Re: [netconf] [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-sztp-csr-02

Kent Watsen <> Tue, 15 June 2021 20:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A041F3A3C00; Tue, 15 Jun 2021 13:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SO8mbp6LGYnV; Tue, 15 Jun 2021 13:06:50 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AA5A43A3C2A; Tue, 15 Jun 2021 13:06:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug;; t=1623787605; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=LWBW1pIQYkV+Jnzed8gY5s9wMEce8QujbKTFwppDkGc=; b=PHcJQE8rQNq3bdQlzRFMRFh8um71ZeziWkkRhtJJ8oTpwzbSy80Tg4+f1KzF3fsC wbBR6GLSk9vDs7poG8HONLYSOBR/S29TPmVg2Jl/acjR9QnuMQkMmL3uKQbrxqKe6QY qCdnxZlR/cslaHACbQXb//Quw3fusrVFm29y40OA=
From: Kent Watsen <>
Message-ID: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_147F7BA6-F190-436F-9BEA-7853EFFB9B95"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Tue, 15 Jun 2021 20:06:45 +0000
In-Reply-To: <>
Cc: YANG Doctors <>,,, "" <>, Russ Housley <>, Sean Turner <>
To: Joe Clarke <>
References: <>
X-Mailer: Apple Mail (2.3654.
X-SES-Outgoing: 2021.06.15-
Archived-At: <>
Subject: Re: [netconf] [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-sztp-csr-02
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Jun 2021 20:06:55 -0000

[Sean, please note the question to you below]

Hi Joe,

Thank you for your review!

Diffs can be found here: <>.

Please see below for comments.


> On Jun 8, 2021, at 2:16 PM, Joe Clarke via Datatracker <> wrote:
> Reviewer: Joe Clarke
> Review result: Ready with Nits
> I have been asked to perform a last-call review of this draft on behalf of YANG
> Doctors.  This draft specifies a YANG module for conveying a CSR in a Secure
> Zero Touch Provisioning Bootstrapping Request.  It augments the
> "get-bootstrapping-data" RPC defined in RFC 8572.  Overall, I found the draft
> (and module) ready with the following small issues/nits.

Thank you.

> Editorial Note:
> You mention XXXX and AAAA, and you also use BBBB in the module
> ietf-yang-structure-ext.  I know this section will be removed, but you may want
> to mention this to make sure that substitution is done.

XXXX and AAAA are both discussed in the "Editorial Note (To be removed by RFC Editor)” section found at the beginning of the document.

Good catch on BBBB, but even more importantly, “RFC BBBB" is now “RFC 8791”, so I made that final designation instead.

> ===
> Section 2.1
> The YANG tree here deviates from the output produced by pyang
> --tree-print-structures --tree-line-length=69 --tree-module-name-prefix.  In
> particular, the "flags" column is missing from each element under the augment
> branch (e.g., the 'w' that appears in pyang's output's flags field).

True.  I uncharacteristically used `yanglint` to generate that tree diagram.  I reverted back to `pyang` and now the flags appear correctly.

> ===
> Section 2.2
> You have this text: Some implementation may choose to convey it inside a script
> (e.g., SZTP's "pre-configuration-script")
> I'd like to see a reference to RFC 8572 here on where this is defined.  I
> realize I'm being pedantic here, but there are a number of SZTP documents, and
> I think having a reference helps.

I added the sentence "SZTP onboarding information is described in Section 2.2 of [RFC8572].”  to the end of that paragraph.  Is this what you had in mind?

> ===
> Section 2.2
> s/so that the the device/so that the device/


> ===
> Module overall:
> I noticed that the module itself differs in various formatting from pyang -f
> yang.  There are some line and spacing differences, and I don't think it would
> hurt to canonicalize the module in the draft.

Thanks - updated to better align with `pyang -f yang --keep-comments --yang-line-length 69 ietf-sztp-csr@*.yang`.

> ===
> Module's main description:
> You mention SZTP's 'onboarding-information' response, but this isn't a formal
> YANG node.  That node is conveyed-information.  Is it worth clarifying that
> here in the module description like you did in draft text in section 2.2?  I
> have the same comment in the description of "container csr".  The quoted and
> hyphenated "onboarding-information" might make one think that there is a node
> that contains this.

'onboarding-information’ *is* a formal node - it is described here:  

Just the same, I converted “ ‘onboarding-information’ ” to “onboarding information” (without the hyphen or single quotes, as it is also defined as a term that way in RFC 8572.

The clarification "onboarding-information" (encoded inside the "conveyed-information" node)" found in 2.2 was/is to help the reader with the following example snippet that doesn’t actually show the "onboarding-information” node because it is hidden inside the “base64encodedvalue==“ value.  Makes sense?

     "ietf-sztp-bootstrap-server:output" : {
       "reporting-level": "verbose",
       "conveyed-information": “base64encodedvalue =="

> ===
> Under leaf cmc's description:
> s/is the TaggedCertificationRequest and it a bodyPartId/is the
> TaggedCertificationRequest and it consists of a bodyPartId/
> There are two instances of this, and I wasn't sure exactly what you wanted to
> say here.  This was my attempt to make it readable.

Reading the description statement for "leaf cmc” shows that it describes three structures, each for a different condition.

I agree that the text for the last two structures is highly similar, though not exactly the same.  Perhaps the text could be simplified.  Sean, what do you think?  (Search for “leaf cmc” here: <>)

> ===
> While you indicate that the algorithm-selected node is mandatory, should this
> not be the case for the selected-algorithm container that contains it since as
> you state in the description for cert-req-info, it is an error if the
> SubjectPublicKeyInfo's algorithm does not match the selected-algorithm.  Could
> an implementer not return this container at all and still be compliant to the
> module while causing unexpected behavior for the client?

I think it’s okay.  I just tested and validation also fails if the "selected-algorithm” node is missing.

> In leaf cert-req-info's description:
> The word “another” (with respect to the 400 Server Error) doesn’t follow here
> unless one refers to the csr-support presence container above.  I think
> dropping it might make this text a bit less confusing (or copying similar text
> from the csr-support node’s description.

Replaced “another 400 (Bad Request) response” with "a 400 (Bad Request) response containingvanother 'request-info' structure.” 


> ===
> Section 3.1.2:
> s/In cases where it it not possible/In cases where it is not possible/

> s/key rather then generate/key rather than generate/


Thanks again!