) to not allow the data to be provided as a single message, even if in practice that might not make sense in most (almost all) cases.  If you were using a separate YANG RPC to send the crs-support and get the request-info then only including the crs node in the bootstrapping data RPC then I would have no complaints.  I.e., it only feels strange to handle a transactional dependency within the data structures of a single RPC on what is nominally a stateless API.

Also, worth noting that using a separate YANG RPC to transmit the capabilities avoids the need to return an error.  It could just return success with the required information.  Was this approach considered at all, and would this be too big a change?  I’m not trying to create extra work for you, or delay this document …

If a separate RPC to get the capabilities in undesirable or infeasible then changing to a choice seems reasonable, but I would probably suggest keeping “intended” and probably keeping the language on page 4 somewhat open, i.e., not strictly locking it down to doing a handshake.

4. References.  RFC 3688 probably should be normative for the XML
registry, noting that

RFC 6020 is normatively referenced.

Really?  I tend to disagree as I thought the litmus test for if something were
normative was if it had to be understood in order to implement the RFC.

I guess the logic here is that you need to understand RFC 6020 to understand the registry that is having entries added (given that RFC 7950 doesn't define the registry).

But, as per below, I'll check with the IESG on this one.



You raise an interesting point about RFC 6020 being Normative, as I see that
it is NOT normative in at least one of my other drafts.  I think that it is a
reasonable position that, if the RFC 6020 reference is only present in the
IANA Considerations section, then it is INFORMATIVE as far as the draft as a
whole goes.  Thoughts?

Let me check with the IESG and get back to you on this one.  Although, perhaps worth noting that both these references are normative in RFC 8343 (and they are only referenced from the IANA registry entries).

Ack, I will wait for your response on this item.

I didn’t really get a strong answer from other ADs on this.

Some of us felt that a normative reference is appropriate (because you need to understand the meaning of the registry that is being updated), and nobody objected to that characterization, but equally, some ADs didn’t think that Informative is necessarily wrong and it is probably not worth worrying about.

My recommendation is to make them normative, because that is what has been done for other RFCs with YANG modules (and consistency is good), and I don’t see any other ADs objecting to this approach.  I would regard this as the path of least resistance.

Thanks,
Rob




Nits:

5.
In the example data, would it helpful to add a sentence to explain
             "base64encodedvalue1=",
             "base64encodedvalue2=",
             "base64encodedvalue3="

Actually, given this convention is used in various places, there is a choice as
to whether

to add a sentence to each example, or perhaps in the introduction.

Adding a sentence to each example would be ideal, but a ton of work,
especially considering my needing to propagate it to the suite of client-server
drafts as well.

Adding something like the following to the Introduction section wouldn’t be
too much work:

1.3.  Conventions

  Various examples used in this document use a placeholder
  value for binary data that has been base64 encoded (e.g.,
  "base64encodeddata==“).  This placeholder value is used
   as real base64 encoded structures are often many lines
   long and hence distracting to the example being presented.

Thoughts?

Looks good.

Applied.



7. In Security Considerations:
 Generating a new key each time enables the random bytes used to
 create the key to serve the dual-purpose of also acting like a
 "nonce" used in other mechanisms to detect replay attacks.

I wasn't clear to me what the two purposes are here.  One is acting like
a "nonce", but what is the other purpose?

:laugh:  The original first purpose is, of course, to generate a new key at all,
as opposed to each time.   Please provide suggested text if you still think it
can be improved.

When you put it that way, it is kind of obvious ;-)

You can either leave it as is, or perhaps a small tweak (moving also) might make it clearer:

  Generating a new key each time enables the random bytes used to
  create the key to also serve the dual-purpose of acting like a
  "nonce" used in other mechanisms to detect replay attacks.

Applied.



Terminology:
Should you add LDevID or IDevID

Maybe, but note that this draft (as with RFC 8572) carefully refers to “identity
certificates”, of which IEEE 802.1AR DevIDs are mere examples of such, but
by no means the only possibility.   It’s unclear if promoting such an ancillary
reference to a top-level term is appropriate.  Currently, as I’m sure you’re
aware, the draft has a reference (i.e., an <xref>) where these values are
used…admitted, likely more times than necessary, such that I wouldn’t be
surprised if the copyeditor were to eliminate all but the first references.
Thoughts? Please advise.

Okay.  I'm happy for you to leave this as is, this is pretty minor.

Leaving as is for now, but on the fence and would welcome thoughts from others.




Thanks,
Rob

K.