Re: [netconf] AD review of draft-ietf-netconf-sztp-csr

Kent Watsen <kent+ietf@watsen.net> Wed, 07 July 2021 18:45 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Date: Wed, 7 Jul 2021 18:45:04 +0000
In-Reply-To: <DM4PR11MB5438034DFB9BBCC8963445C2B51B9@DM4PR11MB5438.namprd11.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>, "draft-ietf-netconf-sztp-csr@ietf.org" <draft-ietf-netconf-sztp-csr@ietf.org>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
References: <c318ff6892614640b89a0eb775e9bf42@huawei.com> <0100017a67571569-f34e8df5-f018-4f08-ba46-5bd919b6d127-000000@email.amazonses.com> <DM4PR11MB5438034DFB9BBCC8963445C2B51B9@DM4PR11MB5438.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/oyogp5aR5wYGJhT9nHqxhhL8XNk>
Subject: Re: [netconf] AD review of draft-ietf-netconf-sztp-csr

Hi Rob,

-05 just posted. More comments below.



> So, I agree on moving back to “400”.

Done!  (commit <https://github.com/netconf-wg/sztp-csr/commit/55947184e8b6446444e4b2229e106259619bf6b2>)


> BTW, one of my colleagues was looking at this draft, and couldn’t immediately understand what it was for.  Hence, would it be helpful to add a sentence or two in the introduction to explain why having a signed LDevID on the device is helpful?

We (the authors) added this to the Introduction: (commit <https://github.com/netconf-wg/sztp-csr/commit/6dac677edf879d9a6fd1fe4c5ad9c1f98e7745e9>)

            The ability to provision an identity certificate that is purpose-built
            for a production environment during the bootstrapping process
            removes reliance on the manufacturer CA, and it also enables the
            bootstrapped device to join the production environment with an
            appropriate identity and other attributes in its LDevID
            certificate.


>  Regards,
> Rob

K.  // as co-author