Re: [netconf] built-in trust anchors
"Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com> Tue, 12 January 2021 22:59 UTC
From: "Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: Netconf <netconf@ietf.org>
Date: Tue, 12 Jan 2021 22:59:28 +0000
Message-ID: <DM6PR08MB5084ED69870DF456DA8F1A509BAA0@DM6PR08MB5084.namprd08.prod.outlook.com>
References: <DM6PR08MB5084E8CF8D3D4D0E77C841CD9BAA0@DM6PR08MB5084.namprd08.prod.outlook.com> <20210112195951.oi7dlnnqpda7wavm@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210112195951.oi7dlnnqpda7wavm@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/G88WsVwJturKIAcXdmK89hz8VnA>
Yes - adding require-instance false would eliminate the issue about built-in anchors in <running>. But there are useful advantages to keeping require-instance true. I don't have a strong feeling though one way or the other. But assuming we keep require-instance true then the question still remains of how built-in items get into <running> (and are they deletable, and do we only need keys in running, etc).

Jason

> -----Original Message-----
> From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> Sent: Tuesday, January 12, 2021 3:00 PM
> To: Sterne, Jason (Nokia - CA/Ottawa) <jason.sterne@nokia.com>
> Cc: Netconf <netconf@ietf.org>
> Subject: Re: [netconf] built-in trust anchors
>
> Jason,
>
> since the leafref typedefs are weak references that do not require that the certs/keys exist (there is no 'require-instance true'), it may be OK to not have the certs/keys in <running> in terms of validity of the <running> datastore.
>
> Oops, I had to reread RFC 7950 (section 9.9.3): if require-instance is not present, it defaults to true, so my review comment about weak references is incorrect, these are actually strong references and hence there is the need to copy what is referenced. Setting require-instance to false may resolve this (but we lose the ability to catch references to certs/keys that do not exist).
>
> /js
>
> On Tue, Jan 12, 2021 at 07:02:04PM +0000, Sterne, Jason (Nokia - CA/Ottawa) wrote:
> > Hi all,
> >
> > I noticed Jurgen's comment about built-in trust anchors in his YANG doctor review of trust-anchors-13. I wanted to pull that out into a dedicated thread/discussion here.
> >
> > Jurgen:
> >
> > > > - Section 3 talks about populating <running> with built-in trust anchors.
> > > >
> > > > In order for the built-in trust anchors to be referenced by configuration, the referenced certificates MUST first be copied into <running>. The certificates SHOULD be copied into <running> using the same "key" values, so that the server can bind them to the built-in entries.
> > > >
> > > > Is the idea that this copy operation is an explicit management operation or can implementations populate <running> with this data automatically?
> >
> > I suppose a server *could* populate this in running as part of a built-in startup datastore in the absence of a startup datastore (i.e. as contents of a RFC8808 factory default). But I assume it is desirable to be able to delete the running copy of a built-in item. So the system would have to avoid populating these unless it is loading the factory default.
> >
> > But even if the system can populate these, we'd also want the client/user to be able to explicitly populate them as well (i.e. in case they delete one from running, and want to add it back in to reference it).
> >
> > In either case (system population of running, or client population of running), do we really need to put the contents of the bag or the cert into running? Or is populating the list key enough since the operational copy shows what contents are in use for that list entry?
> >
> > Jason
> >
> > _______________________________________________
> > netconf mailing list
> > netconf@ietf.org
> > https://www.ietf.org/mailman/listinfo/netconf
>
> --
> Juergen Schoenwaelder Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
> Fax: +49 421 200 3103 <https://www.jacobs-university.de/>
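The exchange above turns on the RFC 7950 section 9.9.3 rule that a leafref defaults to require-instance true, so a reference from configuration to a built-in trust anchor is only valid once a matching entry exists in <running>. The following is an added illustration, not code from the thread or from the trust-anchors draft: it models <running> and <operational> as plain dicts and walks through the three options discussed (copy the whole built-in entry, copy only its list keys, or set require-instance false). The bag name "built-in-cas", the certificate name "vendor-root" and the cert data string are constructed sample values, and the datastore shape is a deliberate simplification of the draft's certificate-bag lists.

```python
"""Simulation of YANG leafref require-instance semantics for built-in trust anchors.

Constructed example: <running> and <operational> are modelled as dicts of
certificate bags; all names and cert data below are sample values, not the
draft's identifiers.
"""
from dataclasses import dataclass, field


@dataclass
class Datastore:
    """Minimal stand-in for a datastore holding certificate bags.

    bags maps bag-name -> {cert-name -> cert-data}; cert-data is None when
    only the list keys were populated (the 'keys only in running' option).
    refs lists (bag-name, cert-name) leafref values held by other configuration.
    """
    bags: dict = field(default_factory=dict)
    refs: list = field(default_factory=list)


def has_instance(ds: Datastore, bag: str, cert: str) -> bool:
    """True when a list entry with these key values exists in the datastore."""
    return bag in ds.bags and cert in ds.bags[bag]


def unresolved_refs(running: Datastore, require_instance: bool = True) -> list:
    """Leafref validity check per RFC 7950 section 9.9.3.

    With require-instance true (the default) every leafref value must point at
    an existing instance in the same datastore; with false the value is
    accepted even when nothing matches, so dangling references go unnoticed.
    """
    if not require_instance:
        return []
    return [(b, c) for (b, c) in running.refs if not has_instance(running, b, c)]


def copy_builtin(operational: Datastore, running: Datastore,
                 bag: str, cert: str, keys_only: bool) -> None:
    """Copy a built-in entry from <operational> into <running> under the same
    key values, so the server can bind the running entry to the built-in one.
    With keys_only the cert contents are left out of <running>."""
    data = None if keys_only else operational.bags[bag][cert]
    running.bags.setdefault(bag, {})[cert] = data


def effective_cert(operational: Datastore, running: Datastore, bag: str, cert: str):
    """Cert data the server would actually use: the running copy when it carries
    contents, otherwise the built-in contents found under the same keys in
    <operational> (the 'operational copy shows what is in use' reading)."""
    data = running.bags.get(bag, {}).get(cert)
    if data is not None:
        return data
    return operational.bags.get(bag, {}).get(cert)


def scenario(require_instance: bool, keys_only: bool) -> dict:
    """Walk through the thread's situation with constructed sample data."""
    operational = Datastore(bags={"built-in-cas": {"vendor-root": "CONSTRUCTED-CERT-DER"}})
    # Configuration already references the built-in anchor, but nothing has
    # been copied into <running> yet.
    running = Datastore(refs=[("built-in-cas", "vendor-root")])
    before = unresolved_refs(running, require_instance)
    copy_builtin(operational, running, "built-in-cas", "vendor-root", keys_only)
    after = unresolved_refs(running, require_instance)
    used = effective_cert(operational, running, "built-in-cas", "vendor-root")
    # Deleting the running copy makes the strong reference dangle again.
    del running.bags["built-in-cas"]["vendor-root"]
    deleted = unresolved_refs(running, require_instance)
    return {"before_copy": before, "after_copy": after,
            "cert_in_use": used, "after_delete": deleted}


if __name__ == "__main__":
    for ri, ko in [(True, False), (True, True), (False, False)]:
        print(f"require-instance={ri} keys_only={ko}: {scenario(ri, ko)}")
```

Running the block shows the trade-off Juergen describes: with require-instance true the reference is invalid until a copy (full or keys-only) exists in <running> and becomes invalid again as soon as that copy is deleted, while with require-instance false the dangling reference is never reported.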