Re: [netconf] Éric Vyncke's No Objection on draft-ietf-netconf-trust-anchors-23: (with COMMENT)
Kent Watsen <kent+ietf@watsen.net> Wed, 31 January 2024 22:21 UTC
Return-Path: <0100018d619d05b8-a377227e-871a-4702-8771-ece3fbafa999-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB4E5C14F681; Wed, 31 Jan 2024 14:21:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o1BKOnNeINAS; Wed, 31 Jan 2024 14:21:38 -0800 (PST)
Received: from a48-95.smtp-out.amazonses.com (a48-95.smtp-out.amazonses.com [54.240.48.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4212BC14F5F6; Wed, 31 Jan 2024 14:21:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1706739697; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=gxSUbShkXAIDOkvrKsEjhe7z3s0zHUIagHalTgKKtmQ=; b=YrUF1tu5erC8PT3JiwuuP7TjFqYv5HQ44Ft0LnppHcBYgK2puyEa3fJjycnbVTwH 7WMM3v+cULWvuel24ChCqtQvVlytI3b7sk19DDKI8mPIsqjHjZXlCY7HUTS+xHwTqOU an/+nwC418Cld9LGzCHBM2XzKZwQ2hn+bcKd0GUY=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018d619d05b8-a377227e-871a-4702-8771-ece3fbafa999-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9120D806-7672-4AEF-9232-A2B38BEFB0F5"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Wed, 31 Jan 2024 22:21:37 +0000
In-Reply-To: <A52D287A-487A-4146-8E05-D6E896FE4AEF@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-netconf-trust-anchors@ietf.org" <draft-ietf-netconf-trust-anchors@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, Qin Wu <bill.wu@huawei.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
References: <170652427877.6671.15721070975651867436@ietfa.amsl.com> <0100018d55a55762-0b9f0225-e11e-42a8-984c-738f1e100c15-000000@email.amazonses.com> <A52D287A-487A-4146-8E05-D6E896FE4AEF@cisco.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.01.31-54.240.48.95
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/epfa240r3l35Gp0fvDfgA1O53uE>
Subject: Re: [netconf] Éric Vyncke's No Objection on draft-ietf-netconf-trust-anchors-23: (with COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jan 2024 22:21:42 -0000
Hi Eric, > On Jan 31, 2024, at 4:43 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote: > > Hello Kent and thank you for your prompt reply. > > As my corporate mail agent is quite broken, please see below for EVY> Responses below! K. > Regards > > -éric > > > On 29/01/2024, 15:35, "Kent Watsen" <kent+ietf@watsen.net <mailto:kent+ietf@watsen.net> <mailto:kent+ietf@watsen.net>> wrote: > > > Hi Éric, > > > > >> On Jan 29, 2024, at 5:31 AM, Éric Vyncke via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org><mailto:noreply@ietf.org>> wrote: >> >> Éric Vyncke has entered the following ballot position for >> draft-ietf-netconf-trust-anchors-23: No Objection >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/<https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/> >> for more information about how to handle DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/<https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/> >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Thanks for the work done for this document. >> >> Suggest to refresh some dates used in examples (2018 is a long time ago). > > > I updated the date in the example to 2024. > This update is only in my local copy for now... > > > EVY> thank you > >> Should there also be a 'not valid before' date for certificates ? > > > Is this comment connected to the previous comment regarding the "certificate-expiration” notification? > Assuming “yes”, I do not think there is a need for a *notification* for 'not valid before’ - agreed? > > EVY> my only issue with the above statement is that the store is then limited to sending notification and not on how to select the right certificate. > EVY> selecting the right certificate is important when doing cert rollover (i.e., the sender has 2 certs with a small time overlap). Hmmm, now my understanding is that you’re NOT asking for a *notification”, but rather possibly a couple “config false" nodes to propagate said validity period values from the certificate itself. Whilst this could be done, I wonder to what end? How many more X.509 fields would folks want to surface? - On the flip side, clients can examine the cert themselves for such details - too much effort? If too much effort, then what about clients that care mangle info they care about into the “name” field? For example this: <certificate> <name>My certificate (notBefore: AAA, notAfter BBB)</name> <cert-data>BASE64VALUE=</cert-data> </certificate> Please advise. >> How can a node know where to send the certificate expiration notifications ? Is >> it also a pub/sub model ? (I should probably know the answer…) > > > How YANG notifications are delivered is topic outside the scope of this draft but, since you asked… > - delivery varies by protocol: e.g. NETCONF and RESTCONF have their own delivery mechanisms > - delivery can also be via UDP or HTTP (see the udp-notif and http-notif drafts - WG documents) > > EVY> I will have to (re)-read the udp/http notifications then ;-) Yes, orthogonal to this document. Thanks again, Kent
- [netconf] Éric Vyncke's No Objection on draft-iet… Éric Vyncke via Datatracker
- Re: [netconf] Éric Vyncke's No Objection on draft… Kent Watsen
- Re: [netconf] Éric Vyncke's No Objection on draft… Eric Vyncke (evyncke)
- Re: [netconf] Éric Vyncke's No Objection on draft… Kent Watsen